18-05-2025
Working from home 'making companies more vulnerable to M&S-style cyberattacks'
Cybersecurity experts warned the rise of hybrid working plus tools like AI voice simulation had 'changed the game' for hackers.
Working from home is making companies more vulnerable to M&S-style cyberattacks, experts have warned. Joe Jones, boss of cybersecurity firm Pistachio, has told how the rise of hybrid working along with tools like AI voice simulation have 'changed the game' for hackers.
He highlighted cases where workers have been tricked by AI into thinking they're speaking to their boss or finance team as scams become ever more sophisticated. It comes amid reports the hack on the major retailer, thought to have been carried out by notorious cyber criminals Scattered Spider, saw IT help desk workers duped into handing over access to company systems.
So-called 'social engineering' attacks - targeting human vulnerabilities rather than system flaws - have become the preferred tactic of hackers, with a Mimecast study finding 95 per cent of data breaches last year were linked to human error. Jones, whose firm runs cyberattack simulations for companies, warned a new £16million UK Government package to ramp up cyber defences was only part of the equation.
He said: 'AI voice simulation can now trick you into thinking you're speaking to your finance director, or an email can write exactly like your boss.
'Some of these hacks are very sophisticated and the increase of working from home since the pandemic has left us more vulnerable.
'While added investment into cybersecurity can help reduce attacks like this in the future, far, far more important than that is educating people on how to avoid an attack.
'Buying cybersecurity technology but not training human beings is like putting an expensive security camera and alarm system on your house and then leaving all the doors open.'
The late April attack, which also affected Co-op and Harrod's, caused panic among the retailers with online orders suspended and store shelves lying empty.
Experts including Jones and Jude McCorry, boss of Scotland's Cyber and Fraud Centre, warned the M&S hack - which the retail giant has now admitted saw personal data stolen - will likely lead to a 'wave' of phishing attacks targeting customers.
McCorry said: 'We need to start thinking outside the box around this.
'Staff training (on cyber security) I think should be mandatory in organisations, and it should be mandatory in government as well.
'We should do cyber exercises the same way as we do fire drills.
'We rely on technology for everything - our internet banking, our shopping and how we pay, how we order things, how we click and collect and even how we get our food onto the shelves and into restaurants.
'This should be a wake up call. We hope maybe people will realise how delicate the system is.'
She advised all M&S customers to change their password and ensure they're using different passwords on different sites, as well as two-factor or multi-factor authentication.
Join the Daily Record WhatsApp community!
Get the latest news sent straight to your messages by joining our WhatsApp community today.
You'll receive daily updates on breaking news as well as the top headlines across Scotland.
No one will be able to see who is signed up and no one can send messages except the Daily Record team.
All you have to do is click here if you're on mobile, select 'Join Community' and you're in!
If you're on a desktop, simply scan the QR code above with your phone and click 'Join Community'.
We also treat our community members to special offers, promotions, and adverts from us and our partners. If you don't like our community, you can check out any time you like.
To leave our community click on the name at the top of your screen and choose 'exit group'.
If you're curious, you can read our Privacy Notice.
McCorry, whose Cyber and Fraud Centre is Scotland's only social enterprise dedicated to cybersecurity, warned: 'Even if the threat to your own data isn't there, there will be threat actors out there pretending they are from M&S or pretending that they've got your data.
'We should make sure we're having conversations with older people as well, and family and friends, on how to protect themselves.'
Jones added: 'We often see this kind of breach followed by a wave of personalised phishing attempts.
'Anyone with an M&S account should be extra cautious and stay alert for emails or texts claiming to be from the retailer.'
