Scattered Spider and the Insurance Industry
Defending against the new age of social engineering attacks
Social engineering attacks are not new; they have been a mainstay of the cyber-attack arsenal for years. What has changed is the sophistication of the methods, which have again been wreaking havoc on US corporations and, in recent months, have been aimed squarely at the insurance industry.
Scattered Spider, operating out of the US and UK, is one of today's most notorious cybercriminal groups. It is not a state-sponsored actor but a financially motivated collective with an almost corporate-like structure, largely made up of teenagers and young men recruited from online gaming communities such as Roblox and Minecraft. The group first gained notoriety a few years ago with casino intrusions, then turned to international airlines, and in recent months has made US-based insurers a priority target. Known for its blend of advanced social engineering and deep knowledge of enterprise IT, it has already caused significant disruption in financial services, and its activity has made clear that an insurance company's unique technology landscape leaves it especially exposed.
While Scattered Spider dominates headlines in the cyber community, it is far from the only threat actor eyeing this sector; others are already probing for weaknesses. The uncomfortable reality is that Scattered Spider is neither the first nor the last threat actor the insurance sector will face.
The insurance sector faces a perfect storm of conditions that make it a lucrative and accessible target for threat actors:
- Legacy technology from decades of mergers and acquisitions creates systems that are often forgotten but still connected.
- Highly complex IT environments that even internal teams may not fully understand.
- High-value personal and financial data that can be monetized or used for future attacks.
- Personal health and identity information of not only the company's employees but also its insureds.
In short, attackers see insurance as a castle with many unguarded side doors.
Scattered Spider thrives on human manipulation, and on how little attention our industry pays to the human threat vector. The group specializes in tricking employees, contractors, or partners into granting access, typically by impersonating IT staff to employees, or employees to IT help desks, to obtain credentials and MFA resets, which bypasses even the most sophisticated perimeter controls. Once inside, they move fast, escalate privileges, and blend in with legitimate activity.
That inattention to the human threat vector is the hard truth of organizational cyber defense: we cannot stop every attempt, and even the most secure environment is only as strong as its weakest human link.
Think of your company like a castle:
- The main gate is secure, but attackers will look for a side door.
- Defense in depth: a fortress is more than a single wall around a keep; every layer an attacker must cross buys defenders time.
- In your treasure rooms, keep fake jewels: decoy data that distracts attackers, slows them down, and reveals their presence the moment it is touched.
Cybersecurity in the insurance industry must shift from a prevention-only mindset to a containment and resilience strategy. The most challenging part isn't stopping an attack before it happens; it's limiting damage when it inevitably does.
At WWT, we work with leading insurers to modernize defenses, detect faster, and respond smarter. Our approach includes:
- Uncovering hidden points of weakness, whether on-premises, in the cloud, or in legacy technology, so those points can be fortified.
- Modernizing identity and access controls to prevent lateral movement.
- Deploying deception technology that alerts security teams to intrusions in real time.
- Creating holistic human threat programs that help employees resist social engineering and phishing attempts.
- Establishing rapid incident response/recovery playbooks to clean up quickly and reduce impact.
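The "fake jewels" above and the deception technology in this list come down to the same mechanism: plant records and accounts that no legitimate process ever uses, and alert the moment a log shows one being touched. The following is an added example written for this article, not WWT code or a product; it assumes a JSON access/auth log format and a per-deployment secret, both illustrative, and the log lines are constructed sample data.

```python
"""Decoy-data (honeytoken) planting and detection.

Added example for this article, not code from WWT or any product. Assumes a
JSON access/auth log and a per-deployment secret; both are illustrative.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass

# Assumption: a per-deployment secret that never lives in the data stores where
# decoys are planted, so an attacker reading those stores cannot tell decoys
# from real records.
DECOY_SECRET = b"replace-with-a-per-deployment-secret"


@dataclass(frozen=True)
class Decoy:
    kind: str      # what the decoy pretends to be
    location: str  # where it was planted; tells responders what was touched
    value: str     # the string that appears in data and, on access, in logs


def make_decoy(kind: str, location: str, secret: bytes = DECOY_SECRET) -> Decoy:
    """Derive a unique, reproducible decoy value from (kind, location).

    HMAC keeps the values unguessable, and deriving rather than storing them
    lets the detector regenerate the whole decoy set from a list of locations.
    """
    digest = hmac.new(secret, f"{kind}|{location}".encode(), hashlib.sha256).hexdigest()
    if kind == "policy_number":
        value = "POL-" + digest[:10].upper()   # shaped like a real policy id
    elif kind == "service_account":
        value = "svc_" + digest[:8]            # shaped like a real automation account
    else:
        raise ValueError(f"unknown decoy kind: {kind}")
    return Decoy(kind, location, value)


def scan_logs(lines, decoys):
    """Return one alert per (log line, decoy) where the line references the decoy.

    Decoys are never used legitimately, so there is no baseline to learn and no
    threshold to tune: a single hit is actionable.
    """
    alerts = []
    for raw in lines:
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue  # malformed line; a real pipeline would count these separately
        for decoy in decoys:
            # Check every string field so a decoy in "user", "object" or "query" all fire.
            hit = next((f for f, v in event.items()
                        if isinstance(v, str) and decoy.value in v), None)
            if hit is not None:
                alerts.append({
                    "severity": "critical",
                    "decoy_kind": decoy.kind,
                    "planted_at": decoy.location,
                    "matched_field": hit,
                    "actor": event.get("user"),
                    "source_ip": event.get("src_ip"),
                    "ts": event.get("ts"),
                })
    return alerts


# Two decoys: a fake policy record in the claims database and a fake service
# account in the directory. Locations are hypothetical names.
DECOYS = [
    make_decoy("policy_number", "claims_db.policies"),
    make_decoy("service_account", "ad.ou=ServiceAccounts"),
]

# Constructed sample log lines (not real data). Decoy values are inserted by
# reference so the sample stays consistent with whatever secret is configured.
SAMPLE_LOGS = [
    json.dumps({"ts": "2025-06-10T02:14:07Z", "user": "jdoe", "src_ip": "10.20.4.17",
                "action": "read", "object": "POL-8813A2"}),          # legitimate read
    json.dumps({"ts": "2025-06-10T02:14:09Z", "user": "jdoe", "src_ip": "10.20.4.17",
                "action": "export", "object": DECOYS[0].value}),    # decoy record exported
    json.dumps({"ts": "2025-06-10T02:15:31Z", "user": DECOYS[1].value,
                "src_ip": "198.51.100.23", "action": "logon", "result": "failure"}),
    "not json at all",                                                # malformed line
]


def demo():
    """Run the detector over the constructed sample; returns the alert list."""
    return scan_logs(SAMPLE_LOGS, DECOYS)


if __name__ == "__main__":
    for alert in demo():
        print(json.dumps(alert))
```

The legitimate read of `POL-8813A2` produces nothing, while the export of the decoy policy and the logon attempt with the decoy account each produce a critical alert that names the planted location, so responders know which store the intruder was reading. In practice the decoys would be seeded into real systems and the scan wired to the SIEM, but the logic does not change.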
By combining technology, process, and people, insurers can shift from being easy prey to resilient defenders.
Scattered Spider's rise signals a broader shift in cyber risk for insurance: technical defenses alone are no longer enough. The real measure of security is the ability to detect and contain an attack before it escalates.