The LastPass TIME Team is thrilled to share the second episode of our new podcast, The Phish Bowl! Join us every month as my co-host, friend, and colleague Mike Kosak and I (Stephanie Schneider) dive into the global cyber threat landscape. Every episode, we’ll unpack what’s really going on beneath the surface, exploring the globe region by region. For our second episode, we kicked things off with a deep dive into the cyber threat environment in Europe. We’re also publishing a new report for each region on a quarterly basis that will serve as the foundation for the podcast.
Europe has continued to experience a moderate threat level compared to other regions. Europe’s strong economies, high internet penetration rate, involvement in the ongoing Russia-Ukraine and Israel-Gaza conflicts, and digital ecosystem vulnerabilities make it a particularly attractive target for hackers. Special guest Daniel Card, Cybersecurity Consultant at PwnDefend, joined to share lessons learned from the field, plus thoughts on the UK’s Online Safety Act and how orgs can better defend against threats.
What’s driving the heightened cyber threat environment in Europe?
To frame the second episode’s discussion on cyber threats in Europe, let’s start by highlighting some regional trends and activity to put things in perspective. We just published a regional report on Europe that does an even deeper dive if you want to read more.
IBM’s X-Force 2025 Threat Intelligence Index found Europe was the third most targeted region after Asia-Pacific and North America last year. Attacks are continuing at a high frequency this year driven by several factors, including active conflicts in Ukraine and Gaza which have the potential to spill over into supporting countries, and the rise of cybercrime, such as the recent Scattered Spider campaigns targeting the UK retail sector (more on that in a bit). In Q2 2025, attacks against Europe jumped, marking the highest year-over-year (YoY) growth in regional attack volume (22%). The United Kingdom was the most targeted country in Europe, followed by Germany (18%) and Austria (14%), which are among the top economies in the region.
Ransomware is one of the most prevalent types of attacks targeting the region. Europe accounted for 25% of reported ransomware incidents, coming in second place after North America at 53% in Q2 2025. Germany and the UK are among second-tier ransomware targets compared to the US (52%). Several other European countries are also significantly targeted by ransomware to a lesser extent. Speaking of ransomware and cybercrime…
Scattered Spider weaves its web to trap UK retailers
Scattered Spider has been splashed across news headlines of late. The group is infamous, responsible for significant breaches over the last few years, like Okta and MGM Resorts. They’re interwoven with other notorious groups like The Com and LAPSUS$. Social engineering is the name of their game. Scattered Spider frequently leverages IT help desks to gain unauthorized access, targeting both IT help desk employees and organizations’ employees. Since first emerging in 2022, the group has been linked to over 100 attacks across multiple market verticals but tends to target one sector at a time. As one of their latest victims, Scattered Spider targeted the UK retail sector in April, before pivoting their industry focus to US insurance, airlines and transportation, and finance.
As part of their evolution, they’ve moved from conducting primarily US-focused attacks to attacks that are more global in nature, such as the recent campaigns in the UK and Australia. They’ve also progressed their TTPs from phishing kits and SIM swapping to broader approaches, among other advancements. As Mike points out, they’ve become more technically savvy, shifting from exfiltration to deploying ransomware, and have gotten better at reconnaissance, often going after credentials stored in clear text.
Our discussion highlighted several lessons learned from the recent Scattered Spider attacks:
- The power of simple social engineering. Attackers frequently get around security systems by making phishing calls that trick help-desk staff into resetting passwords, exploiting weak or reused credentials without MFA, and using local IP proxies or other means to appear legitimate.
- Embracing threat fluidity. Traditional threat modeling treats hackers as separate teams, but individuals can join and leave operations at will, share intel, swap roles, and more. Cool names like DragonForce or ShinyHunters make splashy headlines, but defenders should recognize these groups aren’t operating in separate silos.
- Building real resilience. We can take straightforward steps to transform from easy targets into hardened, resilient environments to stop attacks before they even begin. To push back, start with enforcing strong, unique passwords and mandating MFA; automating patching on all critical, internet-facing systems; and continuously monitoring for exposed credentials.
Joint advisory recommendations
In response to these widespread, damaging attacks, several governments issued a joint alert and warnings about Scattered Spider’s updated TTPs to raise awareness and stay ahead of this threat. We strongly encourage folks to review these advisories for additional recommendations. Here are a few steps you can take to protect yourself and your organization against Scattered Spider-style social engineering attacks:
- Train help desk staff and employees to recognize and shut down social engineering tactics. Social engineering goes after the weakest link in cybersecurity: humans.
- Strong identity access controls, including:
  - Least privileged access
  - Segmentation to prevent lateral movement
  - Phishing-resistant MFA and passkeys, across all user accounts, and especially for administrative accounts with privileged access
- Stick to approved channels for communications to prevent MFA bombing/fatigue, a tactic Scattered Spider has commonly used to bypass defenses.
Mastering the fundamentals to minimize cyber risk
Daniel’s real-world anecdotes and no-nonsense advice underscore a crucial message: simplicity in security controls can yield outsized protection. Leaving front doors open, even unintentionally, invites compromise. The vast majority of breaches stem from credential theft and human error (phishing, weak or reused passwords, lack of MFA), not always from advanced zero-day exploits. By mastering the fundamentals—enforcing unique strong passwords, rolling out MFA, keeping systems patched, and continuously scanning for exposed credentials—organizations can block most attacks and respond swiftly when incidents inevitably occur.
Insights on the UK’s Online Safety Act
The UK’s Online Safety Act aims to protect children online, but as Daniel highlighted, narrowing the focus to a single group without considering workarounds and systemic failures can lead to blind spots. Real-world testing revealed uneven implementation of this well-intentioned policy. While child safety is vital, effective regulation needs to consider all users and the full breadth of internet services—search engines, apps, and browsers alike—to prevent harm without creating loopholes or enforcement gaps.
Listen to the full episode
We’ve got the wheels rolling on this podcast now. Thanks for sticking around if you’re coming back for more, and if you’re new here, welcome!
- Subscribe for monthly threat intel deep dives.
- Access LastPass's Regional Report for detailed analysis of recent Europe trends and activity.
- Check out the LastPass Labs blog for more insights.
See you next month to talk about more threat environment updates in North America, along with a corresponding regional report!