
SIM-Swap Fraud Hits Marks & Spencer




A recent cyberattack on Marks & Spencer (M&S) has raised eyebrows across the industry, not because it was complex but because it was clever. Reports suggest that attackers used an old trick with a new twist: SIM swap fraud. And if a company as established as M&S can fall victim, then anyone can.


What Really Happened?

While the full technical breakdown is still under wraps, early reports say cybercriminals may have hijacked an employee’s mobile number. With that control, they allegedly convinced internal IT to reset credentials, essentially walking right into the company’s digital core.


Let that sink in: no malware, no zero-day exploit, just a well-played con.


SIM-Swap Fraud:

Here’s how it works. A scammer contacts your mobile provider pretending to be you and convinces them to transfer your number to a new SIM card they control. Suddenly, all your calls and texts, including 2FA codes, go to them.


This gives them the power to:


1) Reset your emails, banking apps, or WhatsApp

2) Read your private messages

3) Impersonate you to your contacts

4) Access internal systems if you're an employee at a target company


It’s terrifying because it relies less on technical skill and more on human psychology and weak identity checks.


Why This Attack Hits Different:

What used to be a trick aimed at crypto holders and influencers is now going mainstream. According to CIFAS, SIM swap cases in the UK exploded from under 300 in 2022 to nearly 3,000 in 2023. And let’s be honest, we've all posted too much online. A birthday here, a phone number in a job post, an email address in a giveaway… it doesn’t take much for a scammer to build a profile convincing enough to fool customer service reps.


What You Can Do Right Now: (Here are five things you can do today)


1) Ditch SMS 2FA – Use authenticator apps like Google Authenticator.

2) Add a PIN to your mobile account – Make sure your phone number can’t be moved without it.

3) Think twice before sharing personal info – Especially your number or date of birth.

4) Learn to spot phishing – Don’t give attackers easy entry points.

5) Use different emails for different purposes – One for banking, one for social media, one for public stuff.


Final Thoughts from Me:

This isn’t just about M&S. It’s about a wider shift in how attackers are targeting the weakest link in our security. The phone number, once a basic communication tool, is now a digital identity, and unless we start protecting it like one, we’re going to see more stories like this.


Stay safe, stay aware.

– Yashwanth Karuppusamy

©2035 by CyberWithYash