An unidentified individual used artificial intelligence to impersonate U.S. Secretary of State Marco Rubio, contacting foreign ministers, a U.S. governor, and a member of Congress via voice and text messages, according to a State Department cable first seen by The Washington Post.
The impersonator cloned Rubio’s voice using AI-powered software, then reached out through Signal, the encrypted messaging app favored by many officials for its security. The messages mimicked not only Rubio’s voice but also his writing style.
The display name, “[email protected], wasn’t a real email address, just another layer in a calculated deception.
According to the cable, dated July 3 and distributed to all diplomatic and consular posts, the campaign began in mid-June. The impostor contacted at least five individuals. Three foreign ministers, one U.S. governor, and one member of Congress.
In at least two cases, the actor left voice messages that sounded convincingly like the Secretary of State. In another, a text message invited the recipient to continue the conversation on Signal.
The State Department confirmed it is investigating. In a public statement, the agency said it “continuously takes steps to improve the department’s cybersecurity posture to prevent future incidents.”
No Direct Cyber Threat
“There is no direct cyber threat to the department from this campaign,” the cable noted. “But information shared with a third party could be exposed if targeted individuals are compromised.”
Officials don’t yet know who is behind the impersonation effort. But they suspect the goal was to manipulate senior officials in order to gain access to sensitive information or systems. The tactics (using realistic audio, coupled with encrypted messaging) show how AI can be wielded to exploit trust in both digital identity and communication platforms.
A senior U.S. official told CBS News the campaign was “not very sophisticated” and ultimately unsuccessful, but nonetheless alarming for what it represents: a new wave of social engineering powered by generative AI.
Secretary Rubio has not commented publicly on the matter.
Voice Cloning Meets Espionage
The attack is a sharp reminder that the technology for real-time AI voice impersonation isn’t just coming — it’s already here. With just a short sample of a public figure’s speech, voice cloning tools can replicate tone, rhythm, and cadence with eerie accuracy. Combine that with writing models trained on public speeches or social media, and you have a full-spectrum impersonation kit.
Encrypted platforms like Signal were designed to protect the contents of conversations, not verify the identities of participants. This gap is now being tested by threat actors blending AI and deception.
As deepfake campaigns evolve, so too must our methods for verifying who we’re talking to, even, and perhaps especially, when it sounds like someone we know.
Past AI Impersonation of Politicians
This isn’t the first time AI has crossed into political impersonation.
- Fake Biden robocalls (2024): In September 2024, the FCC fined political consultant Steve Kramer $6 million for using an AI-generated clone of President Joe Biden’s voice in robocalls intended to dissuade voters in New Hampshire’s primary. Kramer admitted to commissioning the calls “as a test.”
- Kamala Harris deepfake videos (2023): A viral deepfake showed Vice President Harris stumbling through a fictional press briefing, sparking debate over whether platforms should more aggressively police synthetic media.
- Sen. Ben Cardin impersonated via deepfake Zoom call (Sept 2024): In September 2024, an unknown subject impersonated Dmytro Kuleba, who was once the foreign minister of Ukraine, and targeted Senator Benjamin Cardin, the chairman of the Foreign Relations Committee, over a Zoom call, in a suspected attempt at election interference,
As these technologies become cheaper and more accessible, political impersonation has shifted from elaborate state-sponsored psy-ops to a tool anyone with an internet connection can wield. What used to require studios and voice actors now takes a laptop and a few clicks.
The Risk Is Growing
Even if this latest impersonation failed to cause direct harm, experts warn it’s a sign of things to come. The barrier to entry for voice cloning is dropping. Trust in official communications, which is already fragile, risks further erosion.
For the U.S. diplomatic corps and elected officials, voice alone can no longer serve as proof of identity. AI is learning how we talk. It’s time we learn how to verify.
It’s Messaging-based, Not a Live Call
Alex Quilici, CEO at YouMail, says: “If AI can fool senators, government officials, and foreign ministers just by mimicking a well-known voice, imagine what it could do to everyday consumers. Tools like Live Voicemail actually open the door wider (risk more) for these scams. What stands out here is that it’s messaging-based, not a live call. Short, AI-generated voice clips are easy to pull off today. Longer back-and-forth conversations are tougher, but increasingly within reach. Fooling someone with short voice messages is fairly easy given the current state of AI, however, keeping up longer interactive conversations is still harder, though it might still be possible.”
Widely Available Tools
This impersonation is alarming and highlights just how sophisticated generative AI tools have become, adds Thomas Richards, Infrastructure Security Practice Director at Black Duck. “The imposter was able to use publicly available information to create realistic messages. While this was, so far, only used to impersonate one government official, it underscores the risk of generative AI tools being used to manipulate and to conduct fraud. The old software world is gone, giving way to a new set of truths defined by AI and global software regulations; as such, the tools to do this are widely available and should start to come under some government regulation to curtail the threat.”
It Missed the Right Moment
Although this impersonation attempt was ultimately unsuccessful, it demonstrates just how easily generative AI can be used to launch credible, targeted social engineering attacks, comments Margaret Cunningham, Director, Security & AI Strategy at Darktrace. “This threat didn’t fail because it was poorly crafted—it failed because it missed the right moment of human vulnerability. People often don’t make decisions in calm, focused conditions. They respond while multitasking, under pressure, and guided by what feels familiar. In those moments, a trusted voice or official-looking message can easily bypass caution.”
She says the use of generative AI to create deepfake audio, imagery, and video is an increasing concern. While media manipulation isn’t new, AI has dramatically lowered the barrier to entry and accelerated both the speed and realism of production. What once required significant time and technical skill can now be done quickly, cheaply, and at scale—making these tactics accessible to a far wider range of threat actors.
“This underscores a shifting threat landscape: trust signals like names, voices, and platforms have become part of the attack surface. As AI tools become more powerful and accessible, attackers will continue testing these weak points. We can’t expect people to be the last line of defense. Security strategies must evolve to reflect how decisions are made in the real world, and technology must be at the center of defending against these threats, especially to keep pace with a problem that is moving at machine speed,” Cunningham explains.
Challenge the Authenticity
Trey Ford, Chief Information Security Officer at Bugcrowd, says whether you receive inbound email, phone calls, text, or snail-mail (all of which is spam, or could be phishing) – the question we have to ask is “who is this from?”. “This challenge of authenticity is the notion of “identity proofing” which is the process of verifying a person’s claimed identity by collecting and validating evidence of their identity.
Around election time (at least in the US) we all receive messages claiming to be from candidates. Asking “is this real?” is a healthy, natural response. Celebrities, executives, and public figures will be more prone to having their identity faked – the cost and efficacy of fabricating a compelling synthetic, adopted identity is both cheaper, and easier with the advent of generative AI.”
Ford says when receiving unexpected communications from an unknown individual, or from an expected entity over an unexpected communications channel, the process of identity proofing before taking any action is prudent.
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.