Sophisticated Social Engineering Tactics Used in Latest Attacks
Cybersecurity analysts have confirmed that Scattered Spider, a threat group known for impersonation and manipulation tactics, is now focusing on U.S. insurance companies. Previously active in the U.K. and U.S. retail sectors, the group has shifted toward exploiting customer service operations in the financial industry.
John Hultquist, Chief Analyst at Google’s Threat Intelligence Group (GTIG), warned that these new attacks reflect classic Scattered Spider behavior. The attackers use phishing, SIM swapping, and MFA fatigue to bypass defenses and gain access to enterprise systems.
Once inside, they often deploy ransomware tools such as RansomHub, Qilin, and DragonForce, with the initial breach typically achieved through help desk manipulation or credential resets.
Steps to Defend Against Scattered Spider Techniques
GTIG advises firms to enforce strict identity controls, restrict access to privileged accounts, and verify all changes to MFA or password settings through secure, multi-step processes.
Security awareness training must include real-world examples of voice phishing, text-based impersonation, and emotional pressure tactics. Employees should be trained to escalate suspicious requests and avoid overriding policy due to urgency.
The U.K.’s National Cyber Security Centre (NCSC) also recommends activating two-factor authentication, auditing admin-level activities, and tightening help desk workflows.
Organizations should monitor for unusual login activity, especially logins coming from residential VPNs or unexpected geolocations. These steps can improve early threat detection and limit the impact of future breaches.
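One way to put this monitoring advice into practice is to correlate help desk credential or MFA resets with the logins that follow them. The sketch below is an added example, not code from GTIG, the NCSC or the original article; the event schema, the `net` label (assumed to come from an IP enrichment feed) and the 24-hour window are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample events (hypothetical schema): identity-provider and help desk audit records.
EVENTS = [
    {"ts": "2025-06-10T09:00:00", "user": "alice", "type": "login", "country": "US", "net": "corporate"},
    {"ts": "2025-06-11T09:05:00", "user": "alice", "type": "login", "country": "US", "net": "corporate"},
    {"ts": "2025-06-12T14:00:00", "user": "alice", "type": "mfa_reset", "actor": "helpdesk"},
    {"ts": "2025-06-12T14:20:00", "user": "alice", "type": "login", "country": "US", "net": "residential_vpn"},
    {"ts": "2025-06-10T08:00:00", "user": "bob", "type": "login", "country": "US", "net": "corporate"},
    {"ts": "2025-06-12T10:00:00", "user": "bob", "type": "password_reset", "actor": "helpdesk"},
    {"ts": "2025-06-12T10:30:00", "user": "bob", "type": "login", "country": "US", "net": "corporate"},
    {"ts": "2025-06-10T08:00:00", "user": "carol", "type": "login", "country": "US", "net": "corporate"},
    {"ts": "2025-06-13T11:00:00", "user": "carol", "type": "password_reset", "actor": "helpdesk"},
    {"ts": "2025-06-13T11:45:00", "user": "carol", "type": "login", "country": "BR", "net": "isp"},
    {"ts": "2025-06-14T11:45:00", "user": "dave", "type": "login", "country": "DE", "net": "isp"},  # no prior reset
]
RESET_TYPES = {"mfa_reset", "password_reset"}

def find_suspicious_logins(events, window=timedelta(hours=24)):
    """Flag logins that follow a help desk reset within `window` and come from
    a residential VPN or a country not in the user's earlier login history."""
    seen_countries = {}   # user -> countries seen in non-alerting logins
    last_reset = {}       # user -> (time, type) of the latest reset
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        user, ts = ev["user"], datetime.fromisoformat(ev["ts"])
        if ev["type"] in RESET_TYPES:
            last_reset[user] = (ts, ev["type"])
        elif ev["type"] == "login":
            reasons = []
            if ev["net"] == "residential_vpn":
                reasons.append("residential_vpn")
            known = seen_countries.setdefault(user, set())
            if known and ev["country"] not in known:
                reasons.append("new_country:" + ev["country"])
            reset = last_reset.get(user)
            if reasons and reset and timedelta(0) <= ts - reset[0] <= window:
                alerts.append({"user": user, "login_ts": ev["ts"], "after": reset[1], "reasons": reasons})
            else:
                known.add(ev["country"])  # only non-alerting logins extend the baseline
    return alerts

if __name__ == "__main__":
    for alert in find_suspicious_logins(EVENTS):
        print(alert)
```

A reset followed by a login from the user's usual network (bob) and an unusual login with no preceding reset (dave) are deliberately left out of the alerts, which keeps the rule focused on the help desk path the article describes.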
Scattered Spider’s evolving strategy shows that attackers are prioritizing human weaknesses over technical flaws—making training and procedural discipline as important as firewalls and endpoint protection.