Scattered Spider Cyber Criminals Turn to Insurance Companies as Next Targets
A trio of insurance companies were hit by cyberattacks in a five-day period earlier this month as a cybercrime collective targets the sector.
The group, known as Scattered Spider or UNC3944, recently targeted retail companies but has pivoted to major insurance companies, Google’s Threat Intelligence Group (GTIG) said in an email sent to different stakeholders. The group is known for its ability to use social engineering to impersonate employees, deceive IT teams, and bypass multifactor authentication, according to an SOS Intelligence briefing.
“Google Threat Intelligence Group is now aware of multiple intrusions in the U.S. which bear all the hallmarks of Scattered Spider activity,” John Hultquist, chief analyst at GTIG, said in the email on 16 June. “We are now seeing incidents in the insurance industry. Given this actor's history of focusing on a sector at a time, the insurance industry should be on high alert, especially for social engineering schemes which target their help desks and call centers.”
The group appears to be made up of native English speakers who can launch alarmingly effective phishing and phone-based attacks. They often single out large enterprise organizations in hopes of a bigger payoff. Enterprises with large help desks and outsourced IT functions, which are more susceptible to social engineering, are also targeted, according to The Hacker News.
After gaining network access, Scattered Spider threat actors have used publicly available, legitimate remote access tunneling tools to collect additional information, according to the FBI and CISA.
U.S. supplemental insurance vendor Aflac disclosed on 20 June that it experienced a cyberattack earlier this month that potentially affected the company’s data, Reuters reported.
According to a filing with the U.S. Securities and Exchange Commission (SEC), “On June 12, 2025, Aflac Incorporated, a Georgia corporation (the ‘Company’), identified unauthorized access to its network. The Company promptly initiated its cybersecurity incident response protocols and believes that it contained the intrusion within hours. The Company’s business remains operational, and its systems were not affected by ransomware. The Company continues to serve its policyholders as it responds to this incident and can underwrite policies, review claims, and otherwise service customers as usual. The Company has engaged leading third-party cybersecurity experts to support the Company’s response to the incident.”
The full scope of the breach is not yet known, but early investigations indicated the potential compromise of Social Security numbers, claims information, and health records.
In emailed commentary, Ted Miracco, CEO at zero trust security firm Approov, said, “Aflac’s swift response and transparent disclosure following the June 12 breach are both commendable and somewhat atypical. The use of social engineering to gain network access is part of a growing trend we’re seeing across the insurance and broader financial services sector. These attacks are often aided by agentic AI, as attackers are targeting the human element, at scale, to bypass perimeter defenses and exfiltrate sensitive data such as health records and Social Security numbers. This reinforces the urgent need for a layered security approach, particularly in mobile-first environments, where phishing-resistant authentication, runtime app protection, and robust API shielding are most essential.”
Two other companies—Erie Indemnity Corp. and Philadelphia Insurance Companies—were hit by cyberattacks in June. Both experienced network outages and business disruption as a result of the attacks, CyberScoop reported.
“There is definitely a stream of insurance company targeting,” said cybersecurity firm Dispersive VP Lawrence Pingree in an emailed statement. “My assumption is that this is due to the plethora of data that these entities hold, and additional context that can be gleaned for other types of attacks seem attractive to the initial access brokers. But for sure it's a bit of a guessing game until they start using the data.”
Scattered Spider targets one sector at a time in waves of attacks. It previously struck retailers, including alleged involvement in attacks against Dior, Harrods, the Co-Op Group, and Marks & Spencer.
Since 2023, “we have regularly observed UNC3944 conduct waves of targeting against a specific sector, such as financial services organizations in late 2023 and food services in May 2024,” a GTIG summary said. “Notably, UNC3944 has also previously targeted prominent brands, possibly in an attempt to gain prestige and increased attention by news media.”