This year marks two milestones in the evolution of cybercrime at scale. First, US authorities charged a teenager linked to Scattered Spider — also known as Octo Tempest, UNC3944, 0ktapus and Scatter Swine — in connection with over 120 intrusions and $115 million in ransom demands. Then, federal agents uncovered a massive SIM farm in New York wired with over 100,000 SIM cards, designed to disrupt telecommunications infrastructure and facilitate fraud at scale.
These aren’t isolated threats. They signal the rise of cybercrime as infrastructure — cross-border, scalable, and capable of targeting the foundational systems finance teams rely on. From telecom and identity to internal approvals and cross-border payments, the surface area is expanding.
Cybercriminals are scaling like global businesses
The New York SIM farm investigation revealed how attackers can now flood networks with millions of texts per day. According to federal officials, this setup could disrupt regional telecom services and power large-scale phishing and financial scams.
In parallel, Scattered Spider has been tied to campaigns that impersonate login portals used by staff in large enterprises — including Okta and CMS platforms. These fake sites lure users into handing over credentials, which are then paired with techniques like SIM swapping to silently bypass MFA and seize account control.
How cybercrime operations reach finance
While no vendor payment fraud has been directly linked to these groups, their tactics resemble the early stages of a business email compromise: observe, imitate, intervene.
Inbox monitoring and account escalation give attackers a window into how your team communicates, approves invoices, and updates vendor data. If a fraudster has access to your systems and knows your workflows, they don’t need to fake an email. They can be inside the process.
Scattered Spider dissected
Scattered Spider — also tracked as Octo Tempest, UNC3944, 0ktapus and Scatter Swine — is one of the most sophisticated and aggressive groups seen to date. Here's how their tactics break down:
| Tactic | What it is | Why it matters for finance |
|---|---|---|
| Impersonation | Attackers pose as internal IT or helpdesk support | Bypasses verification through social trust |
| MFA fatigue | Users are spammed with push prompts until they accept | Gives attacker silent access to secured accounts |
| SIM swapping | Control of a user’s phone number or SIM card | Lets attacker intercept SMS-based authentication |
| Phishing portals | Fake login pages that mimic enterprise systems | Steals real credentials in real time |
| Inbox monitoring | Attacker reads internal email without alerting staff | Reveals invoice timing, vendor details and approval habits |
| Admin escalation | Using compromised access to gain higher privileges | Allows attackers to edit vendor records or initiate payments |
Why finance teams should pay attention
The finance function — especially in large, cross-border teams — has a uniquely complex digital footprint:
- Vendor onboarding often involves multiple systems and departments
- International payments depend on timely, secure identity verification
- Manual approvals can be spoofed or intercepted through telecom layers
- Security gaps in finance-owned processes are often exploited silently
These realities make finance teams a critical attack surface — not always the direct target, but a key part of the kill chain.
What to take away from this
We’re seeing the rise of cybercrime operations that build infrastructure, deploy at scale, and infiltrate the middle layers of your payment ecosystem. From phishing to SIM control to inbox surveillance, these aren’t just tech issues — they’re process risks that finance leaders need to see coming.
Book a demo to learn how Eftsure helps finance teams detect anomalies, verify vendor details and shut down payment fraud before it starts.