
Scattered Spider Hackers Now Target U.S. Insurance Companies
The cybercriminal group Scattered Spider, also tracked as UNC3944, has started attacking insurance companies throughout the United States.
In a rush? Here are the quick facts:
- Scattered Spider is now targeting U.S. insurance companies.
- The group uses phishing, SIM-swapping, and MFA fatigue attacks.
- The hackers impersonate helpdesk staff to access internal systems.
The Google Threat Intelligence Group (GTIG) has confirmed multiple recent intrusions that match the group's typical methods, which rely on advanced social engineering to get past otherwise robust security controls.
“Google Threat Intelligence Group is now aware of multiple intrusions in the US which bear all the hallmarks of Scattered Spider activity. We are now seeing incidents in the insurance industry,” John Hultquist, Chief Analyst at GTIG, told Bleeping Computer.
Because Scattered Spider tends to strike one sector at a time, Hultquist warns that “the insurance industry should be on high alert.”
Previously, the group attacked major U.K. retailers such as Marks & Spencer and Harrods, using phishing, SIM-swapping, and MFA fatigue to gain access and then deploy ransomware such as DragonForce and RansomHub. These operations steal valuable data and demand ransom payments to restore access to essential systems.
According to GTIG and other experts, the hackers open their attacks by posing as help desk staff, using AI-generated communications to deceive their targets. Once inside, they escalate their privileges and then move laterally across the company's systems.
The group is financially motivated and makes direct contact with organizations that have large IT and customer service teams, which it manipulates through social engineering.
GTIG advises organizations to strengthen identity protection, harden authentication, and train staff to recognize impersonation across email, phone, and messaging channels.
Organizations should also actively monitor for abnormal login activity and review their help desk credential reset procedures, especially for employees with high-level system access.
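As an added illustration of the two controls just described (not code from the article or from GTIG), the following script runs two detections over constructed sample events: an approved MFA push preceded by a burst of rejected pushes, which is the MFA fatigue pattern, and a help desk credential reset on a privileged account that was not backed by a strong identity check. The event fields, user names, and the set of acceptable verification methods are assumptions for the example.

```python
from datetime import datetime, timedelta

# Constructed sample events (illustrative only, not taken from the article).
# "mfa_push" events carry the user's response; "helpdesk_reset" events carry
# how the help desk verified the caller before resetting credentials.
EVENTS = [
    {"ts": "2025-06-16T09:00:05", "user": "admin.jsmith", "type": "mfa_push", "result": "denied"},
    {"ts": "2025-06-16T09:01:10", "user": "admin.jsmith", "type": "mfa_push", "result": "timeout"},
    {"ts": "2025-06-16T09:02:30", "user": "admin.jsmith", "type": "mfa_push", "result": "denied"},
    {"ts": "2025-06-16T09:04:00", "user": "admin.jsmith", "type": "mfa_push", "result": "approved"},
    {"ts": "2025-06-16T09:05:00", "user": "clerk.alee", "type": "mfa_push", "result": "approved"},
    {"ts": "2025-06-16T10:15:00", "user": "admin.jsmith", "type": "helpdesk_reset",
     "verification": "caller_id_only"},
    {"ts": "2025-06-16T10:20:00", "user": "clerk.alee", "type": "helpdesk_reset",
     "verification": "manager_callback"},
]

PRIVILEGED_USERS = {"admin.jsmith"}  # assumed: accounts with high-level system access
STRONG_VERIFICATION = {"manager_callback", "in_person"}  # assumed acceptable checks


def _parse(ts):
    return datetime.fromisoformat(ts)


def detect_mfa_fatigue(events, min_rejections=3, window=timedelta(minutes=10)):
    """Return (user, approval_ts) pairs where an approved push follows at least
    `min_rejections` denied or timed-out pushes for the same user within `window`."""
    hits = []
    pushes = sorted((e for e in events if e["type"] == "mfa_push"), key=lambda e: e["ts"])
    for i, e in enumerate(pushes):
        if e["result"] != "approved":
            continue
        start = _parse(e["ts"]) - window
        rejected = sum(1 for p in pushes[:i]
                       if p["user"] == e["user"] and p["result"] in ("denied", "timeout")
                       and _parse(p["ts"]) >= start)
        if rejected >= min_rejections:
            hits.append((e["user"], e["ts"]))
    return hits


def detect_weak_privileged_resets(events, privileged=PRIVILEGED_USERS):
    """Return (user, verification) for help desk resets of privileged accounts
    that were not backed by a verification method in STRONG_VERIFICATION."""
    return [(e["user"], e.get("verification")) for e in events
            if e["type"] == "helpdesk_reset" and e["user"] in privileged
            and e.get("verification") not in STRONG_VERIFICATION]


if __name__ == "__main__":
    print(detect_mfa_fatigue(EVENTS))
    print(detect_weak_privileged_resets(EVENTS))
```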
The cybersecurity community regards UNC3944 as a major threat because the group has the resources to send scam messages to almost every American several times a year.