Number spoofing scams explained

Getting spammed with phone calls from numbers sharing your area code? You’re not alone. Millions of people in the US, UK, Canada, and elsewhere are now plagued with phone-based scams that use a technique called caller ID spoofing. Also known as number spoofing, scammers have easy access to the tools needed to create fake numbers and launch phone scam campaigns. Spoofed numbers have proven effective at getting more of us to pick up the phone, leading to a higher occurrence of number spoofing scams.

Number spoofing doesn’t appear to be going away any time soon, but you can at least take some action against it. Learn more about number spoofing scams, how they work, and how to stop phone spam that uses spoofed numbers.

What is number spoofing?

When you get a call to your mobile phone, the caller may be masking the original number. If so, the caller could be located just about anywhere in the world and you would never know it. Most of the spam calls you receive are likely using spoofed numbers to operate scams.

Who among us hasn’t received a phone scam call or text message (or hundreds)? I sure have. According to YouMail, Americans received over 45 billion robocalls in 2020. That equates to nearly 140 robocalls per person in the US, or nearly 220 per US adult aged 18 and up.

How does Caller ID spoofing work?

There are several methods scammers can use to create fake numbers. By far, the most common and most popular technique scammers use is to fake numbers with voice over internet protocol (VoIP). Scammers can either use freely available open-source VoIP tools or create an account with a VoIP provider that allows them to substitute their original number with any number they want.

caller id spoofing FCC diagram
Source: FCC

Once they’ve configured their VoIP software to display the numbers they want, scam artists can then create and execute largescale scam call campaigns almost without limitation. Practically any number can be spoofed, meaning scammers can target any phone number they have in their database.

Many scammers don’t stop at just spoofing caller ID numbers. Some will use digital tech tools to change the display name on the caller ID, as well. Scammers do this so they can use almost anyone’s phone number and name without the threat of call-backs. Unfortunately, this has led some innocent people whose names and numbers are used as part of a scam campaign to get angry calls and texts instead.

VoIP providers that allow this type of activity through their service effectively relay both spoofed numbers and fake caller ID names to the recipients’ phone services. The receiving phone services typically take this information at face value and display both spoofed or faked information.

How did number spoofing scammers get my number?

Massive robocall and phone scam operations don’t work if the criminal organizations behind them don’t have anyone to call. Unfortunately, getting numbers is relatively simple. Phone number and name combinations are not typically private information, so scammers can usually scrape this data from public archives.

Even the US government provides a list of archives where this information can be easily acquired through websites such as:

  • National Cellular Directory

An important limitation on scammers trying to use these sites is that they require web scraping (typically using Python scripts). Even then, these sites require a name to find find a matching number (or vice versa), so it’s a less-than-ideal process for getting numbers wholesale, though it can help scammers match names and numbers.

An easier route that many phone scammers take is to instead purchase stolen data from data breaches, or steal phone numbers and other data from poorly-secured databases.

Stolen data is exceptionally cheap to purchase on dark web marketplaces. For example, scammers can quickly locate and buy 2 million+ stolen records from Walmart customers on dark web marketplaces for as little as $5 USD. With the average reported financial loss for phone scams in the US exceeding $500, scammers have no problem recouping their costs.

Dark Web data dump
Walmart data for sale on the dark web.

Scammers don’t need to pay for this data, though. They can also scan the web for poorly-secured databases that contain thousands or millions of users’ data. This is a major area of concern and one that Comparitech regularly researches and writes about.

Regardless of where they got the numbers, scammers still need a way to call without being traced. This is where number spoofing comes in, and why VoIP companies with lax policies share a lot of the blame for the number spoofing epidemic. The US government is now warning, suing, and fining VoIP providers that allow their customers to operate illegal phone scam operations.

How to prevent and block Caller ID spoofing

Although service providers and governments are working on solutions, it’s up to all of us to do our own due diligence in stopping number spoofing scams. Here are some simple steps you can take to combat number spoofing:

1. Don’t pick up calls from unknown numbers

Caller ID spoofing and scams don’t work if potential victims don’t answer the phone or respond to text messages you don’t pick up you can’t fall victim to a scammer using a spoofed number.

Most number spoofing scammers now focus on spoofing local numbers, a tactic known as neighbor spoofing. This involves spoofing a phone number that matches your area code and sometimes, even your exchange number. Neighbor spoofing is exceedingly popular among scammers now because it works so well. Victims are more likely to pick up a call, even from an unknown number, if it could be from someone local such as a friend, family member, doctor, or the auto repair shop.

Even if you see a number with a local area code, don’t pick up if it’s not in your address book. Save the numbers of people you know and businesses you patronize to your device’s address book. Let unknown numbers go to voicemail. Scam callers sometimes leave a voicemail, but often do not bother or have not invested in automated voicemail messages.

2. Install a spam blocking app

Mobile devices are now the most common phone service consumers use as landlines have fallen out of favor. Phone scammers have picked up on this. Similar to malware writers when it comes to Windows vs macOS, they focus their number spoofing scams where most users are located (in this case, mobile phones).

Spam blocking apps are now a must for consumers. There are dozens of spam blocking apps on the market that use different techniques to block spam calls. That said, here are some of the most respected and top-rated spam blocking apps:

  • Robo Shield: Our preferred option that combines multiple security tools into one; Android and iOS apps available
  • Truecaller: Excellent free spam blocker with premium tools; Android and iOS apps available
  • RoboKiller: Answers and hangs up calls for you in the background; Android and iOS apps available
  • Nomorobo: An FTC Robocall Challenge winner that also works for landlines; Android and iOS apps available
  • YouMail: Blocks spam calls using out “Out of Service” message to help discourage further calls; Android and iOS apps available

For more, check out our post on the best spam call blockers for iOS and iPhone. (Most of the iOS spam blocking apps also work on Android devices.)

3. Put your number on a “do not call” registry

Many countries now have national “do not call” registries that prohibit telemarketers from calling any number registered to the list. Note that adding your number to your country’s “do not call” registry will have only a marginal impact if any. Most number spoofing callers are based outside of the US and are not concerned or care about these registries.

The following registries are available:

Telecom companies are now working on measures that block suspected phone scams that use spoofed numbers. In both the US and Canada, phone carriers must now implement the new STIR/SHAKEN Caller ID authentication framework. The framework is designed to combat number spoofing by using a multi-step approach and certificates to verify the authenticity of the caller’s number. If the caller cannot be properly identified, the call can be blocked by an automatic filter or by the called party’s service provider.

4. Change phone numbers (especially if your number is getting spoofed)

Getting a new phone number can be a hassle, but it may be necessary to reduce the number of incoming spam calls and texts coming to your phone. Even more importantly, though, if it’s your number that is getting spoofed, you should consider getting a new number as soon as possible.

Getting a new phone number is fairly simple. In most cases, you can contact your mobile telecom provider and request a new number without having to purchase a new device.

We also recommend requesting an unused number. Telecoms typically recycle numbers. If you’re using a recycled number, you could be stuck with the same problem you had. The longer a number has been used, the more likely it is that that number has been shared widely across the web and stolen in data breaches.

Here are some quick links to provider-specific information for changing phone numbers:

Top US mobile carriers:

*Most US carriers will not charge for changing your mobile number, but some will. Check with customer support first.

Top Canada mobile carriers:

*Most mobile carriers in Canada will charge a fee for changing your mobile number. Check with customer support for the cost.

Top UK mobile carriers:

  • EE
  • Vodafone
  • O2
  • GiffGaff
  • Three (Does not provide number change details; contact customer service)
  • Sky
  • Tesco (Does not provide number change details; contact customer service)
  • BT (Does not provide number change details; contact customer service)
  • Virgin Mobile (Does not provide number change details; contact customer service)
  • Talkmobile (Does not provide number change details; contact customer service)

*Some UK carriers will charge an administration fee for changing your number. Check with customer support for the cost.

Top Australia mobile carriers:

*Some mobile carriers will charge a fee for certain types of number change requests. Check with customer service for costs. 

5. Switch to a new mobile carrier

Similar to changing your number, you may want to change to a different mobile carrier. There are a few reasons why this option might be better than just changing your number with your existing carrier:

  1. Your existing carrier may not allow number changes
  2. A different carrier may be cheaper and offer better service in your area
  3. Some carriers now employ number spoofing and spam blockers across their networks

Focusing on that third point, many large, first-party mobile carriers have started to deploy spam blocking technologies at the network level. As calls come into the network, they’re scrutinized and filtered. So instead of having to wait for calls to hit your phone before being blocked, many get blocked before you know it.

This is particularly true in the US, where network-level spam blocking is now a marketing tool to draw in customers. All major US mobile carriers (Verizon, T-Mobile, AT&T) now offer free spam blocking to customers. Notably, they tend not to offer these services to MNVOs that ride on their networks, and most MVNOs do not offer free spam blocking.

6. Protect your personal data

One of the most effective ways to avoid caller ID scams is to ensure that third parties don’t get access to your phone number in the first place. This means not entering your phone number into competitions or any unnecessary online forms.

If you can’t avoid providing your phone number, e.g making a new account with an online service, you can still take precaution. Look for any consent boxes that mention sharing or selling your personal data to other businesses, and make sure that they are left unticked. This will avoid you unknowingly giving permission for your phone number to be distributed.

How to report Caller ID scams

In most countries plagued by Caller ID or number spoofing, the practice is generally considered to be legal. However, in almost all countries, the problem isn’t number spoofing so much as running scam call operations. If you’ve been the victim of a scam call, or believe that your number is being used to conduct scam calls, there are resources available to help you report the activity.

Australia Caller ID spoofing laws

Caller ID spoofing is completely legal in Australia unless it’s part of a scam. Number spoofing scams fall under laws governing unwanted communications. Scammers caught in the act can be subject to fines and/or criminal prosecution.

To report number spoofing scams in Australia, contact the following resources:

Canada Caller ID spoofing laws

Caller ID spoofing is technically legal in Canada, but there are certain areas where it’s illegal. For example, it is illegal in Canada for telemarketers to use caller ID spoofing. Additionally, caller ID spoofing used for the purposes of defrauding the recipient is illegal in the country. Generally speaking, the country’s Unsolicited Telemarketing Rules impose fines for this activity.

To report number spoofing scams in Canada, contact the following resources:

UK number spoofing laws

Number spoofing is not illegal in the UK. Still, the Office of Communications (Ofcom) and Information Commissioner’s Office (ICO) take a bold stance against this practice. Scammers using spoofed numbers to engage in nuisance calls can be levied hefty fines or even jail time, depending on the extent and severity of the scam activity.

To report number spoofing scams in the UK, contact the following resources:

US Caller ID spoofing laws

In the US, the Truth in Caller ID Act establishes what types of caller ID spoofing are legal and illegal. According to the legislation, which was designed with VoIP-based caller ID spoofing in mind, it is against the law to spoof caller ID if the intention is to “defraud, cause harm, or wrongfully obtain anything of value”.

Considering that, some phone spoofing is legal, but the vast majority of spam calls US mobile phone users receive are in violation of the Truth in Caller ID Act and other state-based laws designed to target caller ID spoofing.

To report number spoofing scams in the US, contact the following resources:

Number spoofing FAQs

Can someone spoof my number?

Yes, they can! Many VoIP services, whether through paid providers or from off-the-shelf open-source tools, allow the call originator to spoof any number. In most cases, there are few restrictions on what number can be spoofed.

How do phone numbers get spoofed?

There are several techniques available to phone scammers and telemarketers, but digitally-altered numbers using voice over internet protocol (VoIP) is the most popular method used to spoof numbers. 

Can I tell if a number is spoofed?

More often than not, you can’t tell for certain that a number calling or texting you is spoofed. That said, the vast majority of phone calls coming to your phone, especially those that share your area code and exchange number, are likely to be spoofed calls. A rule of thumb is to let calls from unknown numbers go to voicemail. 

What does it mean to have your number spoofed?

Having your number spoofed means that someone has illegitimately masked their real number (usually using VoIP services) by replacing it with your number. That way, any call recipients will see your number displayed via Caller ID instead of the call sender’s actual number.

Can you prevent your phone number from being spoofed?

Unfortunately, you cannot. Whether your number can or cannot be spoofed is really dependent upon whether a scammer has your data and has the resources available to spoof your number. There is currently no way to block scammers from spoofing your number.

Can you find out who spoofed you?

Sadly, you will most likely be unable to find out who was spoofing you. Scammers just spoof one number; they spoof hundreds or thousands of numbers using technology that allows them to easily mask their real identity and location. If a scammer gets caught, they will get fined or potentially worse, but you may never know which scammer was spoofing your number.