

Update, August 1, 2025: This story, originally published on July 31, has been updated with a second FBI warning. After advising help desks not to reset passwords or transfer MFA on unverified requests, the FBI has now added guidance on how to avoid a QR-code scanning scam.
Scattered Spider is the somewhat too cutesy name applied to one of the most dangerous threat groups facing organizations today. The ransomware threat actors behind devastating attacks on retail and aviation targets, among others, show no signs of going away. The Federal Bureau of Investigation and the Cybersecurity and Infrastructure Security Agency have now updated a joint cybersecurity advisory with a critical new warning for help desks: do not reset a password, or move an employee's MFA to a new device, on the strength of a phone call you have not verified. Here’s what you need to know about the latest FBI warning and the ongoing Scattered Spider threat.
The FBI Password Reset Warning — Why It Makes Sense
At first glance, being told not to reset passwords in the face of an attack that compromises passwords appears counterintuitive, to say the least. After all, Google has long advised Gmail users to change their passwords, and plenty of other cybersecurity warnings recommend the same. But context is critical. Changing a password to prevent an attack, or switching to a more secure technology such as passkeys, makes sense. So does retiring weak or previously compromised passwords. This advice is different: it addresses the specific methodology Scattered Spider uses, which is to get someone else, the help desk, to perform the reset on the attacker's behalf.
The July 29 update to the FBI and CISA cybersecurity advisory, alert code AA23-320A, warns that Scattered Spider has “posed as employees to convince IT and/or helpdesk staff to provide sensitive information, reset the employee’s password, and transfer the employee’s MFA to a device they control on separate devices.”
Scattered Spider is using “layered social engineering techniques,” the FBI warned, often comprising multiple calls and contacts. These earlier contacts are made to learn what the help desk requires before it will process a password reset. “Once that information is identified,” the FBI said, “the threat actors continue to conduct phone calls to employees and help desks to gather password reset-specific information of a targeted employee.” This all culminates in a highly targeted spearphishing call to the help desk in question to convince staff to “reset passwords and/or transfer MFA tokens.”
The FBI recommended that organizations use phishing-resistant multifactor authentication for all services and accounts that access critical systems. “Organizations should continue to perform diligent employee training against vishing and spearphishing,” the alert said, and advised that updated mitigation recommendations from the U.K. National Cyber Security Centre be followed, including to “review helpdesk password reset processes, including how the helpdesk authenticates staff members' credentials before resetting passwords, especially those with escalated privileges.”
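The advisory's sequence, a help-desk password reset followed shortly by the "employee" enrolling a new MFA device, is also a pattern a security operations team can hunt for in identity-provider audit logs while the process review is under way. The script below is an added example, not code from the FBI, CISA or NCSC: it correlates help-desk-initiated resets with MFA factor enrollment on the same account inside a short window and raises the severity when the account is privileged or the new factor is not phishing-resistant. The event field names, the sample events and the privileged-account list are all constructed assumptions, loosely modeled on typical identity-provider audit records rather than any specific product's schema.

```python
"""Detect help-desk password reset followed by MFA re-enrollment on the same account.

Added example: correlates two audit-log actions that, in the Scattered Spider
pattern, occur minutes apart after a vishing call to the help desk.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample events for illustration only (not real logs). The field
# names are assumptions, loosely modeled on identity-provider audit logs.
SAMPLE_EVENTS = [
    {"ts": "2025-07-30T09:02:10Z", "action": "password.reset",
     "actor": "helpdesk.agent1", "target": "alice", "channel": "phone"},
    {"ts": "2025-07-30T09:06:44Z", "action": "mfa.factor.enroll",
     "actor": "alice", "target": "alice", "factor": "sms", "ip": "203.0.113.7"},
    {"ts": "2025-07-30T11:15:00Z", "action": "password.reset",
     "actor": "helpdesk.agent2", "target": "bob", "channel": "phone"},
    {"ts": "2025-07-31T08:00:00Z", "action": "mfa.factor.enroll",
     "actor": "bob", "target": "bob", "factor": "totp", "ip": "198.51.100.9"},
    {"ts": "2025-07-30T13:00:00Z", "action": "mfa.factor.enroll",
     "actor": "carol", "target": "carol", "factor": "fido2", "ip": "198.51.100.20"},
    {"ts": "2025-07-30T14:20:00Z", "action": "password.reset",
     "actor": "helpdesk.agent1", "target": "dave", "channel": "phone"},
    {"ts": "2025-07-30T14:25:00Z", "action": "mfa.factor.enroll",
     "actor": "dave", "target": "dave", "factor": "fido2", "ip": "198.51.100.30"},
]

# Assumption: in practice this set is derived from the directory's admin groups.
PRIVILEGED_ACCOUNTS = {"alice"}

# Factors an attacker can intercept or relay; FIDO2/passkeys are the
# phishing-resistant option the advisory recommends.
PHISHABLE_FACTORS = {"sms", "voice", "totp", "push"}


def parse_ts(value):
    """Parse the ISO-8601 'Z' timestamps used in the sample events."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def correlate_reset_then_enroll(events, window=timedelta(hours=1)):
    """Return one alert per MFA enrollment that follows a help-desk reset of the
    same account within `window`. Events may arrive in any order."""
    alerts = []
    last_reset = {}  # account -> most recent help-desk-initiated reset event
    for ev in sorted(events, key=lambda e: parse_ts(e["ts"])):
        # A reset performed by someone other than the account owner is the
        # help-desk action the advisory describes; self-service resets are skipped.
        if ev["action"] == "password.reset" and ev["actor"] != ev["target"]:
            last_reset[ev["target"]] = ev
            continue
        if ev["action"] != "mfa.factor.enroll":
            continue
        reset = last_reset.get(ev["target"])
        if reset is None:
            continue  # enrollment without a preceding help-desk reset
        delta = parse_ts(ev["ts"]) - parse_ts(reset["ts"])
        if delta > window:
            continue  # too far apart to be the same social-engineering episode
        privileged = ev["target"] in PRIVILEGED_ACCOUNTS
        weak_factor = ev.get("factor") in PHISHABLE_FACTORS
        alerts.append({
            "user": ev["target"],
            "reset_by": reset["actor"],
            "reset_ts": reset["ts"],
            "enroll_ts": ev["ts"],
            "factor": ev.get("factor"),
            "source_ip": ev.get("ip"),
            "minutes_between": round(delta.total_seconds() / 60, 1),
            "severity": "high" if (privileged or weak_factor) else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in correlate_reset_then_enroll(SAMPLE_EVENTS):
        print(alert)
```

On the constructed sample the detector fires twice: for alice, a privileged account that enrolled an SMS factor four and a half minutes after a phone-initiated reset, and for dave, whose enrollment was a FIDO2 key and so rates lower. Bob's enrollment the following morning and carol's enrollment with no preceding reset are not flagged. The window is deliberately short; widening it trades a few more true positives for the routine case of a genuine reset followed by a legitimate device change later the same day.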
Do Not Scan These Codes — The FBI Has Warned
Critical FBI cybersecurity warnings are starting to be a little like London buses: you wait a while, and then several turn up at once. Just days after the FBI issued the Scattered Spider advisory update, the Bureau has published alert number I-073125-PSA, warning the public of a new twist on an old threat: the brushing scam.
Brushing scams involve vendors fraudulently increasing their product ratings online by sending unsolicited items to unsuspecting recipients and using their information to post positive reviews. This latest scam, the FBI has warned, operates along a similar theme but is now using QR codes on such packages as a means to facilitate financial fraud.
The packages contain a QR code that “prompts the recipient to provide personal and financial information or unwittingly download malicious software that steals data from their phone,” the FBI said. Such parcels are often sent with no sender information at all, which encourages curious recipients to scan the code to find out where the package came from.
If you receive an unexpected package from an unknown sender, the FBI advises that you should not scan any QR codes contained within it or on the packaging itself. The FBI requests that the public report these fraudulent or suspicious activities to the FBI IC3 at www.ic3.gov.