The FBI’s Internet Crime Complaint Center issued a public service announcement on December 19 warning that scammers are impersonating senior U.S. officials in a malicious messaging campaign that funnels victims onto encrypted platforms, including Signal. The scheme, which dates back to at least 2023, uses text-based phishing and voice calls to try to steal credentials and gain access to accounts. The campaign’s focus on officials and other high-profile targets underscores how encrypted apps can be exploited as part of broader social-engineering fraud.
How the Scam Works: Smishing, Vishing, and Signal
The attack chain follows a consistent pattern. Fraudsters first contact targets through smishing, the use of deceptive SMS or text messages, or vishing, which involves fraudulent voice calls. These initial contacts are crafted to appear as though they come from trusted senior officials. Once a target responds, the attacker steers the conversation onto an encrypted messaging app such as Signal, where communications are harder for security teams to monitor or intercept.
This migration to encrypted platforms is not accidental. By moving victims off standard channels and onto apps with end-to-end encryption, scammers create a closed environment where impersonation is harder to detect and verify. The IC3 alert explains that these campaigns then attempt credential theft, seeking login information, personal data, or access tokens that can be used to compromise additional accounts or systems.
The technique is effective because it exploits trust at two levels. First, the victim believes they are communicating with a known official. Second, the encrypted platform itself signals legitimacy, since many government employees and journalists already use Signal for sensitive conversations. That built-in trust becomes the attacker’s best tool, allowing them to request passwords, one-time codes, or internal documents under the guise of urgent business.
A Campaign Running Since 2023
This is not a new threat. The IC3 alert confirms that these impersonation campaigns have been active since at least 2023. The operators have kept the campaign running over that time, and the FBI’s decision to issue a public warning highlights ongoing concern about the activity.
The longevity of the campaign also complicates defense. Over two years, attackers can study how officials communicate, what platforms they prefer, and which contacts are most likely to respond without suspicion. Each successful compromise yields new information that can be recycled into future attacks, creating a feedback loop that makes subsequent impersonations more convincing. A hijacked account may expose calendars, contact lists, and prior message threads, all of which can be mined for realistic pretexts.
Most phishing campaigns burn out quickly once awareness spreads or technical defenses catch up. The fact that this one has persisted long enough to warrant a dedicated IC3 bulletin suggests the attackers are adapting, possibly rotating targets, changing their pretexts, or shifting between smishing and vishing to avoid detection patterns. That adaptability makes it harder for organizations to rely on static training examples or simple keyword filters.
Why Officials and Journalists Are Prime Targets
The choice of targets is strategic. Senior government officials control access to sensitive policy discussions, classified briefings, and interagency communications. Compromising even one account can open a door to a much wider network of contacts who would trust messages appearing to come from that official. Attackers can then pivot, sending new smishing or encrypted messages that seem to originate from a familiar and authoritative source.
For journalists, the calculus is similar. Reporters routinely communicate with sources who expect confidentiality, and a hijacked journalist account could be used to extract information from those sources under false pretenses. A well-timed fraudulent message could pressure a source to share draft documents, confirm rumors, or reveal sensitive details, believing they are responding to a trusted reporter rather than a criminal.
The FBI describes spoofing tactics as among the most common fraud techniques, where attackers forge sender identities to trick recipients into taking actions they otherwise would not. When applied to high-profile figures, the potential impact can extend beyond individual credential theft. A compromised official account could be used to send convincing fraudulent messages to contacts who trust that identity.
This dynamic can raise broader security concerns beyond ordinary cybercrime. If attackers can impersonate senior officials on platforms trusted for secure communication, it can undermine confidence in sensitive communications. Every message from a known contact becomes slightly less trustworthy, and that erosion of confidence is itself a strategic win for the attackers, even when individual phishing attempts fail.
Encryption as a Double-Edged Tool
Signal’s end-to-end encryption is a genuine security feature that protects millions of users from surveillance and data interception. But the same properties that make it valuable for legitimate privacy also make it attractive to criminals. Once a conversation moves to an encrypted channel, institutional security filters, email gateways, and network monitoring tools lose visibility. The attacker operates in a space where only the two endpoints can see the content, and one of those endpoints is controlled by the fraudster.
This does not mean encrypted messaging is the problem. The vulnerability lies in the social engineering that precedes the platform switch. The smishing or vishing contact is the entry point; Signal is simply the destination where the actual theft occurs. Blaming the platform misses the real failure, which is the inability to verify identity before engaging in sensitive communication. In many cases, the same attack could be carried out over email or another app; encryption simply makes it harder to detect and investigate after the fact.
Still, the pattern raises a practical question for organizations that rely on encrypted apps for official business. If employees and officials are trained to trust Signal as a secure channel, they may lower their guard once a conversation migrates there. Security protocols need to account for this false sense of safety by requiring out-of-band identity verification, such as a separate phone call or in-person confirmation, before sharing sensitive information on any platform. Technical measures like contact verification codes and device safety checks can help, but they are only effective if users are trained to use them consistently.
What Agencies Recommend
The Cybersecurity and Infrastructure Security Agency has published guidance specifically aimed at disrupting phishing at its earliest phase, before victims click a link or respond to a spoofed message. The core principle is that early detection breaks the chain. If a target recognizes the initial smishing text or vishing call as fraudulent, the entire downstream attack, including the migration to Signal and the credential theft, never begins.
CISA also provides resources directed at organizations, urging them to train employees to spot red flags such as unexpected urgency, requests to move conversations off official channels, or demands for passwords and authentication codes. For agencies and newsrooms handling sensitive information, this kind of training should be tailored to the realities of their work, including the fact that legitimate contacts sometimes do use encrypted apps and out-of-hours messaging.
In practice, organizations typically rely on a blend of policy, technology, and culture. Clear rules about how senior officials will and will not request credentials can make it easier for staff to reject suspicious messages, even when they appear to come from a powerful sender. Technical controls, such as multifactor authentication and strict account recovery procedures, can limit the damage if credentials are exposed. Perhaps most importantly, organizations need a culture in which employees feel safe questioning unusual requests, regardless of the apparent rank of the person asking.
The FBI’s warning about impersonation on encrypted platforms underscores that even the most secure tools can be turned against their users. As attackers refine long-running campaigns that blend smishing, vishing, and Signal, the burden falls on institutions and individuals to adapt just as quickly. Strong encryption remains essential, but without equally strong verification and training, it can provide only the illusion of safety while attackers operate in the dark.
*This article was researched with the help of AI, with human editors creating the final content.