EXPEL BLOG

Scattered Spider’s heightened activity—here’s the 411


· 2 MIN READ · AARON WALTON · JUN 20, 2025 · TAGS: Guidance / in the media

TL;DR

  • Threat group Scattered Spider is in the news again for an increasing volume of attacks against financial services and insurance targets, in addition to its usual targets across various industries
  • Expel has been tracking Scattered Spider’s movements for a few years now, and remains vigilant against their common tactics to protect our customers
  • Be cognizant of your password reset process and monitor unusual requests, authentications, and MFA device additions carefully, especially in finance and insurance

The threat group Scattered Spider is making waves in the news cycle once again, ringing alarm bells for security teams across industries. We’re sharing context around who they are and what we’ve seen firsthand to help operators better understand what they’re up against, starting with the “who.”

The name Scattered Spider comes from CrowdStrike’s threat actor naming convention, which uses “Spider” to indicate a cybercriminal group (as opposed to a nation-sponsored entity). “Scattered” represents their decentralized nature.

The actors behind Scattered Spider are one part of a larger group of English-speaking cybercriminals who refer to themselves as “The Community” or “The Com.” The group consists of one to two thousand members, mostly males between the ages of 16 and 25. Members tend to specialize in SMS phishing and SIM card swapping. Some of these offshoot groups—such as Scattered Spider—are also known for physical violence, with members engaging in reckless and/or illegal activity to gain clout within the group. When it comes to cyber attacks, the actors favor harassment, attempting to show the same bravado without regard for others.

They originally made headlines for their involvement in a ransomware attack against MGM and Caesars in 2023. More recently, in May 2025, researchers attributed multiple cyber incidents against popular UK retailers to the group. Since then, multiple reports confirm that Scattered Spider is shifting its focus back to the financial services and insurance industry, while still targeting multiple other industries.

What have we seen?

At Expel, we’ve seen the actor target organizations in our customer base over the last few years. In 2024, Scattered Spider primarily leveraged credential harvesting web pages and sent SMS messages to trick users into entering their credentials. Once the credentials were stolen, the actors would attempt to access the environment within a few minutes. In 2025, Scattered Spider shifted to targeting organizations by calling the IT help desk. In this style of attack, the attacker calls the help desk impersonating a user and asks for that user’s password to be reset, in some cases going so far as to spoof the victim organization’s phone number. If the password is reset, the actors may use SIM swapping or MFA push-fatigue attacks to gain access to the account. If they’re successful, the attackers register their own MFA devices to retain access.

What can we do?

It’s important to strengthen and monitor authentication processes. When organizations implement strong authentication policies, like requiring all authentications to originate from managed devices, they can stop attacks dead in their tracks. We’ve seen it happen.

Policies—especially during this time of heightened activity—should also be placed around the password reset process. These actors are notoriously well-informed about the victims they impersonate to complete knowledge-based authentication (like questions about their manager or role). Expel monitors anomalies in a user’s authentications, such as logging in from a new location, resetting passwords, and adding MFA methods, but for orgs hoping to keep Scattered Spider out of their environments—and keep themselves out of the headlines—robust procedures and policies can serve as powerful preventative measures.
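The sequence described above (help-desk password reset, then an MFA device registered from somewhere the user has never signed in from) can be correlated directly in identity-provider logs. The following detection sketch is an added example, not Expel’s code or tooling; the event names, fields and log records are constructed for illustration, and a real deployment would map them to the identity provider’s actual audit schema.

```python
from datetime import datetime, timedelta

# Constructed sample events from a hypothetical identity provider (not real logs).
# "login" events establish where a user normally signs in from.
EVENTS = [
    {"ts": "2025-06-18T08:00:00", "user": "alice", "event": "login", "ip": "203.0.113.10"},
    {"ts": "2025-06-18T09:05:00", "user": "alice", "event": "password_reset", "ip": "198.51.100.7"},
    {"ts": "2025-06-18T09:12:00", "user": "alice", "event": "mfa_push_approved", "ip": "192.0.2.55"},
    {"ts": "2025-06-18T09:14:00", "user": "alice", "event": "mfa_device_added", "ip": "192.0.2.55"},
    {"ts": "2025-06-18T10:00:00", "user": "bob", "event": "login", "ip": "203.0.113.20"},
    {"ts": "2025-06-18T10:30:00", "user": "bob", "event": "password_reset", "ip": "198.51.100.7"},
    {"ts": "2025-06-18T10:40:00", "user": "bob", "event": "mfa_device_added", "ip": "203.0.113.20"},
]

WINDOW = timedelta(hours=1)  # how long after a reset the account stays under watch


def parse_ts(ts):
    return datetime.fromisoformat(ts)


def baseline_ips(events, user, before):
    """IPs the user logged in from before `before` (the user's normal footprint)."""
    return {e["ip"] for e in events
            if e["user"] == user and e["event"] == "login" and parse_ts(e["ts"]) < before}


def find_suspicious_resets(events, window=WINDOW):
    """One alert per password reset that is followed, within `window`, by an
    MFA device registration from an IP the user has never logged in from."""
    events = sorted(events, key=lambda e: e["ts"])  # ISO timestamps sort as strings
    alerts = []
    for i, reset in enumerate(events):
        if reset["event"] != "password_reset":
            continue
        t0 = parse_ts(reset["ts"])
        known = baseline_ips(events, reset["user"], t0)
        for follow in events[i + 1:]:
            if parse_ts(follow["ts"]) - t0 > window:
                break  # events are time-ordered; nothing later is inside the window
            if follow["user"] != reset["user"]:
                continue
            if follow["event"] == "mfa_device_added" and follow["ip"] not in known:
                alerts.append({"user": reset["user"], "reset_at": reset["ts"],
                               "mfa_added_at": follow["ts"], "new_ip": follow["ip"]})
    return alerts


if __name__ == "__main__":
    for a in find_suspicious_resets(EVENTS):
        print(f"ALERT {a['user']}: reset at {a['reset_at']}, MFA device added at "
              f"{a['mfa_added_at']} from unfamiliar IP {a['new_ip']}")
```

Bob’s reset is followed by an MFA enrollment from his usual address and produces no alert, while Alice’s enrollment from an address outside her login history does; in practice the baseline would come from weeks of login history rather than a single event.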