Caller ID Spoofing: How Scammers Fake Numbers

Quick Answer: Caller ID spoofing lets scammers display any phone number they want on your screen—your bank, the IRS, even your mom. It works because caller ID was built on trust, not verification. Think of it like a letter with a forged return address: the postal service delivers it regardless of whether the return address is real.

A Little Bit of Caller ID History…

The global telephone network was never designed to verify the identity of who is calling. When Alexander Graham Bell's patents were commercialized and nationwide switch networks percolated around the globe, the design philosophy prioritized routing calls to the correct destination above all else. After all, phone numbers were more like addresses than identity, they were assigned to physical locations like a home or a business. The person calling was expected to be the person who paid the bill for that line. The nationwide networks grew this way for over half a century.

When the nationwide networks like AT&T in the US, British Telecom in the UK, and Deustche Bundepost in Germany came together to create standards in the 1970s, again the protocol included zero authentication mechanisms. Why would they? This was a club of state-owned monopolies around the world run by proper gentlemen (and yes always men back then). Better to blindly trust the originating operator than bother the group with needless frivolities that might only create friction. When Caller ID arrived in the 1980s, and what a magical feature it was for those who remember life before it, well, that simply displayed the originating phone number for the caller, it didn't verify it.

Wait, My Caller ID Can Lie to Me?

Yep. Here's the uncomfortable truth: that phone number on your screen? It's basically the honor system.

When caller ID was invented in the 1980s, phone calls came from physical phone lines in fixed locations. If someone called you from a number, they were probably standing next to a phone connected to that number. It made sense to trust what the caller claimed.

But here's what changed: phones went digital. Calls started traveling over the internet. And suddenly, the "caller ID" attached to a call became just a piece of data that the caller could set to... well, anything.

Imagine if you could write any return address you wanted on a letter and the postal service would just shrug and deliver it. That's basically what happened to phone calls. Scammers realized they could claim to be calling from the IRS, Bank of America, or your neighbor down the street—and your phone would display that number without question.

How Does Caller ID Spoofing Actually Work? (The Non-Technical Version)

Let's break this down into simple terms.

The Old Days: Phones Were Dumb (In a Good Way)

Back when phones were connected by physical copper wires, the caller ID came from the phone company's switching equipment. You couldn't easily fake it because the phone company controlled it.

The Internet Changed Everything

Modern phone calls—especially from businesses and call centers—travel over the internet using something called VoIP (Voice over Internet Protocol). Think of VoIP as phone calls that work like email: they're just data packets zooming across the internet.

Here's the key: when you make a VoIP call, you can configure what caller ID you want to send along with it. There's a field for it, like filling in the "From" line on an email. And just like you could type any email address in the "From" field (though email servers have gotten better at catching this), you can enter any phone number in the caller ID field.

The Tools Scammers Use

VoIP Services: Internet calling services that let you configure your outgoing display number. Some are legitimate (businesses use them so all employees' calls appear to come from the main company number). Scammers abuse them.

Spoofing Apps & Services: There are actual services—some charging just pennies per call—that let you punch in any number to display. Some advertise for "pranks." Many are used for fraud.

Overseas Call Centers: In larger countries like the US with the resources to create rules and investigate violators and impose penalties, these VOIP operators are controlled and required to put their customers through a variety of verifications before they can connect calls. But, in other countries, it's the wild west and because the global telecommunications system is distributed and interconnected, calls can on-board to the ecosystem from anywhere. Scammers naturally gravitate to jurisdictions that either can't or don't police VOIP providers properly. They can pump out thousands of spoofed calls per hour using automated systems, displaying whatever numbers they want.

The barrier to entry is shockingly low. Someone with basic tech skills and about $20 can make hundreds of calls that appear to come from the White House if they wanted to.

Neighbor Spoofing: Why That "Local" Call Might Be From Overseas

Ever notice you keep getting suspicious calls from numbers that look almost exactly like yours? Same area code, same first three digits?

That's called neighbor spoofing, and it's a deliberate psychological trick.

Scammers know that you're way more likely to answer a call from a local-looking number. A number from your area code might be your kid's school, your doctor, a local business. So scam operations specifically program their systems to display numbers that match your area code and exchange (the first three digits after the area code).

The irony: that "local" call might literally be coming from a call center in another country. But because they spoofed a number in your neighborhood, your brain says, "Maybe I should answer this."

Okay, But What About STIR/SHAKEN? I've Heard That's Supposed to Fix This.

If you're a telecommunications nerd like us, you might have heard about STIR/SHAKEN—a system the US government and international governments have adopted that require phone carriers to implement. It sounds impressive. So did it fix spoofing?

The short answer: It helps, but it's far from a complete solution.

Let's break down what STIR/SHAKEN actually is in plain English.

STIR/SHAKEN: The Basics

STIR stands for Secure Telephone Identity Revisited. SHAKEN stands for Signature-based Handling of Asserted information using toKENs. (Yes, they really stretched to make that acronym work.)

Here's the concept: when a call passes through carriers that support STIR/SHAKEN, the originating carrier can "vouch" for the caller ID by attaching a digital signature. It's like the carrier saying, "Yes, we can confirm this call actually came from this number."

Calls get one of three "attestation" levels:

• Full Attestation (A): The carrier confirms both the caller and the number. This is the gold standard.
• Partial Attestation (B): The carrier knows the customer but can't verify the specific number.
• Gateway Attestation (C): The carrier doesn't know where the call originated—it just entered their network from somewhere else.

In theory, your phone (or your carrier's screening service) could use this information to warn you about calls that lack proper attestation.

Why STIR/SHAKEN Isn't the Silver Bullet

Here's where it gets complicated:

1. Not all calls go through verified networks.

STIR/SHAKEN only works when calls travel through carriers that have implemented it. Calls originating from overseas, passing through VoIP gateways, or using older network equipment often don't get verified at all. Recent reporting estimates that 2. The "gateway" problem.

Many calls come into the US phone network through international gateways. The gateway carrier often has no idea where the call really originated, so it can only provide "C" level (gateway) attestation—which tells your phone basically nothing useful.

3. Even verified calls can be spoofed.

If a scammer sets up a VoIP service through a US carrier that doesn't properly verify their identity, they might get partial or even full attestation—while still spoofing their number.

4. Your phone might not show you the verification status.

Many phones don't clearly display whether a call passed STIR/SHAKEN verification. So you might be getting the data, but you're not seeing it.

An Unsettling Scenario: How a Scam Call Can Still Appear to Be From Mom

Let's walk through a realistic scenario that shows how STIR/SHAKEN can be completely bypassed—and why a call can still show up on your phone appearing to be from someone you trust.

The Setup

Maria lives in Phoenix. Her mom, Linda, lives in Chicago and is saved in Maria's phone as "Mom" with her Chicago phone number.

One day, Maria gets a call. Her phone lights up: "Mom" with her mom's actual phone number displayed.

What's Really Happening

A scammer in an overseas call center has obtained Linda's phone number—maybe from a data breach, maybe from social media, maybe just from a directory. They've set their VoIP system to display Linda's number as the outgoing caller ID.

The call travels like this:

1. Originates overseas via VoIP, with Linda's number set as caller ID
2. Enters the US through an international gateway that can't verify the call's origin (Gateway attestation only)
3. Reaches Maria's carrier with Linda's spoofed number attached
4. Maria's phone matches the number to her contacts and displays "Mom"

STIR/SHAKEN couldn't help here because the call came in through an international gateway with minimal verification. The gateway just passed along whatever caller ID the foreign VoIP service claimed.

The Con

Maria answers. A voice that sounds distressed says, "Maria? It's Mom. I'm in trouble. I was in an accident and I need you to send money right away. Please don't tell anyone—just help me get out of this."

Now imagine if the scammer used AI voice cloning to sound like Linda. They might have scraped a few seconds of Linda's voice from an Instagram video and trained an AI model. Now Maria hears something that actually sounds like her mother.

Maria goes into protector/savior mode and just wants to help solve the problem. The call came from Linda's number. It showed "Mom" on her screen. The voice sounds like her mother.

Maria's about to get scammed—and every protection we have failed.

The Lesson

This scenario isn't hypothetical. These attacks happen every day. And they work because:

• Caller ID spoofing is trivially easy
• STIR/SHAKEN doesn't cover all calls and can actually provide a false sense of security
• Contact matching makes spoofed calls look legitimate
• AI voice cloning makes the voice convincing
• Emotional urgency bypasses critical thinking

So What Can You Actually Do About Caller ID Spoofing?

If all these protections have gaps, how do you protect yourself?

Never trust caller ID alone. Even if your phone says "Mom" or "Chase Bank" or "Local Police"—that number could be spoofed thanks to caller ID spoofing. Treat caller ID as useful but unverified information.

Verify independently before taking action. If someone claims to be from an organization, hang up and call them back using a number you find yourself (from their official website, from a bill, from the back of your card).

Create a family code word. Pick a secret word that only your family knows. If someone calls claiming to be a relative in distress, ask for the code word. A scammer won't know it.

Be suspicious of urgency. "Don't tell anyone" and "You must act NOW" are manipulation tactics and social engineering. Real emergencies can wait for a 60-second verification call.

Understand that familiar voices can be faked. AI voice cloning is real. If something feels off, trust that instinct over what your ears are telling you.

Invest in third-party tools like Savi to help you implement these and other scam protections for you and your family.

FAQs

Is caller ID spoofing illegal?

Spoofing with intent to defraud is illegal under federal law. But enforcement is extremely difficult, especially when calls originate overseas.

Can scammers spoof my number to call other people?

Yes, unfortunately. If people tell you they got calls "from you" that you never made, your number is being spoofed. You're a victim too. Report it to the FTC.

Does STIR/SHAKEN stop spoofing?

It helps reduce some caller ID spoofing within verified US networks, but it doesn't cover international calls, VoIP gateways, or calls that pass through unverified systems. It's one layer of protection, not a complete solution.

Why can't phone companies just stop spoofed calls?

The phone network was built on trust, not verification. Retrofitting security onto a global system with billions of endpoints is incredibly complex. Progress is being made, but it's slow.

The Bottom Line

Caller ID spoofing exists because the phone system was built in an era when trust was the default. Scammers exploit that trust every day, displaying whatever number they want on your screen.

STIR/SHAKEN is a step in the right direction, but it's not a silver bullet. Many calls—especially those from overseas—slip through without verification. And even "verified" calls aren't guaranteed to be legitimate.

Your best defense? Healthy skepticism. Treat every unexpected call as potentially spoofed, verify through independent channels, and never let urgency override caution.