SIM-Swap Fraud: Why the M&S Attack Vector Should Be a Wake-Up Call for UK Organisations
The recent cyber attack on Marks & Spencer has exposed a growing and dangerous trend in the cyber security threat landscape - SIM-swap fraud. In this type of attack the criminal has a victim's mobile number moved to a SIM card they control, and then uses it to bypass SMS-based multi-factor authentication (MFA) and the phone-based identity checks that guard account recovery, and from there to reach sensitive business infrastructure.
As reported by The Times, cyber criminals allegedly gained access to M&S systems by taking control of a staff member’s mobile number. Once inside, attackers were able to navigate internal networks, disrupt operations, and expose systemic weaknesses in mobile-based security protocols.
“This isn’t just a breach. It’s a blueprint for how social engineering and mobile identity fraud can bypass even the most established security infrastructures,” said Damon Rands, CEO of PureCyber. “The M&S case should be a turning point - not just for retail, but for all sectors reliant on SMS-based authentication.”
What is SIM-Swap Fraud?
SIM-swap fraud, also known as SIM-jacking, is a form of identity theft in which attackers take over a person's mobile number by having the mobile operator transfer it to a SIM card they control. This is often done through social engineering of the operator's customer service staff, insider threats, or by exploiting weak verification procedures used by telecom providers. The victim's own handset loses service the moment the transfer completes, which is often the first visible sign.
Once attackers have control of a mobile number, they can:
Intercept SMS-based two-factor authentication codes
Reset passwords for corporate or personal accounts
Access business-critical systems
Impersonate the victim across communication channels
Recent figures from CIFAS show a dramatic increase in cases — from under 300 in 2022 to nearly 3,000 in 2023 in the UK alone.
“We've long warned that relying on SMS for 2FA is no longer fit for purpose,” said Rands. “Your mobile number should not be your digital identity.”
How the M&S SIM-Swap Breach Unfolded
In the Marks & Spencer cyber attack, criminals are believed to have exploited the SIM-swap technique to impersonate an internal user. By gaining control of the user’s mobile number, they reportedly manipulated helpdesk procedures to reset login credentials and gain elevated access to internal systems.
This method of entry is particularly dangerous because it abuses social engineering and internal trust mechanisms rather than a software flaw: a helpdesk that verifies a caller by ringing or texting the registered mobile number is, after a SIM swap, verifying the attacker.
“It’s not just about technical vulnerabilities. It’s about how deeply human behaviour and system design are intertwined,” Rands added. “Attackers are exploiting trust - and that’s much harder to firewall.”
The Business Impact of SIM-Swap Attacks
Once a SIM swap is executed successfully, attackers can:
- Hijack email, messaging and social media accounts
- Intercept password reset links and confidential data
- Breach internal systems undetected
- Launch further phishing or social engineering attacks on colleagues
- Cause significant brand and reputational damage
- Trigger financial losses and regulatory penalties
At PureCyber, we have helped several high-profile UK businesses recover from SIM-swap-related breaches. In every case, the aftermath includes operational downtime, reputational harm, and deep concerns about employee and customer safety.
SIM-Swap Prevention: PureCyber’s Security Recommendations
For Individuals and Employees:
Limit sharing of personal data such as phone numbers and birthdays on public platforms
Avoid SMS-based two-factor authentication - use an authenticator app (e.g. Google Authenticator) or, better, a hardware security key or passkey (FIDO2/WebAuthn), which cannot be redirected by moving your phone number
Set a port-out or account PIN with your mobile provider so that number transfers and SIM replacements require it
Watch for suspicious activity or unusual 2FA prompts, and treat a handset that suddenly drops to no signal or "SOS only" as a possible SIM swap - contact your provider immediately and change the passwords on accounts that use the number for recovery
For Organisations:
Phase out SMS-based authentication in favour of phishing-resistant MFA such as FIDO2/WebAuthn security keys or passkeys, with app-based one-time codes as an interim step; a fingerprint or face unlock on its own unlocks a device and is not by itself a second factor for the account
Provide security awareness training on social engineering and identity fraud, including for helpdesk and IT support staff, who are the target of these calls
Strengthen helpdesk protocols so that a call-back or SMS code to the registered mobile number is never accepted as proof of identity for a password or MFA reset; require a second channel such as line-manager confirmation or a video call, and log and alert on every reset
Conduct regular security audits and red-team simulations focused on identity compromise, including helpdesk-impersonation scenarios
Collaborate with telecom providers to review and upgrade SIM-swap mitigation procedures
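One way to operationalise the audit and helpdesk points above is to correlate a change to a user's phone-based MFA factor with what happens to that account in the following hours. The script below is an added example for this article; it is not PureCyber's tooling and not code from the original page. The event schema, the event-type names, the 24-hour window, the "known sources" list and the sample log are all assumptions made for illustration; map your identity provider's or helpdesk system's audit events onto them.

```python
"""Correlate identity audit events into SIM-swap / helpdesk-reset chains.

Added example for this article; not PureCyber's tooling and not code from
the original page. Event schema, event-type names, the 24-hour window and
the sample log below are all assumptions made for illustration.
"""
from datetime import datetime, timedelta

# Event types that mean the phone-based factor itself was changed
# (assumed names; map your IdP's or helpdesk system's events onto these).
FACTOR_CHANGE = {"mfa_phone_changed", "sms_factor_enrolled", "mfa_reset"}

# Source addresses the organisation already trusts (assumption: corporate range).
KNOWN_SOURCES = frozenset({"10.20.1.15", "10.20.1.16"})

# Constructed sample audit log. Not real data.
SAMPLE_EVENTS = [
    {"ts": "2025-04-17T09:02:11Z", "user": "alice", "type": "login_success", "src": "10.20.1.15"},
    # bob: phone factor changed via helpdesk, then reset, new-source login and admin role within 25 min
    {"ts": "2025-04-19T18:41:03Z", "user": "bob", "type": "mfa_phone_changed", "src": "helpdesk"},
    {"ts": "2025-04-19T18:49:30Z", "user": "bob", "type": "password_reset", "src": "helpdesk"},
    {"ts": "2025-04-19T19:05:12Z", "user": "bob", "type": "login_success", "src": "203.0.113.45"},
    {"ts": "2025-04-19T19:06:00Z", "user": "bob", "type": "role_granted", "src": "203.0.113.45", "detail": "Global Admin"},
    # carol: phone changed, but the reset comes three days later (outside a 24 h window)
    {"ts": "2025-04-20T08:00:00Z", "user": "carol", "type": "mfa_phone_changed", "src": "self_service"},
    {"ts": "2025-04-23T10:00:00Z", "user": "carol", "type": "password_reset", "src": "self_service"},
    # dave: phone changed, followed only by a login from a known corporate address
    {"ts": "2025-04-21T09:00:00Z", "user": "dave", "type": "mfa_phone_changed", "src": "self_service"},
    {"ts": "2025-04-21T09:10:00Z", "user": "dave", "type": "login_success", "src": "10.20.1.16"},
]


def parse_ts(value: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp written with a trailing 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def detect_sim_swap_chains(events, window_hours=24.0, known_sources=frozenset()):
    """Return one finding per factor-change event that is followed, within
    window_hours, by a password reset, a login from an unrecognised source,
    or a privilege grant for the same user. Severity grows with the number
    of distinct follow-on steps. Legitimate helpdesk resets match too, so
    this is a triage signal to review, not proof of compromise."""
    window = timedelta(hours=window_hours)
    by_user = {}
    for ev in sorted(events, key=lambda e: parse_ts(e["ts"])):
        by_user.setdefault(ev["user"], []).append(ev)

    findings = []
    for user, evs in by_user.items():
        for i, change in enumerate(evs):
            if change["type"] not in FACTOR_CHANGE:
                continue
            t0 = parse_ts(change["ts"])
            steps = set()
            for later in evs[i + 1:]:
                if parse_ts(later["ts"]) - t0 > window:
                    break  # events are time-ordered, so nothing later can qualify
                if later["type"] == "password_reset":
                    steps.add("password_reset")
                elif later["type"] == "login_success" and later.get("src") not in known_sources:
                    steps.add("login_from_new_source")
                elif later["type"] == "role_granted":
                    steps.add("privilege_granted")
            if not steps:
                continue
            severity = {1: "medium", 2: "high"}.get(len(steps), "critical")
            findings.append({
                "user": user,
                "factor_change_at": change["ts"],
                "changed_via": change.get("src"),
                "steps": sorted(steps),
                "severity": severity,
            })
    return findings


def run_sample():
    """Run the detector over the constructed log with the assumed known sources."""
    return detect_sim_swap_chains(SAMPLE_EVENTS, known_sources=KNOWN_SOURCES)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f['severity'].upper():8} {f['user']}: factor changed via {f['changed_via']} "
              f"at {f['factor_change_at']}, then {', '.join(f['steps'])}")
```

On the constructed log only bob is flagged: the phone factor was changed through the helpdesk and a password reset, a login from an address outside the corporate range and an admin role grant all follow within half an hour. carol's reset falls outside the window and dave's only follow-on login comes from a known address, so neither is raised; widening the window brings carol in at a lower severity. In production the same chain is worth alerting on even when the helpdesk ticket looks legitimate, because the ticket is exactly what the attacker manufactured.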
“Security is no longer just a tech issue. It’s a human one,” Rands commented. “Organisations must understand that trust can be manipulated - and must design systems that don't rely on it blindly.”
The Role of Telecoms and Banks in Preventing SIM Fraud
UK mobile network operators must move beyond outdated identity checks. Traditional knowledge-based authentication methods - name, postcode, date of birth - are no longer adequate in the age of data breaches and open-source intelligence.
At the same time, financial institutions should urgently reconsider the use of SMS as a primary channel for transaction confirmation and account recovery. In-app confirmation bound to an enrolled device, and passkeys or other FIDO2 credentials, offer far stronger alternatives because the approval cannot be redirected simply by moving a phone number.
Final Word: A Turning Point for UK Cybersecurity
The Marks & Spencer data breach is not an isolated incident - it is a clear demonstration of how outdated identity verification systems are being exploited by sophisticated threat actors.
“Cybersecurity must catch up with the way we live and work,” concludes Rands. “The tools exist. The knowledge exists. What’s needed now is urgency - and the will to act.”
Follow this link to check out our full Cyber Threat Analysis of the UK Retail Sector
The Next Step: Unlock the Security & Financial Advantages of PureCyber Threat Exposure Management
Webinar: Uncover The Unseen: Redefining Cyber ROI With Threat Exposure Management
Wednesday June 4th | 11am
Join our high-impact session revealing how continuous Threat Exposure Management and brand protection are rapidly becoming a critical part of the new frontline of cyber security. The session offers compelling examples of how the most prepared organisations are redefining their cyber ROI through proactive cyber security.
What you’ll learn:
+ How attackers are exploiting your digital footprint in places you aren’t watching
+ Why brand protection is no longer just a marketing problem - it’s a security priority
+ Real-world examples of the positive ROI impact proactive cyber security can have
+ The costs of inaction: data leaks, impersonation, revenue loss & reputational damage
How Can PureCyber Help?
The PureCyber team are here to take over the burden of your cyber security and ensure your organisation's data remains secure and well managed, with proactive monitoring and real-time threat intelligence - providing you with a comprehensive and reliable cyber department to support you in all aspects of your security efforts, including: 24/7 Security Operations Centre (SOC) services, Managed Detection & Response (MDR/EDR), Threat Exposure Management (TEM) & Brand Protection Services, and Penetration Testing.
PureCyber is recognised as an Assured Service Provider by the NCSC to offer governance and compliance consultancy services/audits. Contact our team of compliance experts to enquire about our full range of Governance Support - including Cyber Essentials, ISO 27001, FISMA, SOC1 and SOC2 standards.
Get in touch or book a demo for more information on our services and how we can safeguard your organisation with our expert cyber security solutions.
Email: info@purecyber.com Call: 0800 368 9397