What PEOs Should Know About the Latest Cyber Threat
In the ever-evolving landscape of cybersecurity, a name that continues to resurface is Scattered Spider—a sophisticated threat group now setting its sights on U.S. insurance companies. While the group’s tactics are not new, the focus of its campaigns is shifting, and PEOs in the insurance space need to pay close attention.
First seen by Google: A rising threat
The latest signal flare came from Google's Threat Intelligence, which identified a surge in credential phishing, social engineering, and ransomware delivery methods tied to this group. Google’s findings show that Scattered Spider, also tracked as UNC3944 and Muddled Libra, is continuing to evolve in sophistication, often leveraging SMS-based phishing, known as “smishing,” and even direct phone calls to support agents to reset credentials.
Who is Scattered Spider?
Scattered Spider is a cybercrime group believed to be composed mostly of young adults. They gained prominence for their attacks on major hospitality, telecom, and tech enterprises, often gaining initial access via MFA fatigue attacks or by impersonating IT personnel.
What sets this group apart is their use of highly personalized social engineering, sometimes even recruiting insiders to help them breach corporate systems.
The Insurance Industry: A treasure trove of risk
Over the course of five days in June 2025, at least three major insurance companies reported cyber incidents tied to tactics resembling those used by Scattered Spider:
· Erie Insurance identified “unusual network activity” and began isolating systems.
· Philadelphia Insurance Companies acknowledged a disruption in operations due to unauthorized access.
· Aflac—which covers tens of millions—confirmed that sensitive customer data, including health information, had been compromised.
While these breaches weren’t ransomware-driven, the damage was still significant, eroding trust, disrupting systems, and compromising vast databases of policyholder and health information.
The Bigger Picture: Why Insurance and PEOs Are at Risk
The recent Scattered Spider activity highlights a broader trend, and it’s not just insurers who should be paying attention. Here’s why PEOs, too, should consider themselves part of the high-risk category:
1. Data is a prize
The global cyber insurance market was valued at $13 billion in 2023, and projections suggest it will exceed $22.5 billion by 2025. With such high-value data under management, insurers—and the PEOs who support them—have become top targets for cybercriminals seeking financial leverage.
2. Social engineering over malware
Unlike more traditional ransomware groups, Scattered Spider is not primarily focused on malware deployment. Their success comes from phishing, smishing (SMS phishing), vishing (voice impersonation), and MFA fatigue attacks—tactics that rely on exploiting human behavior rather than system vulnerabilities.
3. PEOs are within reach
PEOs manage payroll, benefits, claims, compliance, and more. Their systems contain rich troves of personally identifiable information (PII) and employer data, making them valuable targets. With many PEOs relying on shared vendor platforms and cloud integrations, a compromise in the insurance ecosystem could easily extend into PEO environments.
4. Human risk is high
According to data from Cobalt.io, 74% of data breaches involve human error, credential misuse, or privilege abuse. For a group like Scattered Spider—whose strategy hinges on manipulating people rather than machines—that statistic represents a significant opportunity.
Defending against the Spider
For PEOs, this is not a time to panic, but it is time to act! Defending against Scattered Spider requires more than antivirus software or stronger passwords. It requires a cultural shift toward zero trust, process control, and employee empowerment.
Here’s where to start:
Strengthen Multi-Factor Authentication (MFA)
Use phishing-resistant MFA like hardware tokens or authenticator apps. Avoid simple push notifications, which are vulnerable to "MFA fatigue" attacks.
Monitor Admin and Vendor Access
Limit the scope and duration of privileged access. Use just-in-time access tools and activity monitoring to catch misuse.
Run Regular Social Engineering Simulations
Phishing simulations aren’t enough; test voice phishing and impersonation scenarios too.
Revisit Your Incident Response Plan
Ensure your plan includes credential compromise, impersonation, and insider threat components. Practice it often.
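The "MFA fatigue" pattern named above can be watched for in authentication logs as a burst of rejected push prompts, with an approval shortly after the burst being the case to escalate. The following is an added example, not part of the original article; the log format, field names, threshold and window are assumptions, and a real identity provider's log export will need its own parser.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in a hypothetical "ts user= factor= result=" format.
SAMPLE_LOG = """\
2025-06-16T02:14:05Z user=jdoe factor=push result=DENIED
2025-06-16T02:14:40Z user=jdoe factor=push result=TIMEOUT
2025-06-16T02:15:10Z user=jdoe factor=push result=DENIED
2025-06-16T02:16:02Z user=jdoe factor=push result=DENIED
2025-06-16T02:17:30Z user=jdoe factor=push result=APPROVED
2025-06-16T09:01:00Z user=asmith factor=push result=DENIED
2025-06-16T09:01:20Z user=asmith factor=push result=APPROVED
2025-06-16T08:00:00Z user=bking factor=push result=TIMEOUT
2025-06-16T11:00:00Z user=bking factor=push result=TIMEOUT
2025-06-16T14:00:00Z user=bking factor=totp result=DENIED
"""

LINE_RE = re.compile(r"^(\S+) user=(\S+) factor=(\S+) result=(\S+)$")

def parse(log_text):
    """Yield (timestamp, user, factor, result) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of failing the whole run
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m.group(2), m.group(3), m.group(4)

def find_push_fatigue(log_text, threshold=4, window=timedelta(minutes=10)):
    """Flag users with >= threshold rejected push prompts inside the window,
    and record whether an approval arrived while the burst was still in it."""
    recent = defaultdict(deque)  # user -> timestamps of rejected prompts
    findings = {}
    for ts, user, factor, result in sorted(parse(log_text)):
        if factor != "push":
            continue
        q = recent[user]
        while q and ts - q[0] > window:
            q.popleft()  # drop rejections that have aged out of the window
        if result in ("DENIED", "TIMEOUT"):
            q.append(ts)
            if len(q) >= threshold:
                hit = findings.setdefault(user, {"rejected": 0, "approved_after": False})
                hit["rejected"] = max(hit["rejected"], len(q))
        elif result == "APPROVED" and len(q) >= threshold:
            findings[user]["approved_after"] = True  # approval right after a burst
    return findings
```

A finding with `approved_after` set is the one to treat as a possible account takeover; a single denial followed by an approval, as for `asmith` in the sample, is not flagged.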
Final Thoughts
The insurance world, along with the PEOs that serve it, is entering a new era of cyber risk. Attacks are no longer about outdated firewalls. They’re about trust, timing, and human behavior. Scattered Spider is only the latest example of what happens when cybercriminals evolve faster than we do. For PEOs, now is the moment to evolve too, before your organization becomes the next entry point in a broader cyberattack!
References:
[1] Google Cloud Threat Intelligence. (2025). Threats Overview. Retrieved from https://cloud.google.com/security/threats?sr=CgQSAlVTEBw
[2] CPO Magazine. (2024). Scattered Spider Threat Group Has Moved on to Targeting U.S. Insurance Companies. Retrieved from https://www.cpomagazine.com/cyber-security/scattered-spider-threat-group-has-moved-on-to-targeting-us-insurance-companies/
[3] The Wall Street Journal. (2025). Insurers Under Siege by Notorious Hacking Group. Retrieved from https://www.wsj.com/articles/insurers-under-siege-by-notorious-hacking-group-7cb68a8e
[4] New York Post. (2025). Aflac Customer Data Breached by Cybercriminals in Hit to U.S. Insurers. Retrieved from https://nypost.com/2025/06/20/business/aflac-customer-data-breached-by-cybercriminals-in-hit-to-us-insurers
[5] MarketsandMarkets. (2023). Cyber Insurance Market by Offering and Industry. Retrieved from https://www.marketsandmarkets.com/Market-Reports/cyber-insurance-market-47709373.html
[6] Cobalt.io. (2023). Retrieved from https://www.cobalt.io/resources/the-state-of-pentesting-report