The Federal Bureau of Investigation (FBI) has issued a renewed cybersecurity warning as the hacker group known as Scattered Spider continues to expand its attacks across critical US industries, Forbes reports.
The alert follows a surge in two-factor authentication (2FA) bypass attempts and a shift in the group’s focus from retail to the transportation and insurance sectors, including aviation.
The FBI confirmed that Scattered Spider, a financially motivated cybercrime group, is now targeting the airline industry and its broader supply chain. The group's approach relies heavily on social engineering, using impersonation techniques to deceive IT help desks into adding unauthorized devices to compromised accounts, which bypasses the protections offered by 2FA and multi-factor authentication (MFA).
In a statement shared with Forbes and posted to X (formerly Twitter), the FBI said:
“The FBI has recently observed the cybercriminal group Scattered Spider expanding its targeting to include the airline sector.”
The agency is actively collaborating with aviation partners to contain the threat and urges any organization that believes it may have been targeted to contact its local FBI office.
Scattered Spider exploits human vulnerabilities rather than technical weaknesses. According to the FBI and cybersecurity analysts, the group impersonates trusted parties—such as employees, contractors, or IT staff—often during live calls to help desks. These actors are trained with detailed scripts and real-time support, making their deception highly convincing. Once access is granted, attackers request the addition of new MFA devices, which grants them continued control over the target systems.
A June 26 analysis by cybersecurity firm Halcyon flagged the group's expanding focus on sectors such as food production, manufacturing, and transportation, while new reports from Google's Threat Intelligence Group and ReliaQuest point to rising activity in the insurance industry as well.
Scattered Spider has been active for several years and is affiliated with broader cybercrime networks, including The Community and ransomware operators like ALPHV, RansomHub, and DragonForce. The group’s tactics are notable for their professionalism and attention to cultural detail—its members are selected based on language fluency and even accent neutrality to blend in seamlessly with U.S. businesses.
A report from ReliaQuest notes that 81% of domains used by the group impersonate tech vendors, targeting high-value individuals like system administrators and executives. The group also uses phishing frameworks such as Evilginx to facilitate credential theft.
Looking ahead, security researchers anticipate that Scattered Spider may soon incorporate AI-driven methods to refine impersonation strategies and automate interactions with victims.
Although the FBI’s warning centers on aviation and transportation, experts emphasize that the threat is not limited to those industries. Scattered Spider is known to infiltrate supply chains, using smaller or less-secure third-party vendors as stepping stones to reach larger targets. This strategy increases the risk for companies that may not consider themselves high-profile but are indirectly connected to critical infrastructure or enterprise networks.
Jon Abbott, CEO of ThreatAware, warned that the rise in attacks on US insurers is a sign of a broader trend:
“This is a warning for other industries to stay vigilant.”
Richard Orange, a vice president at Abnormal AI, echoed this sentiment, stating that the group “bypasses traditional security controls by manipulating people, such as posing as IT staff or trusted partners.”
In light of the growing threat, cybersecurity professionals urge businesses to:
Review and reinforce 2FA/MFA policies
Train employees to recognize and report social engineering attempts
Implement strict access controls and verification protocols
Ensure third-party vendors follow robust cybersecurity practices
The FBI continues to monitor the situation closely and encourages organizations to maintain a high level of cyber hygiene and skepticism—particularly in interactions involving access credentials and authentication processes.
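The help-desk pattern described above (a caller persuades support staff to add a new MFA device to an account) can be surfaced for review in identity audit logs. The following is an added example, not part of the original report or any FBI guidance: the event schema, the `callback_verified` field and the 30-minute window are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample of identity-provider audit events (hypothetical schema).
EVENTS = [
    {"ts": "2025-01-15T14:02:00", "account": "jdoe", "action": "password_reset",
     "actor": "helpdesk", "device": None, "callback_verified": False},
    {"ts": "2025-01-15T14:09:00", "account": "jdoe", "action": "mfa_device_added",
     "actor": "helpdesk", "device": "phone-B", "callback_verified": False},
    {"ts": "2025-01-15T15:30:00", "account": "asmith", "action": "mfa_device_added",
     "actor": "self", "device": "phone-C", "callback_verified": False},
    {"ts": "2025-01-15T16:00:00", "account": "mlee", "action": "mfa_device_added",
     "actor": "helpdesk", "device": "key-D", "callback_verified": True},
    {"ts": "2025-01-15T09:00:00", "account": "kwong", "action": "password_reset",
     "actor": "helpdesk", "device": None, "callback_verified": True},
    {"ts": "2025-01-15T09:20:00", "account": "kwong", "action": "mfa_device_added",
     "actor": "self", "device": "phone-E", "callback_verified": False},
]

WINDOW = timedelta(minutes=30)  # assumed review window; tune per environment

def flag_mfa_enrollments(events, window=WINDOW):
    """Return (account, device, reasons) for MFA enrollments that need review."""
    events = sorted(events, key=lambda e: e["ts"])  # ISO timestamps sort as text
    last_reset = {}  # account -> time of most recent help-desk password reset
    findings = []
    for e in events:
        ts = datetime.fromisoformat(e["ts"])
        if e["action"] == "password_reset" and e["actor"] == "helpdesk":
            last_reset[e["account"]] = ts
        elif e["action"] == "mfa_device_added":
            reasons = []
            # Device added by support staff with no out-of-band check on record.
            if e["actor"] == "helpdesk" and not e["callback_verified"]:
                reasons.append("helpdesk enrollment without callback verification")
            # Any enrollment that closely follows a help-desk password reset.
            reset = last_reset.get(e["account"])
            if reset is not None and ts - reset <= window:
                reasons.append("enrollment soon after helpdesk password reset")
            if reasons:
                findings.append((e["account"], e["device"], reasons))
    return findings

if __name__ == "__main__":
    for account, device, reasons in flag_mfa_enrollments(EVENTS):
        print(account, device, "; ".join(reasons))
```

Flagged enrollments are candidates for a callback to the account owner on a number already on file, not proof of compromise.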