Successfully Resolving an Attempted Swatting Attack: A TorchStone Case Study
By TorchStone Senior Analyst, Ben West
Over years of work in Executive Protection and Residential Security, TorchStone has accumulated extensive experience in handling sensitive situations and preventing them from becoming bigger problems. Swatting attacks are one such situation, and handling them successfully requires a competent, experienced security team. In this week’s edition of The Watch, we highlight lessons learned from our experience dealing with swatting attacks and provide a case study on how Residential Security Teams can best handle them, even as the attackers adjust tactics to make their hoaxes appear more credible.
Improving responses to swatting attacks is key to minimizing their disruptive potential and removing the incentive for hostile actors to use the tactic in the first place.
Swatting can be highly disruptive, and incidents over the past year demonstrate that politicians, celebrities, schools, houses of worship, and businesses are all vulnerable to the tactic. Recent incidents have led to tense situations and, in many cases, negative publicity. Security teams tasked with protecting high-profile individuals or organizations must prepare for the threat of a swatting attack.
Key Insights for Handling a Swatting Incident
- Plan and Prepare: As we’ve noted in previous guidance on swatting, security teams protecting high-profile or influential clients should anticipate that their client’s residences/businesses will be targeted by swatting attacks—if they haven’t already. Prepare for that contingency by coordinating with local law enforcement ahead of time and flagging addresses as potential targets for swatting attacks. This will help to quickly de-escalate a tense situation in the case of a later swatting attack.
- Give Respect, Get Respect: As in any situation, engage law enforcement with respect and courtesy. When confronted by law enforcement, security team members should clearly identify themselves as on-duty plainclothes security agents and specify whether they are armed. Always carry relevant credentials and offer them to responding law enforcement. The more professional the security team behaves during the encounter, the more likely responding law enforcement officers will respect their judgment.
- Be Clear and Firm: Avoid any action that could be misread as granting law enforcement access to the property under unusual circumstances. When possible, make contact with responding law enforcement at a perimeter gate without opening it. Engaging law enforcement outside the perimeter can allow the security team to collect more information and better assess the situation while avoiding unnecessarily disruptive intrusions.
- Always Use Discretion: Refrain from identifying the protectees and cite any legal limitations such as NDAs that prevent you from discussing their identities. Law enforcement body camera footage and emergency dispatch communications can be accessible via Freedom of Information Act requests. In many cases, swatting attacks are an attempt to embarrass the targets, so avoid mentioning their names or affiliations.
- Coordinate and Communicate: When confronted with unexpected requests from law enforcement, immediately utilize local law enforcement contacts to collect more information and determine the root of the issue. Responding officers do not always have access to all the information and are acting on instructions from dispatchers. By informing yourself, you can also assist and inform the responding officers of any unusual circumstances.
Case Study
The following case study highlights what an effective response looks like and helps others deal with the same threat.
The Residential Security Team (RST) for a high-profile individual’s residence first became alarmed when multiple law enforcement vehicles approached the front gate. There had not been any prior communication with law enforcement and their arrival was unexpected. The law enforcement officers (LEOs) requested access to the property to check on the welfare of a person reportedly in distress inside.
After identifying themselves, the RST respectfully denied entry to the LEOs, stating that it was not in their client’s best interest and outside their scope of duty to allow an outside search when there was no cause for concern. The security team advised that there was no one on-site by the name the LEOs provided and that the team had just conducted a full patrol of the residence and a perimeter check. The property was actively alarmed and monitored by video, and there was nothing unusual happening at the residence at the time to suggest that anyone was in danger. After some discussion at the front gate, the LEOs eventually revealed that they were responding to a report that the person was being held hostage at gunpoint inside the home. The security team offered to conduct an additional sweep of the property for good measure. The LEOs agreed to this.
Meanwhile, suspecting that the residence may be the target of a swatting attack, the lead shift agent for the RST contacted the duty officer for the local law enforcement agency to request additional information. The duty officer was aware that the address was associated with a high-profile individual based on previous notes. The hostage-taking report had originated from an email sent to a local official, who had then forwarded the report to the local law enforcement agency. Both the lead agent and duty officer agreed that this was an unusual way to report a hostage-taking situation and, when considering the targeted residence, concluded that the incident appeared to be a swatting attack.
After the additional sweep of the property did not discover anything unusual, the officers involved in the response at the residence also agreed that the incident was a swatting attack. The responding LEOs departed just over an hour after they had arrived. The security team had prevented a potentially invasive police search of the individual’s property that could have attracted unnecessary negative publicity.
The next day, LEOs arrived at the residence again, this time in response to a direct call to the 911 dispatch about a violent attack at the residence and a threat of additional violence. The security team on shift engaged similarly with the LEOs, insisted that there had been no unusual activity, and offered to conduct another walk-through to confirm. Since the residence had been targeted in a swatting attack less than 24 hours prior, everyone involved quickly recognized that this was likely another swatting attack. However, in the second incident, the call came in directly to the dispatch rather than the unusual email channel through a local official. This indicates that the “reporter” did not get the response they were looking for from the first attempt, so they tried again.
Evolution in Swatting Tactics to Increase Believability
It is likely that the original email report through the local official was an attempt to increase attention to the call and make it more credible. Channeling reports of an emergency through reputable offices (such as local officials) appears to be a novel tactic that could be used more in the future to increase the disruptive nature of swatting attacks.
In a separate incident on Nov 11, Washington State Patrol responded to a call from someone claiming to work for a security monitoring company reporting an armed burglary in progress at a local business. After a significant police response and search of the premises, the call was determined to be a hoax. As local authorities adjust to the increase in swatting calls, the people behind those calls will adjust their tactics to make their reports sound more credible. Posing as a security company and posing as a local official are examples of how swatting attackers can increase the credibility of a report.
There are many motivations for swatting calls, ranging from financial compensation and public humiliation to harassment and even physical harm. In most cases, it is impossible to know the motivation of a caller during a swatting attack, and the callers behind many swatting attacks are never identified. However, by anticipating and preparing for the threat, security teams can prevent swatting attackers from achieving their goals. And the less effective the tactic is, the less likely hostile individuals are to use it in the future.