Remember when the most annoying thing about air travel was paying $15 for a sandwich that tastes like cardboard? Well, buckle up—Scattered Spider, the cybercriminal group with a name that sounds like a rejected Marvel villain, has decided to make flying even more stressful by targeting airlines across North America.

The Spider’s Web Spreads to 30,000 Feet

The notorious hacking collective has set its sights on the aviation industry, successfully infiltrating multiple airlines in the US and Canada throughout June 2025. Hawaiian Airlines and WestJet have already confirmed they’re dealing with the aftermath of cyberattacks.

What makes this particularly frustrating is Scattered Spider’s approach: they’re masters of the oldest trick in the book—social engineering. Think of them as the used car salesmen of cybercrime, except instead of selling you a lemon, they’re stealing your entire digital infrastructure.

The Art of the Con: Why Call Centers Are Cybercriminal Gold Mines

Here’s where it gets both impressive and infuriating: Scattered Spider’s preferred attack vector is simply calling people. While we’re all busy patching systems and deploying AI-powered threat detection, these hackers are picking up the phone and pretending to be Karen from Accounting who forgot her password again.

Airlines are particularly vulnerable to this approach because they rely heavily on call centers for customer support, IT help desks, and vendor coordination. It’s a target-rich environment where a convincing voice and basic social engineering skills can open doors that would take traditional hackers weeks to crack.

As former Las Vegas airport CISO Aakin Patel noted, “Airlines rely heavily on call centers for a lot of their support needs, making them a likely target for groups like this.” It’s like building a fortress with titanium walls, then leaving the front door propped open with a sticky note reading, “Please don’t rob us.”

Patterns in the Chaos: Scattered Spider’s Sector Strategy

What’s particularly telling about Scattered Spider is their methodical approach to mayhem. They don’t randomly attack targets—they pick a sector and systematically work through it like items on a grocery list:

• September 2023: Las Vegas casinos (MGM Resorts, Caesars Entertainment)
• November 2024: Retail (Ahold Delhaize USA, parent company of Giant and Food Lion)
• April 2025: Retail continued (Marks & Spencer, The Co-op, Harrods)
• June 2025: Insurance sector (Aflac)
• June 2025: Aviation industry (Hawaiian Airlines, WestJet Airlines)

This pattern suggests operational discipline that would make legitimate consulting firms jealous. They’re essentially running cybercrime as a business, complete with market research and sector specialization.

The Silver Lining in This Digital Storm Cloud

Before you start booking your next vacation via covered wagon, there’s good news. The targeted airlines have maintained operational continuity—flights are still departing and arriving on schedule. This suggests these organizations have implemented proper network segmentation and business continuity planning.

In cybersecurity terms, this is like having airbags in your car. The crash still hurts, but you’re more likely to walk away from it.

What This Means for Your Organization

If you’re thinking, “Well, I don’t run an airline, so I’m safe,” think again. Scattered Spider’s tactics work across any industry that relies on:

• Help desk operations
• Call centers
• Third-party vendors and contractors
• Customer service representatives with system access

Sound familiar? That describes roughly 90% of modern businesses.

Practical Defense Strategies

1. Implement Rigorous Identity Verification

Your help desk should treat every caller as if they’re attempting social engineering—because they might be. Multi-factor authentication isn’t just for users; it should extend to support interactions.

2. Conduct Regular Social Engineering Training

Your employees need to understand that the person calling at 3 PM claiming to be “Dave from IT” might actually be “Dave from Cybercrime.” Regular phishing simulations and social engineering awareness training are no longer optional.

3. Establish Network Segmentation

If Scattered Spider gains access, ensure they can’t reach everything. Proper network segmentation means an unauthorized access in your customer service system doesn’t automatically grant threat actors access to your most sensitive data.

4. Strengthen Vendor Risk Management

Remember, these attacks often target IT contractors and trusted vendors. Your security is only as strong as your weakest partner’s defenses.

The Bottom Line

Scattered Spider’s aviation campaign reminds us that sometimes the most sophisticated attacks use the most basic techniques. While we focus on AI-powered threats and advanced persistent threats (APTs), these cybercriminals succeed with nothing more than charm, confidence, and a phone.

The good news? Social engineering attacks are entirely preventable with the right policies, training, and culture. The challenge? They require something often harder to implement than technical solutions: getting humans to consistently follow security protocols.

As we watch Scattered Spider continue their sector-by-sector tour of American business, one thing is clear: the best defense against social engineering combines security awareness with healthy skepticism. In cybersecurity, paranoia isn’t a bug—it’s a feature.