Caller ID Spoofing: How Scammers Use Local and Trusted Numbers to Trick You
We've discussed the eight phone scams to protect yourself from; however, we didn't get into one major element of many of those scams: caller ID spoofing. Caller ID spoofing allows robo callers and scammers to seem as if they are calling you from a local number, a trusted business, or a government office. Many people fall victim to the IRS scam because the number that shows up on their caller ID is that of the local police station or the IRS itself. It's been happening across the country from California to New York and everywhere in between and it's not just the IRS scam, but countless other types of phone scams.
What Is Caller ID?
Caller ID provides people with the phone numbers of those calling their landlines or mobile phones. It gives the person the opportunity to know the identity of the person making the incoming call and to decide to take the call or send it to voicemail. Information on a caller ID display is generated by the originating phone’s carrier. Originally, keeping track of callers’ names and numbers was a simple task. However, internet phone numbers, pre-paid phones, and hundreds of phone carriers routinely cause the system to give misinformation. Unlike local number portability (LNP), wherein a phone number is attached to a particular carrier, caller ID is not regulated by the Federal Communications Commission (FCC). Services operate through a mish mash of decentralized databases that often function using outdated information.
A Little History on Caller ID Spoofing
Caller ID spoofing has been around for decades and was commonly used by businesses that had many internal phone numbers to display as one well known and advertised number on outgoing calls. Starting about a decade ago, in the early 2000s, techies developed free-to-cheap caller ID spoofing software. Developers designed it to allow people to protect their identity in vulnerable situations or play pranks on friends, but it soon took on criminal behavior. Today, several groups from telemarketers to scammers use caller ID spoofing to get the attention of unsuspecting consumers.
Paris Hilton allegedly used caller ID spoofing to hack into the phone and voicemail of Lindsay Lohan back in the mid-aughts, and from there on, people began to use spoofing for malicious purposes. Nowadays, we hear about caller ID spoofing as it's related to robo dialers calling at all hours from local phone numbers in the hopes that someone will pick up.
How Does Caller ID Spoofing Work?
One of the most common ways to spoof caller ID is by using Voice Over Internet Protocol (VoIP) service and a Private Branch Exchange (PBX) communications system software, like Asterisk. VoIP is a phone service over the internet. It uses the analog phone signal and converts it to a digital signal. The system sends the signal over the internet. This method is very popular due to its low cost compared to traditional telephone service.
PBX is a private system of telephone lines used within a company, and PBX software allows you to configure the internal phone lines of your company and control how outgoing calls appear along with a slew of other features. With a few tweaks to the software's files, you can alter the appearance of the outgoing number, causing the Caller ID Name (CNAM) to display the incorrect information.
Several other companies provide simplified spoofing services, one of the most well known being SpoofCard. For a low cost, you can change the number that your call recipient sees. You can also change the sound of your voice from male to female.
Who Is Affected by Caller ID Spoofing?
Caller ID spoofing affects everyone, from multi-million dollar businesses to little old grandmothers in rural Iowa. The trend continues to grow, and while the FCC attempts to combat caller ID spoofing, spoofers find ways to outwit the government agency.
First Orion, a scam protection service, working with the FCC released a report that analyzed 40 billion calls made to customers in the first half of 2019 accompanied by a study of 5,000 mobile phone subscribers who had answered their phone and spoken directly to scammers. The study found that 1 out of 3 scam calls were answered because the number seemed familiar.
According to First Orion and the FCC’s report, Scam Trends and Projections Report from Summer 2019:
- Scammers already had some personal information for 75% of the scam victims called. This information is most likely due to data breaches.
- Enterprise spoofing is on the rise and nearly 1 in 3 people who experienced a loss of $1,000 or more thought that they were speaking with a company they had previously done business with.
- Almost 4 in 10 scam victims said the caller knew their home address.
- Victims were 6 times more likely to experience financial loss when a scammer had personal information.
- More than a third of victims continued speaking with scam callers because the caller had verified personal information and 17% of scam callers were able to verify at least a part or all of the call recipient's Social Security number.
Effect of Caller ID Spoofing on Businesses
Caller ID hurts businesses in many ways. First, the reputation of the business is damaged when people register complaints about scams, unfair practices, nuisance calls, etc. Additionally, handling callbacks from angry customers and citizens creates a backlog in the business’ system, and prevents employees from conducting routine tasks.
A report from Tripwire gives a good example: “A business in West Springfield on June 22, 2018, received about 300 calls in one hour. Due to the high volume of calls, the business did not have enough resources to answer all of the calls. It quickly became apparent that the businesses number had been used in a series of spoofed calls and the calls were not from customers but from the recipients of the spoofed calls.”
Caller ID Spoofing and CEO Fraud
CEO Fraud involves a scam in which someone pretends to be the CEO or other high ranking executive in a company. The spoofer convinces the accounting department into authorizing phony wire transfers or tricks HR into sending out employees’ personal information.
The FBI refers to this scam as a "Business Email Compromise." BEC is defined as “a sophisticated scam targeting businesses working with foreign suppliers and/or businesses that regularly perform wire transfer payments. The scam is carried out by compromising legitimate business email accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds.” The scam is characterized by phishing emails accompanied by spoofed calls.
The scam has cost companies upwards of $26 billion. Criminal activity related to this scam has been reported in all 50 states and in 150 countries worldwide.
Can Caller ID Spoofing Be Stopped?
Caller ID spoofing isn't illegal unless it's done with intent to defraud or cause damage. The most common reasons for caller ID spoofing include getting personal information, credit card and bank account numbers, social security numbers. Some also sell products that are fake or never arrive.
In 2009 the U.S. passed the Truth in Caller ID Act, which has made it illegal for any person or company to use misleading caller ID information to commit fraud, harm, or to obtain anything of value. Each violation carries a penalty of up to $10,000.
However, you may ask yourself why you keep getting annoying calls from spoofed numbers if there is a law with heavy penalties? One of the reasons is because caller ID spoofing is very difficult to trace.
How to Protect Yourself From Caller ID Spoofing
The best method to avoid potential scammers and harassing callers is to let calls from unknown numbers go to voicemail and then use a reverse phone lookup app or site, such as CallerSmart, to look up the number.
We've come across several caller ID spoofers in our crowdsourced phone book. Many times scammers will use the number of a business or an individual, which can be a nightmare when harassed callers call back and complain. Our user's comments allow you to find out if a phone number that's calling you is related to a scam or if scammers have hijacked your business or personal line.
Here are just two out of many examples of caller ID spoofing that we've found:
- 972-972-3622: Identified as SCAMMER: “Telling me I have an outstanding warrant that needs to be resolved immediately!”
- 408-704-2507: Identified as SCAMMER: “Scam robocall left voicemail: ‘Pacific Gas and Electric just calling to inform you that your power will get disconnected in 30 minutes due to a pending balance on the account please call the direct billing department number at 1-844-613-1347 to avoid power disconnection.’ Do not call back!”
If you answer a call from a suspicious number that you might suspect is a scam, be sure to do the following:
- If a machine starts speaking once you answer, don't press a number to be placed on a Do Not Call List. Pushing a button will send a signal back that you are an actual person and the amount of nuisance phone calls you receive will increase. These people are criminals and disregard the National Do Not Call Registry.
- If an actual person starts speaking to you, do not give them any personal information. Tell them that you're unable to take the call at the moment and ask for their name, company, or organization and a number so you can call them back. Caller ID can't be trusted.
- After ending the conversation, do a reverse phone number lookup or check with the company that they said they were calling from to verify the information. Remember, if the caller claims to be an IRS )or other government agency) representative, it is a scam. Government agencies do not contact people by phone, nor do they demand payment over the phone - ever.
If you feel that you were contacted by a scammer using caller ID spoofing you should report it to the FCC, you can file a consumer complaint online or contact them by phone at 1-888-CALL-FCC (1-888-225-5322). Also, be sure to block the number on your iPhone in a few simple steps.
If you believe your number has been used in caller ID spoofing, it's best to file a complaint with law enforcement, the FCC and contact your phone service provider. Unfortunately, the only solutions are to change your number or wait it out until the scammer stops.
You can also report any suspicious behavior in CallerSmart's iPhone app for unknown number lookups. If you don't have an iPhone, you can find callers by phone number and leave your feedback on our website.
FCC Cracks Down on Caller ID Spoofing
On March 30, 2020 the FCC issued a press release titled, “FCC Mandates That Phone Companies Implement Caller Id Authentication To Combat Spoofed Robocalls.” The mandate states that the government agency will send FCC rules to telephone companies and service providers requiring authentication of caller ID numbers to ensure accuracy.
The FCC intends to enforce the new guidelines with strict penalties which should help to curb caller ID spoofing. Additionally, the FTC and the FCC drafted a joint order to service providers to cut off communication access to scammers in the United States who use robocalls intended to defraud citizens by offering services to combat COVID-19. Service carriers who do not comply will face stiff penalties and consequences.