AI has proven itself to be a huge security risk — even US government officials aren’t safe.

The Washington Post reported Tuesday that an unknown individual used AI to pose as Secretary of State Marco Rubio and contact “at least five government officials, including three foreign ministers, a US governor, and a member of Congress.” The individual used the Signal app to send these officials voice and text messages crafted with AI to mimic Rubio. 

The Post gained access to a State Department cable dated July 3 that indicated the impersonator started trying to access privileged accounts and information sometime in mid-June, when they created a Signal account under the name “Marco.Rubio@state.gov” — which is not the Secretary’s email address. 

The State Department did not confirm to the Post specifically what AI tool the impersonator used. 

“The actor left voicemails on Signal for at least two targeted individuals and in one instance, sent a text message inviting the individual to communicate on Signal,” the cable clarified, adding that Rubio was not the only official impersonated. It also noted that other State Department personnel were impersonated using email. 

Signal was the subject of much scrutiny earlier this year when Defense Secretary Pete Hegseth used it to discuss classified military strike plans with other officials and inadvertently added Jeffrey Goldberg, editor-in-chief of The Atlantic, to the chat. While Signal is encrypted end-to-end, several defense officials considered the chat a serious security breach and noted that Signal is not sufficient for such sensitive government information. 

Protect yourself from AI cyberthreats 

Whether you’re using Signal or not, what happened to Rubio and other government officials is similar to a common security concern: business email compromise (BEC) — when fraudulent actors impersonate known employees or company leaders using their email accounts. 

Passkeys could be a solution to protecting against phishing and BEC attempts, as they limit the ways hackers could strike by reducing opportunities for information leaks. Unlike traditional passwords, “passkeys are a form of Zero Knowledge Authentication,” ZDNET’s David Berlind explained. “The relying party has zero knowledge of your secret, and in order to sign in to a relying party, all you have to do is prove to the relying party that you have the secret in your possession.”

However, the added layer of AI voice cloning can be more convincing than an email and often harder to protect against.

“AI voice cloning scams are dangerously convincing. All it takes is a five-second clip of your voice — usually downloaded from social media — and scammers can clone it to commit fraud,” said Michael Scheumack, chief innovation officer at IdentityIQ, an identity theft monitoring platform. He spoke to ZDNET about how to avoid falling victim to an AI voice scam and what you can do to protect yourself from having your voice cloned.

Source: https://www.zdnet.com/article/someone-used-ai-to-impersonate-a-secretary-of-state-how-to-make-sure-youre-not-next