Try to picture a nice, quiet evening with your family. You and your partner just cooked a wonderful dinner and now you sit down to play some games with the kids. The games are just starting to get competitive when suddenly law enforcement bursts into your home with guns drawn, screaming "Freeze! Police! Everyone down on the floor!"
Your family is thrown into a state of panic. Everyone is thinking the same thing. What in the world is going on?! We were just having a relaxing evening and now this?
Police sweep the house, looking for anything suspicious. It's loud and the kids are crying.
Finally, the officers settle down and realize that something is not right. They were told there was an active shooter at this address, but there is only an alarmed family. The officers try to explain the situation to the family, and everyone slowly begins to realize what has happened.
They have all been victims of a swatting attack.
And the FBI says attacks like these are increasingly linked to stolen usernames and passwords.
What are swatting attacks?
A swatting attack is essentially a prank call to emergency services for the purpose of drawing a response from law enforcement (a police SWAT team) to a specific location.
The offender will use spoofing technology to make it appear his phone is the real victim's phone, calling emergency services and claiming there is a life or death situation that requires immediate action.
Swatting is most often used as a form of revenge, harassment, or a prank. Even as a prank, it is a serious crime that can result in deadly consequences.
There have been reports of confusion between homeowners and responding officers that caused health-related or even violent consequences. These attacks also pull limited resources away from real emergencies that require a response from law enforcement.
How is swatting actually happening?
The FBI is now warning about a new twist and trend in swatting attacks. Perpetrators are increasingly using victims' smart home devices, such as home video cameras and audio surveillance technology.
In order to gain access to these devices, the attackers look for people who re-use previously stolen emails and password for their smart home devices. They use these stolen credentials to hijack features of the device, such as live-streaming a camera or activating device speakers.
The FBI issued a bulletin which explains what perpetrators do next:
"They then call emergency services to report a crime at the victims' residence. As law enforcement responds to the residence, the offender watches the live stream footage and engages with the responding police through the camera and speakers. In some cases, the offender also live streams the incident on shared online community platforms."
Defending against swatting attacks
The FBI says it will work with the manufacturers of these smart home devices to help guide customers in avoiding these attacks. They will also work with local law enforcement on how to appropriately respond to an incident like this.
The FBI says practicing good cyber hygiene can help protect users from this type of attack:
- "Because offenders are using stolen email passwords to access smart devices, users should practice good cyber hygiene by ensuring they have strong, complex passwords or passphrases for their online accounts, and should not duplicate the use of passwords between different online accounts. Users should update their passwords on a regular basis.
- Users should enable two-factor authentication for their online accounts and on all devices accessible through an internet connection in order to reduce the chance a criminal could access their devices."
And when you set up two-factor or multi-factor authentication (MFA), the FBI says it is highly recommended that your second factor be sent to a mobile device number and not a secondary email account.
Read the FBI swatting risk update for yourself.
