Google’s Threat Intelligence Group has issued a stark warning: the cybercriminal group known as Scattered Spider has shifted focus once again, this time toward U.S.-based insurance companies. Infamous for their high-profile breaches in the casino and retail sectors, this adaptable and increasingly aggressive group has now taken aim at a sector rich in sensitive data and operational vulnerabilities.
Who Is Scattered Spider?
Tracked by Mandiant as UNC3944 and linked to the loosely organized online community known as "The Com," Scattered Spider is composed largely of young hackers based in Western countries. Their specialty is social engineering: manipulating people rather than exploiting software, so that technical controls are bypassed by the very staff meant to enforce them. Their tactics include:
- Impersonating IT support staff to employees, and impersonating employees to the IT help desk, via phone calls, phishing emails, and SMS.
- MFA fatigue (push-bombing) attacks and SIM-swapping to capture SMS-based one-time codes.
- Abusing legitimate remote-management and administration tools already permitted in the environment for lateral movement and data exfiltration, which keeps their activity looking like routine IT work.
Their previous attacks have compromised major names in hospitality and retail, including MGM Resorts and Caesars Entertainment.
Insurance Industry in the Crosshairs
According to Google, the group’s latest operations have involved multiple intrusions into American insurance networks starting in early June 2025. Notable victims include:
- Erie Insurance: Detected suspicious activity on June 7, prompting a widespread investigation and containment effort.
- Philadelphia Insurance Companies (PHLY): Experienced unauthorized access on June 9, leading to system outages and customer impact.
These incidents are part of a broader trend, where insurance firms—already under immense regulatory pressure—are becoming high-value cyber targets due to the wealth of personally identifiable information (PII) and financial data they manage.
How They Breach
Scattered Spider is known for using low-tech but high-impact methods. Their attacks often start with:
- Help-desk manipulation: Persuading support staff to reset a password or enroll a new MFA device using convincing pretexts, caller-ID spoofing, and details about the target gathered beforehand. Because the reset is performed by a legitimate agent through a legitimate workflow, there is no exploit to detect, only an identity change.
- Residential proxies and home IP addresses: Routing logins through consumer ISP address space, often in the victim's own region, so that geolocation, impossible-travel, and IP-reputation checks see what looks like an ordinary employee connecting from home.
- Post-access deployment: Once inside, they exfiltrate sensitive data for extortion and may hand off access to, or deploy ransomware from, affiliate partners such as RansomHub or Qilin.
Expert Recommendations
Google and Mandiant have issued urgent security guidance, including:
- Help-desk Hardening: Require out-of-band identity verification before any password or MFA reset, for example video verification or a callback to a phone number already on record. Secondary challenge questions help only if the answers cannot be found on social media or in prior breach data, which for most knowledge-based questions they can.
- Stronger MFA: Move to phishing-resistant methods such as FIDO2/WebAuthn hardware security keys. Push-approval and SMS one-time-code factors are exactly what MFA fatigue and SIM-swapping defeat, so retiring them removes the attack surface rather than just raising the bar.
- Monitoring and Logging: Increase visibility across endpoints, identity systems, and network activity, and in particular alert on help-desk-initiated credential or MFA resets, new MFA device enrollments, sign-ins from residential-proxy ranges shortly after a reset, and installation of remote-management tools that are not part of the standard build.
- Training for Frontline Staff: Teach help-desk agents and employees to recognize social engineering red flags, such as urgency, requests to skip verification steps, and callers who know internal details but cannot pass the standard checks, and give them a no-blame path to pause and escalate.
- Segmentation: Limit lateral movement by enforcing strict, least-privilege access controls so that one compromised user account does not translate into domain-wide access.
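As an added illustration (not code from Google, Mandiant, or the original article) of what the monitoring recommendation looks like in practice, the script below correlates constructed identity-provider events to flag the two patterns described under "How They Breach": a help-desk reset followed by a sign-in from a network or device the account has never used, and an MFA push-bombing burst that ends in an approval. The event schema, field names, user names, ASN labels, and thresholds are all assumptions for illustration.

```python
"""
Added example, not from Google/Mandiant or the original article: correlate
constructed identity-provider events to flag two Scattered Spider-style
patterns.

  1. A help-desk-initiated password or MFA reset followed, within a short
     window, by a sign-in for that user from an ASN and/or device the
     account had never used before the reset.
  2. MFA fatigue: a burst of denied/timed-out push prompts for a user
     followed by an approved prompt inside the same window.

Event schema, field names, ASN labels and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs). Timestamps are UTC ISO-8601.
SAMPLE_EVENTS = [
    # j.doe: prior history from the corporate ASN on a known laptop.
    {"ts": "2025-06-07T08:00:00", "user": "j.doe", "type": "signin", "result": "success", "asn": "AS-CORP", "device": "LT-0421"},
    # Help desk resets j.doe's MFA after a phone call.
    {"ts": "2025-06-07T09:10:00", "user": "j.doe", "type": "mfa_reset", "result": "success", "actor": "helpdesk.agent"},
    # Twelve minutes later: sign-in from a residential ISP on a never-seen device.
    {"ts": "2025-06-07T09:22:00", "user": "j.doe", "type": "signin", "result": "success", "asn": "AS-RESIDENTIAL-ISP", "device": "WIN-7F3A"},
    # a.smith: repeated push prompts at 1 a.m., then one gets approved.
    {"ts": "2025-06-09T01:00:00", "user": "a.smith", "type": "mfa_push", "result": "denied"},
    {"ts": "2025-06-09T01:00:40", "user": "a.smith", "type": "mfa_push", "result": "timeout"},
    {"ts": "2025-06-09T01:01:15", "user": "a.smith", "type": "mfa_push", "result": "denied"},
    {"ts": "2025-06-09T01:02:05", "user": "a.smith", "type": "mfa_push", "result": "denied"},
    {"ts": "2025-06-09T01:03:30", "user": "a.smith", "type": "mfa_push", "result": "approved"},
    # b.lee: benign reset followed by a sign-in from the usual network/device.
    {"ts": "2025-06-09T10:00:00", "user": "b.lee", "type": "signin", "result": "success", "asn": "AS-CORP", "device": "LT-0099"},
    {"ts": "2025-06-09T11:00:00", "user": "b.lee", "type": "password_reset", "result": "success", "actor": "helpdesk.agent"},
    {"ts": "2025-06-09T11:05:00", "user": "b.lee", "type": "signin", "result": "success", "asn": "AS-CORP", "device": "LT-0099"},
]

RESET_TYPES = {"password_reset", "mfa_reset"}
RESET_WINDOW = timedelta(hours=1)       # reset -> suspicious sign-in (assumed)
FATIGUE_WINDOW = timedelta(minutes=10)  # push burst window (assumed)
FATIGUE_MIN_FAILURES = 3                # failed pushes before an approval (assumed)


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def detect_reset_then_new_network(events):
    """Flag successful sign-ins that follow a help-desk reset within
    RESET_WINDOW and come from an ASN or device not seen for that user
    before the reset. The baseline is built from earlier events only."""
    findings = []
    seen = defaultdict(lambda: {"asn": set(), "device": set()})
    last_reset = {}  # user -> timestamp of most recent reset
    for e in sorted(events, key=_ts):
        user, t = e["user"], _ts(e)
        if e["type"] in RESET_TYPES:
            last_reset[user] = t
            continue
        if e["type"] == "signin" and e["result"] == "success":
            new_asn = e["asn"] not in seen[user]["asn"]
            new_dev = e["device"] not in seen[user]["device"]
            reset_at = last_reset.get(user)
            if reset_at and t - reset_at <= RESET_WINDOW and (new_asn or new_dev):
                findings.append({"user": user, "rule": "reset_then_new_network",
                                 "reset_at": reset_at.isoformat(), "signin_at": e["ts"],
                                 "asn": e["asn"], "device": e["device"]})
            seen[user]["asn"].add(e["asn"])
            seen[user]["device"].add(e["device"])
    return findings


def detect_mfa_fatigue(events):
    """Flag a user whose approved push follows at least FATIGUE_MIN_FAILURES
    denied/timed-out pushes inside FATIGUE_WINDOW."""
    findings = []
    recent_failures = defaultdict(list)  # user -> timestamps of recent failed pushes
    for e in sorted(events, key=_ts):
        if e["type"] != "mfa_push":
            continue
        user, t = e["user"], _ts(e)
        fails = [f for f in recent_failures[user] if t - f <= FATIGUE_WINDOW]
        if e["result"] in ("denied", "timeout"):
            fails.append(t)
        elif e["result"] == "approved" and len(fails) >= FATIGUE_MIN_FAILURES:
            findings.append({"user": user, "rule": "mfa_fatigue",
                             "failures_before_approval": len(fails), "approved_at": e["ts"]})
            fails = []  # reset after reporting so one burst yields one finding
        recent_failures[user] = fails
    return findings


def run(events=SAMPLE_EVENTS):
    """Run both rules and return the combined list of findings."""
    return detect_reset_then_new_network(events) + detect_mfa_fatigue(events)


if __name__ == "__main__":
    for finding in run():
        print(finding)
```

In a real deployment the baseline of known ASNs and devices would come from 30 to 90 days of sign-in history rather than the same batch of events, and the ASN label would be replaced by a lookup against a residential-proxy or consumer-ISP feed. The reset-to-sign-in window and the failure threshold are tuning knobs; the b.lee events show why the rule keys on a new network or device rather than on the reset alone, since legitimate resets followed by a normal login are routine help-desk traffic.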
Why Insurance?
The pivot to insurance makes strategic sense. These companies hold:
- Troves of sensitive financial and health-related data.
- Complex digital ecosystems with varied third-party integrations.
- High stakes – service interruptions can cost millions and increase the likelihood of ransom payments.
For threat actors, it’s a lucrative and increasingly viable target.
Final Thoughts
Scattered Spider is proving to be more than a flash-in-the-pan hacking crew. Their relentless evolution, broadening targets, and continued reliance on psychological manipulation rather than brute force make them uniquely dangerous. As they set their sights on insurance firms, companies in every sector should revisit their incident response plans, identity verification procedures, and employee training programs—because if they haven’t been targeted yet, they might be next.