Update: On 13 May 2025, Marks & Spencer confirmed that customer data had been compromised in the cyberattack. You can find out more here.
In the wake of the recent cyberattack on Marks & Spencer, scammers are likely to see this as an opportunity to exploit fear and confusion.
While there is currently no confirmation that customer data has been compromised, cybercriminals often take advantage of uncertainty like this to trick people into giving away personal details.
Here’s what you need to know
Scammers may pose as:
- Marks & Spencer customer service representatives
- Banks or payment providers “flagging suspicious activity”
- Legal firms offering fake compensation claims
- Or other organisations requesting identity confirmation
Their messages may seem urgent and convincing – often via email, text message, or even phone calls. The goal is to pressure you into clicking malicious links, sharing sensitive details, or downloading dangerous attachments.
Common scam tactics to watch for
Phishing emails that look like official communications
Scammers may send emails that appear to come from M&S, using logos, branding, and even email addresses that look legitimate at first glance. These emails often claim there’s a problem with your order or your account and include links that lead to fake login pages designed to steal your credentials.
Tip: Always hover over links before clicking and check the URL. If in doubt, go directly to the official M&S website instead of clicking through an email.
Texts asking you to “verify” your personal details
You may receive a text claiming there was a suspicious login or refund issue, asking you to click a link and “verify” your account. These are classic smishing (SMS phishing) tactics designed to harvest information or install malware on your device.
Tip: Legitimate companies will never ask you to submit personal or payment details through a link in a text message.
Fake M&S websites or customer portals mimicking the real one
Cybercriminals may set up fake websites that closely resemble the real M&S site. These pages often appear in scam emails or ads and can trick users into entering login credentials, payment details, or submitting complaints that capture personal data.
Tip: Double-check the website URL — the official M&S site is www.marksandspencer.com. Look out for misspellings, extra characters, or unfamiliar domains like “.support” or “.help”.
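The URL checks in the tips above can also be done mechanically, for example in a mail filter or help-desk tool. The Python sketch below is an added example, not code from M&S or from this article. The function names, the edit-distance threshold of 2 and the sample URLs are assumptions made for the illustration; only the official domain comes from this page.

```python
from urllib.parse import urlsplit

OFFICIAL = "marksandspencer.com"   # official site as stated on this page
BRAND = OFFICIAL.split(".")[0]

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-letter misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(url: str) -> str:
    """Return 'official', 'lookalike' or 'unrelated' for the host a link really opens."""
    parts = urlsplit(url if "//" in url else "//" + url)
    host = (parts.hostname or "").lower().rstrip(".")
    # Text before '@' is login info, not the site: a common way to fake a domain.
    if "@" in parts.netloc:
        return "lookalike"
    # Only the exact domain or a true subdomain of it counts as official.
    if host == OFFICIAL or host.endswith("." + OFFICIAL):
        return "official"
    # The brand name on any other domain, or a near-misspelling, is a lookalike.
    for label in host.split("."):
        if BRAND in label.replace("-", "") or edit_distance(label, BRAND) <= 2:
            return "lookalike"
    return "unrelated"

# Constructed sample links (not real indicators from any campaign).
SAMPLES = [
    "https://www.marksandspencer.com/account",
    "https://marksandspenser.com/login",                      # misspelling
    "https://marksandspencer.support/refund",                 # unfamiliar ending
    "https://marksandspencer.com.account-verify.help/login",  # real domain is the end
    "https://www.marksandspencer.com@refunds.example/login",  # '@' trick
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(f"{classify(link):10} {link}")
```

The part of the address that matters is the end of the host name: everything to the left of the final domain, and anything before an “@”, can be chosen freely by whoever registered the site.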
Calls claiming you’re entitled to compensation — for a fee
Scammers may call claiming to be from a law firm, data protection agency, or even M&S, telling you that you’re entitled to compensation due to the cyberattack — but you’ll need to “pay a processing fee” or provide your banking details first.
Tip: No legitimate legal claim will ask you to pay upfront or provide sensitive information over the phone.
Poorly written messages with a sense of urgency
Fraudulent messages often contain spelling errors, odd formatting, or grammar mistakes, but rely on creating panic. They might say things like “Your M&S account has been locked!” or “Act now to avoid losing your refund!”
Tip: Take a moment to breathe and assess the message. Urgency is a red flag. When in doubt, contact M&S directly using verified contact methods.
What you should do to stay safe following the M&S hack
In situations like this, cybercriminals often rely on confusion and urgency to trick people into making quick decisions. Whether or not your personal data has been exposed, it’s important to stay alert and take basic steps to protect yourself.
Here’s how to safeguard your information and avoid falling victim to scams:
Do not click links or open attachments unless you’re 100% sure of the sender
If you receive an email or text that appears to be from M&S or another trusted company, don’t interact with any links or attachments unless you’ve verified it’s legitimate. Scammers often use convincing branding to mimic real communications. Check the sender’s email address carefully. If something feels off, contact M&S directly through their official website instead of replying or clicking through.
Never share your passwords, card details, or National Insurance number
No genuine organisation will ask you to provide sensitive information like passwords or bank details via email, text, or an unsolicited phone call. If someone contacts you claiming to represent M&S or a legal firm and requests this kind of information, treat it as a red flag and end the conversation immediately.
Go directly to the official M&S website or app to check for real updates
To avoid phishing websites and fake portals, always visit M&S by typing www.marksandspencer.com into your browser or by using the official app from a trusted app store. Avoid using links sent to you in emails or texts unless you’re absolutely sure they are genuine.
Report suspicious messages or websites to Action Fraud
If you come across any suspicious emails, texts, calls, or websites, report them to Action Fraud – the UK’s national reporting centre for fraud and cybercrime. Your report could help stop others from becoming victims.
A final reminder
M&S and other reputable organisations will never ask you to confirm personal or financial details through unsolicited messages. If you’re ever unsure about the legitimacy of a message or phone call, stop and verify it independently. Your best protection is a cautious, informed approach.
This is a fast-moving situation, and we’ll continue to provide updates as more information becomes available.
If you’ve been notified that your data was compromised, you may be entitled to join a future claim for compensation. Our simple eligibility checker provides instant clarity. Answer a few straightforward questions, and you’ll know if you could qualify to join a data breach group action claim.