What you are about to read is fiction, but the scenario is feasible and, in a few months, may be likely.
Bob was sitting on the couch watching the Chiefs play the Bills. The Bills had just made a touchdown, bringing the score to Bills 17, Chiefs 10. Suddenly the front door burst open and a heavily armed group of people flowed into his home. In moments Bob was on the floor face down, arms behind him zip tied. Bob was under arrest.
Bob wasn’t guilty of a crime. He was the victim of a horrible extreme prank called “swatting.” Someone had accused Bob of posting extreme anti-government threats on social media. Bob’s social media account had been compromised, then filled with anti-government rants. Enough evidence to justify the temporary chaos you just witnessed.
Why was Bob targeted? Unfortunately, he was the client of a medical center that recently had fallen victim to a cyber-extortion group. The patient information was stolen (including Bob’s) and the threat group promised that if the ransom wasn’t paid, the threat group would make life a literal hell for the patients.
Because Bob had the bad habit of reusing his passwords it was trivial for the threat group to take over Bob’s social media account using his stolen credentials and make those false posts. Bob became the first of many to endure such humiliation.
The story is fictitious. But the threat is real. Swatting as a service is the latest tactic threat actors are using to coerce businesses into paying cyber ransom. You are truly just a pawn. Because cyberattack reports are so common today, we’ve become overwhelmed and desensitized to the implications of the threat. But now the implications are physical. Visits from actual police to your home. So far, the police visits have resulted in only momentary inconvenience for the victim and a waste of police resources. But it is conceivable this will escalate.
You are probably thinking, “There’s no way this could happen. Who would ever go to such an extent just to get money?”
The reason you think this is because you are not evil. But there are truly evil people who absolutely don’t care about the pain this causes innocent people. The effort it would take to conduct such a campaign as described above is very little on the part of the threat actor, especially in the age of artificial intelligence.
An AI bot can easily craft the content for social media posts at scale. The level of effort on the part of the human is then as little as copying and pasting the content into a compromised social media account.
But you can do something to make sure it isn’t you who suffers. First, if you don’t absolutely need social media, you can cancel your accounts. One principle of cybersecurity is “if you don’t need it, remove it.” If you do use your social media accounts, make sure you use a password manager like Bitwarden to create and securely store your passwords.
Lastly, you do have a right to ensure your data is secure. The tactic described above has been used against medical centers. Your protected health information is governed by the Health Information Portability Accountability Act. You have the right to ensure your medical provider is protecting you. Ask it to provide you with evidence it is doing more than the bare minimum. If it refuses to show you, then you may consider changing doctors.
I know this sounds extreme, but so is “swatting.”
Original article was featured in the Sierra Vista Herald and can be found here.