Human Risk Roundup: Scammers use AI to imitate Marco Rubio 

This edition of Human Risk Roundup includes AI-driven impersonation scams targeting high-ranking officials, sophisticated breaches of third-party systems and physical-digital hybrid attacks. These incidents underscore the urgent need for security leaders to adopt multi-layered defenses, enhance employee training, and stay ahead of emerging threats. Read more about four recent cases that highlight the diverse tactics cybercriminals are employing, plus actionable insights to fortify your organization against these risks.

Impostor uses AI to impersonate Rubio and contact foreign and U.S. officials

The State Department has warned U.S. diplomats about AI-driven impersonation attempts targeting Secretary of State Marco Rubio and other officials, with scammers using text, Signal, and AI-generated voice messages to contact foreign ministers and U.S. officials. While the hoaxes were deemed unsophisticated, these incidents highlight growing concerns over AI misuse for deception, prompting calls for improved cybersecurity and media literacy.

What happened

The State Department alerted U.S. diplomats about attempts to impersonate Secretary of State Marco Rubio and other officials using AI-generated text and voice messages. Scammers targeted foreign ministers, a U.S. senator, and a governor through platforms like Signal and voicemail, though the hoaxes were described as unsophisticated. 

The FBI also warned about malicious campaigns involving AI-generated impersonations of senior U.S. officials. This is not the first time Rubio has been targeted, as a previous deepfake video falsely attributed controversial statements to him. The growing prevalence of AI-driven scams has sparked discussions about solutions, including criminal penalties, improved media literacy, and the development of tools to detect deepfakes.

Why it matters

These incidents are a critical concern for cybersecurity professionals. The use of advanced AI to mimic high-ranking officials demonstrates how malicious actors can exploit technology to deceive and manipulate targets. Such incidents emphasize the need for robust cybersecurity measures to protect sensitive communications and prevent unauthorized access to information. 

The increasing sophistication of AI-generated deepfakes and voice messages poses challenges in identifying and mitigating these threats. For cybersecurity employees, this underscores the importance of staying ahead in the "arms race" between AI tools used for deception and those designed for detection. It also calls for proactive strategies, such as enhancing media literacy, implementing stricter security protocols, and developing advanced tools to identify and counteract AI-driven scams.

4 practical tips for security leaders

1. Enhance training on AI threats, including how to identify deepfakes and suspicious communications.
2. Strengthen verification protocols such as multi-factor authentication and secure communication channels.
3. Invest in deepfake detection tools such as advanced AI systems designed to detect and counteract deepfakes.
4. Collaborate on cybersecurity standards with government agencies, tech companies, and industry peers.

Learn more about this threat.  

Allianz Life suffers third-party CRM breach affecting 1.4m

Allianz Life Insurance Company of North America experienced a data breach affecting the majority of its 1.4 million customers due to a social engineering attack on a third-party cloud-based CRM system. The breach exposed sensitive customer data.

What happened

On July 16, 2025, Allianz Life Insurance Company of North America suffered a data breach when hackers used social engineering techniques to compromise a third-party cloud-based CRM system. This breach exposed sensitive data belonging to most of its 1.4 million customers, including financial professionals and employees. 

Allianz SE, the parent company, confirmed that the breach was contained to its North American subsidiary and did not affect its global operations. Internal systems, such as the policy administration platform, remained secure, and the company promptly notified the FBI and affected individuals. Allianz has offered credit and identity monitoring services to those affected by the breach.

Why it matters 

This incident shows the critical importance of securing third-party systems, as they are often the weakest link in an organization's cybersecurity defenses. Social engineering attacks, like the one used in this breach, demonstrate how attackers exploit human vulnerabilities to gain unauthorized access. The breach also emphasizes the need for robust vendor risk management practices, as third-party platforms can serve as entry points for attackers to access sensitive data. 

The incident also illustrates the growing complexity of supply-chain attacks, which can compromise multiple organizations through a single vulnerability. Finally, it underscores the importance of proactive communication and support for affected individuals to mitigate the long-term impact of such breaches.

4 practical tips for security leaders

1. Strengthen third-party risk management to assess and monitor the security practices of third-party vendors, especially those handling sensitive customer data.
2. Enhance social engineering awareness for employees and partners to recognize and respond to social engineering tactics.
3. Implement robust access controls such as multi-factor authentication and limit access to critical systems.
4. Prepare incident response plans to quickly contain breaches and communicate effectively with stakeholders.

Learn more about this threat.  

Scattered Spider is targeting victims' Snowflake data storage for quick exfiltration

The Scattered Spider cybercriminal group is targeting organizations' Snowflake data storage systems by impersonating IT help desks to gain access credentials and exfiltrate data. Despite recent arrests, the group continues to evolve its social engineering tactics, posing significant challenges for cybersecurity defenses.

What happened

Scattered Spider, a loosely affiliated hacker group, has been targeting organizations' Snowflake data storage systems to steal large volumes of data. They gain access by impersonating IT help desks and using social engineering tactics to trick employees into providing credentials. 

The group has also been observed using remote access tools like AnyDesk and deploying malware to maintain access and conduct reconnaissance. Recent campaigns have disrupted industries like retail, insurance, and airlines, causing significant operational and security challenges. Despite the arrests of some members, the group is still active, leveraging spearphishing and vishing techniques to target high-value accounts. 

Why it matters 

By targeting IT help desks and leveraging spearphishing, this group exploits human vulnerabilities. Their use of remote access tools and malware further complicates detection and response efforts, requiring advanced threat-hunting capabilities. For cybersecurity personnel, the attacks underscore the importance of proactive monitoring, employee training, and multi-layered defenses to mitigate risks.

4 practical tips for security leaders

1. Enhance employee training to recognize and respond to social engineering tactics like phishing and vishing.
2. Implement MFA, particularly those with access to critical systems like Snowflake.
3. Monitor for suspicious activity such as unauthorized account misuse, risky logins, and unusual access patterns.
4. Secure third-party access to sensitive systems, ensuring credentials are managed securely and updated frequently.

Learn more about this threat.  

Hackers connected Raspberry Pi to ATM in bank heist attempt

Hackers from the cybercrime group UNC2891 attempted a bank heist in the Asia-Pacific region by physically installing a 4G-enabled Raspberry Pi onto a network switch connected to an ATM, enabling remote access to the bank's internal systems. Although their sophisticated attack, which included anti-forensic tactics and custom malware, was thwarted, the group demonstrated advanced technical expertise and persistence in bypassing traditional security measures.

What happened

This device allowed hackers to bypass perimeter defenses and gain remote access to the bank's internal IT systems. They used advanced anti-forensic techniques, such as Linux bind mounts, to conceal their activities and maintain stealthy lateral movement within the network. The attackers aimed to manipulate ATM switching servers to enable unauthorized cash withdrawals. 

Despite their efforts, the attack was detected and stopped before they could execute their plan. However, the attackers maintained persistence through a backdoor on the bank's mail server, highlighting the challenges of fully ejecting them from the network.

Why it matters

This incident underscores how cybercriminals are now combining physical access with advanced digital techniques to breach networks. The use of inexpensive, off-the-shelf hardware like Raspberry Pi demonstrates how low-cost tools can be weaponized for high-stakes attacks. The attackers' use of anti-forensic methods and custom malware reveals the increasing sophistication of cyber threats, requiring advanced detection and response capabilities. 

Persistent access through backdoors emphasizes the need for thorough incident response and post-breach analysis. For cybersecurity personnel, this case serves as a reminder to adopt a multi-layered defense strategy that addresses both physical and digital vulnerabilities.

4 practical tips for security leaders

1. Secure physical access points for critical infrastructure like ATMs and network switches to prevent unauthorized device installations.
2. Monitor for unusual network activity to detect anomalies, such as unexpected devices or unusual traffic patterns.
3. Enhance incident response plans to quickly identify and remove backdoors or other persistent threats after an attack.
4. Educate staff and partners on recognizing and reporting suspicious activities, including physical tampering with devices.

Learn more about this threat.