Finance and insurance sectors are increasingly in the crosshairs. Over the past month, a wave of cyberattacks has targeted major organizations using sophisticated social engineering techniques to breach internal systems, steal sensitive data, and deploy remote access tools.
These campaigns, many linked to the threat group Scattered Spider, reflect a shift in attacker strategy. Rather than relying solely on malware or brute-force tactics, these actors use real-time impersonation, help desk fraud, and trusted communication platforms to bypass controls and exploit human trust.
In one of the latest campaigns, Scattered Spider has widened its scope, targeting the airline industry in addition to finance and insurance. According to reports, the group is actively engaging in credential harvesting, social engineering, and supply chain exploitation aimed at airline infrastructure and personnel. This follows recent breaches like the one at Hawaiian Financial Federal Credit Union, where attackers impersonated IT staff via Microsoft Teams to gain access through Quick Assist.
Rapid7’s VP of Threat Detection & Response, Jon Hencinski, recently shared how these tactics play out in real time:
“The attacker posed as IT support, gained access through Microsoft Quick Assist, ran recon commands… and deployed RMM tools across other systems.”
Read the full post on LinkedIn.
These are human-first attacks. They succeed not through technical complexity, but by leveraging context, timing, and familiarity.
1. Social engineering isn’t just phishing anymore
Phishing remains a common starting point, but today’s attackers are adapting to business workflows and platform behavior. They use everyday tools like Teams, Slack, and Zoom to impersonate help desk staff, third-party vendors, or even internal colleagues.
In Scattered Spider’s case, the group is known for real-time impersonation tactics and for targeting collaboration platforms. They have successfully posed as IT support to trigger password resets and MFA approvals. Rapid7’s Inside the SOC breakdown of related campaigns shows how quickly these impersonations can lead to access.
Scattered Spider is a loose collective of English-speaking hackers known for their expertise in social engineering. They commonly trick help desks, bypass multi-factor authentication, and gain deep access to corporate environments. Once inside, they steal credentials, escalate privileges, and exfiltrate data. In many cases, they partner with DragonForce, a Ransomware-as-a-Service (RaaS) group. Scattered Spider gains initial access, DragonForce deploys the encryption payloads, and together they combine intrusion with extortion to maximum effect.
These campaigns work because they feel authentic, not because they are technically complex.
2. AI is making attacks more scalable and convincing
Generative AI has changed the game. It allows attackers to create polished phishing emails, spoofed documents, and persuasive messages with little effort. They no longer need deep knowledge of your business - a scrape of LinkedIn and a model prompt can do the rest.
In our blog Retail Under Siege, we explored how attackers mimic trusted entities to breach environments. This same tactic is now being used in insurance and finance, where customer data and financial systems offer high-value returns.
In Rapid7’s Q1 2025 Incident Response Report, Microsoft Teams was identified as a common social engineering vector:
“Threat actors are posing as IT staff and tricking users into installing remote access tools,” Hencinski noted.
3. Real-time platforms are now primary attack vectors
Collaboration platforms give attackers a fast and believable way to engage users. In the Hawaiian Financial FCU case, the attacker struck up a live conversation via Teams, then initiated Quick Assist to take control of the endpoint.
Because these environments are built for speed and trust, they’re ideal for social engineering. And since interactions often seem “routine,” they bypass the suspicion a phishing email might trigger.
Once inside, threat actors move fast. In a recent Black Basta campaign, attackers deployed remote monitoring tools like Syncro RMM and ScreenConnect after gaining access, further reinforcing how social engineering is often a gateway to deeper compromise (Rapid7 analysis blog).
What security teams can do now
Social engineering attacks are evolving rapidly. But there are practical ways to stay ahead:
Map your human attack surface: Identify high-risk roles, over-permissioned users, and likely targets
Test more than just phishing: Run simulations that include impersonation, collaboration tool abuse, and MFA fatigue
Improve detection of behavioural anomalies: Look for login approvals at odd hours, MFA overload, or repeat access requests
Restrict access and review shared accounts: Reduce lateral movement opportunities from compromised identities
Focus on high-frequency, relevant training: Make sure users know what modern impersonation looks and sounds like
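The detection item above (odd-hour approvals, MFA overload, repeat requests) and the remote-tool deployments described earlier are concrete enough to script. The following is an added example, not Rapid7's code or any product's detection logic: it runs three simple checks over a handful of constructed sign-in and endpoint events, then correlates them per user so that a person who trips more than one check rises to the top of the queue. The event schema, the business-hours window and the remote-tool binary names are assumptions for the example; substitute your own identity-provider and EDR telemetry.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (UTC timestamp, user, event, detail). These are
# invented for this example and do not come from any real environment.
SAMPLE_EVENTS = [
    ("2025-06-10T02:14:05", "alice", "mfa_prompt", "push"),
    ("2025-06-10T02:14:40", "alice", "mfa_prompt", "push"),
    ("2025-06-10T02:15:10", "alice", "mfa_prompt", "push"),
    ("2025-06-10T02:16:02", "alice", "mfa_prompt", "push"),
    ("2025-06-10T02:16:30", "alice", "mfa_approved", "push"),
    ("2025-06-10T02:20:00", "alice", "process_start", "quickassist.exe"),
    ("2025-06-10T09:00:00", "bob", "mfa_prompt", "push"),
    ("2025-06-10T09:00:20", "bob", "mfa_approved", "push"),
    ("2025-06-10T14:00:00", "carol", "mfa_prompt", "push"),
    ("2025-06-10T15:30:00", "carol", "mfa_prompt", "push"),
    ("2025-06-10T15:31:00", "carol", "process_start", "outlook.exe"),
]

# Remote-access tools named in the post. The exact binary names are an
# assumption for this example; map them to what your EDR actually reports.
REMOTE_TOOL_PROCESSES = {
    "quickassist.exe",
    "screenconnect.clientservice.exe",
    "syncro.service.exe",
}


def parse(events):
    """Turn ISO timestamps into datetime objects; everything else passes through."""
    return [(datetime.fromisoformat(ts), user, ev, detail) for ts, user, ev, detail in events]


def mfa_fatigue(events, threshold=3, window=timedelta(minutes=5)):
    """Users who received at least `threshold` MFA prompts inside any `window`.

    Returns {user: largest number of prompts seen in one window}. A sliding
    window over the sorted prompt times keeps this linear per user.
    """
    prompts = defaultdict(list)
    for ts, user, ev, _ in parse(events):
        if ev == "mfa_prompt":
            prompts[user].append(ts)
    flagged = {}
    for user, times in prompts.items():
        times.sort()
        best, j = 0, 0
        for i in range(len(times)):
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            best = max(best, j - i)
        if best >= threshold:
            flagged[user] = best
    return flagged


def off_hours_approvals(events, start_hour=7, end_hour=19):
    """MFA approvals outside the assumed business window [start_hour, end_hour) UTC."""
    return [
        (user, ts)
        for ts, user, ev, _ in parse(events)
        if ev == "mfa_approved" and not (start_hour <= ts.hour < end_hour)
    ]


def remote_tool_starts(events):
    """Process starts whose image name matches a known remote-access tool."""
    return [
        (user, detail)
        for _, user, ev, detail in parse(events)
        if ev == "process_start" and detail.lower() in REMOTE_TOOL_PROCESSES
    ]


def run_detections(events):
    """Run all checks and rank users that trip two or more of them."""
    fatigue = mfa_fatigue(events)
    off_hours = off_hours_approvals(events)
    tools = remote_tool_starts(events)
    score = defaultdict(int)
    for user in fatigue:
        score[user] += 1
    for user, _ in off_hours:
        score[user] += 1
    for user, _ in tools:
        score[user] += 1
    return {
        "mfa_fatigue": fatigue,
        "off_hours_approvals": off_hours,
        "remote_tool_starts": tools,
        "priority_users": sorted(u for u, s in score.items() if s >= 2),
    }


if __name__ == "__main__":
    for name, hits in run_detections(SAMPLE_EVENTS).items():
        print(f"{name}: {hits}")
```

On the sample data only alice is flagged by every check: four push prompts in under two minutes, an approval at 02:16 UTC, and Quick Assist starting minutes later, which is the Teams-to-Quick-Assist sequence the Hawaiian Financial FCU case describes. Carol's two prompts ninety minutes apart are not fatigue, and Bob's daytime approval is routine. The correlation step matters more than any single rule: each check alone is noisy, but a user who hits two of them within the same session is worth a call-back through a channel the attacker does not control.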
As we noted in our latest threat blog, even ransomware groups now see social engineering as a more reliable entry point than malware alone.
Trust is the real attack surface
The recent attacks on financial and insurance institutions highlight a simple truth: attackers go where trust lives. And right now, that’s in Teams chats, Zoom calls, and service desk conversations.
Social engineering is no longer a tactic of convenience. It’s a deliberate, strategic first step. Security teams must match that intent with the right controls, visibility, and education, because when an attacker sounds helpful, knows your tools, and asks for something reasonable, the damage often starts before a red flag is ever raised.