From Emails to Entrances: How to Stop Social Engineers in Their Tracks

The insurance industry faces a new and urgent threat. Following a string of attacks on major UK retailers including Marks & Spencer, Co-op, and Harrods, Google’s Threat Intelligence Group has warned that hackers known as Scattered Spider are now targeting multiple US insurance companies using sophisticated social engineering tactics.

For UK insurance companies, this warning should serve as a wake-up call.

The latest government data shows that 50% of businesses in the finance or insurance sector have incident response plans. Even where a plan exists, social engineering attacks exploit human vulnerabilities that technology alone cannot address.

This shift – from purely digital attacks to blended approaches that combine online manipulation with physical intrusion attempts – represents a significant escalation in cybercriminal tactics.

What Makes This Threat Different

The Blended Attack Evolution

Modern social engineering has evolved beyond simple phishing emails. Attackers now combine digital manipulation with physical presence, using fake credentials, uniforms, and convincing cover stories to gain access to buildings and sensitive areas. This multi-pronged approach makes detection and prevention significantly more challenging.

The Scattered Spider Approach

Scattered Spider (just one name for this particular collective of threat actors) employs sophisticated social engineering attacks to bypass mature security programmes. They use tactics that include:

  • Phishing
  • SIM-swapping
  • MFA fatigue attacks for initial access

What sets this group apart is their use of native English speakers. Since they can convincingly impersonate employees, the group’s deception is particularly effective against UK and US targets.

Why Insurance Companies Are Prime Targets

Insurance companies handle vast amounts of sensitive personal data, financial records, and health information. This goldmine, combined with complex organisational structures and extensive outsourced IT functions, creates multiple attack vectors that criminals can exploit.

Insurance companies also often have large help desks and outsourced IT functions that are susceptible to social engineering, an exposure that aligns directly with Scattered Spider’s competencies.

Understanding Social Engineering Tactics

Digital Manipulation Methods

Social engineering begins with research. Attackers scour company websites, social media profiles, and public records to gather information about employees, organisational structure, and internal processes. They use this intelligence to craft convincing impersonation attempts.

Common digital tactics include:

  • Pretending to be new employees who need system access
  • Claiming to be from IT support requiring password verification
  • Posing as senior executives demanding urgent assistance

The pressure tactics they’ll use often involve artificial urgency (‘your account will be deleted in 24 hours’), appeals to authority (posing as a CEO), or threats of consequences for non-compliance.

Physical Site Engineering

Physical intrusion attempts are also becoming increasingly sophisticated. Attackers may pose as delivery drivers, maintenance workers, job applicants, or visiting consultants. They often carry props like clipboards, uniforms, or fake identification badges to appear legitimate.

Tailgating remains one of the most effective physical social engineering tactics. Attackers simply follow authorised personnel through secure doors, often carrying coffee or packages to appear like fellow employees. Most of us instinctively hold doors open for others, making this technique surprisingly successful.

Pretexting and Impersonation

Skilled social engineers create elaborate backstories to justify their requests. They might claim to be conducting security audits, updating employee records, or troubleshooting system issues. These pretexts are carefully crafted to explain why they need access to sensitive information or secure areas.

The most dangerous impersonations involve claims of authority or emergency situations. Attackers might pose as auditors from regulatory bodies, law enforcement officers, or senior executives dealing with urgent crises. These scenarios create additional psychological pressure that can override normal security protocols.

Common Helpdesk Exploits

Password Reset Manipulation

Attackers often pretend to be employees needing password resets or access, using urgent language and pressure tactics. They exploit the helpful nature of IT support staff by creating convincing scenarios about locked accounts, forgotten passwords, or urgent business needs.

These attackers research their targets thoroughly, using publicly available information to make their requests seem legitimate. They might reference recent company announcements, mention specific colleagues by name, or demonstrate knowledge of internal systems to build credibility.

That’s why it’s so important to work with an IT department you know is undertaking regular security awareness training.

Multi-Factor Authentication Bypass

Modern social engineers have developed techniques to bypass MFA protections, too. They use MFA fatigue attacks, repeatedly sending authentication requests until users approve them to stop the notifications. Some attackers call users directly, posing as IT support and walking them through “security updates” that actually compromise their accounts.

SIM-swapping attacks even allow criminals to intercept SMS-based authentication codes by convincing mobile phone providers to transfer phone numbers to attacker-controlled devices.
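The MFA fatigue pattern described above is one of the few social engineering steps that leaves a clean trace in identity-provider logs: a burst of push prompts followed by an approval. The detector below is an added example, not code from the article; the event format, the ten-minute window and the three-prompt threshold are assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of identity-provider push events (not real log data).
# Each record: (ISO timestamp, user, event) with event in
# "push_sent", "push_denied", "push_approved".
SAMPLE_EVENTS = [
    ("2024-06-03T02:14:05", "j.doe", "push_sent"),
    ("2024-06-03T02:14:09", "j.doe", "push_denied"),
    ("2024-06-03T02:14:31", "j.doe", "push_sent"),
    ("2024-06-03T02:14:58", "j.doe", "push_sent"),
    ("2024-06-03T02:15:20", "j.doe", "push_sent"),
    ("2024-06-03T02:15:44", "j.doe", "push_sent"),
    ("2024-06-03T02:16:02", "j.doe", "push_approved"),
    ("2024-06-03T09:00:00", "a.smith", "push_sent"),
    ("2024-06-03T09:00:04", "a.smith", "push_approved"),
]

WINDOW = timedelta(minutes=10)  # hypothetical tuning values, not from the article
MAX_PROMPTS = 3

def detect_mfa_fatigue(events, window=WINDOW, max_prompts=MAX_PROMPTS):
    """Return {user: finding} for every user who received more than
    max_prompts push prompts inside a sliding `window`. The finding records
    the prompt count and whether a prompt was approved after the burst,
    which is the point at which the account should be treated as compromised."""
    prompts = defaultdict(list)
    findings = {}
    for ts, user, event in sorted(events):   # ISO strings sort chronologically
        now = datetime.fromisoformat(ts)
        if event == "push_sent":
            recent = [t for t in prompts[user] if now - t <= window] + [now]
            prompts[user] = recent
            if len(recent) > max_prompts:
                finding = findings.setdefault(
                    user, {"prompts": 0, "approved_after_burst": False})
                finding["prompts"] = len(recent)
        elif event == "push_approved" and user in findings:
            # an approval after a prompt storm is the fatigue attack succeeding
            findings[user]["approved_after_burst"] = True
    return findings
```

A single legitimate prompt-and-approve sequence (a.smith) produces no finding, while j.doe's five prompts in two minutes followed by an approval is reported as a successful burst.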

Urgency and Authority Exploitation

Attackers often create artificial time pressure to prevent careful consideration of requests. They might claim that systems need immediate updates, accounts require urgent verification, or security incidents demand immediate action.

This urgency causes what’s known as ‘cognitive tunnelling’, where you focus so acutely on the task directly in front of you that you miss other key information – for example, the fact that your company handbook clearly states that no financial information will be requested via email without secondary verification. This is why people you would never expect can end up bypassing normal verification procedures.

In addition, appeals to authority exploit staff members’ (especially newer staff members’) natural deference to senior management. Attackers claiming to be executives, board members, or important clients can often obtain assistance that would normally require additional verification.

Physical Security Vulnerabilities

Reception Area Weaknesses

Reception areas are one of your most important security checkpoints, yet many organisations fail to train front desk staff to do anything more than greet whoever enters with a smile. Attackers exploit this by presenting convincing cover stories, fake appointments, or claims about forgotten access cards.

Effective reception security requires staff who understand the importance of verification procedures and feel that they can ask visitors questions without fear of seeming unhelpful or rude.

Tailgating Prevention Challenges

Preventing tailgating requires both technical controls and cultural change. While security doors and access card systems provide basic protection, they cannot prevent authorised users from allowing unauthorised access.

Creating a security-conscious culture where employees feel comfortable challenging unfamiliar faces requires ongoing training and leadership support. Staff need to understand that security verification takes precedence over sparing a guest a moment’s inconvenience.

Vendor and Visitor Management

Legitimate vendors and visitors create opportunities for social engineers to blend in. Attackers might pose as delivery drivers, maintenance workers, or consultants to gain building access.

Robust visitor management systems should verify all appointments, require photo identification, provide temporary access credentials, and ensure escorts accompany visitors in sensitive areas.

Red Flags and Warning Signs

Behavioural Indicators

Suspicious behaviour often provides early warning of social engineering attempts. Key indicators include:

  • Excessive nervousness
  • Reluctance to provide identification
  • Vague job titles or company affiliations
  • Unusual urgency about accessing specific areas or information

Physical indicators might include:

  • Inappropriate clothing for claimed roles
  • Lack of proper equipment or identification
  • Unfamiliarity with standard procedures or terminology

Communication Patterns

Social engineering communications often contain specific patterns that trained staff can recognise. These include appeals to authority, artificial urgency, requests for information that should already be known, and resistance to standard verification procedures.

Email and phone communications might include generic greetings, pressure tactics, unusual sender addresses, or requests to bypass normal procedures for “special circumstances”.

Access Request Anomalies

Unusual access requests deserve special scrutiny. These might include requests for access beyond normal job requirements, attempts to access multiple systems simultaneously, or requests that arrive outside normal business hours.

Patterns of requests that escalate quickly, involve multiple staff members, or claim emergency situations should trigger additional verification steps.
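The indicators in the two sections above (access beyond the role, several systems at once, out-of-hours timing, approaching several agents, urgency, authority and bypass language) can be turned into a simple triage score for helpdesk tickets. This is an added example, not code from the article; the role entitlements, phrase lists, business hours and tickets are all constructed.

```python
from dataclasses import dataclass
from datetime import datetime

# Hypothetical role-to-system entitlements and phrase lists (constructed here).
ROLE_SYSTEMS = {"claims_handler": {"claims_portal", "email"},
                "it_support": {"claims_portal", "email", "ad_admin", "vpn"}}
PHRASES = {
    "artificial urgency": ("urgent", "immediately", "right now", "locked out"),
    "appeal to authority": ("ceo", "director", "on behalf of"),
    "asks to bypass procedure": ("just reset", "no time for", "special circumstances"),
}

@dataclass
class AccessRequest:
    ticket_id: str
    requester: str
    role: str
    systems: set
    submitted: datetime
    text: str
    agents_contacted: int = 1  # helpdesk staff this requester has approached today

def score_request(req, business_hours=(8, 18)):
    """Return (score, reasons): one point per indicator from the article."""
    reasons = []
    allowed = ROLE_SYSTEMS.get(req.role, set())
    if not req.systems <= allowed:
        reasons.append("systems beyond role: " + ", ".join(sorted(req.systems - allowed)))
    if len(req.systems) > 1:
        reasons.append("multiple systems in one request")
    out_of_hours = not business_hours[0] <= req.submitted.hour < business_hours[1]
    if out_of_hours or req.submitted.weekday() >= 5:
        reasons.append("submitted outside business hours")
    if req.agents_contacted > 1:
        reasons.append(f"approached {req.agents_contacted} helpdesk agents")
    low = req.text.lower()
    reasons += [label for label, words in PHRASES.items() if any(w in low for w in words)]
    return len(reasons), reasons

# Constructed sample tickets: a routine reset and one that hits every indicator.
SAMPLE_REQUESTS = [
    AccessRequest("T-1001", "p.jones", "claims_handler", {"claims_portal"},
                  datetime(2024, 6, 4, 10, 15), "Password expired, please reset when convenient."),
    AccessRequest("T-1002", "p.jones", "claims_handler", {"claims_portal", "ad_admin", "vpn"},
                  datetime(2024, 6, 4, 22, 40), "URGENT: the CEO needs this right now, "
                  "just reset it, no time for callbacks.", agents_contacted=3),
]

def triage(requests, threshold=2):
    """Tickets whose score reaches the threshold and so need extra verification."""
    return {r.ticket_id: score_request(r) for r in requests if score_request(r)[0] >= threshold}
```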

Building Effective Defences

Staff Training Programmes

Comprehensive security awareness training must address both digital and physical social engineering tactics. Training should include realistic scenarios, regular updates about emerging threats, and clear guidelines for verification procedures.

Effective programmes combine formal training sessions with ongoing awareness campaigns, simulated attacks, and regular reminders about security protocols. Training should be role-specific, with reception staff, IT helpdesk teams, and executives all receiving targeted guidance.

Top tip: Don’t run training sessions on a Friday. 70% of training content is forgotten within a day, meaning by the time Monday rolls around, everything your employees have learnt will be a distant memory.

Verification Protocols

Multi-step verification procedures create multiple opportunities to detect social engineering attempts. These protocols should require verification of identity through multiple channels before granting access or assistance.

For helpdesk requests, verification might include callback procedures using known phone numbers, supervisor approval for sensitive changes, and documentation requirements for access modifications. Physical access should require valid identification, appointment confirmation, and escort assignments.
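The helpdesk protocol above (callback to a known number, supervisor approval for sensitive changes, a written record) can be expressed as a small decision function so that no agent has to remember the steps under pressure. This is an added example rather than the article's own procedure; the directory, the set of sensitive changes and the phone numbers (Ofcom reserved drama ranges) are constructed.

```python
from dataclasses import dataclass, field

# Constructed HR directory. The helpdesk rings ONLY the number held here and
# never a number the caller offers; the caller's number is recorded, not used.
DIRECTORY = {
    "p.jones": {"phone": "+44 20 7946 0101", "manager": "r.patel"},
    "r.patel": {"phone": "+44 20 7946 0102", "manager": "c.lee"},
}
# Changes that additionally need the line manager's approval (assumed list).
SENSITIVE_CHANGES = {"mfa_reset", "mfa_device_enrol", "privileged_group_add"}

@dataclass
class ResetRequest:
    user: str
    change: str                  # e.g. "password_reset", "mfa_reset"
    caller_offered_number: str   # number the caller asked us to ring back on
    callback_answered: bool      # did the account holder answer the directory number?
    supervisor_approved_by: str = ""

@dataclass
class Decision:
    allowed: bool
    audit: list = field(default_factory=list)  # the documentation trail

def authorise(req: ResetRequest) -> Decision:
    """Apply callback, supervisor-approval and documentation rules in order."""
    d = Decision(allowed=False)
    entry = DIRECTORY.get(req.user)
    if entry is None:
        d.audit.append("denied: requester not in directory")
        return d
    if req.caller_offered_number != entry["phone"]:
        d.audit.append("note: caller offered a number differing from the directory; ignored")
    d.audit.append(f"callback placed to directory number {entry['phone']}")
    if not req.callback_answered:
        d.audit.append("denied: callback not answered by account holder")
        return d
    if req.change in SENSITIVE_CHANGES:
        if req.supervisor_approved_by != entry["manager"]:
            d.audit.append(f"denied: {req.change} needs approval from {entry['manager']}")
            return d
        d.audit.append(f"supervisor approval recorded from {entry['manager']}")
    d.allowed = True
    d.audit.append(f"approved: {req.change} for {req.user}")
    return d
```

The audit list is what gets attached to the ticket, so a later investigation can see which number was rung and who approved the change.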

Technology Solutions

While social engineering primarily targets human vulnerabilities, technology can provide valuable support. Access control systems, visitor management platforms, and identity verification tools create barriers that attackers must overcome.

Modern solutions include biometric authentication, behaviour analysis systems, and artificial intelligence tools that can detect unusual patterns in access requests or communication attempts.

AI-Enhanced Options

AI-powered visitor management systems strengthen identity verification by comparing photos against employee databases and flagging unknown individuals. These systems detect suspicious behaviour like loitering or multiple entry attempts.

Smart booking platforms require advance registration with photo uploads and sponsor verification. AI analysis can then identify unusual patterns like extended visits or off-hours access attempts.

Keep in mind that if you’re implementing biometric systems, you’ll have to balance security benefits with privacy compliance rules.

Creating a Security Culture

Building effective defences requires organisational commitment to security awareness. Leadership should model security-conscious behaviour, support staff who ask verification questions, and recognise that security procedures protect business operations.

Regular communication about security threats, success stories from prevented attacks, and clear escalation procedures help maintain awareness without creating paranoia or fear.

Working with Security Partners

Managed Service Providers

Many insurance companies work with managed service providers (MSPs) to supplement internal capabilities. These partnerships should include social engineering awareness as part of comprehensive security programmes.

Regular coordination between internal teams and security partners ensures consistent messaging, coordinated response procedures, and appropriate escalation protocols.

What Your Employees Should Know

Verification Requirements

All staff should understand when and how to verify identity before providing assistance or access. This includes knowing which types of requests require additional approval, how to contact supervisors for guidance, and appropriate responses to pressure tactics.

Clear guidelines help staff feel confident about asking verification questions without seeming rude or obstructive.

Escalation Procedures

Staff need to know when and how to escalate suspicious situations to security teams or management. Clear procedures should specify contact information, documentation requirements, and appropriate responses while waiting for assistance.

Reporting Mechanisms

Encouraging reporting of suspicious activities requires clear procedures, protection against retaliation, and recognition for staff who identify potential threats. Make reporting as simple as possible and provide feedback about investigation results when appropriate.

Personal Security Awareness

Employees should understand how their personal information might be used in social engineering attacks. This includes awareness of what information they share on social media, understanding of pretexting tactics, and knowledge of how attackers research their targets.

The Bottom Line

Your employees are your strongest defence against social engineering attacks, but they’re also the most vulnerable target. The criminals now targeting insurance companies understand this perfectly – they’re counting on exploiting human trust, helpfulness, and time pressure to bypass your technical security measures.

The key to success lies in recognising that social engineering exploits human nature rather than technical vulnerabilities. While technology provides important support, the primary defence involves educating staff, establishing clear procedures, and creating environments where security verification is valued rather than seen as an obstacle.

To talk to us about strengthening your cyber security posture, get in touch today.