Caller-ID Spoofing

by Rich Pasco

Caller Identification, or “Caller ID” for short, is a system by which the phone number of a calling party is transmitted in parallel with the ringing signal to a telephone set. With conventional wired and cellular telephone services, the number of the calling party is determined accurately from telephone company records and transmitted by the carrier's equipment. Unfortunately this is not the case with Voice-over-Internet-Protocol (VoIP) telephone systems. With VoIP systems, the callerID number originates from the caller's computer. An honest VoIP caller enters his number correctly into his VoIP software when he sets up VoIP, and it is transmitted to people he calls. But a dishonest VoIP caller can enter any number he wants, even a different one for each call. This process, called “Caller ID Spoofing”, enables junk callers to put any number they want on your Caller ID when your phone rings. In many ways it is analagous to e-mail address spoofing.

They use this capability in four evil ways:

1. Never the Same Number Twice

This morning my cell phone rang with a number I didn't recognize. When I answered, a recording said “This is cardholder services, calling about your current credit card account....” Since it did not mention which account, I knew it was phony, and so I added the number to my growing list of “do not ring” numbers. But probably they will not use that number again anyway.

2. Spoofing a Known Institution

Just minutes later, my home land line rang, displaying the number 800-743-5000 (which happens to be the main customer service number for Pacific Gas & Electric). I answered on the first ring, but as I said “hello” the caller hung up. Thinking this odd, I called PG&E back and followed the menu prompts about “suspicious phone calls” to learn that there is an on-going scam where callers spoof PG&E's number and demand payment for an allegedly overdue account. Actually I am glad that my caller hung up, but annoyed that they called at all.

For more reading

3. Spoofing a Local Number

Scammers often spoof a number whose area code and “prefix”—first six digits total—match the number of the victim they are calling, because they know people are more likely to pick up a call whose origin looks local, assuming that it is a neighbor. In reality, the caller could be anywhere in the world. A good rule of thumb is, if you don't recognize the name that comes with the caller ID, or the calling number is not in your contacts, let it roll to voicemail. If it's important, the caller will leave a message.

Often, in spoofing a local number, a scammer will choose a number which actually belongs to someone in your community. On more than one occasion when I have called back such a local number, the legitimatly innocent party there was completely unaware that their number had been spoofed onto spam calls. There is no point in getting angry at such a person (it's not their fault) or in blocking the number (it probably won't be used again), but politely explaining what happened may help them understand other angry calls they may have receeived. You may want to give them a link to this article.

For more information

4. Your Own Number and Voicemail Security

On Wednesday evening, April 18, 2007, I got a call on my cell phone, apparently from a telemarketer. He gave his name as “David” and said he was calling from the “American Grant Information Center” and that my number was randomly selected by computer from among all US residents and that I was eligible to receive free grant money. [Yeah, sure!]

For this call, my caller-ID indicator displayed as the calling number my own cell phone number! Obviously, I was not calling myself, so his computer was falsifying its caller ID through a technique known as “Caller-ID Spoofing” (see above). When placing a call with the right equipment and software, it is relatively easy to forge any number you wish to be displayed as the caller. In this case “David” was setting a fictitious calling number matching the actual called number (mine). Find more about Caller-ID Spoofing in Google and Wikipedia

Furthermore, he was calling me in violation of the fact that my cell phone number was listed on the National Do Not Call Registry.

I asked “David” for his company's phone number “so that I can call you back” but he refused to divulge it, insisting on sticking to his own patter about free grant money for me. I told him that I was on the Do Not Call registry and that his phone call was illegal unless he fully identified his company and their phone number. Actually, it was illegal regardless, but I wanted as much information as I could get to file with my complaint. He wouldn't tell me any more so I hung up.

Next I visited the National Do Not Call Registry and filed a complaint, giving the name of the company as “American Grant Information Center” with unknown phone number. Not much for them to go on, but better than nothing, I suppose.

But here's the most important part, and it's really scary:

Suppose I had not answered the call? My [former] cell phone service (Cingular) forwards all calls which are not answered directly into their voicemail system. By default, when that system recognizes the caller ID as matching the phone number whose mailbox is being called, it automatically logs the caller in with the full authority to control the system (play incoming messages, set personal options, record new greetings, etc.). Therefore, if I hadn't answered, “David” would have had full control over my voicemail system!

Closing this exposure was simple: I just needed to configure my voicemail system to always ask for my password regardless of the caller ID. On Cingular's system this is called “Turn off 'Skip Password'” and is implemented by logging into voicemail and pressing these keys:

4 - Options
2 - Administrative options
1 - Password options
2 - “Skip Password” control
2 - Turn “Skip Password” off

If you have a non-Cingular system your exact keys may vary, but the principle is the same.

Now I'm wondering whether “David” really was a telemarketer, or if perhaps his “free grant money” patter was really a cover for his real purpose of looking for unsecured voicemail systems he could hack into, perhaps for purposes of harvesting personal information for nefarious purposes.

The moral of this story is:

If your voicemail system doesn't always ask you for your password, I strongly recommend that you reconfigure it so that it does. Otherwise, a hacker, easily spoofing your own number as their own, could call right in and take over your voicemail system, playing and deleting your messages, changing your settings, and more.


Note: As author of this page, I see my primary responsibility as warning potential victims of caller-ID spoofing not to believe the caller ID displayed on their phone by an incoming call. It violates my conscience to advertise ways to do it. However, I feel it is only appropriate to fully expose at least one method of caller-ID spoofing simply to illustrate how easy it is. I am surprised that it legal, but apparently it is.

SpoofCard is a commercial subscription service. For a fee, subscribers can place their outgoing calls through the SpoofCard server instead of directly. When placing a call, the subscriber enters the number to be called and the number to appear on the caller ID. It's that simple.


Further Research

General Information about Caller ID

To check numbers which call you

About caller ID spoofing

About voicemail security

About the “American Grant Information Center”

Other Phone Scams

If you have any questions feel free to e-mail me.

Index to all of Rich Pasco's articles on e-mail and viruses

Rich Pasco's home page

Copyright © 2001-2017 Richard C. Pasco. All rights reserved.