Starting around 2002, the increase in use of Internet technology to carry telephone traffic created a new practice: dialing a public safety communications center, providing a false telephone number and address, and reporting a crime at a distant location. The practice is just like the age-old prank of ordering a pizza (or 10 pizzas) for someone, but this new style of prank creates an enormous risk for the public safety personnel who respond, and for the innocent homeowners who suddenly are faced with armed police.
The practice has become known as “SWATing,” in recognition of the hoped-for response by those making the calls. In most cases, however, a SWAT team does not respond, simply because there’s no time to assemble such a team before the situation is confronted. SWATing calls are sometimes made individually and without much planning. But an underground culture has also grown up around these calls, connected by Internet chat rooms and forums that explain technically how to make the calls, what to tell the public safety dispatcher, and later also publicize the SWATing calls among the group.
Essentially, there is no defense against individual, isolated attacks, although there are methods to mitigate an all-out attack.
Offense
Overall, there have been perhaps 80 documented incidents where law enforcement has responded after a false call, according to law enforcement officials. There is no real record of these calls tallied by comm centers.
These attacks are not “hacks” or intrusions into the 911 systems themselves, despite media stories that use that word. Since the nation’s 911 systems are completely independent and not inter-connected, there is no ordinary way to actually intrude into a distant 911 system using either the local telephone network or the Internet.
Instead, all of the incidents have relied upon establishing a voice over Internet (VoIP) connection between the suspect’s computer and a distant telephone network, and then dialing 911 or a 7-digit number to reach the distant public safety communications center.
The first series of very serious incidents occurred in summer 2006 when a group of persons were identified by the FBI and arrested for making a series of 911 calls to PSAPs all over the country, usually reporting a home invasion by armed suspects. In all cases there was a substantial police response, the homes’ occupants were confronted at gunpoint, and law enforcement officers never found any suspects at the locations. The FBI arrested suspects in Washington state, California, Ohio, Texas and New York state.
These suspects were charged in Texas; most pleaded guilty during 2007-2008 and were sentenced (read a press release here and here). You can listen to one of the hundreds of calls this group made here, to the Colorado Springs (Colo.) police comm center in 2005, reporting a suicidal gunman holding two hostages.
In Feb. 2009 Matthew Weigman, then 18 years old, pleaded guilty in a Texas federal court to several federal counts alleging 911 SWATing calls, witness intimidation and fraud. He received a sentence of 11 years in federal prison. He is serving his time at the Federal Correctional Institution (FCI) in Seagoville (Tex.) and is scheduled to be released in May 2018. Download (pdf) the U.S. Attorney’s press release.
A second significant series was identified in late 2006 and early 2007 involving a suspect in Washington state and a victim family in southern California. Randal Ellis was arrested for calling the Orange County (S. Calif) Sheriff’s Department from his home in Mukilteo (Wash.), reporting an armed robbery invasion at a home in the town of Lake Forest. The 19 year-old man was tracked down, arrested, charged, pleaded guilty and received three years in prison. The call for which he was arrested was allegedly just one of 194 prank calls he made over two years, law enforcement officials say. (Read story here and here and here).
A third, unsolved incident occurred in Dec. 2007 when the Monterey County (Calif.) comm center received a SWATing call from a man who claimed he was hiding in the closet of a Salinas apartment, and that three men with AK-47s were trying to break in. Dispatchers sent all 15 Salinas officers to the scene, along with a sheriff’s deputy, only to find a clueless family. Investigators say a 15 year-old resident had been on-line with a person from Chicago, and had given that person some personal information that the suspect used to target the boy’s apartment. In this case police say the suspect used a Skype connection to reach the county comm center, and to “spoof” (falsify) the address and phone number of the family’s apartment so it appeared authentic when the 911 call was answered by the dispatcher.
The term “spoofing” refers to falsifying the telephone number of the calling party so that the receiving party does not know from which device or location the call is originating. Download (pdf) a 2011 FCC report on spoofing for more info.
Finally, there were several low-level SWATing incidents during 2010, 2011 and early 2012, including one where police believe the caller was using a VoIP-spoofed number from a university building to call in street incidents, and one in Wisconsin reporting a hostage, shooting and kidnapping. In August 2010 a male caller talked to a Los Angeles (Calif.) sheriff’s dispatcher for 28 minutes, reporting a medical emergency, a shooting and then a hostage situation. Deputies found nothing and the suspect hung up without being identified. (read more, listen to the call).
Police said the suspect sent an on-line message to the teen occupant asking him if he heard sirens. The suspect later called a local pizza parlor and ordered $127 worth of pizzas delivered to the boy’s apartment. He also called back the comm center to ask why officers never arrived, but then hung up.
As of early-2012 there have been no serious consequences from the incidents, although in the Lake Forest incident the homeowner heard noises outside his home, armed himself with a knife and went outside at night to investigate. He was confronted by a heavily-armed force of police officers. Fortunately he was safely disarmed, and police then learned about the SWATing call.
In all these cases the suspect used a VoIP telephone line, and one or more techniques to spoof a phony telephone number and address to the comm center, which is then displayed as ANI/ALI information to the calltaker. At the PSAP, the call appears to be routine (often on a non-emergency telephone line), and indeed it is–the call appears to have originated locally, and the ANI/ALI displays a proper telephone number and address.
The victims are either known to the suspect in some manner, usually casually through Internet games or chat rooms, or they are complete strangers, selected randomly (although the suspect may actually have some type of criteria in mind when he/she picks the person or house).
Also check these current events:
- 2011 – Suspect calls St. Johns County Sheriff’s Office (Fla.), says he’s had an accident on I-95 and reports other incidents, using voice-alteration software. An FBI investigation traced the calls to Mason Seckar in Milwaukee (Wis.). Case pending.
- 2011 – Suspect called an insurance agent using VoIP, agent dialed 911. Suspect said he was from England, his GPS was broken, his wife was ejected from car during accident near Westwood (Kan.).
- 2011 – An unknown suspect calls Greenville (SC) E911, stays on the line and then dials again to apparently try to tie up several 911 lines at once. An investigation is underway.
- 2012 – In February a caller to the Sarasota (Fla.) Sheriff’s comm center described a call from a “youth” who said he’d killed his parents, had a bomb and was suicidal. The call was made to a non-emergency telephone line.
- 2012 – In April-May a dispute among political bloggers resulted in 3-4 SWATing calls being made to dispatchers, sending police to several bloggers’ homes. As a result, U.S. Sen. Saxby Chambliss (Geo.) sent a letter (pdf) to the U.S. Attorney General asking for an investigation.
- In the second half of 2012 and into the first quarter of 2013, a series of incidents occurred in the southern California area involving the homes of celebrities. In August 2012 the Los Angeles home of singer Miley Cyrus was reportedly the target of a call reporting a home invasion and shooting. In Nov.-Dec. a series of SWATing 911 calls sent police to the home of Los Angeles-area celebrities. A 12 year-old was arrested in Jan. 2013, but copycats continued the prank 911 calls (including Tom Cruise’s house). In early April 2013 there were four incidents in three days involving Justin Timberlake, Rihanna and Selena Gomez.
- In Oct. 2012 Michigan Gov. Rick Snyder signed legislation (pdf) that enhanced the penalties for making SWATing calls (read more).
- In Jan. 2013 a California legislator introduced a bill (SB333) to enhance penalties (felony) and require restitution for 911 SWATing incidents. It moved out of committee on April 3rd, the same day that the Los Angeles city council considered a law to require SWATing suspects to pay restitution for the costs of a law enforcement response. [State Sen. Ted Lieu’s explanation of the bill / bill fact sheet (pdf) ]
- In April 2013 the governor of Minnesota signed S.F. 1168 (pdf) to make SWATing-type calls illegal, and to enhance existing false call penalties. The law became effective August 1, 2013.
- In August 2013 Nathan Hanshaw, 22, was charged with three counts related to making SWATing calls from Massachusetts to California. The U.S. Attorney said the calls were made to Colorado, New York and California to harass fellow on-line gamers. In one case Hanshaw telephoned a Los Angeles County sheriff’s dispatcher, claimed he was armed and holding hostages at a motel in Newbury Park (CA). Hanshaw was arrested when he was a juvenile for the same offense, according to police in Athol (Mass.) where he lives. Read the criminal information (pdf) and listen to one of his calls. Update: In Nov. 2013 Hanshaw agreed to plead guilty to making interstate threats, threatening to use explosives and threats to use a firearm. He was sentenced to 30 months in federal prison, less than the maximum because he agreed to cooperate with law enforcement to combat SWATing. He is also subject to significant supervision when he’s released, including prohibitions on using Internet-connected devices. Read about his sentencing here.
- In Nov. 2013 the Los Angeles city council amended (pdf) city law to add SWATing incidents to those for which a city reward can be offered.
- Dispatchers in Marin County north of San Francisco (Calif.) received a call in Sept. 2014 reporting a gunman with hostages at a home in the tiny town of Fairfax.
- In Sept. 2014 a Connecticut man was arrested by the FBI for making calls to Boston area universities, Florida and other locations. Matthew Tollis, 21, of Wethersfield may have been assisted by others in the UK, officials said. Tollis was a member of a group consisting of Microsoft X-Box gamers, the criminal complaint says, who referred to themselves as “TCOD” (TeAM CrucifiX or Die). He used Skype to make hoax threats involving bombs, hostage taking, firearms, and mass murder, and was identified in at least six incidents. [documents: charges, bail, conditions of release, etc., pdf]
- In Nov. 2014 on-line game playing led to a SWATing call in Kalamazoo County (Ohio), where a caller reported a shooting and hostage situation. The call was part of a series of six calls to various Ohio cities.
- In Dec. 2014 Royal Canadian Mounted Police (RCMP) officers arrested a 17 year-old SWATing suspect who allegedly made a call to the Polk County (Fla.) sheriff’s comm center, reporting a school shooting threat. The same teen is accused in other U.S. incidents, including those directed at a Stockton (N. Calif.) family.

- In Aug. 2014 a male used an IP connection to dial the Seminole County (Fla.) sheriff’s comm center, and said he had shot his mother with an AR-15. [tape]

- In Feb. 2015 Brandon Wilson was arrested in Las Vegas (Nev.) and charged with making hoax calls to the Naperville (Ill.) comm center.

Defense
At the moment, there is no technical defense against these VoIP/spoofing attacks for public safety comm centers who receive them. Technically, the VoIP provider simply transports the voice and any of the caller’s dialing commands across the Internet, and dumps them into the public telephone system at a distant location. There is no method for the VoIP provider to tag the transmission as coming from a VoIP line (or, for that matter, any method for PSAPs to receive such a data packet with today’s technology), or to identify the origin of the call while it’s being made. It’s possible that the planned Next Generation 9-1-1 network now in the early stages of planning will help eliminate these calls.
However, there are investigative methods for identifying the origin of VoIP calls afterwards, although it takes a considerable amount of expertise, time and multi-agency assistance to accomplish. In fact, this seems to be the biggest hurdle in the investigation of these incidents–the anonymity of the caller, a lack of law enforcement contacts at VoIP providers, no phone numbers or e-mail addresses to report such incidents, and lack of resources within VoIP provider companies for investigating these incidents. The U.S. Attorney in the Texas prosecution praised the 40 agencies which cooperated to arrest their suspects–not an unusual number of agencies in these types of incidents.
At the same time, these prank callers are adept at providing enough information to spark a police response, but not enough to identify themselves to the calltaker. The calls are always “in-progress” types of incidents, with the callers saying they saw intruders with guns entering a nearby home, they are holding a hostage, etc. In most cases, even with the best questioning techniques, the calltaker was unable to detect that the call was a prank.
So, here’s what’s common among the SWATing incidents, all intended to obscure the caller’s identity and to provoke a heavily-armed response:
- The caller is using a VoIP connection to make the call, either Skype or any of several other services. They can use a service such as SpoofCard to assume the identity of some other telephone or address when making the call.
- The caller is a witness and is reporting something they just saw, usually several armed people or
- The caller is the suspect, and says he’s just killed someone, or makes threats to shoot people, and describes a complex scene (bombs, suicidal threats, in hiding, suspects moving, etc.)
- The caller describes multiple, heavily-armed suspects, or says he has these weapons
- The caller is very detailed in the descriptions of the suspects and the situation
- The caller is cooperative, giving proper names and addresses (which they’ve usually researched prior to calling)
- The person may exhibit authentic-sounding emotions: suicidal, homicidal, remorseful, fear, anxiety, etc.
The best tactic for handling these calls is the same as for handling an authentic call: obtain as much specific information as you can about the caller, the location they’re reporting, the people and activity they see, etc. Do not make any assumptions about the authenticity of the incident, but simply obtain and document the information, and pass it along to the responding units for their appropriate analysis and action.
A dispatcher should also refer to all available databases of information to research the caller, the reported address and any other names. A telephone call to the premises may be advisable in order to avoid a confrontation between armed law enforcement and any innocent occupants of the location being reported. The call should be made at an appropriate time, for example, after officers have contained the premises and have “eyes-on.”
Your agency and comm center must have a pre-planned procedure for handling authentic incidents of this type, intended to mitigate the danger to involved and un-involved persons. These same procedures would be just as effective for prank calls.
In March 2012 a software start-up said it developed technology to analyze incoming telephone calls for various technical characteristics that could indicate a suspicious or prank call, including its VoIP origin.
In April 2013 the Los Angeles Police Dept. announced that it will no longer announce when SWATing incidents occur, with the intent to reduce any incentive for people to make false calls. The Los Angeles County Sheriff said he is considering such a policy, but for now is evaluating each incident and the public’s right to know.
Investigation
If you discover that a call was placed by a SWATing prankster, you should immediately begin a local law enforcement investigation, compiling all the available information about the caller, telephone calls, the reported incident sparking the response, and the public safety response.
You should also immediately seek out federal law enforcement resources for investigating the origin of the call. The FBI and Secret Service can contact your region’s multi-agency technical group that brings together law enforcement and private technology experts. These tech groups have the expertise, experience and Internet contacts to handle the inter-state tasks that are required to track down and prosecute SWATing suspects. These investigations are usually long-term, complex and inter-state. But arrests, prosecutions and convictions are possible.
WIRED Magazine has posted a long article on the culture of telephone hacking and SWATing, which provides great insight into their methods and thinking.
In Sept. 2009 “Rolling Stone” magazine published a long story on Matthew Weigman, who is now serving 11 years in federal prison for his telephone and 911 offenses. The story focuses on Weigman’s early years, his family upbringing and how his blindness affected his behavior.