Google threat analysts have warned that the malefactors behind the recent spate of attacks against the UK retail sector have turned their attention to the insurance sector.
The cybercriminal group known as Scattered Spider, infamous for its fast-talking social engineering schemes and high-impact ransomware, appears to be expanding its hunting ground. This time, it’s targeting insurance firms.
According to Mandiant’s Chief Analyst John Hultquist, attackers “bearing the hallmarks of Scattered Spider” are now probing the insurance industry. “They have a habit of working their way through a sector,” Hultquist posted. “Insurance companies should be on the lookout for social engineering schemes targeting their call centers.”
Google has echoed the alert, urging the sector to remain on “high alert.”
The warning comes hot on the heels of high-profile attacks against British retailers.
Recently, the Co-op was hit by a major cyberattack, reportedly involving a massive data breach that impacted operations and customer services. Not long before, Marks & Spencer suffered an attack that went undetected for 52 hours, exposing sensitive employee data.
Following these incidents, Mandiant released a hardening guide in early May for security teams focused on Scattered Spider’s techniques.
Now, insurers are feeling the heat. A growing number of digital break-ins, suspicious network activity, and extended outages suggest something serious is afoot.
Ransomware and Help Desk Hoaxes
Scattered Spider is known for striking fast. Its attacks often begin with impersonation: fake help-desk calls that manipulate employees into handing over credentials. Once inside, the attackers steal data and deploy ransomware. In several recent intrusions, a strain called DragonForce was seen.
Following the retail sector incidents, Google released security guidance to help organizations defend against the group’s tactics. But that hasn’t stopped the latest wave.
Two Weeks of Downtime, and Counting
The insurance industry may already be under siege.
Two major US insurers, Erie Insurance and Philadelphia Insurance Companies (PHLY), are still grappling with serious network outages.
Erie, the twelfth-largest home and auto insurer in the U.S., first detected “unusual network activity” on 7 June. The company disclosed the incident in an 11 June SEC filing, confirming an “information security event” that forced it to shut down systems across the board.
“We’re confident in our actions,” Erie said in a 14 June update, “but this work is complex and takes time.” It confirmed it is working with law enforcement and top-tier cybersecurity experts to investigate the breach and restore services.
More than a week later, customers still cannot access key online functions. The company has repeatedly warned policyholders not to click links or give information over the phone during the outage.
PHLY, part of Tokio Marine North America, is in a similar position.
On 9 June, the company’s IT team received an alert about suspicious activity. They quickly found evidence of unauthorized access, shut down systems, and kicked off a forensic investigation. In a public statement, PHLY apologized to customers and said it was working “around the clock” to bring systems back online.
Its parent company, Tokio Marine North America, which also owns First Insurance Company of Hawaii (FICOH), later confirmed the breach extended across multiple subsidiaries. The firm activated incident response protocols and notified law enforcement. As of 17 June, investigation efforts were still ongoing.
Too Coincidental?
Google hasn’t directly attributed these incidents to Scattered Spider. But the timing, techniques, and scale are suspicious. So far, no group has claimed responsibility, and neither Erie nor PHLY has confirmed ransomware was involved.
Still, the warning signs are hard to ignore.
Scattered Spider has a pattern. It works its way through sectors, exploiting human error as much as technical weaknesses. It moves quickly, leverages insider access, and rarely stops after one hit.
First came telecoms. Then came retail. Now it’s insurance.
For an industry that thrives on assessing and pricing risk, this moment is a sobering reality: cyber risk isn’t an abstract idea. It’s here, and it’s operational.
Companies that once saw themselves as low-risk targets must now confront a sophisticated adversary exploiting the soft underbelly of modern business: the people on the phones and the trust they carry.
As Hultquist bluntly put it: “Be on the lookout.”
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.


