Scattered Spider now targeting U.S. insurance firms, Google warns
Farah Amod
Jun 30, 2025 2:37:23 PM

Cybercriminals are shifting focus to insurance, using social engineering to breach IT support teams.
What happened
Google’s Threat Intelligence Group (GTIG) has issued a warning about a series of attacks by Scattered Spider, a cybercrime group known for its social engineering tactics. The group, also known as UNC3944, has been linked to recent intrusions at U.S. insurance firms, marking a shift from its prior focus on retailers in the U.S. and U.K.
According to GTIG, multiple breaches show strong signs of Scattered Spider’s involvement. The group is known for targeting one industry at a time, and the insurance sector is now in its crosshairs, especially companies with help desks and IT support teams that are vulnerable to impersonation and phishing.
Going deeper
Scattered Spider typically gains access by tricking IT support staff into resetting credentials or bypassing multi-factor authentication (MFA). The group impersonates employees through phone calls or phishing messages and is described as being particularly effective due to its cultural familiarity and native English fluency.
Recent activity suggests that Scattered Spider may be operating alongside or in parallel with DragonForce, a ransomware cartel that recently absorbed RansomHub’s infrastructure. While speculation about collaboration has surfaced, GTIG says there is no concrete evidence that Scattered Spider is deploying ransomware or coordinating with DragonForce directly.
Security firms, including Mandiant and ReliaQuest, have also flagged an uptick in Scattered Spider attacks against managed service providers (MSPs) and IT contractors, which lets the group reach multiple clients through one compromised vendor.
What was said
GTIG chief analyst John Hultquist said the group’s latest attacks bear “all the hallmarks of Scattered Spider activity.” SOS Intelligence added that the attackers excel at psychological manipulation, often deceiving help desk teams into resetting credentials by posing as internal staff.
ReliaQuest and Mandiant also noted that large enterprises with third-party or distributed IT support are particularly exposed due to the scale and complexity of their operations.
The big picture
Scattered Spider’s expansion into the insurance sector reflects a broader tactic of targeting industries with layered IT systems and support models that can be exploited through social engineering. Rather than relying on ransomware, the group emphasizes access, impersonation, and long-term presence. Organizations with remote or outsourced IT support face higher exposure to these tactics. In response, businesses are focusing on stronger identity checks, tighter control of user privileges, and better training to detect and report deceptive access attempts.
FAQs
What makes the insurance industry an appealing target for attackers like Scattered Spider?
Insurers handle sensitive personal and financial data, and many rely on large or outsourced IT support structures, which can be exploited through impersonation and phishing.
Is there any confirmed link between Scattered Spider and ransomware groups?
Although some reports suggest parallel targeting by DragonForce, GTIG has not seen direct evidence of collaboration or ransomware deployment by Scattered Spider.
What are some social engineering tactics used by this group?
They often call IT help desks pretending to be employees, use stolen credentials to appear legitimate, and pressure support teams into resetting passwords or disabling MFA.
How can companies better protect against these types of attacks?
Implement stricter authentication procedures, train help desk staff to verify identities through multiple channels, and monitor for unusual access behavior in real time.
Are smaller firms or only large enterprises at risk?
While large firms with big IT teams are a primary focus, any organization using MSPs or third-party IT services could become a secondary target through supply chain compromise.