The Federal Bureau of Investigation (FBI) recently warned of a widespread deepfake phishing campaign targeting U.S. federal and state officials and their affiliates. Namely, cybercriminals are leveraging AI tools to impersonate cabinet-level figures realistically.
The impersonation is done in two stages. First, the scammers initiate contact using AI-generated voice calls or smishing texts that mimic senior U.S. officials to establish credibility.
Then, they redirect the victim to a controlled environment, either a fake login page or an encrypted messaging app, where they can extract sensitive information and escalate their attack. In some cases, attackers are referencing real government programs or recent political developments to add more credibility to their requests.
Deepfake phishing fraud attempts like these have become increasingly common. Just three years ago, they constituted only 0.1% of all fraud attempts. Now, that number is 6.5%, an increase of 2137%.
This particular campaign comes at a critical point. 2025 marks a year of mid-term election preparations, which is always followed by higher contractor activity and communication between officials, marking a great opportunity for cybercriminals to strike.
But the danger of deepfake phishing goes way beyond elections and the defense sector. Virtually all organizations, whether public or private, are affected. Deepfake technology is still very new and evolving, which means most companies lack the training and protocols to respond accordingly.
Deepfake Phishing Is Becoming Organized and Persistent
While defenders are lagging behind, cybercriminals are making deepfake technology a core component of their social engineering playbook. Security researchers have observed coordinated, well-resourced operations involving deepfakes, suggesting that these techniques are now being adopted by Advanced Persistent Threats (APTs).
APTs are generally overseen by state-sponsored threat actors that seek to establish long-term footholds in victims’ environments. If APTs are leveraging deepfakes, it’s almost certain that the technology is being massively adopted by the broader cybercrime ecosystem, including well-organized, financially motivated actors.
Most new campaigns are no longer opportunistic. Instead, they show clear signs of strategic planning, including careful persona management and extensive reconnaissance before initial contact.
New and Alarming Trends
The warning from the FBI highlights a new trend cybercriminals are using to increase their success rate. Rather than targeting a single individual from an organization, they are going for multiple employees simultaneously.
The goal is to gather information or access from one victim and use that information to build credibility with others. Deepfake phishing enables this by making impersonations alarmingly accurate and each interaction feel legitimate.
While not part of the specific campaign that the FBI advisory points to, the agency also warns against video deepfakes. These are beginning to appear in phishing operations, often generated using Synthesia-style tools.
Why Traditional Defenses Fail
Despite warnings from the security community (and now the FBI), most organizations still view phishing as only an email problem. That mindset is what leads to employees ignoring clear warning signs, simply because the message came through a voice call rather than text in the inbox. The lack of security awareness training around deepfake-related threats only makes matters worse.
What makes deepfake phishing more dangerous than your standard email is the ability to influence victims in the moment. Since the communication is happening in real time, employees can easily hand over OTPs (one-time passcodes) or tokens, effectively bypassing MFA (multi-factor authentication), a core security measure.
Another problem is the lack of incident playbooks for such scenarios. Organizations haven’t yet incorporated deepfake-specific threats into response protocols, leaving them unprepared to identify or contain these types of attacks when they occur.
What the FBI and Experts Recommend
The FBI outlines clear instructions for U.S. officials in its latest advisory, but the guidance is just as relevant for businesses, contractors, and organizations in the private sector.
The best way to stay safe is to pause and verify every request, no matter how convincing and natural it sounds. If a request is out of the ordinary and not something you would typically receive through that channel, it should raise immediate suspicion, or at least prompt a verification process.
Clicking on links or downloading attachments from someone you don’t know opens the door for a compromise, and is usually the end goal of an attack that originally starts as a deepfake impersonation.
As the threat escalates, organizations must consider incorporating deepfake phishing in their security awareness programs to help employees understand and deal with this dangerous form of social engineering.
If any incident occurs, report it immediately to the FBI's Internet Crime Complaint Center (IC3) or your local authorities.
Conclusion
Deepfake technology has evolved to a point where it’s very difficult to distinguish real from fake, especially in a high-pressure situation. Those funny posts on social media impersonating celebrities or politicians are built on the same tools used by cybercriminals to manipulate victims.
The U.S. government's deepfake campaign is just an early warning sign that the threat is here, and organizations must act now to strengthen their protocols and train employees to recognize the signs of deepfake phishing.