Scattered Spider Attacks on Insurance Companies: Tactics and Mitigations

by Nametag Team


Scattered Spider is one of the fastest-moving threat actors of the modern era. In just the past month, the distributed threat cluster has pivoted three times: from breaching UK retailers to targeting U.S. retailers to now targeting U.S. insurance companies. Out of discretion we won't call out anyone specifically, but “multiple U.S.-based companies” have reportedly already been hit. Here’s what you need to know about Scattered Spider’s renewed attacks on American insurance companies, including their preferred tactics and effective mitigations you can implement today.

"When defending against Scattered Spider, hardening identity verification and authentication practices are of the utmost importance." – Mandiant

Scattered Spider’s Favorite Tactic: Helpdesk Social Engineering

Scattered Spider is particularly notorious for its effective use of social engineering against IT staff working on a company’s internal employee helpdesk. Security researchers at Mandiant, who track Scattered Spider as Threat Cluster UNC3944, specifically highlight the sophistication of Scattered Spider's social engineering:

"Mandiant has observed UNC3944 in multiple engagements leveraging social engineering techniques against corporate help desks to gain initial access to existing privileged accounts. Additionally, it has been noted that they already possessed the personally identifiable information (PII) of its victims to bypass help desk administrators' user identity verification.”

Indeed, what makes Scattered Spider especially dangerous is that they often don’t rely on technical exploits to gain access. Rather, they use human manipulation as their primary weapon, often succeeding even in environments where strong phishing-resistant MFA is already in place. This demonstrates the importance of securing not just the user credential, but the lifecycle operations tied to that credential. 

How Scattered Spider Socially Engineers IT Helpdesks

Social engineering attacks are particularly dangerous because they target the weakest link in any security chain: people. Even if you have strong security measures in place, social engineering attacks can still succeed because they bypass those controls rather than break them.

"UNC3944 operators employed consistent social engineering tactics across various victims, often calling service desks to claim they were receiving a new phone, warranting a multi-factor authentication (MFA) reset. By interacting with service desk administrators, UNC3944 could not only reset passwords for privileged accounts but also bypass associated MFA protections."

Imagine a support call where an agent sees a familiar face on video or hears a familiar voice on the phone. It’s the right voice, the intonation is there, they sound stressed, and they gently push for an urgent MFA reset for a "new device." They answer all of the security questions easily. Everything seems legitimate, so the helpdesk agent goes ahead and completes the MFA reset.

Hours later, your networks are down and the attackers are demanding a ransom payment or they’ll post all of your customers’ PII on the dark web.

How Scattered Spider Uses Deepfakes in Social Engineering

One of the most disturbing evolutions in Scattered Spider’s toolkit is their apparent use of AI-generated deepfakes. Reports from Mandiant, Palo Alto Networks, and other threat intelligence researchers suggest that attackers are increasingly leveraging real-time deepfake voices and videos to more effectively impersonate legitimate employees during live support interactions. Even seasoned security professionals can be duped by modern deepfakes.

In high-value sectors like insurance, where sensitive customer and employee data is heavily regulated and financially valuable, deepfake impersonation represents a critical escalation. It renders traditional verification including phone and video calls nearly obsolete and exposes a major blind spot in many organizations’ security posture.

How to Stop Scattered Spider: 5 Effective Mitigations

Stopping Scattered Spider requires more than stronger passwords, better security questions, or routine endpoint monitoring. Insurance companies must update their identity threat models to meet a new breed of many-legged adversary. Here are key strategies that are proving effective at stopping Scattered Spider which you can start deploying today:

  1. Train your helpdesk on social engineering and deepfake threats. Your team must be able to recognize signs of impersonation, including subtle tells from AI-generated audio and urgency cues often used in Scattered Spider social engineering attempts.
  2. Implement phishing-resistant MFA with device-bound credentials. Companies like Beyond Identity and Cisco Duo specialize in protecting user accounts against man-in-the-middle attacks and other TTPs favored by Scattered Spider by verifying the actual person, not just their credential.
  3. Establish stronger authentication protocols at your IT helpdesk. Require out-of-band authentication using channels that are inherently resistant to interception or impersonation. Avoid placing too much trust in channels that can be intercepted or deepfaked, such as video calls, push notifications, or call-backs to a trusted phone number.
  4. Equip your helpdesk with an easy-to-use identity verification console. Quickly verify users when they contact support without relying on subjective judgment, stealable information, or cloneable voices. Look for a helpdesk solution that uses advanced technology like Nametag's Deepfake Defense™ engine to prevent Scattered Spider actors from using AI-generated deepfakes to impersonate legitimate users.
  5. Protect your account recovery process with identity verification assurance. Companies like Nametag offer out-of-the-box solutions that deflect password and MFA reset tickets to self-service, eliminating the chance for Scattered Spider to socially engineer a helpdesk agent while reducing ticket burdens on your IT team.
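The mitigations above are preventive; security operations teams also want a way to notice when a helpdesk-driven reset has already gone wrong. The following is an added example written for this article, not Nametag's code or any vendor product: it correlates the pattern quoted from Mandiant above (a helpdesk MFA reset justified by a "new phone", followed by a fresh MFA enrolment and a login from a source the user has never used) over a few constructed log lines. The log format, field names, the two-hour window and the list of privileged users are all assumptions for the sake of the example.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed sample identity/helpdesk log lines (not taken from the article).
# Assumed format: "<ISO8601 UTC> <event_kind> key=value ...".
SAMPLE_LOG = """\
2025-06-17T08:00:00Z login user=jdoe actor=jdoe ip=192.0.2.5
2025-06-17T08:10:00Z login user=asmith actor=asmith ip=198.51.100.10
2025-06-18T09:02:11Z helpdesk_mfa_reset user=jdoe actor=agent42 ticket=T-1001 reason=new_phone
2025-06-18T09:05:40Z mfa_enroll user=jdoe actor=jdoe device=phone-7f3a
2025-06-18T09:07:03Z login user=jdoe actor=jdoe ip=203.0.113.77
2025-06-18T10:15:00Z helpdesk_mfa_reset user=asmith actor=agent17 ticket=T-1002 reason=new_phone
2025-06-18T10:20:00Z mfa_enroll user=asmith actor=asmith device=phone-19c2
2025-06-18T10:25:00Z login user=asmith actor=asmith ip=198.51.100.10
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kind>\S+)\s*(?P<kv>.*)$")


@dataclass
class Event:
    ts: datetime
    kind: str
    fields: dict = field(default_factory=dict)


def parse_line(line: str):
    """Parse one log line into an Event; returns None for blank or malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return None
    fields = dict(kv.split("=", 1) for kv in m["kv"].split() if "=" in kv)
    return Event(ts=ts, kind=m["kind"], fields=fields)


def parse_log(text: str):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e is not None]


def detect_reset_takeovers(events, privileged_users, window=timedelta(hours=2)):
    """Flag a helpdesk MFA reset that is followed, within `window`, by BOTH a new
    MFA enrolment and a login from a source IP the user never used before the reset.
    A reset followed by a login from an already-known IP (the genuine new-phone case)
    is not flagged."""
    events = sorted(events, key=lambda e: e.ts)
    alerts = []
    for i, reset in enumerate(events):
        if reset.kind != "helpdesk_mfa_reset":
            continue
        user = reset.fields.get("user")
        # Baseline: source IPs this user logged in from before the reset.
        known_ips = {e.fields.get("ip") for e in events[:i]
                     if e.kind == "login" and e.fields.get("user") == user}
        enrol = new_ip_login = None
        for e in events[i + 1:]:
            if e.ts - reset.ts > window:
                break
            if e.fields.get("user") != user:
                continue
            if e.kind == "mfa_enroll" and enrol is None:
                enrol = e
            elif e.kind == "login" and e.fields.get("ip") not in known_ips and new_ip_login is None:
                new_ip_login = e
        if enrol and new_ip_login:
            alerts.append({
                "user": user,
                "ticket": reset.fields.get("ticket"),
                "agent": reset.fields.get("actor"),
                # Privileged accounts are the ones Mandiant reports being reset; rank them higher.
                "severity": "high" if user in privileged_users else "medium",
                "new_device": enrol.fields.get("device"),
                "new_ip": new_ip_login.fields.get("ip"),
                "minutes_after_reset": round((new_ip_login.ts - reset.ts).total_seconds() / 60, 1),
            })
    return alerts


def analyze(text: str, privileged_users):
    """Convenience wrapper: parse raw log text and run the detection."""
    return detect_reset_takeovers(parse_log(text), set(privileged_users))


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG, {"jdoe"}):
        print(alert)
```

On the sample data only `jdoe` is flagged: the reset is followed within five minutes by an enrolment and a login from an IP never seen for that account, which is exactly the sequence a successful helpdesk social-engineering call produces. `asmith` goes through the same reset and enrolment but logs in from a known IP, so the rule stays quiet; in practice the baseline would come from weeks of login history rather than one line, and the window and privileged list should be tuned to your environment.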

Final Thoughts

Scattered Spider’s renewed focus on insurance companies should be a wake-up call across industries. Their tactics—particularly deepfake-enhanced social engineering—mark a shift in the cybersecurity threat landscape, where identity can no longer be confirmed by passwords or device checks alone.

Insurance groups must respond with urgency, not only by upgrading their technical defenses but also by reinforcing trust in every human-facing system. The attackers are evolving. Your identity protection strategy must evolve faster.

Contact us to learn more about how Nametag can protect your organization against Scattered Spider.
