Flash Report: Swatting Attacks Wreaking Havoc on Executives and Organizations

Key Findings

• Swatting of executives and organizations, particularly educational institutions, has recently been on the rise across multiple geographic locations.
• The key personnel being targeted are not always well known, indicating that threat actors are doing their homework to find out who they are and where they reside.
• Educational institutions are a relatively new target for swatting attacks, with a marked increase in attacks over the last several months.
• Swatting has previously been known to put targets in dangerous situations, and there have been incidents in which targets have been killed.

Analyst Commentary

In 2008, the Federal Bureau of Investigation released its first notice on the practice of “swatting,” whereby bad actors make a hoax call to emergency services (typically by dialing 9-1-1) for the purposes of triggering a law enforcement response—often by a Special Weapons And Tactics, or “SWAT,” team.^[1][2] Since then, swatting has become a regular issue for law enforcement, organizations, and private citizens, with several high-profile incidents impacting celebrities and politicians.^[3] Frequently, these incidents are a result of a prank or a targeted action following online gaming disagreements. In rare instances, swatting has resulted in the deaths of innocent residents after law enforcement was led to believe they were being called into a hostile environment.^[4]

Swatting is often precipitated by “doxxing” attacks, which is the internet-based act of researching and publishing private or personally identifiable information (PII) of individuals or organizations, often with malicious intent. This PII can include full names, addresses, email addresses, and phone numbers. Doxxing discloses the information threat actors need to target swatting victims; they can then spoof the phone number of the victim and provide law enforcement with an accurate address to show up to during the swatting attack.

Swatting attacks do not solely target individuals at their homes; these attacks can also take place at businesses and cause disruptions to operations. The public may perceive a business negatively due to the need for law enforcement’s presence. A nearby swatting attack can also physically impact business, as SWAT teams and emergency responders may have to close down a specific area if they believe a threatening situation is actively occurring.^[5]

Anatomy of a SWAT Attack

Swatting attacks have escalated toward key personnel in multiple industries, with a significant uptick in attacks over the last several months. Many of the victims are not well-known, prominent figures—indicating that threat actors are doing their research to identify the executives, combing through doxxed data, dark web disclosures, and/or data aggregators and people search sites to find their residential information in order to target them in swatting attacks.^[6]

Educational institutions are a newer target that have also been the victim of swatting attacks, with schools regularly being disrupted by such attacks over the last several months. The attacks have ranged from coordinated targeting of schools in the same geographic area to random attacks in sporadic areas to copycat attacks by perpetrators who have observed other successful swats.^[7] These attacks have caused significant disruptions to school districts, which are frequently unprepared for the attacks and then must handle the ensuing trauma to students, teachers, and parents.

Swatting attacks can have both short and long-term impacts. The short-term impacts include disruption to residences, businesses, and school schedules. In addition, swatting leads to the interruption of legitimate law enforcement services—potentially pulling police officers and emergency responders away from actual emergencies in order to deal with the swatting attack. Longer-term impacts can include reputational issues and facility repair; bolstering of residential or organizational security programs; emotional damage from the turmoil of the swatting attack; and, in the worst cases, major injuries or fatalities.

Recommendations

• Maintain awareness of executive data exposures online and work to have them removed wherever possible. ZeroFox disruption services can assist with this removal. When such data cannot be removed, executive security teams should maintain awareness of how much these disclosures reveal.
• Liaise with local law enforcement in order to construct security preparedness plans in the event of a swatting attack.
• Conduct a comprehensive Executive Threat Assessment on organizational key personnel at least once per year. An Executive Threat Assessment can be requested via the RFI button in the ZeroFox platform.
• Leverage the ZeroFox ForgetMe Service to keep executive and key personnel’s PII secure.

^[1] hXXps://archives.fbi[.]gov/archives/news/stories/2008/february/swatting020408

^[2] hXXps://www.fbi[.]gov/news/stories/the-crime-of-swatting-fake-9-1-1-calls-have-real-consequences1

^[3] hXXps://www.bbc[.]com/news/technology-36804242

^[4] hXXps://www.cnn[.]com/2019/09/14/us/swatting-sentence-casey-viner/index.html

^[5] hXXps://www.schumer.senate[.]gov/newsroom/press-releases/nationwide-rash-of-swatting-attacks-now-threatening-local-rochester-residents-costing-law-enforcement-thousands-of-dollars-when-wrongdoers-call-in-false-threats_schumer-introduces-new-bill-to-crack-down-on-swatting-and-deter-alarming-new-crime-trend-over-12-swatting-attacks-in-rochester-have-triggered-police-swat-teams-to-respond-to-homes

^[6] hXXps://www.prweb[.]com/releases/2023/2/prweb19158312.htm

^[7] hXXps://www.edweek[.]org/leadership/chaos-disruption-as-more-schools-respond-to-hoax-swatting-reports/2023/02