Police are receiving fake calls about violent crimes in the homes of tech executives. Photo / Sarah Mazzetti, The New York Times
Online forums carry personal details of potential targets like industry leaders and their families. The police are struggling to find a solution.
Over the first week of November, the police in San Francisco and New York responded to a series of telephone calls claiming that hostages were being held inthe homes of Adam Mosseri, a senior Facebook executive.
The calls appeared to be coming from inside the homes. Officers arrived in force and barricaded the streets outside. Twice. But after tense, hourslong standoffs, they realised the calls were hoaxes. There were no hostages, and no one in the homes had called the police.
Mosseri is one of a number of tech executives who have been targeted recently in so-called swatting incidents. Swatting is online lingo used to describe when people call the police with false reports of a violent crime of some sort inside a home, hoping to persuade them to send a well-armed SWAT team.
These episodes have become more common in communities rich with tech companies and their billionaire executives, like the Bay Area and Seattle, according to six police departments contacted by The New York Times.
Exact numbers are unclear, the police say, because there is no central repository of information for these sorts of attacks. But as online discourse has become more combative and more personal, some in the industry aren't surprised that tech executives — the people who decide what is posted on social media and who is barred from it — have become regular targets.
Swattings have spiked at Facebook in particular, according to local police departments and security officials at the company, which in recent years has cracked down on false accounts, threatening language and other types of content that violates its rules. They spoke on the condition of anonymity because of the sensitivity surrounding the attacks.
Mosseri declined to comment, and a Facebook spokesman, Anthony Harrison, said in a statement that "because these things deal with security matters and our employees, we are unable to comment."
"Like any other type of crime, when the cost is zero and the deterrent is very low, you've created a perfect opportunity for people to pour time and resources into that crime," said Brian Krebs, a swatting victim who writes a widely read blog, Krebs on Security.
The attacks have been aided by forums that have sprung up both on the public internet and on the camouflaged sites of the so-called dark web. These forums name thousands of people, from high-ranking executives to their extended families, who could be targets, providing cellphone numbers, home addresses and other information. Some even discuss techniques that can be used — like cheap, online technology that can spoof a phone number and make the police believe a 911 call is coming from a target's home.
In the eight months since one online forum was started, nearly 3,000 people have joined.
"Who should we do next?" read one message on the forum last month. The responses included gun emojis — the symbol, in swatting forums, for an attack in which the police were successfully called to the target's home. Many of the responses were laced with profanity, as well as suggestions for ex-girlfriends who should be swatted.
One forum names at least two dozen Facebook employees as potential targets. They range from executives to product engineers. Some forum participants said that they had been barred from Facebook or Instagram, and that Facebook employees were fair game because they "think they are god."
On another forum, new names of potential swatting victims are added daily. With each new entry, there is — at a minimum — a home address. Some entries contain more details, including the best time of day to catch the person at home or information about the children's school.
"Lol, sick," read many of the replies.
Swatting started in the combative world of online gaming. It was a way to terrorise someone more famous, get even with a rival or retaliate against someone with different political views.
Provoking a heavily armed police response presents obvious risks. Last year, a 26-year-old California man was sentenced to 20 years in federal prison for calling in dozens of fake emergency calls, including one that led to the fatal police shooting of a Kansas resident, Andrew Finch.
Because few people carrying out swattings are ever caught, the police and tech companies can only guess at their motivations. They have seen, however, a correlation between removals of large numbers of accounts for threatening behavior or hate speech and what they believe to be retaliatory attacks against the executives responsible.
As more police departments recognize the threat, some have already found practical solutions. In Seattle, people who believe they are at risk of being swatted can include their information and that of their families on a police registry. When an emergency call about a potential threat comes in, the police check to make sure the home isn't in the registry. If it is, they call the home first to see if they can reach someone inside, and check with neighbours to see if there are any corroborating reports of shots fired or other disturbances.
"The registry is a voluntary thing we created, and it is a small but effective step for people who know they are at risk of being targeted," said Carmen Best, the police chief of Seattle. "Swatting is not a new thing. It's been around for a long time, and it weaponises our 911 system. It's a lot more than a hoax or a prank."
In addition to the registry, the Police Department has trained 911 operators to pick up cues to potential swatting in calls, Chief Best said. It has also begun educating officers on the importance of responding to questionable calls with a limited amount of force.
Seattle's approach is unusual. None of the other police departments contacted by The Times had a similar registry, or had even heard of the idea, despite the recent swattings against tech executives in their jurisdictions.
Because swattings are largely organised online, the people behind them can live anywhere in the world. And despite numerous attempts to create federal legislation banning the practice, there is no specific statute that allows swatting to be investigated and prosecuted as a federal crime.
Facebook, Google and Twitter did not respond to requests for comment on measures they have taken to protect their employees from swatting. In recent months, all three companies have held discussions with employees who they believe are at risk.
They have asked those employees to take added precautions, such as not publicly giving their whereabouts or listing information about their families. The tech companies have also privately let the local police know when certain high-profile executives are at risk, according to police departments in the Silicon Valley area.
The home of Facebook's chief executive, Mark Zuckerberg, was permanently flagged as high risk, said one Facebook security expert, who asked not to be named because of the sensitivity of the topic.
Facebook, Google and Twitter informally share information about potential swattings, giving warnings to one another if they spot a threat on their platforms, the expert said.
In an attack on another Facebook executive last year, police officers encircled the man's home in Palo Alto, California, after being told that he was at risk of harming himself and his family. The episode was resolved without anyone getting hurt.
Facebook had flagged the executive as a likely target for swatting and had taken precautions to protect him and his family. The police still sent a SWAT team.
"Anyone can be at risk of being swatted, but people who work in tech are at a particular risk," Best said. "We have to get a foothold on this, before more people get hurt."