Threatonomics Newsletter: July

Scattered Spider's Industry-Focused Strategy

The cybersecurity landscape has evolved dramatically, and one threat actor exemplifies this dangerous shift: Scattered Spider. Unlike traditional cybercriminals who cast wide nets with automated attacks, this sophisticated group employs real-time social engineering tactics that rival nation-state operations—and they're targeting entire industries at once.

Recent intelligence indicates Scattered Spider may have been targeting insurance companies as the July 1st transition date approached. This follows their devastating pattern of vertical-focused attacks:

  • UK Retail (2025): Coordinated attacks causing £3.8 million in daily losses for M&S alone
  • Gaming (2024): Systematic casino breaches across multiple operators
  • Insurance (2025): Insurance sector targeting during critical business periods
  • Possible Current Focus: Aviation ahead of the summer travel season

The key concern: When Scattered Spider hits an industry, they target the entire sector simultaneously, creating systemic risk that affects competitors, vendors, and customers alike.


How They're Bypassing Your Security

Scattered Spider has weaponized the very trust mechanisms organizations rely on for protection:

Advanced IT Impersonation

"Hi Sarah, this is Mike from IT. We're seeing account issues and need you to re-authenticate." They use LinkedIn profiles and corporate websites to make impersonation convincing, referencing internal systems and recent company announcements.

SIM Swapping + MFA Fatigue

By redirecting phone numbers to attacker-controlled devices, they bypass SMS authentication while flooding victims with MFA requests and calling as "IT support" to guide approval.

Insider Recruitment

They actively recruit company insiders through forums and social media, offering substantial payments for credentials, system access, or authentication bypass assistance.


Building Resilient Defenses

Technical Foundations

  • Phishing-resistant MFA: Deploy FIDO2-compliant physical security keys
  • Zero trust architecture: Assume no user or system is trustworthy by default
  • Real-time monitoring: Detect unusual access patterns as they happen
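
An added example, not part of the original newsletter: one way to turn "real-time monitoring" into a concrete check for the MFA fatigue pattern described above. It flags a burst of denied or timed-out push prompts and escalates when an approval follows. The event format, field names, threshold and window are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (assumed format): ISO time, user, push result.
SAMPLE_EVENTS = [
    ("2025-07-01T09:00:05", "sarah", "denied"),
    ("2025-07-01T09:00:40", "sarah", "timeout"),
    ("2025-07-01T09:01:10", "sarah", "denied"),
    ("2025-07-01T09:01:55", "sarah", "timeout"),
    ("2025-07-01T09:02:30", "sarah", "approved"),  # approval right after a burst
    ("2025-07-01T09:05:00", "mike", "denied"),     # one mistap, then a normal login
    ("2025-07-01T09:05:20", "mike", "approved"),
    ("2025-07-01T08:00:00", "ana", "denied"),      # failures spread over an hour
    ("2025-07-01T08:20:00", "ana", "denied"),
    ("2025-07-01T08:40:00", "ana", "denied"),
    ("2025-07-01T09:00:00", "ana", "denied"),
    ("2025-07-01T09:10:00", "ana", "approved"),
]

def detect_mfa_fatigue(events, threshold=4, window=timedelta(minutes=10)):
    """Alert on >= threshold failed pushes per user inside a sliding window.

    "medium": the burst itself. "high": an approval arrives while the burst
    is still inside the window, i.e. the user may have given in.
    """
    failures = defaultdict(deque)  # user -> timestamps of recent failed pushes
    alerts = []
    for ts_raw, user, result in sorted(events):  # ISO strings sort by time
        ts = datetime.fromisoformat(ts_raw)
        recent = failures[user]
        while recent and ts - recent[0] > window:
            recent.popleft()  # drop failures that aged out of the window
        if result in ("denied", "timeout"):
            recent.append(ts)
            if len(recent) == threshold:
                alerts.append({"user": user, "severity": "medium",
                               "failed": len(recent), "at": ts_raw})
        elif result == "approved":
            if len(recent) >= threshold:
                alerts.append({"user": user, "severity": "high",
                               "failed": len(recent), "at": ts_raw})
            recent.clear()  # a completed login resets the user's counter
    return alerts

if __name__ == "__main__":
    for alert in detect_mfa_fatigue(SAMPLE_EVENTS):
        print(alert)
```

A "high" alert is a natural trigger for contacting the user through a second, independent channel before the session is trusted.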

Human-Centered Security

  • Out-of-band verification: Require multiple communication channels for IT requests
  • Targeted training: Focus on help desk staff and privileged users
  • Questioning culture: Make it safe for employees to verify suspicious requests


What Leaders Should Do Today

Immediate Actions:

  1. Audit your MFA implementation—is it truly phishing-resistant?
  2. Review help desk procedures for identity verification
  3. Assess third-party access controls and monitoring
  4. Test incident response plans for social engineering scenarios

Strategic Planning:

  • Invest in human-centered security training
  • Review cyber insurance for social engineering coverage
  • Plan for industry-wide attack scenarios in business continuity


The Bottom Line

The threat landscape has fundamentally shifted. Scattered Spider represents a new class of cybercriminal that combines nation-state sophistication with organized crime profit motivation. Their industry-focused approach means when they come for your sector, they're coming for everyone at once.

The organizations that survive will be those that build defenses designed for human-centered attacks, not just technical ones.


Thank you for reading. Before you go...

Did you enjoy this month’s issue? Let us know your thoughts in the comments below. Also, don’t forget to subscribe so you don’t miss our next issue. For more trends and insights from Cyber Resilience experts, follow our LinkedIn page for weekly blog posts, risk intelligence insights, and more!

Want more content like this? Explore the Threatonomics blog for insights on threat trends, risk management strategies, and lessons for building organizational cyber resilience.
