Incident Date: June 12–24, 2025
Targeted Organizations:
- Aflac
- Erie Indemnity
- Philadelphia Insurance Companies
Overview of the Attack
Scattered Spider, a threat actor group known for aggressive social engineering and living-off-the-land techniques, ran a coordinated campaign against major U.S. insurance firms in mid-June 2025.
Notably, no traditional malware or ransomware was used in these intrusions. The attackers instead relied on human manipulation, specifically MFA fatigue (push bombing), helpdesk impersonation (vishing), and SIM swapping, to defeat multi-factor authentication and reach sensitive systems.
Tactics, Techniques, and Procedures (TTPs)
- MFA Fatigue Attacks
The attackers sent a barrage of MFA push notifications to a victim's phone until the victim approved one, either to make the prompts stop or on the assumption they were a glitch. The technique works against any push-based MFA that accepts a bare "approve" tap, and it is most effective against employees who have not been told that unexpected prompts mean someone else already holds their password.
- Helpdesk Impersonation (Vishing)
Scattered Spider actors called internal IT support lines posing as employees who had lost access to their accounts and asked for password or MFA resets. Armed with personal details gathered beforehand, their impersonations were convincing enough to pass the helpdesk's identity checks.
- SIM Swapping
In some cases the attackers had an employee's phone number ported to a device under their control, so SMS-based MFA codes (and any voice callbacks) were delivered to the attacker rather than the employee.
- No Malware, No Detection
Because no malware was dropped, antivirus and endpoint detection tools had nothing to flag. The attackers relied on legitimate administration tools and command-line operations, which means detection has to come from identity and cloud telemetry (sign-in logs, MFA prompt outcomes, new device and authenticator registrations) rather than from file scanning.
- Cloud Exploitation
Once inside, they targeted cloud environments such as Microsoft 365 and Google Workspace to extract documents, email, and customer records.
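The MFA fatigue pattern described above is detectable from authentication telemetry alone: a burst of denied or ignored push prompts for one user, followed by an approval, is the signature, and an approval from an address the user has never approved from before makes it far more likely that the approval was the attacker's prompt rather than the user's own. The detector below is an added example written for this page, not code from the affected insurers or from any vendor; the sign-in records are constructed for illustration, and the field names (ts, user, ip, result) are an assumed schema rather than a real log format. It also handles the edge cases a rule like this needs: a burst that is never approved (the user is being targeted but has not given in), and an approval that arrives long after the burst (treated as unrelated).

```python
"""MFA push-fatigue detector run over constructed sign-in telemetry.

Added example, not code from the page or from any affected insurer. The
records below are constructed for illustration; the field names
(ts, user, ip, result) are an assumed schema, not a vendor's log format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events: one record per MFA push prompt; result is what the user did.
SAMPLE_EVENTS = [
    # alice: a normal morning sign-in from her usual office address.
    {"ts": "2025-06-13T08:02:10Z", "user": "alice", "ip": "198.51.100.7", "result": "approved"},
    # alice: fatigue burst from an unfamiliar address, six prompts denied or ignored...
    {"ts": "2025-06-13T22:41:03Z", "user": "alice", "ip": "203.0.113.50", "result": "denied"},
    {"ts": "2025-06-13T22:41:40Z", "user": "alice", "ip": "203.0.113.50", "result": "timeout"},
    {"ts": "2025-06-13T22:42:15Z", "user": "alice", "ip": "203.0.113.50", "result": "denied"},
    {"ts": "2025-06-13T22:42:52Z", "user": "alice", "ip": "203.0.113.50", "result": "timeout"},
    {"ts": "2025-06-13T22:43:30Z", "user": "alice", "ip": "203.0.113.50", "result": "denied"},
    {"ts": "2025-06-13T22:44:08Z", "user": "alice", "ip": "203.0.113.50", "result": "timeout"},
    # ...and the seventh is finally approved from that same unfamiliar address.
    {"ts": "2025-06-13T22:44:45Z", "user": "alice", "ip": "203.0.113.50", "result": "approved"},
    # bob: two ignored prompts then approval from his usual address (a flaky phone, not an attack).
    {"ts": "2025-06-14T09:15:00Z", "user": "bob", "ip": "198.51.100.9", "result": "timeout"},
    {"ts": "2025-06-14T09:15:35Z", "user": "bob", "ip": "198.51.100.9", "result": "timeout"},
    {"ts": "2025-06-14T09:16:10Z", "user": "bob", "ip": "198.51.100.9", "result": "approved"},
    # carol: a burst that was never approved; she is being targeted but not yet compromised.
    {"ts": "2025-06-14T23:05:00Z", "user": "carol", "ip": "203.0.113.77", "result": "denied"},
    {"ts": "2025-06-14T23:05:30Z", "user": "carol", "ip": "203.0.113.77", "result": "denied"},
    {"ts": "2025-06-14T23:06:00Z", "user": "carol", "ip": "203.0.113.77", "result": "denied"},
    {"ts": "2025-06-14T23:06:30Z", "user": "carol", "ip": "203.0.113.77", "result": "timeout"},
    {"ts": "2025-06-14T23:07:00Z", "user": "carol", "ip": "203.0.113.77", "result": "denied"},
]

WINDOW = timedelta(minutes=10)  # max gap between prompts for them to count as one burst
MIN_REJECTED = 5                # denied/timed-out prompts needed before a burst is suspicious


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect_mfa_fatigue(events, window=WINDOW, min_rejected=MIN_REJECTED):
    """Return one alert per burst of rejected prompts, per user.

    high:   burst followed by an approval from an IP the user never approved from before
    medium: burst followed by an approval from a familiar IP
    low:    burst with no approval within the window (user prompted but did not give in)
    """
    alerts = []
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: parse_ts(e["ts"])):
        by_user[e["user"]].append(e)

    for user, evs in by_user.items():
        familiar_ips = set()  # IPs seen on this user's earlier approvals
        pending = []          # rejected prompts not yet closed out

        def close_burst(approval=None):
            """Emit an alert if the pending burst is large enough, then reset it."""
            if len(pending) >= min_rejected:
                if approval is None:
                    severity = "low"
                elif approval["ip"] in familiar_ips:
                    severity = "medium"
                else:
                    severity = "high"
                alerts.append({
                    "user": user,
                    "severity": severity,
                    "rejected_prompts": len(pending),
                    "burst_start": pending[0]["ts"],
                    "approved_from": approval["ip"] if approval else None,
                })
            pending.clear()

        for e in evs:
            t = parse_ts(e["ts"])
            # A gap longer than the window means the previous burst ended on its own;
            # an approval after that gap is unrelated to it, not the attacker's win.
            if pending and t - parse_ts(pending[-1]["ts"]) > window:
                close_burst()
            if e["result"] == "approved":
                close_burst(approval=e)
                familiar_ips.add(e["ip"])
            else:
                pending.append(e)
        close_burst()  # a burst still open at end of data is a targeted, unapproved user
    return alerts


if __name__ == "__main__":
    for alert in detect_mfa_fatigue(SAMPLE_EVENTS):
        print(alert)
```

Run against the constructed records this raises a high-severity alert for alice (six rejected prompts, then an approval from 203.0.113.50, which she had never approved from) and a low-severity alert for carol, whose burst was never approved and who should be contacted before the attacker tries the helpdesk route instead; bob's two timeouts fall below the threshold and produce nothing. The familiar-IP baseline is built only from approvals that precede the burst, so the attacker's own successful approval cannot launder its address into the baseline.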
What Was Compromised?
- Personally Identifiable Information (PII)
- Health insurance data
- Policyholder financial records
- Internal communications and business contracts
- Sensitive Personal Information (SPI) protected under HIPAA
Each dataset holds high value on dark web markets, both for resale and for facilitating follow-up fraud and identity theft.
Organizational Responses
- Aflac
Released a statement confirming unauthorized access to certain customer records but said core insurance platforms remained unaffected. It notified affected customers and began offering credit monitoring.
- Erie Insurance (Erie Indemnity)
Identified suspicious access to internal systems and customer portals. The company took affected systems offline, commissioned an external forensic investigation, and reset credentials across departments.
- Philadelphia Insurance
Acknowledged the breach within 48 hours and reported it to regulatory bodies including the NAIC and state insurance commissions. Its transparency was praised in industry circles.
Why Was This Attack Significant?
- No malware or ransomware – This highlights the rise of ‘malware-less’ attacks exploiting human and configuration weaknesses rather than software flaws.
- Human vulnerabilities over technical ones – Social trust and inattentiveness, not weak firewalls or outdated software, led to the breach.
- Cross-industry ripple – These breaches triggered policy reviews across insurance and healthcare sectors due to the overlap in data categories.
Key Security Takeaways
- Deploy phishing-resistant MFA (FIDO2/WebAuthn security keys or passkeys); where push-based MFA remains, require number matching so a bare "approve" tap is no longer enough, and retire SMS and voice as MFA factors so a SIM swap yields nothing
- Train employees that an MFA prompt they did not initiate means someone else has their password, and that the right response is to deny it and report it; train helpdesk staff on vishing and impersonation
- Use behavioral analytics on sign-in telemetry: bursts of rejected MFA prompts followed by an approval, approvals from new IPs or devices, and MFA method changes followed by unusual access
- Enforce least-privilege access in cloud environments and alert on bulk mailbox or document export
- Require out-of-band identity verification (callback to a number already on file, manager confirmation) before any helpdesk password or MFA reset, and regularly audit both helpdesk reset logs and telecom provider change requests, including port-out protection on employee lines
References and Further Reading
- Aflac breach report: https://www.wsj.com/articles/insurers-under-siege-by-notorious-hacking-group-7cb68a8e
- SecurityWeek alert: https://securityweek.com/us-insurance-industry-warned-of-scattered-spider-attacks/
- Bleeping Computer analysis: https://www.bleepingcomputer.com/news/security/google-warns-scattered-spider-hackers-now-target-us-insurance-companies/
- InsuranceJournal briefing: https://www.insurancejournal.com/news/national/2025/06/23/828749.htm
- SC Media overview: https://www.scworld.com/brief/us-insurance-sector-newly-targeted-by-scattered-spider