Cybercriminals are shifting focus to insurance, using social engineering to breach IT support teams.
Google’s Threat Intelligence Group (GTIG) has issued a warning about a series of attacks by Scattered Spider, a cybercrime group known for its social engineering tactics. The group, also known as UNC3944, has been linked to recent intrusions at U.S. insurance firms, marking a shift from its prior focus on retailers in the U.S. and U.K.
According to GTIG, multiple breaches show strong signs of Scattered Spider’s involvement. The group is known for targeting one industry at a time, and the insurance sector is now in its crosshairs, especially companies with help desks and IT support teams that are vulnerable to impersonation and phishing.
Scattered Spider typically gains access by tricking IT support staff into resetting credentials or bypassing multi-factor authentication (MFA). The group impersonates employees through phone calls or phishing messages and is described as being particularly effective due to its cultural familiarity and native English fluency.
Recent activity suggests that Scattered Spider may be operating alongside or in parallel with DragonForce, a ransomware cartel that recently absorbed RansomHub’s infrastructure. While speculation about collaboration has surfaced, GTIG says there is no concrete evidence that Scattered Spider is deploying ransomware or coordinating with DragonForce directly.
Security firms, including Mandiant and ReliaQuest, have also flagged an uptick in Scattered Spider attacks against managed service providers (MSPs) and IT contractors, allowing them to reach multiple clients through one compromised vendor.
GTIG chief analyst John Hultquist said the group’s latest attacks bear “all the hallmarks of Scattered Spider activity.” SOS Intelligence added that the attackers excel at psychological manipulation, often deceiving help desk teams into resetting credentials by posing as internal staff.
ReliaQuest and Mandiant also noted that large enterprises with third-party or distributed IT support are particularly exposed due to the scale and complexity of their operations.
Scattered Spider’s expansion into the insurance sector reflects a broader tactic of targeting industries with layered IT systems and support models that can be exploited through social engineering. Rather than relying on ransomware, the group emphasizes access, impersonation, and long-term presence. Organizations with remote or outsourced IT support face higher exposure to these tactics. In response, businesses are focusing on stronger identity checks, tighter control of user privileges, and better training to detect and report deceptive access attempts.
Insurers handle sensitive personal and financial data, and many rely on large or outsourced IT support structures, which can be exploited through impersonation and phishing.
Although some reports suggest parallel targeting by DragonForce, GTIG has not seen direct evidence of collaboration or ransomware deployment by Scattered Spider.
Scattered Spider operators often call IT help desks pretending to be employees, use stolen credentials to appear legitimate, and pressure support teams into resetting passwords or disabling MFA.
Defenses include stricter authentication procedures for help desk requests, training support staff to verify identities through multiple independent channels, and monitoring for unusual access behavior in real time.
While large firms with big IT teams are a primary focus, any organization using MSPs or third-party IT services could become a secondary target through supply chain compromise.