Scattered Spider, who is believed to be responsible for several cyberattacks against the retail sector in recent months, has apparently shifted targets to the insurance sector. 

In an X post from Chief Analyst John Hultquist of Google Threat Intelligence Group, he warns that the group may intend to target the insurance sector and work “their way through.” 

Hulquist advises that insurance organizations “should be on the lookout for social engineering schemes targeting their call centers.” 

Below, security leaders discuss the apparent shift in targets from Scattered Spider. 

Security Leaders Weigh In

Fletcher Davis, Senior Security Research Manager at BeyondTrust: 

Insurance companies are attractive targets for Scattered Spider because they handle vast amounts of sensitive customer data, including personal information, financial records, and health data, which can be targeted for data theft and extortion. Insurance companies often have large help desk and outsourced IT functions that are susceptible to social engineering attacks, which align directly with Scattered Spider’s competencies and playbooks. The global and complex structure of many of these insurance firms makes comprehensive security and detection of malicious activity significantly difficult as well.

Dave Gerry, CEO at Bugcrowd:

Scattered Spider’s shift to targeting the insurance industry, as noted by Google’s Threat Intelligence Group, raises serious cybersecurity concerns. They’ve been exploiting vulnerabilities with social engineering tactics, focusing on help desks and call centers, where the human is oftentimes the weakest link.  

Recent incidents, like the breach at Erie Insurance, highlight the urgency for enhanced defenses and robust incident response plans across the insurance sector. It’s crucial for companies to bolster their defenses against evolving threats like these and realize that employees continue to be increasingly targeted. 

Ben Hutchison, Associate Principal Consultant at Black Duck:

Unfortunately, it is not uncommon for a particular industry sector and classes of organizations to suffer from an upsurge of similar attacks, or seemingly targeted attacks, in phases of threat actor operations. They may be considered victims of the moment, as unfortunately once a particular attack or threat actor group has been successful in compromising a specific target/sector, this can serve as motivation both for others to engage in similar efforts and for the specific threat actor to double down on their efforts and launch attacks against similar targets. Given the recent rising trend in attacks targeting retail organizations and the insurance industry, these organizations should treat this as yet another wakeup call to ensure they are prioritizing their cybersecurity and digital resiliency.