TODAY'S PHONE HOAXES CAN BE DEADLY SERIOUS
May 10, 2016
By Audrey Fraizer
A popular prank call prior to the advent of caller ID was the question “Is your refrigerator running?” The unsuspecting “victim” who said “yes” to the question would be told “You better go catch it.” Sometimes, a prankster would call a pizza parlor and order an anchovy and sausage pizza for delivery to the home of a friend, now considered former for reasons only junior high students can understand.
Except for the interruption and unwanted pizzas, the pranks were silly and harmless, and—unless the victim was a frequent target of a spiteful caller—the phone pranks were nothing that provoked police surveillance or response.
“There’s nothing new about prank phone calls,” said Christopher Carver, NENA Director of PSAP Operations, during the free webinar on swatting sponsored by NENA and the National 911 Office. “They’ve been around a long time.”
And while refrigerators keep on running and pizza parlors verify delivery addresses, phone pranks are here to stay, and, in this day and age, they are ascending a gag ladder built on technology and social media.
Not all the gags are silly and harmless. Despicably aimed false 911 SWAT calls result in serious consequences.
Swatting is neither funny nor valuable to the common good. Swatting is the malicious act of deceiving an emergency service. Swatting goes hand-in-hand with cellphones (no pun intended) since the hard-wired landline phone system was immune to attack.
“Social media and the ability to create distance [from the actual source of the call] are unique components, along with advances in technology, that will probably make phony calls impossible to eradicate,” said Carver, retired, Deputy Director of Dispatch Operations for New York City Fire Department (FDNY). “We can take steps to reduce the frequency and lessen the impact, but they’re not going away.”
Swatting is not a new phenomenon.
Internet gamers are credited as among the original swatters. They could use gaming technology to hide behind online personas and fake names to deceptively report their online opponents had a gun and were taking hostages in the real world outside of the gaming platform. The response from law enforcement often drew full-scale SWAT teams to the location (thus the name swatting); the gamer could post the response on social media to impress and entertain others with his or her hoax.
Swatting also became a means of getting back at someone. The intent was spiteful. This was a game of evildoing.
In 2009, Matthew Weigman, then 19 years old, was sentenced to 11 years in federal prison for telephone conspiracy that included swatting. Weigman and co-conspirators—many receiving federal sentencing, also—were convicted of using social engineering and other scams to obtain a target’s personal data, impersonate telecommunications employees, and harass their victims to carry out dozens of swatting incidents, along with other crimes.1
Their hacking schemes were often variations of older scams and newer spoofing technology. They “pretexted,” pretending to be employees or customers of a phone company in order to obtain private information; they used war-dialing to dial thousands of phone numbers from a computer to gain system access; and they traded passwords with phone hackers known as “phreakers.”2
In a high-profile swatting hoax in California, gamer Nathan Hanshaw agreed to plead guilty to a federal charge of making interstate threats to use explosives and firearms. Tracing the calls would have taken months had it not been for information obtained from a second gamer initially suspected of the crime. The swatting calls had been placed through the Internet, and the caller was technologically savvy enough to shield the source computer by using a clone of a modem, according to reports.3
The state of California now requires those convicted in swatting cases pay restitution for the cost of the law enforcement response, which can run into the tens of thousands of dollars.
Weigman’s and Hanshaw’s technical abilities that included caller ID spoofing combined with their dogged determination went far beyond the skills of most phone phreaks, even the veteran hackers, and that’s the good news.
“If spoofing becomes a problem, this would be a bad, bad day,” said Mark Fletcher, Chief Architect, Worldwide Public Safety Solution.
Getting the goods on the target
A good swatter doesn’t make a call at the spur of the moment. A good swatter does his or her homework. A good swatter will know how to use social engineering and pretexting to learn as much as possible about the target before making the fake call. Swatters might be savvy enough to disguise their voice and, if not, they can buy cheap technology readily available to do it for them (social engineering).
In pretexting, another form of social engineering, the swatter obtains target data by creating an artificial, non-threatening scenario to mask true intentions and use the information to make the fake swatting story sound real. A swatter might find the target’s home address, phone number or IP address, and information about the target’s family by contacting customer service departments, such as Amazon and PayPal, and pretending to be a chat support agent or the customer targeted.
“They attack the weakest piece in the chain, the human element,” Fletcher said. “Swatters work on emotions. For 911 dispatchers, you have a caller crying out for help.”
The technological piece “caller ID spoofing” allows callers to deliberately falsify the telephone number and/or name relayed as the caller ID information to disguise the identity of the calling party.4 A caller ID spoof tricks the telephone network into giving a location that’s different from the actual location of the swatter. It’s not new technology, and spoofing services were originally created for valid reasons—for example, to show the general number of a multiple physician practice and not the individual numbers of the practicing physicians to discourage patients from calling back individual numbers or extensions for lab results or condition reports, Fletcher said.
Swatters can purchase prepaid spoof cards from spoofing services, and when ready to initiate the spoof call, they do so through the spoofing service provider’s website or app. The spoofing service provider calls the swatter back at the real phone number, calls the target’s number, and links the calls together, providing the spoofed caller ID information to the target.5
Spoofing makes the 911 swatting crime difficult for police, and spoofing services are not always eager to provide the names of their customers.
“After all, they are being paid for services that hide identity,” Fletcher said.
In any situation, however, there are giveaways, despite how meticulous the preparation. For example, in the age of cellphone preference, a tragic or otherwise monstrous event generally results in calls flooding the communication center. There’s more than one call to report the event.
“We have to treat everything as real,” Fletcher said. “But think about it, do you ever receive just one call to report a highway crash? Would someone take the time to look up a 10-digit number and use that to make that call? These are red flags. Something about the call doesn’t make sense.”
NENA guidance document
Swatting calls come from two sources, according to a guidance document released by the National Emergency Number Association (NENA)6: direct to the PSAP or relayed from a third-party through a telecommunications relay service or a “Good Samaritan” using social media.
If the incident is identified as a possible swatting, law enforcement will investigate, and the PSAP should be ready to provide the following information:
• Call recording (if a voice call)
• Call detail information from the 911 and telephone systems providers. Note: Some system logs are purged after a short period, and notifying these providers early may help to preserve evidence. Request info from each provider and work back through the path of call origination. This information may not be provided to the PSAP, but notifying the provider to capture the log information will assist the investigation.
• Information gathered from the calltaker and any additional notes (the elements that make the call suspicious, such as background noise the calltaker heard during the call and the tone of the caller’s voice)7
Communication centers can also take precautions to prevent caller ID spoofing, Fletcher said. If the call raises suspicions, the dispatcher can contact the cell tower and request the phone number to determine the caller of the incoming call. In the second approach, the dispatcher can call back the number of the incoming call using an unlisted number to check for a busy tone.
“If someone answers, it’s a tip-off for a suspected caller ID spoofing,” Fletcher said. “If the number is busy, it’s possible that the incoming call is truly coming from that number.”
Carver said dispatchers must rely on their skills.
“Keep the caller on the phone and collect as much information as possible,” Carver said. “Listen to background noises and the caller’s voice. These elements might provide valuable clues that this is not a legitimate incident. This information is important to give responders.”
Fletcher said finding the swatter involves following the breadcrumbs and working with other centers.
“Think of it as data forensics,” he said. “You need to have a suspect to look for a match. This is why Network IP tracing evidence needs to be collected and shared.”
The International Academies of Emergency Dispatch (IAED) does not have a specific protocol to handle these types of calls since it involves a false reporting of an incident with the intent to illicit a tactical response.
Protocol is not designed to support fabricated incidents, and any incident is up to local response configurations.
Although the ability to identify and respond to swatting is a local issue, protocol provides the ideal point of departure, said Shawn Messinger, Priority Dispatch System™ Program Administrator—Law Enforcement.
“Response can start with a good statement obtained from the CE [Case Entry] question ‘Okay, tell me exactly what happened,’” Messinger said. “Each agency has its own due diligence to determine a real incident from a false one, and, in the end, communication centers are only as good as the information provided to them.”
While protocols are the best tool for eliciting quality incident information from a caller, a person devious enough to make the call is generally devious enough to mask identity and perpetuate the mistruth. Weigman, for example, was known for his ability to imitate voices and maintain the intensity of the situation—fake from his angle—during the call.
“If a person intentionally wants to deceive a calltaker, that can be tough to defend against,” Messinger said. “That’s one reason why we teach the concept of foreseeability in the legal section of our universal materials.”
According to the law, “foreseeability requires only that we draw reasonable conclusions from the data given by the caller. That is the EMD [EFD/EPD] is not required to predict that a certain set of circumstances will result in findings reported at the scene that are not reasonably similar to the data given.”8
Furthermore, the IAED maintains that legal protection for the EMD/EFD/EPD lies with the concept of foreseeability and that “It is reasonable to assign dispatch priority based on what the caller says. If the caller’s information is incorrect, the EMD/EFD/EPD cannot be faulted, assuming that the EMD/EFD/EPD followed protocol and made reasonable efforts to obtain the appropriate information.”9
Make consequences clear
Carver recommended preparation.
“The best measures for an agency are taken ahead of time to stop these calls from happening,” he said. “Make sure you have strict enforcement and strong punishment. Enforcement is a critical, critical piece to let them know you’re taking this very seriously. There will be consequences.”
The NENA and National 911 Program guidance document provides several precautionary recommendations, and these include coordinating policies among responding and investigative agencies, reviewing PSAP policies and procedures, and updating training to cover information on swatting.10
1“The Crime of ‘Swatting’: Fake 9-1-1 Calls Have Real Consequences.” FBI. 2013; Sept. 3. https://www.fbi.gov/news/stories/2013/september/the-crime-of-swatting-fa... (accessed Sept. 15, 2015).
2McMillan R. “Blind Phone Hacker Gets 11-year Sentence.” IDG News Service. 2009; June 29. http://www.pcworld.com/article/167593/article.html (accessed Sept. 16, 2015).
3Healy P. “Online Gamer Sentenced in Ventura County “Swatting” Hoax.” NMCUniversal Media, LLC. 2013; Nov. 7. http://www.nbclosangeles.com/news/local/Irate-Online-Gamer-Sentenced-in-... (accessed Sept. 21, 2015).
4“Caller ID and Spoofing.” Federal Communications Commission. 2014; Dec. 30. https://www.fcc.gov/spoofing (accessed Sept. 21, 2015).
5O’Donnell A. “Why You Shouldn’t Trust Caller ID.” About.com. http://netsecurity.about.com/od/newsandeditoria2/a/Why-You-Shouldnt-Trus... (accessed Sept. 22, 2015).
6“NENA & National 911 Program Release Public Safety Swatting Resource.” NENA. 2015; June 27. https://www.nena.org/news/238892/NENA--National-911-Program-Release-Publ... (accessed Sept. 21, 2015).
7See note 4.
8Clawson J, Dernocoeur K, Rose B. Principles of Emergency Medical Dispatch. Fourth Edition. IAED. Salt Lake City. 2008.
9See note 4.
10See note 5.