Internet Crime Complaint Center (IC3) | Senior U.S. Officials Continue to be Impersonated in Malicious Messaging Campaign

Activity dating back to 2023 reveals malicious actors have impersonated senior U.S. state government, White House, and Cabinet level officials, as well as members of Congress to target individuals, including officials' family members and personal acquaintances. If you receive a message claiming to be from a current or former senior U.S. official, do not assume it is authentic and follow the below recommendations to identify suspicious messages.

How It Works

Diagram showing the activity flow of the impersonation campaign. An actor impersonates a high-ranking official, and uses an encrypted application to do one or more of the following: discuss current events, request a wire transfer, propose a meeting with high-ranking officials, note an appointment to company leadership, request copies of personal documents, or ask about U.S. policy.

Since at least 2023, malicious actors have sent text messages and AI-generated voice messages — techniques known as smishing and vishing, respectively — that claim to come from a senior U.S. official to establish rapport with targeted individuals. In the scheme, actors contact and individual and briefly engage on a topic the victim is versed on, with a request to move communication to a secondary, encrypted mobile messaging application happening almost immediately. Once communication is established on an encrypted messaging application, actors continue to engage the victim in any number of ways, including but not limited to:

Discussion on a topic the victim is well-versed in, current events, or bilateral relations, including asking about trade and security policy negotiations;
Propose scheduling a meeting between the victim and the president of the United States or other high-ranking officials; or
Note the victim is being considered for a nomination to a company's board of directors.

Actors have also requested victims take certain actions, such as:

Provide an authentication code that allows the actors to sync their device with the victim's contact list¹;
Supply Personally Identifiable Information (PII) and copies of sensitive personal documents, such as a passport;
Wire funds to an overseas financial institution under false pretenses; and
Request the victim introduce the actor to a known associate.

In most cases, actors make initial contact with a victim via SMS and request the conversation be moved to encrypted mobile applications, such as Signal, Telegram, and WhatsApp. An example of an initial message is below.

Simple diagram of a smartphone with a generic text-messaging app interface. The message reads: [redacted content] let's schedule a Signal call. My Signal no is [redacted content] You have a message from the [redacted content]'

Smishing is the malicious targeting of individuals using Short Message Service (SMS) or Multimedia Message Service (MMS) text messaging. Vishing which may incorporate AI-generated voices, is the malicious targeting of individuals using voice memos. Both smishing and vishing use tactics like spear phishing, which uses email to target specific individuals or groups.

Recommendations

The following guidance can be used to identify a suspicious message and help protect yourself from this campaign.

Spotting a Fake Message

Verify the identity of the person calling you or sending text or voice messages. Before responding, research the originating number, organization, and/or person purporting to contact you. Then independently identify a phone number for the person and call to verify their authenticity.
Carefully examine the email address, messaging contact information, including phone numbers, URLs, and spelling used in any correspondence or communications. Scammers often use slight differences to deceive you and gain your trust. For instance, actors can incorporate publicly available photographs in text messages, use minor alterations in names and contact information, or use AI-generated voices to masquerade as a known contact.
Look for subtle imperfections in images and videos, such as distorted hands or feet, unrealistic facial features, indistinct or irregular faces, unrealistic accessories such as glasses or jewelry, inaccurate shadows, watermarks, voice call lag time, voice matching, and unnatural movements.
Listen closely to the tone and word choice to distinguish between a legitimate phone call or voice message from a known contact versus AI-generated voice cloning, as they can sound nearly identical.
AI-generated content has advanced to the point that it is often difficult to identify. When in doubt about the authenticity of someone wishing to communicate with you, contact your relevant security officials or the FBI for help.

How to protect Yourself from Potential Fraud or Loss of Sensitive Information

Never share sensitive information or an associate's contact information with people you have only met online or over the phone. If contacted by someone you know well via a new platform or phone number, verify the new contact information through a previously confirmed platform or trusted source.
Do not send money, gift cards, cryptocurrency, or other assets to people you do not know of have only met online or over the phone. If someone you know (or an associated of someone you know) requests that you send money or cryptocurrency, independently confirm their contact information prior to taking action. Also, critically evaluate the context and plausibility of the request.
Do not click on any links in an email or text message until you independently confirm the sender's identity.
Be careful what you download. Never open an email attachment, click on links in messages, or download applications at the request of or from someone you have not verified.
Set up two-factor (or multi-factor) authentication on any account that allows it and never disable it. Actors may use social engineering techniques to convince you to disclose a two-factor authentication code, which allows the actor to compromise and take over accounts. Never provide a two-factor code to anyone over email, SMS/MMS text message, or encrypted messaging application.
Create a secret word or phrase with your family members to verify their identities.

Victim Reporting and Additional Information

For additional information, see FBI's guidance on Spoofing and Phishing as well as a previous Public Service Annoucement about how "Criminals Use Generative Artificial Intelligence to Facilitate Financial Fraud". Cybersecurity and Infrastructure Security Agency (CISA) has published the following resources "Phishing Guidance: Stopping the Attack Cycle at Phase One | CISA" and "Teach Employees to Avoid Phishing | CISA".

If you believe you have been the victim of the campaign described above, contact your relevant security officials. The FBI requests victims report any incident to the Internet Crime Complaint Center (IC3) at https://www.ic3.gov/.

Disclaimer

The information in this document is being provided "as is" for informational purposes only. The FBI does not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by FBI.