Cybersecurity researchers have confirmed a surge in cyberattacks on U.S. insurance firms, attributed to the threat group Scattered Spider. Known for its sector-specific focus, this group previously targeted retailers in the U.K., then moved to U.S. retail firms. Now, it has shifted attention to the American insurance industry.
A Coordinated Social Engineering Strategy
John Hultquist, Chief Analyst at Google Threat Intelligence Group (GTIG), warned that these attacks bear all the hallmarks of Scattered Spider activity. According to GTIG, companies in the insurance sector should be on high alert, especially against social engineering attempts that exploit help desks and call centers.
Scattered Spider is also tracked as 0ktapus, UNC3944, Scatter Swine, Starfraud, and Muddled Libra. The group is known for bypassing advanced security by using phishing, SIM swapping, and MFA fatigue attacks to gain initial access. These tactics often culminate in ransomware deployment. Observed strains include RansomHub, Qilin, and DragonForce.
The attackers use impersonation and emotional manipulation, sometimes including threatening language, to scare victims into compliance. These attacks usually involve convincing help desk agents to reset credentials or disable security features.
Strengthening Defenses Against Scattered Spider
GTIG recommends companies implement strong identity controls, segregate privileged accounts, and enforce rigorous verification for MFA setup and password resets. It is also crucial to gain visibility across infrastructure and identity systems.
Security awareness training should include examples of impersonation via SMS, phone calls, or messaging platforms. Employees must know how to recognize and respond to suspicious requests.
The U.K. National Cyber Security Centre (NCSC), responding to similar attacks on Marks & Spencer, Harrods, and Co-op, advises activating two-factor authentication, auditing admin account activity, and reviewing help desk authentication procedures.
Organizations should also monitor login attempts from unusual IP sources, such as residential VPNs, to detect early signs of compromise. By adopting these practices, insurance companies can better protect against this highly organized and evolving threat.
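The monitoring point above can be put into practice as a small review script. The following is an added example, not code from the article, GTIG, or the NCSC: it parses constructed sign-in log lines, checks each successful event's source address against a constructed watch list of residential-proxy ranges and against the user's usual country, and raises the severity when the event is a password reset or MFA enrolment, the identity changes Scattered Spider-style help desk pressure aims for. The CIDRs, usernames, IPs, and log format are all made up for the example; a real deployment would feed it the identity provider's sign-in log and a maintained proxy/ASN list.

```python
"""Flag successful logins and identity changes that come from unusual network sources."""
import ipaddress
import re
from dataclasses import dataclass

# Constructed watch list: ranges we pretend belong to residential proxy/VPN providers.
RESIDENTIAL_PROXY_RANGES = [
    ipaddress.ip_network(cidr) for cidr in ("198.51.100.0/24", "203.0.113.0/24")
]

# Constructed baseline: the country each user normally signs in from.
USER_HOME_COUNTRY = {"alice": "US", "bob": "US", "carol": "GB"}

# Identity changes that deserve a higher severity when they arrive from an odd source.
SENSITIVE_EVENTS = {"password_reset", "mfa_enroll"}

# Constructed sample log (syslog-like key=value lines); not real traffic.
SAMPLE_LOG = """\
2025-06-16T08:01:12Z login user=alice ip=192.0.2.10 country=US mfa=ok result=success
2025-06-16T08:03:45Z login user=bob ip=198.51.100.7 country=US mfa=ok result=success
2025-06-16T08:05:02Z password_reset user=carol ip=203.0.113.9 country=NL via=helpdesk result=success
2025-06-16T08:06:30Z login user=alice ip=192.0.2.10 country=US mfa=ok result=fail
2025-06-16T08:07:11Z mfa_enroll user=bob ip=203.0.113.44 country=BR result=success
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<event>\S+) (?P<kv>.*)$")


@dataclass
class Alert:
    ts: str
    user: str
    event: str
    severity: str  # "medium" for an odd login, "high" for an odd identity change
    reason: str


def parse_line(line):
    """Turn one log line into a dict of fields; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(pair.split("=", 1) for pair in m["kv"].split())
    fields["ts"] = m["ts"]
    fields["event"] = m["event"]
    return fields


def is_residential_proxy(ip):
    """True when the address falls inside any watch-listed range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RESIDENTIAL_PROXY_RANGES)


def analyze(log_text):
    """Return one Alert per successful event whose source looks unusual for that user."""
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        # Failed attempts are noisy on their own; this check is about successes from odd places.
        if ev is None or ev.get("result") != "success":
            continue
        reasons = []
        if is_residential_proxy(ev["ip"]):
            reasons.append("source in residential-proxy watch list")
        home = USER_HOME_COUNTRY.get(ev["user"])
        if home and ev.get("country") != home:
            reasons.append(f"country {ev['country']} differs from baseline {home}")
        if not reasons:
            continue
        severity = "high" if ev["event"] in SENSITIVE_EVENTS else "medium"
        alerts.append(Alert(ev["ts"], ev["user"], ev["event"], severity, "; ".join(reasons)))
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(f"[{a.severity}] {a.ts} {a.user} {a.event}: {a.reason}")
```

Run against the sample, the script flags Bob's login from a watch-listed range as medium, and Carol's help desk password reset and Bob's MFA enrolment, both from watch-listed ranges and countries outside their baselines, as high. The two "high" rows are exactly the kind of event the article's help desk verification advice is meant to prevent, so they are worth routing to an analyst rather than leaving in a dashboard.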