I fell down a rabbit hole of videos a while back. People putting on a high-vis vest, picking up a clipboard, and walking straight into stadiums, office buildings, film sets. No badge check. No questions. Just confidence and the right props.
While everyone in the comments laughed, Scattered Spider was taking notes.
In February 2025, they did the same thing, just over the phone. Called M&S's IT help desk, said they were an employee, asked for a password reset and the help desk gave it to them. That was the door. The £300 million in lost profit came after.
Same move, different door
Turns out, this isn’t a single case, it’s a pattern. M&S wasn't even the first: MGM Resorts in 2023, Co-op and Harrods in 2025. Scattered Spider’s edge is that they understand something most security frameworks don't design for: the gap between physical and digital identity.

That gap exists in every organization. And until you've deliberately designed an answer to it, you're hoping the person at the front desk is having a bad day and won’t freely share information.
And this goes well beyond phone calls. I see it whenever I visit office buildings: contractors walk straight in. In most offices, someone vouched for them, they had a badge that looked right, and the person at reception let them through because they seemed fine.
That scene plays out every day. And the question it raises is: who actually verified that person?
Three questions worth asking this week
The question goes unanswered because the gap between physical and digital identity is invisible until a phone call to a help desk costs you £300 million.
So here's where to start:

Who verifies, and are they trained to? In most offices, it's whoever is closest to the door: reception, a passing colleague, the person who happened to pick up the phone. That's not a verification process.
What does a legitimate identity actually look like in your building? If you can't describe it precisely, neither can the person letting people in. Scattered Spider won because the help desk had no clear standard to check against.
Does your physical verification connect to anything digital? A visitor log that lives in a notebook and an access control system that lives in IT are two separate things. If they don't talk to each other, you have two half-answers to the same question.
The question made visible
The M&S story isn't really about cybersecurity. It's about whether a workplace knows who's in it, physically, digitally, at any given moment.
That's a question we think about a lot at Joan and it's why we've been building e-paper badges. It turns out, a badge is the one physical object in a workplace that's supposed to answer "who is this person" at a glance. And most of them are doing that job with a paper sticker that can’t be updated once printed and connects to nothing.
Our e-paper badges change that. They always show current information on who someone is, what they're there for, and where they're authorized to be. If you’d like to see how to improve your office security with our e-paper badges, let me know.
See you in the next one, Luka
P.S. You can now also follow my product, sustainability and workplace insights on LinkedIn. Let’s connect!
About the author
Luka Birsa is the co-founder of Joan Workplace, a platform designed to simplify meeting room booking, desk reservations, parking and asset booking, visitor management, and workplace digital signage.
Joan started as a meeting room management system but has quickly evolved into an entire suite of productivity-enhancing tools. From desk booking and visitor management to streamlining team collaboration, Joan is designed to help modern workplaces thrive.