My Dad Got a Deepfake Scam Call. Marco Rubio Got One, Too.
AI impersonation is going mainstream, and Trump’s government isn’t ready.
A few months ago, my father got a phone call and heard a voice he never expected to hear in distress: his grandson’s—my son. The voice was rushed, panicked, pleading. There had been a misunderstanding, it said. He’d been arrested. He needed bail money wired immediately. The call didn’t last long—just long enough to create a moment of fear.
But the call wasn’t real. My son was fine. The voice, however, sounded enough like him to make my father hesitate. And that’s all the attacker needed.
Luckily, my dad did not provide the caller any information. He phoned me, and I was able to confirm that my son was safe and the call had been a fake. That revelation—that a stranger had cloned his grandson’s voice convincingly enough to provoke panic—was as disturbing as the idea of an arrest itself.
Most of us have encountered the lower-tier versions: scam texts posing as your bank, urgent payment demands from unknown numbers, messages claiming your Apple ID has been compromised. They’re often crude, easy to spot. But those are the spam-level probes—nuisances that test the inattentive. The real danger is something else entirely: sophisticated, targeted impersonation designed not to scam individuals but to compromise governments.
And though ordinary people like my father can be forgiven for hesitating in a moment of panic, there is no excuse when the same tactics penetrate the highest levels of national leadership.
According to a leaked sensitive but unclassified cable sent to U.S. embassies and consulates on July 3, an individual impersonated Secretary of State Marco Rubio using AI-generated voice and text. The impostor contacted at least three foreign ministers, a U.S. governor, and a member of Congress. In at least two cases, the messages included synthetic voicemails. At least one received a text urging continued contact via the infamous encrypted messaging app Signal.
This wasn’t a scam for cash. It was an infiltration attempt at the highest level of U.S. diplomacy. According to the July 3 cable, the goal was to gain “access to information or accounts.”
This incident follows an earlier one involving Susie Wiles, President Donald Trump’s chief of staff. In May, attackers who seemed to clone her voice and exploit her contacts, reached out to senators, governors, and business leaders and solicited requests for pardons and funds.
Both episodes—Wiles and Rubio—point to a deeper vulnerability: access to private numbers of senior officials and foreign dignitaries. This isn’t something scraped from LinkedIn. It suggests either insider access, exploitation of auto-synced contact lists in apps such as Signal, or compromise of a government system that stores diplomatic directories.
There’s increasing evidence that these operations are not just the work of freelance scammers or cybercriminals. U.S. officials familiar with the Rubio impersonation incident point to actors affiliated with the Russian Foreign Intelligence Service, suggesting a foreign intelligence operation probing U.S. verification protocols and exploiting institutional blind spots.
The risk is amplified by who now has access. The Department of Government Efficiency (DOGE), created under Trump and overseen by Elon Musk, was granted sweeping access to many federal IT systems. That includes the State Department’s Bureau of Diplomatic Technology—home to secure messaging tools and contact databases. Whether or not DOGE played a role in these incidents, the security implications are real. Any lapse in access controls, offboarding, or activity logging—whether during DOGE’s tenure or carried forward into current systems—might have enabled persistent targeting of officials.
The timing is no coincidence. As AI-powered impersonation becomes more precise, the federal government’s defensive capabilities are being stripped. The Cybersecurity and Infrastructure Security Agency is projected to lose nearly one-third of its workforce under the fiscal 2026 budget—cuts that will hollow out programs focused on disinformation, deepfake detection, and other crucial security threats.
The State Department says it will carry out “a thorough investigation” so as “to prevent this from happening in the future.” The White House response is still pending—but if history is any guide, and with this administration it often is, it might resemble the reaction to the earlier Susie Wiles incident. When asked in May about that impersonation, Trump said: “She can handle it.”—his characteristic substitute for offering any concrete plan or accountability.
What You Can Do—Until Washington Wakes Up
While federal coordination falters, researchers and agencies have issued clear guidance to the public. Here’s what works:
1. Don’t trust voices—verify identities.
Even if it sounds like someone you know, double-check through a second contact method. Hang up and call back on a confirmed number. AI impersonation isn’t obvious. That’s the point.
2. Be wary of urgency—especially lost phone claims.
Scammers often explain a new number by saying their phone was lost or broken. Then they move quickly: a supposed arrest, a banking crisis, an urgent travel problem. The pressure to act fast is the scam itself. Don’t play along.
3. Never click on links in unsolicited texts.
Text message links are one of the oldest tricks in the playbook, and they’re still effective. They can trigger malware downloads or redirect you to phishing sites. If your bank or service provider is trying to reach you, go to their official site or call them directly.
4. Limit your voice exposure.
Avoid sharing long, high-quality audio clips in public. If you’re a public figure, consider creating a verified voiceprint baseline with your institution or firm.
5. Avoid sharing information.
Never share sensitive information or send money, gift cards, cryptocurrency, or other assets to people you do not know or have met only online or over the phone.
6. Report the incident.
It probably seems futile—given the disarray in Washington—to report something as small as a suspicious message or impersonated voice. But it’s not. The truth is, the rank and file in federal agencies are still doing their jobs. They just need the public’s help to do it better.
If you receive a message or call that feels even slightly off—whether it claims to be from a public official, a relative, or a trusted organization—report it to the FBI’s Internet Crime Complaint Center at ic3.gov. IC3 isn’t a tech support desk. It’s how law enforcement builds a picture of emerging threats.
The data you submit, even without an immediate follow-up, helps track larger campaigns, connect cases, and guide national responses. From 2020 to 2024, IC3 logged over $50 billion in reported losses. That number will grow if we fail to push back.
Brian O’Neill, a retired senior executive from the CIA and National Counterterrorism Center, is an instructor on strategic intelligence at Georgia Tech. His Safehouse Briefing Substack looks at what’s ahead in global security, geopolitics, and national strategy.
 | A guest post by
|
Once again, Dr O’Neill, you’ve given us the best information and guidance. Couple of things I’d include: if it comes in on your computer saying you have to call (your bank, etc), consider it a scam and unplug the computer to turn off the voice. The other: my daughter and I have secret words to assure us of the other’s panic call. Just a couple of extras …. Thank you again.
Great information, thank you!