Scattered Spider, the notorious threat group known for targeting major retailers and employing advanced social engineering techniques, has reportedly shifted its focus to the U.S. insurance industry, according to a new warning from Google's Threat Intelligence Group (GTIG).
The group, which previously disrupted operations at several high-profile retail organizations in the U.K. and the U.S., is now believed to be behind several digital break-ins affecting U.S.-based insurance companies. GTIG issued the alert after observing multiple attacks and tactics consistent with Scattered Spider's known playbook.
"Given this actor's history of focusing on a sector at a time, the insurance industry should be on high alert—especially for social engineering schemes which target their help desks and call centers," said John Hultquist, Chief Analyst at Google Threat Intelligence Group.
[RELATED: Scattered Spider Strikes Again: U.K. Attacks Spark U.S. Retailer Alarm]
The pivot toward insurance firms aligns with Scattered Spider's preference for high-value data and easily manipulated entry points. Insurance companies often store extensive customer data—Social Security numbers, financial information, and health records—which can be exploited for extortion or sold on the dark web.
"Insurance companies are attractive targets… because they handle vast amounts of sensitive customer data," said Fletcher Davis, Senior Security Research Manager at BeyondTrust. "They also have a large help desk and outsourced IT functions that are susceptible to social engineering attacks, which align directly with Scattered Spider's competencies.”
That combination of rich data and vulnerable endpoints makes the sector particularly susceptible.
While Google has not named specific companies affected by the latest campaign, Pennsylvania-based Erie Insurance may be one of them. The company disclosed a cybersecurity breach on June 7th and has been updating customers on its recovery efforts. Though attribution has not been confirmed, the timing and methods resemble other attacks tied to Scattered Spider.
Scania's insurance division has also reportedly suffered a breach, suggesting a potentially broader targeting of the sector.
According to Ben Hutchison, Associate Principal Consultant at Black Duck, these kinds of sector-specific campaigns are common in the threat actor lifecycle.
"Once a particular attack or group has been successful in compromising a specific target or sector, this can serve as motivation both for others to engage in similar efforts and for the specific threat actor to double down," Hutchinson said.
Dave Gerry, CEO at Bugcrowd, emphasized the importance of human-centered defense strategies.
"They've been exploiting vulnerabilities with social engineering tactics, focusing on help desks and call centers, where the human is oftentimes the weakest link," Gerry said. "The Erie breach underscores the need for robust incident response plans and ongoing employee training."
With Scattered Spider continuing to evolve and shift its focus, the insurance sector may now be in the eye of the storm. Experts are urging firms to reevaluate their employee awareness programs, shore up help desk defenses, and deploy layered incident response protocols.
The message from the threat intelligence community is clear: this is not a one-off event, it's a campaign—and insurance companies must treat it with urgency.