Scattered Spider Targets Insurance: How to Defend Against the Real Threat of Credential-Based Attacks

Highlights:

  • Scattered Spider's New Target: The cybercrime group Scattered Spider is now systematically targeting the U.S. insurance industry, exploiting the sensitive data these firms hold.
  • Legacy MFA is Not Enough: Traditional Multi-Factor Authentication (MFA), like push notifications and one-time passcodes, is being actively bypassed by techniques like Adversary-in-the-Middle (AitM) attacks.
  • A Three-Pronged Defense is Crucial: To effectively combat this threat, organizations must adopt a strategy that includes phishing-resistant MFA (like FIDO-based passkeys), robust identity verification for credential resets, and continuous monitoring of device integrity.
  • The Path Forward is Identity Assurance: The key to neutralizing Scattered Spider's playbook is to shift from probabilistic security measures to a deterministic approach that verifies user identity with certainty at every critical point.

Let’s get one thing clear: Scattered Spider isn’t “back” – they never left. You’ve seen the headlines. MGM, Marks & Spencer, and others all fell victim to their schemes. Now, this relentless cybercrime collective has a new target in its crosshairs: the U.S. insurance industry. With recent cyberattacks rattling major providers like Aflac, Erie Insurance, and Philadelphia Insurance Companies, the threat isn't just looming; it's here. As it always has been.


As Google Threat Intelligence Group's Chief Analyst puts it, "the threat I lose sleep over is Scattered Spider.” For defenders, it’s time to cut through the noise and face the hard truth. These attackers aren’t deploying zero-day exploits or groundbreaking malware. They’re walking right through the front door using valid credentials.

They win by mastering the art of social engineering and exploiting the soft spots most enterprises still rely on: MFA push fatigue, help desk fraud, and phishable credentials. If your security posture hinges on the idea that "our MFA is good enough," it might be time for a stark reality check on current adversarial techniques. This guide will break down their playbook and give you a definitive strategy to fight back.

Meet the Apex Predator: Who is Scattered Spider?

Before you can build a defense, you need to know your enemy. Scattered Spider is not a typical state-sponsored group. They are a nimble and amorphous collective of young, English-speaking cybercriminals, reportedly affiliated with a larger network known as "The Com." Their defining characteristic is their methodical approach. They focus their expertise on one industry at a time, learning the sector's unique processes, lingo, and technology stacks. This allows them to craft attacks with terrifying precision and efficiency.

After a string of successful extortion campaigns against major retailers, Google's Threat Intelligence Group has warned that Scattered Spider has pivoted. Their new hunting ground is the insurance sector, and it's a target rich with opportunity. Think about the data insurance companies hold: a treasure trove of claims information, sensitive health records, Social Security numbers, and other personally identifiable information (PII). For cybercriminals, this data is gold, whether for extortion or for sale on the dark web.

The Scattered Spider Playbook: Anatomy of a Credential-Based Attack

To understand the threat Scattered Spider poses, you have to dissect their Tactics, Techniques, and Procedures (TTPs). Their success isn't magic; it's a repeatable, three-act play designed to dismantle traditional security controls by targeting the most vulnerable asset: people.

The Weapon of Choice: Hyper-Personalized Social Engineering

At its core, social engineering is the art of psychological manipulation to trick people into divulging confidential information or bypassing security protocols. But Scattered Spider has taken this to a new level, especially with the "turbo boost" provided by Generative AI.

Gone are the days of poorly worded emails with suspicious links. Today's phishing/social engineering attacks are masterpieces of deception. By mining public data about employees from sources like LinkedIn, company websites, and social media, attackers can craft highly convincing and customized phishing lures within minutes. These messages use the right tone, contain local context, and are largely indistinguishable from legitimate communications.

The Weakest Link: Exploiting Help Desks and Credential Resets

Scattered Spider knows that the fastest way around a fortified wall is to find someone to open the gate for you. Their prime target for this is the IT service desk. These teams are often the unsung heroes of an organization, but they are also understaffed, overwhelmed with requests, and fundamentally trained to be helpful – a perfect storm for exploitation.

The scenario plays out like this: An attacker, armed with a dossier of personal information scraped from the internet, calls the help desk. They might pose as a high-ranking executive with an urgent request or as an employee who has lost their phone and is locked out of their account. They use those details to sound credible, create a sense of urgency, and talk the service agent into resetting the legitimate employee's password or enrolling a new MFA device that the attacker controls. Just like that, the attacker is handed the keys to the kingdom. Nothing has been exploited, so nothing fires: the reset looks like any other ticket unless the help desk's password-reset and MFA re-enrollment actions are themselves logged and reviewed.

The Final Blow: Bypassing Legacy MFA with Adversary-in-the-Middle (AitM) Attacks

"But we have MFA!" This is the common refrain from organizations that believe they are protected. The uncomfortable reality is that most traditional MFA factors, SMS and app-generated one-time passcodes (OTPs) and push notifications, are phishable in exactly the way the password they back up is phishable: nothing ties the factor to the site the user is actually talking to. Attackers can trick users into typing or reading out an OTP, or exploit "push fatigue" by spamming a user's device with approval requests until one is accepted by mistake.

This is where easily accessible tools like Evilginx come into play.

What is Evilginx? Think of it as the ultimate digital eavesdropper. It's an open-source phishing framework that operates as an Adversary-in-the-Middle (AitM) reverse proxy. Here's how it works:

  1. The attacker sends a phishing link that directs the victim to the Evilginx server on a lookalike domain. The server does not host a copy of the login page; it proxies the real one (e.g., your Microsoft Entra ID sign-in page), so the replica is pixel-perfect by construction.
  2. Evilginx acts as a reverse proxy, passing all traffic back and forth between the victim and the legitimate service and rewriting hostnames as it goes. The user sees the familiar login screen, complete with a valid TLS lock icon, because the attacker holds a perfectly valid certificate for the lookalike domain.
  3. The user enters their username and password, which Evilginx captures as they pass through.
  4. The legitimate service then prompts for MFA. If the factor is an OTP, the user types it into the proxied page and Evilginx forwards it; if it is a push notification, the user approves it on their phone and the proxied session completes just as it would for a direct login.
  5. Here's the knockout blow: once authentication succeeds, the real service sets a session cookie in its response to authorize the browser session. Evilginx records that cookie before passing the response on.

With this stolen session cookie, the attacker imports it into their own browser and is simply logged in, with no password and no MFA prompt of their own. The cookie stays valid until the session expires or is revoked, which is why responding to a suspected AitM compromise means revoking sessions and refresh tokens, not just resetting the password. The victim, who saw what looked like a normal successful login, may not realize anything happened until it's too late.

The Modern Defense: A Three-Pronged Strategy to Neuter Scattered Spider

Fighting an adversary that targets identity requires a defense built on strong identity assurance. The probabilistic security controls of the past, which can only guess if a user is legitimate, are failing. You need a deterministic approach that proves with certainty that a person is who they claim to be. This modern defense is built on three core principles.

Principle 1: Make Credentials Un-stealable with Phishing-Resistant MFA

The single most effective way to stop Scattered Spider’s primary attack vector is to adopt a simple philosophy: if a credential can't be moved, it can't be stolen. This is the foundation of true phishing-resistant, multi-factor authentication.

The Solution: HYPR's phishing-resistant authentication is built on the FIDO standards, the gold standard for secure authentication, and leverages passwordless technology like passkeys.

How it Defeats Credential Theft:

  • Public-Private Key Cryptography: When a user enrolls with HYPR, their device creates a unique public-private key pair for that relying party. The private key is stored in the device's hardware and never leaves it. To authenticate, the device signs a fresh challenge from the service, proving possession of the key without revealing it. Crucially, what gets signed includes the origin the browser is actually on, and a conforming browser will not exercise the credential at all from a domain that does not match the one it was registered for. An AitM proxy on a lookalike domain therefore gets no assertion to relay, and a forged one would fail verification because it names the wrong origin.
  • No Phishable Fallbacks: HYPR eliminates vulnerable, phishable factors. It only uses phishing-resistant FIDO methods and never falls back to easily compromised shared secrets like OTPs or knowledge-based questions.
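The Evilginx flow described earlier and the origin-binding point in the list above come together in the following added example, which is not HYPR's, FIDO's or Evilginx's code. It models a relying party, a browser and an in-memory P-256 authenticator (a real one keeps the key in hardware), uses assumed domain names (sso.example-insurer.com for the identity provider, sso.example-insurer-login.com for the proxy) and assumed challenge strings, and simplifies WebAuthn's signed data to SHA-256(rpIdHash || SHA-256(clientDataJSON)). It shows the two independent reasons a proxied FIDO login fails where a proxied OTP or push succeeds: the browser refuses to use the credential on the wrong origin, and even an assertion forced out of a tampered client is rejected by the relying party because the signed client data names the proxy's origin.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"strings"
)

// Assumed names for the example; none come from the original page.
const (
	rpID        = "sso.example-insurer.com"               // RP ID registered at enrolment
	realOrigin  = "https://sso.example-insurer.com"       // where the IdP really lives
	phishOrigin = "https://sso.example-insurer-login.com" // the AitM proxy's lookalike domain
)

// clientData holds the WebAuthn clientDataJSON fields that matter here. The
// browser fills in Origin from the page it is actually on; the page cannot change it.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// authenticator stands in for a FIDO device: the key pair is created at enrolment
// and the private half is never exported (it lives in hardware on a real one).
type authenticator struct{ priv *ecdsa.PrivateKey }

// signedHash is the message the authenticator signs, SHA-256(rpIdHash || SHA-256(clientDataJSON)),
// a simplified form of WebAuthn's authenticatorData || clientDataHash.
func signedHash(cd []byte) []byte {
	rpHash, cdHash := sha256.Sum256([]byte(rpID)), sha256.Sum256(cd)
	h := sha256.Sum256(append(rpHash[:], cdHash[:]...))
	return h[:]
}

// browserAssert models navigator.credentials.get(). A conforming browser only
// exercises the credential when the page origin is the RP ID or a subdomain of it;
// enforceOriginCheck=false models a tampered client that skips that step.
func (a *authenticator) browserAssert(pageOrigin, challenge string, enforceOriginCheck bool) (cd, sig []byte, err error) {
	host := strings.TrimPrefix(pageOrigin, "https://")
	if enforceOriginCheck && host != rpID && !strings.HasSuffix(host, "."+rpID) {
		return nil, nil, fmt.Errorf("browser: origin %q is not within RP ID %q", pageOrigin, rpID)
	}
	if cd, err = json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: pageOrigin}); err != nil {
		return nil, nil, err
	}
	sig, err = ecdsa.SignASN1(rand.Reader, a.priv, signedHash(cd))
	return cd, sig, err
}

// verifyAssertion is the relying party's check: its own challenge, its own origin,
// and a signature that verifies under the public key stored at enrolment.
func verifyAssertion(pub *ecdsa.PublicKey, challenge string, cd, sig []byte) bool {
	var c clientData
	if json.Unmarshal(cd, &c) != nil || c.Type != "webauthn.get" ||
		c.Challenge != challenge || c.Origin != realOrigin {
		return false
	}
	return ecdsa.VerifyASN1(pub, signedHash(cd), sig)
}

// Outcome records what happened in each leg of the scenario.
type Outcome struct {
	BrowserRefused      bool // browser declines to use the key on the phish origin
	ForcedRelayAccepted bool // assertion minted on the phish origin anyway: rejected by the RP
	LegitAccepted       bool // same key on the real origin: accepted
}

// RunScenario plays the Evilginx flow against a FIDO credential. An OTP needs no
// such demonstration: it carries no origin, so the RP accepts it from whoever relays it.
func RunScenario() (Outcome, error) {
	var out Outcome
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return out, err
	}
	auth, pub := &authenticator{priv: priv}, &priv.PublicKey

	// Leg 1: the victim is on the proxy page. The browser sees phishOrigin and refuses.
	_, _, err = auth.browserAssert(phishOrigin, "challenge-1", true)
	out.BrowserRefused = err != nil

	// Leg 2: even a client that signs anyway produces clientDataJSON naming phishOrigin,
	// so the relying party rejects the assertion the proxy forwards.
	cd, sig, err := auth.browserAssert(phishOrigin, "challenge-1", false)
	if err != nil {
		return out, err
	}
	out.ForcedRelayAccepted = verifyAssertion(pub, "challenge-1", cd, sig)

	// Leg 3: the same credential at the real origin works as intended.
	if cd, sig, err = auth.browserAssert(realOrigin, "challenge-2", true); err != nil {
		return out, err
	}
	out.LegitAccepted = verifyAssertion(pub, "challenge-2", cd, sig)
	return out, nil
}

func main() { fmt.Println(RunScenario()) }
```

Running it prints `{true false true} <nil>`. The design point is that the relying party never has to detect the proxy: it only checks that the challenge is the one it issued and that the origin in the signed client data is its own, and the proxy cannot satisfy the second condition without the user's browser lying about where it is.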

Principle 2: Eliminate Help Desk Social Engineering Attacks with True Identity Verification

Securing the front door with phishing-resistant MFA is crucial, but what about the back door? Credential recovery and reset processes are a glaring vulnerability that Scattered Spider ruthlessly exploits. Relying on knowledge-based authentication (KBA), "What was the name of your first pet?", is a recipe for disaster in an era where AI can scrape the internet for answers in seconds.

The Solution: You must verify the person, not the information they know. HYPR Affirm provides Multi-Factor Verification (MFV), a modern approach to identity proofing that makes adaptive, risk-based verification a core part of the identity lifecycle.

How it Secures Recovery: Instead of asking flimsy questions, HYPR Affirm uses a layered, deterministic process to verify a user’s identity with high assurance before allowing a credential reset:

  • Document Verification: The user is prompted to scan a government-issued ID (like a driver's license or passport) with their smartphone.
  • Biometric Matching & Liveness: The user then takes a selfie, which is biometrically matched against the photo on the ID. A "liveness" check tests that a live person is in front of the camera rather than a printed photo, a replayed video or a deepfake.
  • Configurable Steps: For high-risk scenarios, additional factors like a live video chat with a manager or service desk agent can be required.

This raises the bar from "knows facts about the employee" to "can produce the employee's face and government ID live", so a caller armed only with scraped personal details cannot talk their way into a reset, and the help desk becomes a checkpoint rather than a side door. The reset and any new MFA registration should still be logged and reviewed: a cluster of MFA re-enrollments is one of the few noisy signals this playbook produces, and it is worth alerting on.

Principle 3: Guarantee Endpoint Integrity with Continuous Device Trust

A user's identity is only one part of the security equation. The health and integrity of the device they are using to authenticate is the other. A legitimate user on a compromised device is still a massive risk.

The Solution: HYPR Adapt adds an intelligent, continuous layer of risk analysis to every authentication event.

How it Adds Protection:

  • Real-Time Risk Signals: HYPR Adapt is a powerful risk engine that continuously analyzes a wide array of signals from the user's device, their behavior, and the broader threat landscape.
  • Adaptive Response: It checks if the device is managed or unmanaged, if its security posture is up to date, and if the user's behavior is unusual. If it detects a high-risk signal, like an authentication attempt from a jailbroken device or an impossible travel scenario, it can automatically step up authentication requirements or block the attempt entirely. This provides an essential layer of protection that ensures the entire access journey, from user to device to application, is secure.
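As an added illustration of the kind of policy such a risk engine applies (this is not HYPR Adapt's logic, which the page does not describe in detail; the rules, thresholds, IP addresses, coordinates and events below are assumed and constructed), the following Go program evaluates a sequence of authentication events for one user. It combines three of the signals named above: device posture (jailbroken or unmanaged), impossible travel between the last allowed login and the current one, and a session cookie turning up from an IP address other than the one it was issued to, which is what a replayed Evilginx cookie looks like from the service's side. Geolocation of the IP is assumed to come from an upstream GeoIP lookup.

```go
package main

import (
	"fmt"
	"math"
	"time"
)

type Decision string

const (
	Allow  Decision = "allow"
	StepUp Decision = "step_up"
	Block  Decision = "block"
)

// AuthEvent is one login attempt or session use as an assumed upstream collector
// would report it: device posture from MDM, coordinates from GeoIP.
type AuthEvent struct {
	User       string
	At         time.Time
	IP         string
	Lat, Lon   float64
	Managed    bool   // enrolled in MDM
	Jailbroken bool   // rooted or jailbroken per the posture check
	SessionID  string // session cookie presented; empty on a fresh login
}

// RiskEngine keeps just enough state for three signals: device posture, impossible
// travel, and a session cookie replayed from an IP other than the one it was bound to.
type RiskEngine struct {
	maxKmh   float64
	last     map[string]AuthEvent // last allowed event per user
	sessions map[string]string    // session ID -> IP it was first accepted from
}

func NewRiskEngine() *RiskEngine {
	return &RiskEngine{maxKmh: 900, last: map[string]AuthEvent{}, sessions: map[string]string{}}
}

// haversineKm is the great-circle distance between two points on the Earth.
func haversineKm(lat1, lon1, lat2, lon2 float64) float64 {
	const earthKm = 6371.0
	rad := func(d float64) float64 { return d * math.Pi / 180 }
	dLat, dLon := rad(lat2-lat1), rad(lon2-lon1)
	a := math.Sin(dLat/2)*math.Sin(dLat/2) +
		math.Cos(rad(lat1))*math.Cos(rad(lat2))*math.Sin(dLon/2)*math.Sin(dLon/2)
	return 2 * earthKm * math.Asin(math.Sqrt(a))
}

// Evaluate applies the rules in order of severity and records state only for
// events it allows, so a blocked or stepped-up attempt cannot "move" the user.
func (e *RiskEngine) Evaluate(ev AuthEvent) (Decision, string) {
	if ev.Jailbroken {
		return Block, "jailbroken or rooted device"
	}
	if issuedIP, seen := e.sessions[ev.SessionID]; ev.SessionID != "" && seen && issuedIP != ev.IP {
		delete(e.sessions, ev.SessionID) // revoke: treat it as a stolen cookie being replayed
		return Block, fmt.Sprintf("session %s bound to %s presented from %s", ev.SessionID, issuedIP, ev.IP)
	}
	if prev, ok := e.last[ev.User]; ok {
		km := haversineKm(prev.Lat, prev.Lon, ev.Lat, ev.Lon)
		hours := ev.At.Sub(prev.At).Hours()
		if km > 100 && (hours <= 0 || km/hours > e.maxKmh) {
			return StepUp, fmt.Sprintf("impossible travel: %.0f km in %.1f h", km, hours)
		}
	}
	if !ev.Managed {
		return StepUp, "unmanaged device"
	}
	e.last[ev.User] = ev
	if _, seen := e.sessions[ev.SessionID]; ev.SessionID != "" && !seen {
		e.sessions[ev.SessionID] = ev.IP // bind the cookie to the IP it was first accepted from
	}
	return Allow, "ok"
}

// Demo runs a constructed sequence for one user and returns the decisions in order.
func Demo() []Decision {
	eng := NewRiskEngine()
	mk := func(h, m int, ip string, lat, lon float64, managed, jb bool, sid string) AuthEvent {
		return AuthEvent{User: "alice", At: time.Date(2025, 6, 23, h, m, 0, 0, time.UTC), IP: ip,
			Lat: lat, Lon: lon, Managed: managed, Jailbroken: jb, SessionID: sid}
	}
	events := []AuthEvent{ // constructed sample events, not real data
		mk(9, 0, "203.0.113.10", 41.8781, -87.6298, true, false, "s1"),   // Chicago, managed laptop: allow
		mk(9, 10, "203.0.113.10", 41.8781, -87.6298, true, false, "s1"),  // same session, same place: allow
		mk(9, 20, "198.51.100.7", 50.1109, 8.6821, true, false, "s1"),    // s1 replayed from Frankfurt: block
		mk(9, 30, "203.0.113.10", 41.8781, -87.6298, false, false, "s2"), // unmanaged phone: step up
		mk(9, 35, "203.0.113.10", 41.8781, -87.6298, true, true, "s3"),   // jailbroken device: block
		mk(11, 0, "192.0.2.44", 51.5074, -0.1278, true, false, "s4"),     // London 1h50 after Chicago: step up
	}
	var out []Decision
	for _, ev := range events {
		d, why := eng.Evaluate(ev)
		fmt.Printf("%s %-7s %s\n", ev.At.Format("15:04"), d, why)
		out = append(out, d)
	}
	return out
}

func main() { Demo() }
```

Two choices in the code are worth noting. The impossible-travel check is measured against the last allowed event rather than the last attempt, so an attacker cannot "walk" the baseline across the map with a series of rejected logins. And the session-replay rule revokes the cookie rather than merely stepping up, because by the time a cookie is seen from a second network the legitimate user's own MFA step has already been spent on it.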

Your Go-Forward Strategy: A Modern Defense Against Scattered Spider

Scattered Spider’s assault on the insurance industry is a clear signal that the old ways of security are no longer sufficient. Their strategy isn't revolutionary; it's a methodical exploitation of the trust we place in outdated and phishable identity technologies. Relying on legacy MFA and weak, KBA-based recovery processes is leaving your organization dangerously exposed.

The path forward is not about adding more layers of complexity; it's about shifting to a foundation of certainty. By implementing a modern identity assurance strategy built on three pillars, phishing-resistant MFA, true identity verification, and continuous device trust, you can move from a reactive defensive posture to a position of dominance. You can build a fortress that doesn't just deter attackers like Scattered Spider but makes their entire playbook obsolete.

Ready to build a defense against Scattered Spider? Subscribe to our updates for the latest insights on identity assurance and cybersecurity.

 
