‘The insurance industry should be on high alert,’ says chief analyst
Insurers have been urged to reinforce cyber defences after Google’s Threat Intelligence Group (GTIG) confirmed that actors linked to the notorious Scattered Spider group have now turned their attention to the insurance sector.
John Hultquist, chief analyst at GTIG, warned that the threat group typically targets one sector at a time and is now deploying “all the hallmarks of Scattered Spider activity” in attacks on insurance firms.
“The insurance industry should be on high alert,” Hultquist told BleepingComputer. He also wrote on LinkedIn that “insurance companies should be on the lookout for social engineering schemes targeting their call centers”.
Scattered Spider – also tracked as 0ktapus, UNC3944, and Muddled Libra – uses advanced social engineering techniques, including phishing, SIM-swapping and multifactor authentication (MFA) fatigue attacks, to gain initial access.
The group has previously breached high-profile organisations such as Marks and Spencer and Harrods, often deploying ransomware in the later stages of the attack.
In June 2025, two US insurance firms – Philadelphia Insurance Companies and Erie Insurance – disclosed cyber incidents consistent with these tactics.
Philadelphia Insurance discovered unauthorised access on 9 June and was forced to disconnect parts of its network, while Erie Insurance reported “unusual network activity” starting on 7 June and took immediate action to protect its systems and data.
Target acquired
The shift in the target sector marks an evolution in Scattered Spider’s strategy, according to GTIG, which previously tracked the group’s activity as it moved from UK retail into US retail and now into financial services.
Cyber security experts believe this trend poses a risk to UK insurers. Jon Abbott, chief executive at ThreatAware, said: “The rising tide of attacks on US insurers is a serious threat the sector must address – and a warning for other industries to stay vigilant.
“These attackers tend to target one sector at a time and no industry is immune. Previous successes against the likes of M&S, Caesars and MGM highlight one critical truth – cyber hygiene matters more than the tools already deployed and working.”
Abbott added that Scattered Spider’s methods “don’t rely on advanced exploits, but instead use fast-moving social engineering tactics to bypass weak helpdesk protocols and identity checks”.
To defend against such attacks, GTIG and the UK’s National Cyber Security Centre (NCSC) recommend enhancing identity verification processes, especially for high-privilege users, and reviewing how helpdesks authenticate credentials. Other measures include monitoring for unauthorised logins.
Abbott said insurers must prioritise fundamentals, such as maintaining accurate asset inventories, hardening service desk processes and monitoring behavioural anomalies. “Most importantly, insurers need to cultivate a culture of security awareness across all teams,” he added.
“Visibility, processes and people – not just tech – are the real lines of defence against Scattered Spider.”
