The Attack Surface in Your Pocket—and How Scattered Spider Socially Engineers Their Way Inside

This advisory warns financial institutions that mobile devices and social-engineering campaigns led by groups such as Scattered Spider (in collaboration with LAPSUS$ and ShinyHunters) are primary attack vectors—exploiting SIM swaps, SMS/MFA, help-desk flows, and OAuth integrations—and recommends concrete mitigations including FIDO2/passkeys, cryptographic device binding, OAuth hygiene, stricter help-desk controls, and mobile-focused awareness and incident playbooks.