15-05-2025
FBI Warns iPhone, Android Users—Do Not Reply To These Messages
You have been warned — this nightmare is now real.
We were warned. Forget looking for telltale signs, the latest set of AI-fueled attacks are so sophisticated you need to check everything to ensure you're not being attacked. In the last 24 hours, we have seen Gmail and Outlook users warned that malicious emails are now so 'perfect' that they're impossible to detect, and that calls which seem to come from people we know could be a dangerous deception.
That's the latest warning to come from the FBI, after the discovery of 'an ongoing malicious text and voice messaging campaign.' This has used texts and voice messages purporting to come from 'senior U.S. officials,' tricking victims, many of whom are also 'current or former senior U.S. federal or state government officials and their contacts.'
The bureau's warning is serious enough that you are now being told: 'If you receive a message claiming to be from a senior U.S. official, do not assume it is authentic.' The goal of the attacks is to steal credentials through links that seem to be message-related.
According to Cofense's Max Gannon, 'it is important to note that threat actors can also spoof known phone numbers of trusted organizations or people, adding an extra layer of deception to the attack. Threat actors are increasingly turning to AI to execute phishing attacks, making these scams more convincing and nearly indistinguishable.'
The FBI's advice is wider-ranging than just this latest attack, and links back to its recent warnings on the proliferation of AI attacks.
All that said, the FBI acknowledges that 'AI-generated content has advanced to the point that it is often difficult to identify.' Sometimes it will just come down to common sense. Is this a call I could reasonably expect, and am I being asked to do something that would advantage a cybercriminal or scammer? Can I deduce what their take might be? How can I hang up and call back using normal channels? How do I verify the caller?
Ryan Sherstobitoff from SecurityScorecard told me 'to mitigate these risks, individuals must adopt a heightened sense of skepticism towards unsolicited communications, especially those requesting sensitive information or urging immediate action.'
Often these texts, calls and voice messages lead to a link. This is the attack, which will phish for credentials or trick you into installing malware. 'Do not click on any links in an email or text message until you independently confirm the sender's identity,' the bureau warns. And 'never open an email attachment, click on links in messages, or download applications at the request of or from someone you have not verified.'