Discover more from The Emergency Management Network
THREAT ANALYSIS- FTO/Cyber: Internationally Originated, Domestic “SWATTING” Fictitious Disasters/Incidents
Swatting consists of false/fictious emergency calls to 911 or other public safety officials, often appearing to come from the site in question, claiming that a violent crime in in progress.
The National Security Policy and Analysis Organization (NSPAO) at American Public University facilitates critical engagement in national security, international affairs, and intelligence issues by engaging with national security experts, promoting an informed exchange of ideas to develop analytical skills, and produce meaningful analyses relevant to the defense community. The CEMIR provides Emergency Management Intelligence (EMINT) analysis to the NSPAO. This is one of those tradecraft pieces.
As part of a standard “SWOT” Analysis – Threats can produce obstacles to continuity of operations, generate political and governmental impacts, as well as cause adverse environmental, emotional and mental health effects. These threats can occur in every nation’s all-hazards Disaster Readiness (aka resiliency) - along the standard (and sometimes spiral) path of Protect/Prevent/Prepare, Respond, Recover and Mitigate – and those disaster readiness measures taken must include partnerships with other groups including potentially those in other countries. Currently there is a deficiency in operational communications up and down (and across) multiple and diverse levels of jurisdictions, along with a lack of collaboration and coordination – to and from the military and civilian intelligence agencies – which is specifically needed to assist U.S. state, local, tribal, and territorial (SLTT) law enforcement officials (LEOs) and Emergency Management practitioners (EMs) at all levels of government.
This Emergency Management Intelligence (EMINT) analysis is specifically on the threat of Swatting, with a focus on threats originating in other counties. It is crucial that Emergency Managers – not just local law enforcement officials – gain the knowledge of and action on the risks of any threat. The possibility of a Swatting attack can adversely impact not only the public they serve, but their own workforce (inclusive of all elements of their incident command and control structures, not just Operations). This threat can have hazards which adversely impact targeted allied partners such as healthcare and academia, as well. While on the surface, Swatting appears to be a fictitious (false alarm/false flag) disaster threat, it has now become a complex coordinated attack threat, and one with national security implications.
SWATTING INCIDENTS IN THE U.S.
WHAT IS SWATTING?
Swatting consists of fake emergency calls to 911 or other public safety officials, often appearing to come from the site in question, claiming that a violent crime in in progress in hopes that police will send SWAT teams to the home or business of the individual being swatted.
(Vile, 2018, p. 1)
Real-world Impacts from Swatting
This analysis will cover a number of case studies for real-world impacts from Swatting. These calls are generally not treated by public safety officials like another (generally/historically) fictitious disaster threat: bomb threats. This is due – in very large part – to the accelerated rise in actual active assailant attacks in public spaces, especially K-12 and higher educational institutions. It may also be the response protocols to a (real) bombing attack would initially be as much by local fire departments, as it is by local law-enforcement. The protective and preventative elements of those two distinct public safety groups against bombing post-blast hazards (fire suppression, extrication, collaboration with utilities for shut-off, etc.) are very different from guns and rescue task forces. At the least, this fictitious disaster is already categorized into more of an overall emergency management response, rather than one considered primarily law-enforcement missioned, especially as it tends to drive towards an “all-hands” approach.
Active Assailant protocols in many of the community policing, as well as first responder entities now accelerate the rapid response of resources to the scene, regardless of whether the dispatched call for assistance is founded (real-world attack) or unfounded (the result of a Swatting call only). The death of someone from these events could lead to severe legal issues for all parties involved. When a person engages in the (possible) illegal act of Swatting, they may face additional legal complications when the matter involves multiple states. There are currently no federal laws against Swatting (although there is legislation in the U.S. House of Representatives, referred to a subcommittee as of November, 2022).
Additional U.S. Federal legislative efforts, discussed in the media:
The critical analysis of current public safety missions to prevent or reduce the adverse impacts of Swatting will align with the public safety missions associated with the active assailant attack in “real life”. There are certain elements of protection and prevention which are not the same, nor interdictions/disruptions which are applicable to actual active assailant attacks only, and not Swatting calls. For example, correcting problems with metal detectors and other search devices has a significant positive impact to reduce actual attacks and acts of violence at sites but will have little or no effect on a Swatting call and its potential adverse impacts to that same site. If anything, the addition of protective elements which are not coordinated with local emergency responders, can create a “fortress” effect (Rollwagen, 2016) and possibly prevent first responders from their missions in both a real attack, as well as their ability to validate that the call is false/disaster is fictitious.
 In an open-source report such as this one, we are not going to recommend or discuss any law-enforcement tactics, which could be considered Law-Enforcement Sensitive.
Case Study - RaidForums: An International Hacker Forum Used for Swatting
In 2022, the U.S. Department of Justice seized “the Raidforums website, a popular marketplace for cybercriminals to buy and sell hacked data and unsealed criminal charges against RaidForums’ founder and chief administrator, Diogo Santos Coelho, 21, of Portugal.” (U.S. Secret Service - USSS, 2022).
“The takedown of this online market for the resale of hacked or stolen data disrupts one of the major ways cybercriminals profit from the large-scale theft of sensitive personal and financial information,” said Assistant Attorney General Kenneth A. Polite, Jr. of the Justice Department’s Criminal Division. “This is another example of how working with our international law enforcement partners has resulted in the shutdown of a criminal marketplace and the arrest of its administrator.”
“This global investigation signifies the remarkable dedication of the U.S. Secret Service and highlights our partnerships with our foreign law enforcement counterparts essential to disrupting sophisticated networks of cyber criminals,” said Special Agent in Charge Jason D. Kane of the U.S. Secret Service’s Criminal Investigative Division. “This case exemplifies teamwork at all levels of law enforcement to stop these cyber criminals from defrauding citizens of the United States and in our partner countries.”
Prior to its seizure, RaidForums members used the platform to offer for sale hundreds of databases of stolen data containing more than 10 billion unique records for individuals residing in the United States and internationally. At the time of its founding in 2015, RaidForums also operated as an online venue for organizing and supporting forms of electronic harassment, including by “raiding” – posting or sending an overwhelming volume of contact to a victim’s online communications medium – or “swatting” – the practice of making false reports to public safety agencies of situations that would necessitate a significant, and immediate armed law enforcement response. (USSS, 2022).
The Dark Web will always be out there. What needs to be done - in the same way that K12 educators, local law enforcement leaders, and others did to significantly curtail ‘sexting’: the illegal distribution of child pornography amongst minors via smartphones and social media – is a systemic approach to stop people (minors and adults) from generating a Swatting call – or soliciting another person to do so on their behalf.
Case Study – Online Video Game Retaliation via Swatting
About ten years ago there was an alarming uptick in Swatting incidents originating as retaliation by online gamers against each other. There was even a ‘points’ system assigned from some online gamer forums for what emergency response assets were brought to the scene (more points for helicopters, fire apparatus, SWAT vehicles, etc.).
LONG BEACH, N.Y. - Police descended upon a home in Long Island, N.Y. Tuesday after receiving a 911 call from a man who said he had shot several of his relatives inside the house, but it turned out the call was a hoax and part of a game called "Swatting," reports CBS New York.
Police in Long Beach received the call around 3 p.m. from a man who said he had shot members of his family and was threatening to kill others, according to the station.
Nassau County, Long Beach, and MTA police responded with their SWAT teams and hostage negotiators, but when police entered, they found everyone inside safe and unharmed.
A 17-year-old boy who was playing the video game "Call of Duty" inside the house was the apparent victim of the prank, according to the station. He had been playing against someone else online, police said.
In the game of Swatting, the losers of the video game get back at the winner by faking an emergency call from the winner's house.
"In this ... bizarre world of Swatting, you get points for the helicopter, for the police cars, for the SWAT team, for the type of entry," said Michael Tagney, Long Beach police commissioner. "It's very sophisticated. Unfortunately, it's very dangerous."
"They see what they can do about getting the police response, helicopters, et cetera," Long Beach Police Lt. Edward Ryan told CBS New York. "While the gamers may be playing in a world of fantasy, we deal with nothing but hardcore reality. We take it very seriously. There was no way to know that if, in fact, it was any kind of a hoax."
Nassau County District Attorney Kathleen Rice issued a statement Wednesday vowing to hold anyone placing the phony calls accountable while seeking restitution for the cost of a massive emergency response. According to CBS New York, officials said Tuesday's response cost an estimated $100,000.
"Incidents like this are a dangerous and outrageous waste of law enforcement resources and taxpayer dollars," she said. "Through a collaboration with our law enforcement partners, we will use every tool we have to track down whoever threatens public safety like this. 'Swatting' is a serious crime that endangers first responders and those in legitimate need of their help."
Authorities are searching for the person who placed the call and Tangney said the teen whose house was targeted has been cooperating with the investigation.
"He has given us some property that we are using to solve the crime and he couldn't be more helpful," Tangney told CBS New York. He said the caller, who could be anywhere in the world, used Skype to phone in the bogus report to police. (CBS News, 2014)
This may be one of the focal origin points of Swatting in the United States, but the exponential growth in threat capability is now an agile (Denning, 2018) one. There is significant concern that gaming platforms – and the encrypted messaging services many utilize for player-to-player communications – can be the conduit for furthering the ideation process for generating Swatting calls. International violent extremist groups are infiltrating this entertainment market, providing them with an easy source of funding (including crypto-currency) to distribute false messages - even images and video - to provide a more realistic false threat.
Swatting Calls from Overseas Locations, Through the Internet
New technology has added to the problem of false calls to public safety officials, and the global virtual community has exponentially added new difficulties to this already complicated fictitious disaster threat. The previously mentioned legal consequences generally apply only to U.S. residents, as the jurisdictional reach of law enforcement generally stops at national borders. A bad actor over the internet can utilize Voice Over Internet Protocol (VOIP) software to generate a telephone call to a U.S. domestic public safety access point (PSAP), commonly known as 911 centers, many also serve as police/fire/emergency medical services dispatchers. Calls have come from foreign nationals in other countries, mimicking a local call at or near a K12 school or college/university in the United States. This can happen in succession at unrelated schools simultaneously, and there is precedent of these calls occurring right after a real-world active assailant attack occurs. Those bad actors can also use software to mask their voice, generate additional threat sounds (gunshots, screams, etc.), and also generate false signals that the call was originated locally – even from the impacted site itself.
All this technology can also be used by a domestic bad actor, but those overseas have the advantage of time, distance, and shielding:
- The time it takes to investigate such calls, involving multiple layers of multiple governments benefits the bad actor.
- The distance from the impacted site adds not only to the reduction in the investigative capabilities but also the implied connection between the threat originator and their intended target. A Case example below will provide an insight into another difficulty evolving from the global virtual community: Swatting for hire.
- Overseas bad actors may be shielded by their own governments from investigation and prosecution, depending on the political relationship between that country and the United States.
Section 702 of the Foreign Intelligence Surveillance Act
One tool in the proverbial toolbox of federal officials is Section 702 of the Foreign Intelligence Surveillance Act. While its current use is extremely limited, regulated and monitored, its primary focus is on terrorism by foreign nationals in foreign countries:
Although all Section 702 targets must be non-United States persons reasonably believed to be located outside the United States, Congress has always recognized that such targets may send an email or have a phone call with a United States person. For this reason, Section 702 requires specific procedures to minimize the acquisition, retention, and sharing of any information concerning United States persons. “Minimize,” however, does not always mean “eliminate” – if, for example, a foreign terrorist indicated that a United States person was a key member of an ongoing terrorist plot, this information would be appropriately shared to allow the FBI to take further investigative steps. Congress also amended Section 702 to require specific procedures to ensure the querying of any Section 702-acquired information is consistent with the Fourth Amendment. (Office of the National Director of Intelligence, n.d.)
Basics of how Section 702 works – and examples of its successful thwarting of potential plots, can be found here. There are certainly criticisms today on its usage (and potentially misusages), and research has not found any systemic application of Section 702 for anti-Swatting efforts. Currently, Section 702 is set to expire in 2024, unless reauthorized for an extension by Congress.
How Section 702 can be applied to the possible disruption beforehand and/or the furtherance of investigative aspects afterwards for Swatting attacks, is the overarching question. Is it an act of terrorism to make a Swatting call? Not legally, at this point. This goes to victimization – if one is a victim of a Swatting attack, it does not matter if where it emanates from or by whom.
Intelligence Community Directive 191
The U.S. Office of the Director of National Intelligence (which by the way is a political appointment, and the entire office’s existence is subject to the will of the current U.S. President) has established an Intelligence Community Directive (similar to a Presidential Executive Order, in structure) number 191, which outlines how all of the members of the federal-level intelligence agencies and units within other departments will provide warning regarding threats to specific individuals or groups of intentional killing, serious bodily injury, and kidnapping. The question of whether Swatting meets this criterion is an open one. Since this is a fictitious disaster – with no real physical threat (as delineated in ICD 191 - to individuals including first responders, to the schools or the staff and children within), there may be a question regarding duty to warn. This aspect is regarding both the IC’s ability to monitor (see Section 702 above), intercept, or possibly disrupt real-time communications from foreign locations over the internet (through VOIP calls from specific IP addresses or groups of IP addresses); as well as their potential ability to inform local law enforcement officials of the more generic, less time-bound threats from actors overseas in different locations, who are conducting Swatting attacks to U.S. locations.
Questions about whether “the information resulting in the duty to warn determination was acquired from a foreign government with whom the U.S. has formal agreements or liaison relationships, and any attempt to warn the intended victim would unduly endanger the personnel, sources, methods, intelligence operations, or defense operations of that foreign government” (Director of National Intelligence, 2015) also are applicable to the question of overseas originated Swatting attacks. Once Swatting is designated as a U.S. federal crime, ICD 191 should be applied to Swatting threats.
Intelligence Community Directive 191 – the “Duty to Warn” – can certainly have immediate life safety consequences for individuals, if not performed properly or in a timely manner. OSINT from the Knight Institute and the Committee to Protect Journalists questioned whether the Central Intelligence Agency (CIA), Department of State (DOS), Federal Bureau of Investigation (FBI), National Security Agency (NSA), and Office of the Director of National Intelligence (ODNI) failed to warn Jamal Khashoggi of threats to his life and liberty. “Khashoggi—a U.S. resident, Washington Post journalist, and prominent critic of Saudi Arabia—was killed in the Saudi embassy in Istanbul on October 2, 2018. News reports indicated that, before Khashoggi’s killing, U.S. intelligence agencies intercepted communications of Saudi officials discussing plans to capture him. Intelligence Community Directive 191 provides that when a U.S. intelligence agency learns of an impending threat to an individual’s life or liberty, the agency must ‘warn the intended victim.’” https://knightcolumbia.org/cases/knight-institute-and-cpj-v-cia
Impacts to/from Emergency Management Intelligence
There are mitigation strategies and reporting procedures available to emergency management entities across the United States. Emergency Management officials can visit the USDHS’ Homeland Security Information Network’s (HSIN’s) Emergency Services community, and search for “Swatting” to find tips and techniques from numerous fusion centers and law enforcement entities around the country. Information on HSIN is generally marked sensitive but unclassified (SBU) and For Official Use Only (FOUO), so specifics will not be disclosed in this analysis.
One report was made public through the U.S. Department of Education, from the New Jersey Cybersecurity & Communications Integration Cell (NJCCIC). It contained several mitigation techniques and tips to “aid schools and public and private sector partners in mitigating swatting, a pervasive threat impacting schools, hospitals, shopping malls, and private residences throughout the nation” (NJCCIC, n.d.). This report also contains excellent “yellow” and “red” flags to help PSAP dispatchers identify possible Swatting calls.
State, Local, Tribal, and Territorial (SLTT) Emergency Management entities need to visit HSIN regularly, subscribe to their e-mails, follow guidance and directives from the FBI, U.S. Secret Service, and others for overall preparedness (protection and prevention) techniques and tactics (U.S. Department of Justice Federal Bureau of Investigation National Center for the Analysis of Violent Crime, 2017), as well as response mission protocols and procedures to be performed on a uniform, collaborative and communicative way. SLTTs need to plan, organize, equip, train, and exercise their Emergency Management teams more frequently, consistently, and collaboratively. And more EMINT curation needs to be added to this channel of intelligence flow – for real-time alerts and notifications to move from the top of the collection points internationally to the bottom of the distribution points domestically.
PSAPs have their own issues to deal with – a recent survey of PSAP operators, did not even record Swatting as a concern (overwork, a myriad of non-emergent call volume impacting public safety dispatching, and lagging interoperable technology were some of the items that these operators are dealing with now). PSAP Operators do not have the capability (and in most cases the legal authority) to determine that a call is suspected of being a Swatting call. This is an EMINT gap which must be addressed, at the very least to slow down the mobilization of law enforcement and other responders once a call is determined to be false.
Using EMINT lessons from Bomb Threats
Swatting incidents are somewhat like phoned-in bomb threats, especially in that they need clear procedures and protocols for the receivers of these calls to implement, as steps towards tactical decisions by both first responders and the impacted public. As a society, we have learned not to “send everything, all at once” to a bomb threat – and at the same time we are cognizant that such a threat call could be a precursor to a different type of attack (for example, to draw evacuees out of a building for a ramming or sniper attack), an attack elsewhere (get the community’s first responder resources mobilized to a school or schools, then rob a bank in another part of town), or even both at the same time. The consequence management planning cannot stop, even when the threat is unfounded.
Swatting has similarities to mass bomb threats, in that many of the indicators are the same:
Threats lack specificity and realism,
Often delivered via email, phone, or social media,
Phone threats are likely to have automated voices,
Media reports indicate similar and simultaneous threats.
Bomb threats generally involve massive investigative actions, including physical searches, interrogation of the receiver of the calls (or the person making the threat), and sometimes even the evacuation of the potentially impacted people. More and more though, the risks of an evacuation outweigh the probable outcomes of the bomb threat.
What is dramatically different is the first responder’s response to Swatting, as perceived to be an active shooter incident in progress. With the possible singular exception of a bomb squad (and most communities across the country do not have one of these themselves), there is no expectation that any other type of first responders will stop a bomb from blowing up at a site (that’s the stuff of tv shows and movies, but not reality) – but there is an expectation that first responders will stop an active shooter from causing harm to others.
The guidance on what actions both the impacted public and first responders should perform at a bomb threat is very different than what is performed during an active shooter incident. The U.S. Department of Homeland Security Cybersecurity & Infrastructure Security Agency’s Office for Bombing Prevention recommends assessing (i.e., curating emergency management intelligence) all possible situations and then either discounting, locking down the site, searching, and/or evacuating depending on assessed risk.
This should be applied to Swatting incidents as well – rather than rapidly moving forward with Active Shooter Protocols – since the threat is dramatically different between a false claim of an active shooter and a real one.
Recommendations for increased EMINT
There are a number of full cycle (before, during, and after) Preparedness/Protection/Mitigation recommendations against the adverse impacts of Swatting - including ways to reduce life safety risks to responding law enforcement officers (physical, legal, etc.). Other first and emergency responders will benefit from this, as well. Better quantitative data on both the mobilization (when teams are “spun up” – i.e., dispatched to scene versus not, due to flagging as a false incident by dispatchers and/or others before they arrive on-scene) and the de-escalation/demobilization en route and even on-scene - once Swatting was validated - would benefit emergency response and recovery organizations across the nation.
The FBI has begun to collect, analyze, and report on Swatting incidents as part of their Law Enforcement Public Contact Data Collection. This will help researchers, policy makers, and commanders develop better protocols and procedures.
Implement Threat Assessment and Threat Management Multidisciplinary (TATMM) teams in as many organizations as possible – to include a local law enforcement element. The USSS has an NCTC First Responders Toolkit area on this. What is also key, is for these TATMM teams to be responders themselves to a Swatting incident and have access to the collaborative systems other first responders utilize – all of this workflow needs to factor in Swatting. A yellow-flag could be generated if TATMM targets are identified as potential Swatters or ideate a Swatting threat. This can be performed while preserving civil rights. Buy-in by organizations for comprehensive interdiction and disruption processes and teams/systems, must exist for these to work. As is the case for active assailant cases with threats, the Swatting threat also needs to be considered as another yellow or red flag for possible escalation or intervention. In other words, a Swatting call should not be treated in a vacuum or as an isolated incident. Swatting calls can be on the ideation pathway to real-world violence.
Institutions of Higher Education (IHE) and other sites subject to federal reporting requirements, should include Swatting Incidents – both those committed by students/faculty/staff at other locations and those adversely impacting their campuses as part of their Clery Act reporting requirements.
Information sharing on post-Swatting impacts should benefit community partners, school districts, and the public alike. Many times – even without any violence or accidents, there is a tremendous mental health and wellness impact to a geographic and organizationally diverse group of people, from Swatting attacks.
Overcommunicate the fact that this is a fictitious disaster – and not a “real one”
PSAPs – especially Next-Gen 9-1-1 call centers, need advanced software to implement anti-swatting capabilities.
The agile threat of deep fake swatting attacks – for example still images and even video purported to be real (but in fact is digitally manipulated to appear real) will come to Swatting threats. Every tool in the toolbox is needed to combat these Swatting attacks. That includes a full spectrum of solutions – from new technology to “immunize images so as to make them resistant to manipulation”, making it harder (and more time-consuming and expensive) for the potential Swatter to utilizing real-time deep-fake detection software as part of PSAP workflow of receiving and actioning on photos from text messages, attached videos, and even potential live-stream video from bad actors.
Word-of-mouth is still the fastest and most impactful method of risk communication and coupled with social media and other methodologies, can be the most effective in redundant and validated crisis communications to those impacted. So, both non-LEO organizations and public safety officials need to collaborate and coordinate on the communications they perform to urgently verify to end-users that this is a false incident and one where there is no ‘real’ threat. Worried parents should not rush to schools, for Swatting incidents.
More to come. This open-source TLP: Green analysis is just one facet of the current Swatting threat – and as previously noted, is an evolving threat which has so far outpaced any advances to fully interdict and disrupt it. When it comes to threats emanating from foreign persons (or possibly even nation-states or foreign terrorist organizations), which are detected via the U.S. Intelligence Community as active, live threats (i.e., an intercepted call through to a local U.S. jurisdiction’s critical infrastructure key resource, such as a school, hospital, and most importantly a PSAP), all of the subordinate and allied entities must receive this actionable intelligence, including emergency management entities at the local level where the threat is directed. If interdiction and disruption is possible, it must be urgently and immediately performed – and if not, then the curation of EMINT – including the dissemination of red flag warnings – must be made. A whole-community approach is needed to solve for this – one where there is a future state of multiple layers and systems for Anti-Swatting.
If you have input and ideas on how to help combat Swatting, please reach out to the author at firstname.lastname@example.org. Learn more about the NSPAO at
CBS News. (2014, April 24). FBI joins New York “Swatting” prank investigation. Accessed online on November 30, 2022, from https://www.cbsnews.com/news/fbi-joins-new-york-swatting-prank-investigation/
Cybersecurity & Infrastructure Security Agency. (n.d.). Mass Bomb Threats. Accessed online on November 30, 2022, from https://www.cisa.gov/sites/default/files/2022-11/Mass%20Bomb%20Threats_v6%20508a%20%281%29.pdf
Denning, S. (2018). The Age of Agile. AMACOM.
NJCCIC. (n.d.). Swatting: Mitigation Strategies and Reporting Procedures. Accessed online on November 30, 2022, from https://rems.ed.gov/docs/WA_Swatting.pdf
Office of the Director of National Intelligence. (n.d.). Targeting Under FISA Section 702. Accessed online on August 19, 2023, from https://www.intelligence.gov/foreign-intelligence-surveillance-act/1242-targeting-under-fisa-section-702
Office of the Director of National Intelligence. (2015, July 21). Intelligence Community Directive 191 Duty to Warn. Accessed online on November 30, 2022, from https://www.dni.gov/files/documents/ICD/ICD_191.pdf
Rollwagen, H. (2016). The Relationship Between Dwelling Type and Fear of Crime. Environment and Behavior, 48(2), 365–387. https://doi.org/10.1177/0013916514540459
U.S. Department of Justice Federal Bureau of Investigation National Center for the Analysis of Violent Crime. (2017). Making Prevention a Reality: Identifying, Assessing, and Managing the Threat of Targeted Attacks. https://www.fbi.gov/file-repository/making-prevention-a-reality.pdf
U.S. Secret Service. (2022, April 12). U.S. Leads Seizure of One of the World’s Largest Hacker Forums and Arrests Administrator. Accessed online on November 30, 2022, from https://www.secretservice.gov/newsroom/releases/2022/04/us-leads-seizure-one-worlds-largest-hacker-forums-and-arrests
Vile, J. (2018). The First Amendment Encyclopedia. Free Speech Center at Middle Tennessee State University. Accessed online on November 30, 2022, from https://www.mtsu.edu/first-amendment/article/1578/swatting