The FBI is warning of a new spear phishing campaign where cybercriminals are using AI-generated voice and text messages to impersonate US senior officials – known as vishing and smishing – all to target other former US government officials.
The Federal Bureau of Investigation (FBI) published an alert on Thursday, warning the public of the three-pronged social engineering campaign, which was first observed in April.
Apparently, the threat actors behind the ruse are said to be specifically targeting former senior US federal or state government officials, as well as their contacts, in hopes of gaining access to their personal accounts, such as email and phone contacts, and even to solicit funds and sensitive information.
The malicious actors are conducting the spear phishing attacks using two social engineering tactics, vishing and smishing, to gain the victims' trust under false pretenses.
In spear phishing, attackers will first selectively choose a victim and then proceed to gather details about them, often using open-source information from the web, to craft a personalized attack.
“If you receive a message claiming to be from a senior US official, do not assume it is authentic,” the FBI warns.
The #FBI #IC3 is warning the public to beware of an ongoing smishing and vishing campaign. The technique involves sending bogus text messages and AI-generated voice messages that impersonate senior U.S. officials. Learn more here: https://t.co/RwrC0kYpvz pic.twitter.com/kdHsq4PrPK
undefined FBI Los Angeles (@FBILosAngeles) May 15, 2025
Max Gannon, Intelligence Manager at Cofense, said Thursday's FBI alert highlights the growing threat of deceptive text messages and AI-generated voice calls. “Threat actors are increasingly turning to AI to execute phishing attacks, making these scams more convincing and nearly indistinguishable from legitimate communication,” he said.
As for traditional phishing attacks, Gannon noted that Cofense has observed a 70% increase in Business Email Compromise (BEC) attacks from 2023 to 2024, which he also attributes to the increased use of AI.
Attackers try to build rapport wth victims
In this particular campaign, the vishing attacks target the victim with a voicemail impersonating a US official – presumably one the victim would know, or at least not be surprised about being contacted by.
The FBI says the smishing attacks - in which a text message claiming to be a US senior official is sent to the victim – follow the same strategy by attempting to establish some sort of rapport with the victim.
The fake voice messages are most likely generated using an AI-voice cloning tool, while spoofing software is often used to generate phone numbers not attributed to a specific mobile phone or subscriber, both of which are readily available online, the FBI said.
Gannon said it is important to note that “threat actors can also spoof known phone numbers of trusted organizations or people, adding an extra layer of deception to the attack.”
Additionally, Gannon pointed out that phone filtering does not typically detect when a number is being spoofed, “giving a false sense of security to users who rely on their phones to tell them when something is a scam call.”
The FBI said it observed the threat actors gaining access to the victim accounts "by sending targeted individuals a malicious link under the guise of transitioning to a separate messaging platform," another common tactic used in spear phishing attacks.
The bad actors gaining access to the personal or government accounts of US officials can lead to further targeted attacks simply by using the information found in previous correspondence. These attacks can target other government officials, as well as the victim’s contacts or associates, the FBI said.
Gannon explained that while email and SMS phishing are more commonly recognized, vishing remains "an under-the-radar yet equally dangerous threat."
"As phone and remote communications become more integral to our daily lives, individuals must remain vigilant to these manipulation tactics to protect their sensitive information," he said.
How to protect yourself
The FBI has provided several tips to help individuals avoid becoming victims of these types of social engineering attacks, including how to identify a suspicious message and protect your personal information.
To spot a fake message, the FBI says to always:
- Verify the identity of the person calling you or sending text or voice messages.
- Carefully examine the email address; messaging contact information, including phone numbers; URLs; and spelling used in any correspondence or communications.
- Look for subtle imperfections in images and videos, ie. distorted hands or feet, unrealistic facial features, unrealistic accessories, inaccurate shadows, watermarks, voice call lag time, voice matching, and unnatural movements.
- Listen closely to the tone and word choice to distinguish between a legitimate phone call or an AI generated message from a known contact.
The FBI also reminds the public to never share sensitive information or an associate's contact information with someone you have only met online or over the phone. That includes sending money, gift cards, cryptocurrency, or other assets.
Furthermore, do not click on any links, open an attachment, or download anything in an email or text message unless you independently confirm the sender's identity, and always use two-factor (or multi-factor) authentication on accounts that offer it.
To be extra secure, the FBI said you can even create a secret word or phrase with your family members and friends to verify their identities.
When in doubt, the agency said to contact your relevant security officials or your local FBI offices for help. To make an online fraud complaint or report other suspicious activity, contact the FBI’s Internet Crime Complaint Center at www.ic3.gov.
Last month, the FBI warned that cybercriminals impersonating agents from the IC3 were targeting unsuspecting victims and offering to help them recover lost funds, but were stealing their financial information instead.
Your email address will not be published. Required fields are markedmarked