Thursday, July 10, 2025
Latest:
ZDNet | Security

Someone used AI to impersonate a secretary of state – how to make sure you’re not next

TH Author
gettyimages-2223532443

Andrew Harnik/Getty Images

AI has proven itself to be a huge security risk — even US government officials aren’t safe.

The Washington Post reported Tuesday that an unknown individual used AI to pose as Secretary of State Marco Rubio and contact “at least five government officials, including three foreign ministers, a US governor, and a member of Congress.” The individual used the Signal app to send these officials voice and text messages crafted with AI to mimic Rubio. 

Also: Best data removal services: Delete yourself from the internet

The Post gained access to a State Department cable dated July 3 that indicated the impersonator started trying to access privileged accounts and information sometime in mid-June, when they created a Signal account under the name “Marco.Rubio@state.gov” — which is not the Secretary’s email address. 

The State Department did not confirm to the Post specifically what AI tool the impersonator used. 

“The actor left voicemails on Signal for at least two targeted individuals and in one instance, sent a text message inviting the individual to communicate on Signal,” the cable clarified, adding that Rubio was not the only official impersonated. It also noted that other State Department personnel were impersonated using email. 

Also: The best identity theft protection and credit monitoring services of 2025

Signal was the subject of much scrutiny earlier this year when Defense Secretary Pete Hegseth used it to discuss classified military strike plans with other officials and inadvertently added Jeffrey Goldberg, editor-in-chief of The Atlantic, to the chat. While Signal is encrypted end-to-end, several defense officials considered the chat a serious security breach and noted that Signal is not sufficient for such sensitive government information. 

Protect yourself from AI cyberthreats 

Whether you’re using Signal or not, what happened to Rubio and other government officials is similar to a common security concern: business email compromise (BEC) — when fraudulent actors impersonate known employees or company leaders using their email accounts. 

Passkeys could be a solution to protecting against phishing and BEC attempts, as they limit the ways hackers could strike by reducing opportunities for information leaks. Unlike traditional passwords, “passkeys are a form of Zero Knowledge Authentication,” ZDNET’s David Berlind explained. “The relying party has zero knowledge of your secret, and in order to sign in to a relying party, all you have to do is prove to the relying party that you have the secret in your possession.”

Also: How passkeys work: The complete guide to your inevitable passwordless future

However, the added layer of AI voice cloning can be more convincing than an email and often harder to protect against.

“AI voice cloning scams are dangerously convincing. All it takes is a five-second clip of your voice — usually downloaded from social media — and scammers can clone it to commit fraud,” said Michael Scheumack, chief innovation officer at IdentityIQ, an identity theft monitoring platform. He spoke to ZDNET about how to avoid falling victim to an AI voice scam and what you can do to protect yourself from having your voice cloned.

Also: AI phone scams sound scary real. Do these 5 things to protect yourself and your family

Here are his top tips: 

  • For starters, limit what you share online. “Scammers use public data and social media audio to build convincing voice clones,” Scheumack noted. “The less they have, the harder it is to imitate you.”
  • Verify a suspicious call immediately. “If you receive a call from a loved one asking for money or personal information, especially if the call has a sense of urgency and seems suspicious, hang up and call them back directly,” Scheumack advised. “You can also establish a ‘family password’ that only you and your loved ones know that acts as a verification code for authentication that you’re actually speaking to your family member.”
  • Invest in an identity protection service. “They are the first line of defense to protect your identity by monitoring for signs of fraud across your financial accounts, credit reports, and personal data,” Scheumack noted. These are some of ZDNET’s recommended options. 

Get the morning’s top stories in your inbox each day with our Tech Today newsletter.

READ MORE HERE