Scattered Spider Shifts Focus to U.S. Insurance Sector, Google Warns
Scattered Spider, a cybercrime group known for sector-specific targeting, has recently shifted its focus to the U.S. insurance industry, according to warnings issued by Google’s Threat Intelligence Group (GTIG) and reporting from BleepingComputer and Reuters. John Hultquist, GTIG's Chief Analyst, confirmed that “Google Threat Intelligence Group is now aware of multiple intrusions in the US which bear all the hallmarks of Scattered Spider activity. We are now seeing incidents in the insurance industry.” Previously observed in high-profile breaches of retail organizations in both the U.K. and U.S., the group’s pivot toward insurers marks a continuation of its pattern of targeting one vertical at a time. Hultquist added, “Given this actor's history of focusing on a sector at a time, the insurance industry should be on high alert, especially for social engineering schemes, which target their help desks and call centers.”
The warning comes amid ongoing disruptions at major insurance providers. Erie Insurance disclosed a network outage beginning June 7, later attributing it to “unusual network activity” that triggered a broader incident response, including involvement from law enforcement and third-party cybersecurity firms. The outage, which impacted core systems, was confirmed in an SEC filing. Similarly, Philadelphia Insurance Companies (PHLY) reported unauthorized access detected on June 9, resulting in the disconnection of its systems to contain the threat. While neither company officially linked the incidents to Scattered Spider, their timing and characteristics align with the group’s tactics. On June 20, Aflac disclosed a separate cybersecurity incident first identified on June 12 involving unauthorized access via social engineering. Although attribution has not been made, the methods used are consistent with tactics previously linked to Scattered Spider and further align with GTIG's warning.
Organizations are advised to implement and strengthen their identity verification processes for help desk and support functions, a key attack vector in Scattered Spider operations. Recommendations include requiring on-camera identity checks, challenge-response authentication, and phishing-resistant MFA. Scattered Spider’s operations have previously bypassed mature security controls through aggressive and well-crafted social engineering campaigns, often leveraging impersonation and urgency tactics to manipulate internal staff. Google and U.K. authorities have stressed the need for reviewing password reset procedures, especially for privileged accounts, and monitoring for abnormal login behaviors, such as access from residential IP ranges or through consumer VPN services. As activity linked to this group intensifies, security teams in the insurance sector are being urged to proactively harden access controls and remain alert for signs of intrusion.
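The controls recommended above (scrutinising help-desk password resets on privileged accounts, enforcing phishing-resistant MFA, and watching for logins from residential or consumer-VPN address space) can be turned into a small correlation rule. The following Python is an added example written for this page, not code from Google, GTIG, or any of the insurers named; the JSON log format, the IP ranges treated as residential or consumer VPN, the privileged group names, and the MFA factor names are all constructed assumptions, and the sample log lines are fabricated for the demonstration.

```python
"""Hypothetical correlation rule for help-desk-driven account takeover.

Everything here (log schema, IP ranges, group names, factor names) is an
assumption made for this example; real deployments would take the suspect
ranges from an IP-reputation feed and the events from the IdP's audit log.
"""
import ipaddress
import json
from datetime import datetime, timedelta

# Constructed example ranges an organisation might tag as residential ISP or
# consumer VPN egress. These are documentation ranges, not real reputation data.
SUSPECT_RANGES = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.0/24")]
# Assumed privileged group names; adapt to the directory/IdP in use.
PRIVILEGED_GROUPS = {"Domain Admins", "Okta Super Admin", "Global Administrator"}
# Factor names assumed to be phishing-resistant; everything else is treated as weak.
PHISHING_RESISTANT = {"fido2", "webauthn", "smartcard"}
# A login from suspect space this soon after a help-desk reset is the pattern to catch.
RESET_TO_LOGIN_WINDOW = timedelta(hours=2)

# Constructed sample log, one JSON event per line (not real telemetry).
SAMPLE_LOG = """
{"ts": "2025-06-10T09:00:00", "event": "helpdesk_password_reset", "user": "j.doe", "actor": "helpdesk.agent1", "groups": ["Domain Admins"]}
{"ts": "2025-06-10T09:05:00", "event": "mfa_factor_enrolled", "user": "j.doe", "factor": "sms"}
{"ts": "2025-06-10T09:20:00", "event": "login_success", "user": "j.doe", "src_ip": "203.0.113.44"}
{"ts": "2025-06-10T09:30:00", "event": "login_success", "user": "a.smith", "src_ip": "10.0.5.12"}
{"ts": "2025-06-10T09:40:00", "event": "helpdesk_password_reset", "user": "b.lee", "actor": "helpdesk.agent2", "groups": []}
{"ts": "2025-06-10T09:50:00", "event": "login_success", "user": "b.lee", "src_ip": "10.0.5.40"}
"""


def ip_is_suspect(ip: str) -> bool:
    """True if the source address falls in a range tagged residential/consumer VPN."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in SUSPECT_RANGES)


def parse(lines):
    """Parse JSON-per-line events, convert timestamps, and order them by time."""
    events = [json.loads(line) for line in lines if line.strip()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"])
    return sorted(events, key=lambda e: e["ts"])


def detect(lines):
    """Return (rule, user, detail) findings for the patterns described in the text."""
    findings = []
    last_reset = {}  # user -> (reset time, help-desk actor who performed it)
    for e in parse(lines):
        user = e["user"]
        if e["event"] == "helpdesk_password_reset":
            last_reset[user] = (e["ts"], e["actor"])
            # Any help-desk reset of a privileged account deserves review on its own.
            if set(e.get("groups", [])) & PRIVILEGED_GROUPS:
                findings.append(("privileged_reset_via_helpdesk", user, e["actor"]))
        elif e["event"] == "mfa_factor_enrolled":
            # Enrolling SMS/voice/OTP after a reset is how a phished reset gets persisted.
            if e["factor"] not in PHISHING_RESISTANT:
                findings.append(("weak_mfa_enrolled", user, e["factor"]))
        elif e["event"] == "login_success":
            suspect = ip_is_suspect(e["src_ip"])
            if suspect:
                findings.append(("login_from_suspect_range", user, e["src_ip"]))
            reset = last_reset.get(user)
            # Correlate: suspect-range login shortly after a help-desk reset.
            if suspect and reset and e["ts"] - reset[0] <= RESET_TO_LOGIN_WINDOW:
                findings.append(("reset_then_suspect_login", user, reset[1]))
    return findings


def run_sample():
    """Run the rule over the constructed sample log."""
    return detect(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for rule, user, detail in run_sample():
        print(f"{rule:30} user={user:8} detail={detail}")
```

On the constructed sample the rule fires four times, all on `j.doe`: the privileged reset, the SMS factor enrolment, the login from the tagged range, and the correlated reset-then-login. The two benign users generate nothing, which is the point of tying the suspect-range check to a recent help-desk reset rather than alerting on every off-network login.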