The Headlines That Should Make You Pause
In April and May 2025, two of the UK’s most recognisable retailers — Marks & Spencer and Co-op — were hit by serious cyberattacks, both involving phishing and social engineering tactics.
1. M&S: SIM Swap, Help Desk Failure, and £300M Fallout
M&S confirmed that hackers tricked IT help desk staff into resetting credentials by posing as employees, then escalated the breach by performing a SIM swap to intercept two-factor authentication codes. This allowed attackers to access sensitive customer data, including contact details and order history.
📉 According to reports, the fallout will cost M&S up to £300 million in lost profits, reputational damage, and security overhauls.
2. Co-op: Credential Phishing and Member Data Exposure
Co-op’s breach followed a similar pattern: attackers exploited human error and weak access controls to break into internal systems. They extracted a significant volume of member data — including names, emails, and contact details — though financial info was reportedly not accessed.
Co-op later admitted the breach occurred over several days and involved manipulating multiple staff interactions.
⚠️ Takeaway: If They Can Get in There, They Can Get in Anywhere
Phishing isn’t just about dodgy emails anymore. These attacks worked because:
- Help desk protocols were manipulated with confidence tricks
- Multi-factor security was circumvented via SIM swapping
- Internal trust was exploited — attackers sounded convincing
These are big-name brands with big cybersecurity budgets. But they fell victim to mistakes SMEs are even more vulnerable to — limited training, under-tested processes, and overworked support staff.
🔒 What Can SMEs Do Today?
Here are 5 real-world, low-cost actions any SME can take — starting now.
1. Run a Fake Phishing Test
Simulate a phishing email campaign using tools like KnowBe4, Gophish (free and open source), or Microsoft's Attack simulation training in Defender for Office 365. 👉 Find out who clicks, who enters their password, and who reports it. Learn. Improve.
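As an added example, not code from the original post or from any of the tools named above, the script below turns a simulation campaign's results into the numbers worth acting on: click rate, credential-submission rate, report rate, a per-team breakdown and the list of people who need a quiet word. The sample data is constructed by hand and mirrors the shape of the JSON a Gophish campaign object carries (a `results` list with one entry per recipient and a `status` string); that shape is an assumption, so check it against your own tool's export before pointing this at real data.

```python
"""Turn phishing-simulation results into numbers you can act on.

Added example for this article, not code from the original post, from Gophish,
KnowBe4 or Microsoft. SAMPLE_CAMPAIGN is constructed by hand to mirror the
shape of a Gophish campaign object (a "results" list with one entry per
recipient and a "status" string); that shape is an assumption, so check it
against your own tool's export before wiring this to real data.
"""
import json
from collections import Counter, defaultdict

# Constructed sample: nobody here is a real person.
SAMPLE_CAMPAIGN = json.dumps({
    "name": "Q2 2025 payroll-change lure",
    "results": [
        {"email": "ana@example.test", "position": "Finance", "status": "Submitted Data", "reported": False},
        {"email": "ben@example.test", "position": "Finance", "status": "Clicked Link", "reported": False},
        {"email": "cat@example.test", "position": "Support", "status": "Email Opened", "reported": True},
        {"email": "dev@example.test", "position": "Support", "status": "Clicked Link", "reported": False},
        {"email": "eve@example.test", "position": "Sales", "status": "Email Sent", "reported": False},
        {"email": "fay@example.test", "position": "Sales", "status": "Email Reported", "reported": True},
    ],
})

# Statuses that mean the lure worked, in the wording Gophish uses.
FELL_FOR_IT = {"Clicked Link", "Submitted Data"}


def summarise(campaign_json: str) -> dict:
    """Return overall rates, a per-team breakdown and who needs coaching."""
    results = json.loads(campaign_json)["results"]
    if not results:
        return {"click_rate": 0.0, "submit_rate": 0.0, "report_rate": 0.0,
                "per_team": {}, "coach": []}
    totals, by_team, coach = Counter(), defaultdict(Counter), []
    for r in results:
        team = r.get("position") or "Unknown"
        for c in (totals, by_team[team]):
            c["sent"] += 1
            if r["status"] in FELL_FOR_IT:
                c["clicked"] += 1
            if r["status"] == "Submitted Data":
                c["submitted"] += 1
            # Reporting is the behaviour you want to grow, so it is counted
            # separately from clicking; someone can do both in one campaign.
            if r.get("reported"):
                c["reported"] += 1
        if r["status"] in FELL_FOR_IT:
            coach.append(r["email"])
    return {
        "click_rate": totals["clicked"] / totals["sent"],
        "submit_rate": totals["submitted"] / totals["sent"],
        "report_rate": totals["reported"] / totals["sent"],
        "per_team": {t: dict(c) for t, c in by_team.items()},
        "coach": sorted(coach),
    }


def teams_to_prioritise(summary: dict, max_click_rate: float = 0.2) -> list:
    """Teams whose click rate is above the threshold, worst first."""
    rates = {t: c.get("clicked", 0) / c["sent"] for t, c in summary["per_team"].items()}
    return sorted((t for t, rate in rates.items() if rate > max_click_rate),
                  key=lambda t: -rates[t])


if __name__ == "__main__":
    s = summarise(SAMPLE_CAMPAIGN)
    print(f"clicked {s['click_rate']:.0%}, submitted {s['submit_rate']:.0%}, "
          f"reported {s['report_rate']:.0%}")
    print("coach:", ", ".join(s["coach"]))
    print("prioritise:", teams_to_prioritise(s))
```

The number to watch over successive campaigns is the report rate, not the click rate: a team that clicks less but never reports is still blind to the attack that gets through.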
2. Train Like You Mean It
Not a one-off workshop: make cyber hygiene part of the culture:
- Teach people what phishing really looks like today, including phone calls and chat messages, not just email
- Run spot quizzes
- Reinforce what "never share" actually means: passwords, MFA codes and reset links are never given to anyone, including someone claiming to be IT
In the Co-op attack, it’s likely that the staff gave away too much info, believing they were helping.
3. Secure the Front Door
Use multi-factor authentication (MFA) on everything, and prefer an authenticator app or a hardware security key over SMS codes, because SMS is exactly what a SIM swap captures. Then go further:
- Restrict MFA resets to named admins
- Block new devices from logging in without manual approval
M&S's attackers bypassed MFA using SIM swap fraud. Your mobile provider can help lock this down: ask what SIM-swap and number-porting protections they offer on business accounts, and treat a recently changed phone number as a red flag rather than a number to call back.
4. Lock Down IT Support
Whether in-house or outsourced, your support process must:
- Use callback verification, ringing the number already on file, never a number the caller gives you
- Ask multi-layer ID questions, and fail the request if any answer is wrong
- Record all reset activity, including requests that were refused
M&S’s breach started with an innocent-sounding request to reset a password.
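To show what "Secure the Front Door" and "Lock Down IT Support" look like when written as a procedure rather than a hope, here is an added example in Python. It is not code from M&S, Co-op or PiBlu and talks to no real identity provider: the employee directory is a constructed sample, the audit log is an in-memory list, and the names (`Employee`, `ResetRequest`, `verify_reset_request`, `RECENT_NUMBER_CHANGE_DAYS`, `NAMED_MFA_ADMINS`, `TODAY`) are this example's own. The point it makes is that each check is independent: the caller's charm may get them past the agent, but not past the callback to the number on file, the recent-number-change flag, or the named-admin approval an MFA reset needs.

```python
"""Help-desk reset check that a confident caller cannot talk around.

Added example for this article: it is not code from M&S, Co-op or PiBlu and it
talks to no real identity provider. The employee directory is a constructed
sample, the audit log is an in-memory list, and the names (Employee,
ResetRequest, verify_reset_request, RECENT_NUMBER_CHANGE_DAYS,
NAMED_MFA_ADMINS, TODAY) are this example's own inventions.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional, Tuple

# A phone number changed this recently is treated as unsafe to call back:
# a fresh SIM swap or number change is the attacker's setup, not the user's.
RECENT_NUMBER_CHANGE_DAYS = 14
NAMED_MFA_ADMINS = {"mjones"}   # the only people who may approve an MFA reset
AUDIT_LOG = []                  # every attempt lands here, allowed or refused
TODAY = date(2025, 5, 3)        # fixed "today" so the example is reproducible


@dataclass
class Employee:
    user_id: str
    phone_on_file: str      # the ONLY number the desk is allowed to ring back
    phone_changed_on: date  # when that number was last updated
    id_answers: dict        # expected answers to the multi-layer ID questions


@dataclass
class ResetRequest:
    user_id: str
    caller_phone: str         # the number the caller gives: never trusted
    reset_type: str           # "password" or "mfa"
    answers: dict             # what the caller actually answered
    callback_confirmed: bool  # desk rang phone_on_file and the owner confirmed
    approver_id: Optional[str] = None  # named admin who approved an MFA reset


# Constructed directory; nobody here is a real person.
DIRECTORY = {
    "jsmith": Employee("jsmith", "+44 7700 900101", date(2024, 1, 10),
                       {"employee_number": "E1042", "start_month": "2019-03"}),
    "kbrown": Employee("kbrown", "+44 7700 900202", date(2025, 5, 1),
                       {"employee_number": "E2211", "start_month": "2022-09"}),
}


def _decide(req: ResetRequest, allowed: bool, reason: str) -> Tuple[bool, str]:
    # Refused attempts are the early warning, so they are logged too.
    AUDIT_LOG.append({"user": req.user_id, "type": req.reset_type,
                      "allowed": allowed, "reason": reason,
                      "caller_phone": req.caller_phone})
    return allowed, reason


def verify_reset_request(req: ResetRequest, today: date) -> Tuple[bool, str]:
    """Return (allowed, reason). Checks are independent: talking an agent past
    one of them does not get the caller past the others."""
    emp = DIRECTORY.get(req.user_id)
    if emp is None:
        return _decide(req, False, "unknown user")
    # 1. Multi-layer ID questions: every answer must match, not most of them.
    for key, expected in emp.id_answers.items():
        if req.answers.get(key) != expected:
            return _decide(req, False, f"id question failed: {key}")
    # 2. Callback verification against the record, not the caller's story.
    if req.caller_phone != emp.phone_on_file:
        return _decide(req, False, "caller phone does not match record")
    if (today - emp.phone_changed_on).days < RECENT_NUMBER_CHANGE_DAYS:
        return _decide(req, False, "phone number changed recently: escalate")
    if not req.callback_confirmed:
        return _decide(req, False, "callback not confirmed")
    # 3. MFA resets need a named admin, and nobody approves their own reset.
    if req.reset_type == "mfa" and (req.approver_id not in NAMED_MFA_ADMINS
                                    or req.approver_id == req.user_id):
        return _decide(req, False, "mfa reset needs a named admin approver")
    return _decide(req, True, "all checks passed")


if __name__ == "__main__":
    good = ResetRequest("jsmith", "+44 7700 900101", "password",
                        {"employee_number": "E1042", "start_month": "2019-03"}, True)
    print(verify_reset_request(good, TODAY))
    swapped = ResetRequest("kbrown", "+44 7700 900202", "mfa",
                           {"employee_number": "E2211", "start_month": "2022-09"},
                           True, "mjones")
    print(verify_reset_request(swapped, TODAY))  # refused: number changed 2 days ago
```

Notice that `kbrown` passes every question and the callback, and is still refused because the number on file changed two days ago. That refusal is the moment to escalate to a manager or an in-person check, and the audit entry it leaves is what lets you spot the second and third attempt against the same account.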
5. Limit Access by Role
Segment your systems. No one should have “just in case” access. The fewer doors an attacker can open, the less damage they can do.
SME Risk Reduction Cheat Sheet
💬 Final Word
If your team isn’t trained — or if your IT support can be tricked — then you’ve got a gap. Not because you’re careless. But because attackers are smart and relentless.
🔐 At PiBlu, we help SMEs put the basics in place. Not enterprise-level complexity — just practical, everyday defences that actually work.
Want a quick, jargon-free chat about your setup?
📞 Call 0161 388 8188 or message me here on LinkedIn.
Let’s get your business phishing-ready — before someone tests it for you.