Scattered Spider Aims at US Insurers After UK Retail Hit, Google Warns
A hacker group known for high-profile attacks on retail giants is now turning its attention to the insurance sector, according to a new warning from Google’s Threat Intelligence Group. The group, known as Scattered Spider, has been linked to a series of recent cyber attacks that disrupted access for insurance customers across the United States.
The alert follows a series of data breaches at major UK retailers earlier this year. After that wave of attacks, Google analysts noted that Scattered Spider had begun targeting US-based retailers. Now, researchers say the group is showing a clear interest in insurance firms and is actively exploiting their workforce through social engineering.
“Actors that bear the hallmarks of Scattered Spider are now targeting the insurance industry, they have a habit of working their way through a sector,” said John Hultquist, chief analyst at Google’s Threat Intelligence Group. In a post on X, he noted that Scattered Spider relies heavily on social engineering, especially schemes aimed at help desks and call centers.
Actors that bear the hallmarks of Scattered Spider are now targeting the insurance industry. They have a habit of working their way through a sector. Insurance companies should be on the lookout for social engineering schemes targeting their call centers.
— John Hultquist (@JohnHultquist) June 16, 2025
The tactic isn’t new, but it remains effective. Rather than relying on complex exploits or malware, the group frequently poses as employees or contractors to convince staff to reset passwords or share sensitive access credentials. This approach gives attackers a way in, without having to breach security
While Google hasn’t publicly named the companies affected in this latest wave of attacks, Erie Insurance, a Pennsylvania-based provider, reported a breach on June 7. The company has not confirmed who was behind it, but the timing aligns with Google’s warning. Erie has been issuing updates to customers but has yet to share details about the full extent of the intrusion.
Meanwhile, Scania’s insurance division was also reportedly affected, adding weight to concerns that the group’s focus on insurers is well underway.
🚨Data Breach Alert‼️ 🇸🇪Sweden – Scania Financial ServicesA threat actor using the alias "hensi" claims to have breached the subdomain insurance.scaniacom, allegedly gaining access to and exfiltrating a full set of files.
The actor states this is a first-time intrusion… pic.twitter.com/aPP09wSjhB
Dave Gerry, CEO at Bugcrowd, says the recent activity highlights long-standing risks in the way companies handle internal support systems.
“They’ve been exploiting vulnerabilities with social engineering tactics, focusing on help desks and call centers, where the human is oftentimes the weakest link,” Gerry said. “Incidents like the one at Erie Insurance show how important it is for the insurance sector to revisit its defenses and incident response strategies. These aren’t one-off events. This is targeted, and it’s ongoing.”
Insurers hold sensitive financial and personal data, a tempting target for attackers. But what makes them especially vulnerable is the combination of high-value information and complex customer support systems, which often require staff to handle urgent access requests or account changes.
When threat actors can impersonate staff or customers convincingly enough, help desk employees may unknowingly hand over access to internal tools or user accounts.
Organizations should review how support teams verify identity and manage account access. Multi-step verification, better training, and limiting permissions can help reduce the risk of a successful social engineering attack.
HackRead
