Unify Security Operations
Go Back

Unify Security operations

Reduce Alert Noise and False Positives

Automate Security Operations

Dark Web Monitoring

Maximize Existing Security Investments

Beyond MDR

Secure Multi-Cloud Environments

Secure Mergers and Acquisitions

Secure Operational Technology

Eliminate Mundane SecOps Tasks

Unify Your Security Operations

Whether you’re starting your security journey, need to up your game, or you’re not happy with an existing service, we can help you to achieve your security goals.
Explore Our Solutions
Why ReliaQuest
Go Back

The ReliaQuest GreyMatter Platform

Detection Investigation Response

Threat Hunting

Threat Intelligence

Model Index

Automated Response Playbooks

Breach and Attack Simulation

Digital Risk Protection

Phishing Analyzer

Technology Partners

AI Agent for SecOps

Why ReliaQuest?

Whether you’re starting your security journey, need to up your game, or you’re not happy with an existing service, we can help you to achieve your security goals.
Explore the GreyMatter Platform
Learn
Go Back

Learn

Blog

Threat Research

Case Studies

Data Sheets

eBooks

Industry Guides

Research Reports

ShadowTalk Podcast

Solution Briefs

White Papers

Videos

Events & Webinars

ReliaQuest Resource Center

From prevention techniques to emerging security trends, our comprehensive library can arm you with the tools you need to improve your security posture.
Resource Center
Company
Go Back

Company

About ReliaQuest

Leadership

No Show Dogs Podcast

Make It Possible in the Community

Careers

Press and Media Coverage

Become a Technology Partner

Contact Us

A Mindset Like No Other in the Industry

Many companies tout their cultures; at ReliaQuest, we share a mindset. We focus on four values every day to make security possible: being accountable, helpful, adaptable, and focused. These values drive development of our platform, relationships with our customers and partners, and further the ReliaQuest promise of security confidence across our customers and our own teams.
Search
Go Back

Back to blog

Report Finds 50% of Scattered Spider Phishing Domains Targeted Finance & Insurance

Alex Capraro 22 January 2025

person in business attire writing on a document or tablet

infographic highlighting top attack technique from first half of 2024

We’re thrilled to unveil our latest threat landscape report for the finance and insurance sector, offering in-depth analysis of the evolving cyber threats facing this industry.

In this blog, we’ll preview the report’s highlights and give insights into social engineering campaigns leveraging impersonating domains and our predictions for the threats shaping 2025.

Phishing Remains Top Tactic, Fueled by Teams Abuse

bar chart comparing the prevalence of various cyberattack techniques between H2 2023 and H2 2024 Figure 1: Top attack techniques in true-positive customer incidents for finance & insurance sector, H2 2024 vs H2 2023

Phishing dominated cyber attacks in H2 2024, accounting for over 90% of incidents across industries due to its simplicity and effectiveness. Attackers exploited misconfigured Microsoft Teams instances using tools like “TeamsPhisher” to bypass email defenses, with groups like “Black Basta” leveraging this method for months. GreyMatter Phishing Analyzer submissions revealed finance-related keywords such as “request,” “account,” and “payment” as common phishing lures, highlighting the sector’s vulnerability. In this industry, a single compromised account can trigger large-scale phishing campaigns, causing reputational damage, financial losses, and regulatory penalties.

Domain Impersonation: Low-Cost, High-Reward

bar chart comparing the frequency of cybersecurity threats between H2 2023 and H2 2024 Figure 2: Top true-positive alerts for finance and insurance sector, H2 2024 vs H2 2023

Impersonating domains and subdomains remain a persistent threat, especially for GreyMatter Digital Risk Protection (DRP) customers in the finance and insurance sector. In H2 2024, 20–25% of “Scattered Spider’s” impersonating domains targeted finance and insurance sectors, while 25–30% mimicked cryptocurrency platforms, representing 50–55% of their activity. By replicating platforms like single sign-on (SSO) portals or VPNs, hosting the fake sites with bulletproof providers, and using personalized phishing lures, attackers bypass security defenses and gain unauthorized access to critical systems.

The One to Watch: RansomHub

By H2 2024, “RansomHub” surpassed “LockBit” as the most active ransomware group targeting the finance and insurance sector, responsible for 15% of the 150 named victims in the industry. Known for its lucrative 90/10 profit-sharing model, RansomHub exploits the sector’s interconnected systems, sensitive data, and trust-based operations as vulnerabilities. It employs tools like AnyDesk and ScreenConnect for remote access, Nmap and Angry IP Scanner for reconnaissance, and RClone for data exfiltration. Stolen data is weaponized in double-extortion schemes, with ransom demands averaging $6–9 million.

To defend against RansomHub:

Audit and monitor remote-access tools—often used by IT teams in the finance and insurance sector but exploited by RansomHub affiliates—to detect unauthorized use. Limit access to approved applications, enforce strict controls, and set alerts for suspicious activity to protect financial systems.
Deploy advanced data exfiltration controls to block high-value data transfers to cloud platforms in double-extortion schemes. Use DLP tools to flag unusual data flows, restrict cloud storage access, and monitor for exfiltration attempts to prevent fines and reputational damage.
Harden your network against reconnaissance attacks by isolating high-value assets like databases and payment systems. Use early detection tools like honeypots or CanaryTokens to counter attackers using tools like Nmap and Angry IP Scanner.

What’s Next

Impersonating domains, ransomware campaigns by groups like RansomHub and Scattered Spider, and phishing via Microsoft Teams highlight how attackers refine tactics to exploit trust and evade defenses. These methods enable unauthorized access, credential theft, and ransomware deployment, severely disrupting operations and eroding customer trust. With a 152% rise in exploited network-edge vulnerabilities, securing unpatched systems has never been more critical.

Looking ahead to 2025, adopting proactive measures will help organizations address these evolving threats:

Social Engineering Surge

Social engineering attacks are expected to rise, fueled by the use of impersonating domains to steal credentials and infiltrate systems. Scattered Spider has shown the profitability of these tactics, inspiring others to scale them. Organizations should implement domain monitoring, enforce DMARC policies, and train employees to recognize social engineering methods.

Escalating State-Sponsored Threats

With tougher sanctions anticipated, North Korean groups like “Lazarus” are likely to intensify attacks on financial services. To counter these threats, organizations should adopt defense-in-depth strategies with MFA, network segmentation, endpoint protections, and continuous monitoring.

AI Model Poisoning Risks

AI-driven fraud detection systems will face increasing threats from model poisoning attacks aimed at enabling large-scale fraud. To mitigate this, organizations should employ robust data validation, adversarial testing, and real-time monitoring to detect and respond to anomalies.

Resources

Related Blogs

Threat Intelligence | Threat Research

All Blogs

See GreyMatter in Action

Get a live demo of our security operations platform, GreyMatter, and learn how you can improve visibility, reduce complexity, and manage risk in your organization.

Request a Demo

GreyMatter's security operations platform dashboard