June 30, 2025

Ex-FBI agent warns insurers: Beware ‘Scattered Spider’ cyber attacks

Robotic spiders crawling over a digital globe. A major international cybercrime organization known as Scattered Spider is setting its sights squarely on the insurance industry.
By Rayne Morgan

As a major international cybercrime organization known as Scattered Spider sets its sights squarely on the insurance industry, a former FBI agent and current head of cyber practice at Kroll is warning insurers to shore up their defenses.

“Awareness is key because oftentimes Scattered Spider is effectively exploiting people who are not security experts, but who are in very important and sensitive positions and help-desk-type environments. Their job is to facilitate access for people, so it’s kind of against their nature to not do that, but awareness is key, getting them trained up,” Adam Malone, global head, acute events in Kroll’s cyber risk practice, said.

Scattered Spider first emerged around 2021, when it began targeting major companies. It began targeting insurance companies in 2023 but went quiet for about a year after U.S. law enforcement made some arrests and disrupted its operations.

But now, the criminal organization is back. It’s already suspected of being behind a series of cyber attacks on U.S. insurers like AFLAC, Philadelphia Insurance Company, and Erie Insurance — all within just the last two to three weeks.

“Recently, we saw them come back on the scene targeting retailers in Europe, primarily the U.K., a couple of big cases suspected to be Scattered Spider. And now, the industry has started to notice a trend targeting insurance. One thing about Scattered Spider is they typically do stick with the sector for some period of time, for various reasons, before they move on to other victim types,” Malone said.

But the good news is insurers do have methods to protect against potential attacks, such as ensuring they have adequate training and internal cybersecurity plans in place. They can also leverage services like those provided by Kroll to have expert support in making sure their defenses stack up.

Scattered Spider’s unique threat

Scattered Spider poses a unique threat because it’s primarily English-speaking and exceptionally competent in social engineering. There have been signs that some of this group’s perpetrators are American young adults, which Malone described as an “unusual” and “worrisome” trend.

“Scattered Spider essentially was a group of people who formed this criminal group who were primarily English speakers and had very good skills in social engineering. They also had a lot of hands and feet that could do things like use identity theft to gain access to stolen phones and SIM cards, could call and speak with help desks in native English, and were good at impersonating people,” he explained.

The group began with different types of crimes but eventually partnered with ransomware groups to facilitate getting access into companies — and ransomware attacks can “bring a company to its knees for a matter of weeks, if not months.”

What insurers should watch out for

Malone, who also leads Kroll’s global digital forensics, incident response and intelligence functions, cautioned insurers that Scattered Spider’s specialty is in using company technology against itself.

“Their goal is to gain access to corporate assets masquerading as a corporate employee, typically or ideally an IT employee. They’re very good at using social engineering tactics — phone calls, text messages, spoofed domains to act like help desk or IT people in a company and gain access to people’s accounts and multi-factor capabilities to log in with very little difficulty into corporate networks,” he said.

They can even trick a cell phone provider into sending them a SIM device or SIM chip, which enrolls a phone onto someone’s account and allows the attackers to bypass a lot of the legitimate controls companies have deployed.

Once they gain access to a company’s systems, they very quickly turn the company’s own documented IT knowledge against it. For example, they may mine internal knowledge bases or ticketing systems for intelligence, gathering usernames and passwords that are documented in manuals, policies and coding documents to facilitate their access.

“They pivot very quickly to trying to find the most sensitive information in an organization. Oftentimes, that’s regulated information or sensitive financial information that they will take in order to extort the company to increase their chances of being paid. And then, the last thing they’ll do is deploy ransomware,” Malone said.

Preparation is the best defense

To ensure they’re best prepared to rebuff a cyber attack, insurers should work with cyber experts within companies or through vendor relationships and empower them to develop a robust security plan.

Malone suggested insurers:

  • Think about what a cyber attack would look like and what bad actors would do
  • Assess and test their internal controls to see how effective those are
  • Plan out how they would respond to an attack (whether to pay ransom, how much to pay, who signs off, etc.)

“But all that comes second to education, having good policy, making sure people understand the controls that are in place and follow procedures appropriately and if they see something, say something,” Malone said.

Insurers can also work with companies like Kroll, which can help test their defenses, understand how to protect their most sensitive data and prepare overall.

Kroll is an international financial advisory services and risk management firm founded in 1932 and based out of New York, NY. It ventured into the cyber aspect of business in the early 2000s and currently sits on over 80 cyber insurance panels to provide specialized services and advice.

© Entire contents copyright 2025 by InsuranceNewsNet.com Inc. All rights reserved. No part of this article may be reprinted without the expressed written consent from InsuranceNewsNet.com.

Rayne Morgan

Rayne Morgan is a journalist, copywriter, and editor with over 10 years' combined experience in digital content and print media. You can reach her at [email protected].
