Getting spammed with phone calls from numbers sharing your area code? You’re not alone. Millions of people in the US, UK, Canada, and elsewhere are now plagued with phone-based scams that use a technique called caller ID spoofing. Also known as number spoofing, scammers have easy access to the tools needed to create fake numbers and launch phone scam campaigns. Spoofed numbers have proven effective at getting more of us to pick up the phone, leading to a higher occurrence of number spoofing scams.
Number spoofing doesn’t appear to be going away any time soon, but you can at least take some action against it. Learn more about number spoofing scams, how they work, and how to stop phone spam that uses spoofed numbers.
What is number spoofing?
When you get a call to your mobile phone, the caller may be masking the original number. If so, the caller could be located just about anywhere in the world and you would never know it. Most of the spam calls you receive are likely using spoofed numbers to operate scams.
Who among us hasn’t received a phone scam call or text message (or hundreds)? I sure have. According to YouMail, Americans received over 45 billion robocalls in 2020. That equates to nearly 140 robocalls per person in the US, or nearly 220 per US adult aged 18 and up.
How does Caller ID spoofing work?
There are several methods scammers can use to create fake numbers. By far, the most common and most popular technique scammers use is to fake numbers with voice over internet protocol (VoIP). Scammers can either use freely available open-source VoIP tools or create an account with a VoIP provider that allows them to substitute their original number with any number they want.
Once they’ve configured their VoIP software to display the numbers they want, scam artists can then create and execute largescale scam call campaigns almost without limitation. Practically any number can be spoofed, meaning scammers can target any phone number they have in their database.
Many scammers don’t stop at just spoofing caller ID numbers. Some will use digital tech tools to change the display name on the caller ID, as well. Scammers do this so they can use almost anyone’s phone number and name without the threat of call-backs. Unfortunately, this has led some innocent people whose names and numbers are used as part of a scam campaign to get angry calls and texts instead.
VoIP providers that allow this type of activity through their service effectively relay both spoofed numbers and fake caller ID names to the recipients’ phone services. The receiving phone services typically take this information at face value and display both spoofed or faked information.
How did number spoofing scammers get my number?
Massive robocall and phone scam operations don’t work if the criminal organizations behind them don’t have anyone to call. Unfortunately, getting numbers is relatively simple. Phone number and name combinations are not typically private information, so scammers can usually scrape this data from public archives.
Even the US government provides a list of archives where this information can be easily acquired through websites such as:
- Whitepages.com
- AnyWho.com
- National Cellular Directory
- MobilePhoneNumber.com
- 411.com
An important limitation on scammers trying to use these sites is that they require web scraping (typically using Python scripts). Even then, these sites require a name to find find a matching number (or vice versa), so it’s a less-than-ideal process for getting numbers wholesale, though it can help scammers match names and numbers.
An easier route that many phone scammers take is to instead purchase stolen data from data breaches, or steal phone numbers and other data from poorly-secured databases.
Stolen data is exceptionally cheap to purchase on dark web marketplaces. For example, scammers can quickly locate and buy 2 million+ stolen records from Walmart customers on dark web marketplaces for as little as $5 USD. With the average reported financial loss for phone scams in the US exceeding $500, scammers have no problem recouping their costs.
Scammers don’t need to pay for this data, though. They can also scan the web for poorly-secured databases that contain thousands or millions of users’ data. This is a major area of concern and one that Comparitech regularly researches and writes about.
Regardless of where they got the numbers, scammers still need a way to call without being traced. This is where number spoofing comes in, and why VoIP companies with lax policies share a lot of the blame for the number spoofing epidemic. The US government is now warning, suing, and fining VoIP providers that allow their customers to operate illegal phone scam operations.
How to prevent and block Caller ID spoofing
Although service providers and governments are working on solutions, it’s up to all of us to do our own due diligence in stopping number spoofing scams. Here are some simple steps you can take to combat number spoofing:
1. Don’t pick up calls from unknown numbers
Caller ID spoofing and scams don’t work if potential victims don’t answer the phone or respond to text messages you don’t pick up you can’t fall victim to a scammer using a spoofed number.
Most number spoofing scammers now focus on spoofing local numbers, a tactic known as neighbor spoofing. This involves spoofing a phone number that matches your area code and sometimes, even your exchange number. Neighbor spoofing is exceedingly popular among scammers now because it works so well. Victims are more likely to pick up a call, even from an unknown number, if it could be from someone local such as a friend, family member, doctor, or the auto repair shop.
Even if you see a number with a local area code, don’t pick up if it’s not in your address book. Save the numbers of people you know and businesses you patronize to your device’s address book. Let unknown numbers go to voicemail. Scam callers sometimes leave a voicemail, but often do not bother or have not invested in automated voicemail messages.
2. Install a spam blocking app
Mobile devices are now the most common phone service consumers use as landlines have fallen out of favor. Phone scammers have picked up on this. Similar to malware writers when it comes to Windows vs macOS, they focus their number spoofing scams where most users are located (in this case, mobile phones).
Spam blocking apps are now a must for consumers. There are dozens of spam blocking apps on the market that use different techniques to block spam calls. That said, here are some of the most respected and top-rated spam blocking apps:
- Robo Shield: Our preferred option that combines multiple security tools into one; Android and iOS apps available
- Truecaller: Excellent free spam blocker with premium tools; Android and iOS apps available
- RoboKiller: Answers and hangs up calls for you in the background; Android and iOS apps available
- Nomorobo: An FTC Robocall Challenge winner that also works for landlines; Android and iOS apps available
- YouMail: Blocks spam calls using out “Out of Service” message to help discourage further calls; Android and iOS apps available
For more, check out our post on the best spam call blockers for iOS and iPhone. (Most of the iOS spam blocking apps also work on Android devices.)
3. Put your number on a “do not call” registry
Many countries now have national “do not call” registries that prohibit telemarketers from calling any number registered to the list. Note that adding your number to your country’s “do not call” registry will have only a marginal impact if any. Most number spoofing callers are based outside of the US and are not concerned or care about these registries.
The following registries are available:
- Australia: Do Not Call Register
- Canada: National Do Not Call List
- UK: Telephone Preference Service
- US: National Do Not Call Registry
Telecom companies are now working on measures that block suspected phone scams that use spoofed numbers. In both the US and Canada, phone carriers must now implement the new STIR/SHAKEN Caller ID authentication framework. The framework is designed to combat number spoofing by using a multi-step approach and certificates to verify the authenticity of the caller’s number. If the caller cannot be properly identified, the call can be blocked by an automatic filter or by the called party’s service provider.
4. Change phone numbers (especially if your number is getting spoofed)
Getting a new phone number can be a hassle, but it may be necessary to reduce the number of incoming spam calls and texts coming to your phone. Even more importantly, though, if it’s your number that is getting spoofed, you should consider getting a new number as soon as possible.
Getting a new phone number is fairly simple. In most cases, you can contact your mobile telecom provider and request a new number without having to purchase a new device.
We also recommend requesting an unused number. Telecoms typically recycle numbers. If you’re using a recycled number, you could be stuck with the same problem you had. The longer a number has been used, the more likely it is that that number has been shared widely across the web and stolen in data breaches.
Here are some quick links to provider-specific information for changing phone numbers:
Top US mobile carriers:
*Most US carriers will not charge for changing your mobile number, but some will. Check with customer support first.
Top Canada mobile carriers:
*Most mobile carriers in Canada will charge a fee for changing your mobile number. Check with customer support for the cost.
Top UK mobile carriers:
- EE
- Vodafone
- O2
- GiffGaff
- Three (Does not provide number change details; contact customer service)
- Sky
- Tesco (Does not provide number change details; contact customer service)
- BT (Does not provide number change details; contact customer service)
- Virgin Mobile (Does not provide number change details; contact customer service)
- Talkmobile (Does not provide number change details; contact customer service)
*Some UK carriers will charge an administration fee for changing your number. Check with customer support for the cost.
Top Australia mobile carriers:
*Some mobile carriers will charge a fee for certain types of number change requests. Check with customer service for costs.
5. Switch to a new mobile carrier
Similar to changing your number, you may want to change to a different mobile carrier. There are a few reasons why this option might be better than just changing your number with your existing carrier:
- Your existing carrier may not allow number changes
- A different carrier may be cheaper and offer better service in your area
- Some carriers now employ number spoofing and spam blockers across their networks
Focusing on that third point, many large, first-party mobile carriers have started to deploy spam blocking technologies at the network level. As calls come into the network, they’re scrutinized and filtered. So instead of having to wait for calls to hit your phone before being blocked, many get blocked before you know it.
This is particularly true in the US, where network-level spam blocking is now a marketing tool to draw in customers. All major US mobile carriers (Verizon, T-Mobile, AT&T) now offer free spam blocking to customers. Notably, they tend not to offer these services to MNVOs that ride on their networks, and most MVNOs do not offer free spam blocking.
6. Protect your personal data
One of the most effective ways to avoid caller ID scams is to ensure that third parties don’t get access to your phone number in the first place. This means not entering your phone number into competitions or any unnecessary online forms.
If you can’t avoid providing your phone number, e.g making a new account with an online service, you can still take precaution. Look for any consent boxes that mention sharing or selling your personal data to other businesses, and make sure that they are left unticked. This will avoid you unknowingly giving permission for your phone number to be distributed.
How to report Caller ID scams
In most countries plagued by Caller ID or number spoofing, the practice is generally considered to be legal. However, in almost all countries, the problem isn’t number spoofing so much as running scam call operations. If you’ve been the victim of a scam call, or believe that your number is being used to conduct scam calls, there are resources available to help you report the activity.
Australia Caller ID spoofing laws
Caller ID spoofing is completely legal in Australia unless it’s part of a scam. Number spoofing scams fall under laws governing unwanted communications. Scammers caught in the act can be subject to fines and/or criminal prosecution.
To report number spoofing scams in Australia, contact the following resources:
- Scamwatch
- ReportCyber
- If your number is being spoofed, contact your telephone company
Canada Caller ID spoofing laws
Caller ID spoofing is technically legal in Canada, but there are certain areas where it’s illegal. For example, it is illegal in Canada for telemarketers to use caller ID spoofing. Additionally, caller ID spoofing used for the purposes of defrauding the recipient is illegal in the country. Generally speaking, the country’s Unsolicited Telemarketing Rules impose fines for this activity.
To report number spoofing scams in Canada, contact the following resources:
- File a complaint with the government
- Use the RCMP’s Fraud Reporting System
- If you believe your number is being spoofed, contact your phone service provider
UK number spoofing laws
Number spoofing is not illegal in the UK. Still, the Office of Communications (Ofcom) and Information Commissioner’s Office (ICO) take a bold stance against this practice. Scammers using spoofed numbers to engage in nuisance calls can be levied hefty fines or even jail time, depending on the extent and severity of the scam activity.
To report number spoofing scams in the UK, contact the following resources:
- File a report with the ICO
- Call Action Fraud on 0300 123 2040
- Use the Action Fraud online reporting system
US Caller ID spoofing laws
In the US, the Truth in Caller ID Act establishes what types of caller ID spoofing are legal and illegal. According to the legislation, which was designed with VoIP-based caller ID spoofing in mind, it is against the law to spoof caller ID if the intention is to “defraud, cause harm, or wrongfully obtain anything of value”.
Considering that, some phone spoofing is legal, but the vast majority of spam calls US mobile phone users receive are in violation of the Truth in Caller ID Act and other state-based laws designed to target caller ID spoofing.
To report number spoofing scams in the US, contact the following resources:
- File a report with the FCC
- File a report with the FTC
- Contact your local police
- Contact your state’s fraud reporting system
- If you believe your number is being spoofed, contact your mobile service provider
Number spoofing FAQs
Can someone spoof my number?
Yes, they can! Many VoIP services, whether through paid providers or from off-the-shelf open-source tools, allow the call originator to spoof any number. In most cases, there are few restrictions on what number can be spoofed.
How do phone numbers get spoofed?
There are several techniques available to phone scammers and telemarketers, but digitally-altered numbers using voice over internet protocol (VoIP) is the most popular method used to spoof numbers.
Can I tell if a number is spoofed?
More often than not, you can’t tell for certain that a number calling or texting you is spoofed. That said, the vast majority of phone calls coming to your phone, especially those that share your area code and exchange number, are likely to be spoofed calls. A rule of thumb is to let calls from unknown numbers go to voicemail.
What does it mean to have your number spoofed?
Having your number spoofed means that someone has illegitimately masked their real number (usually using VoIP services) by replacing it with your number. That way, any call recipients will see your number displayed via Caller ID instead of the call sender’s actual number.
Can you prevent your phone number from being spoofed?
Unfortunately, you cannot. Whether your number can or cannot be spoofed is really dependent upon whether a scammer has your data and has the resources available to spoof your number. There is currently no way to block scammers from spoofing your number.
Can you find out who spoofed you?
Sadly, you will most likely be unable to find out who was spoofing you. Scammers just spoof one number; they spoof hundreds or thousands of numbers using technology that allows them to easily mask their real identity and location. If a scammer gets caught, they will get fined or potentially worse, but you may never know which scammer was spoofing your number.
Our business line is being spoofed. Someone keeps calling us says we called him. After reviewing our records from our phone service carrier logs, we have never made any calls to the number that is calling us. So far he has called us twice and once told us to stop calling him. Our provider says there is nothing we can do. After owning our number for over 45 years, we aren’t going to change it now. At this point we can only tell the person to block our number if they call again. We have his number and name but do NOT intend to call him ever. How can this spoofing be stopped?
I guess blocking these numbers is futile. They just keep making or taking on new ones. To use someone else’s phone number or create a phone number with a familiar area code should be illegal. Really!
The biggest problem with these spoofed numbers comes when the recipient MUST be able to receive calls from people outside their contacts. I work as a handyman, and 100% of new customers come from referrals. I do not advertise my service since I get more than enough work without doing so. That means I MUST answer calls from people who are not in my contacts, or eventually I will not have enough work to sustain the business. Every single time I get a call, I get anxiety about the possibility that the caller will just hang up, which means a scammer just verified that my line is active, and will sell that information to a gazillion other scammers. I will then receive an even greater volume of fraudulent calls. Currently, 95% of ALL calls I receive are scammers and robots. Its fricking insane, and ITS GOT TO STOP!
To add to the BS, these scammers have recently started spoofing the numbers of official city departments such as law enforcement and such. How is anybody ever supposed to have any confidence in anything they do over the phone these days!?
I will NEVER answer the phone unless I recognize the full number. Every caller gets a voicemail message saying “Sorry, but I never answer calls because of scammers. Leave a message and number and I’ll get right back to you if you’re legit.” Scamming won’t stop – we just have to deal with it and not get mad. Life’s too short!
Dustin, my comment is not published yet, but I also need to receive calls at times from people I don’t know. I’ve set my phone to go to voicemail for unknowns and legitimate callers will leave a message. My message says, “this phone is silenced for unknown callers and on the do not call list, so if you’re a telemarketer or scammer, take it off your list. If you are calling for (name) or to inquire about (business) please leave your name & number and I’ll return your call asap.” You could reword to suit & still protect your business. It’s worked for me. The fakes never leave a message, but real people do.
I truly do not understand why scammers can have the ability to mask their true phone number!
It should be illegal to mask/spoof anyone’s true caller ID. Why does the software/app even exist?
I can’t think of ANY acceptable reason why anyone can have this ability to claim/pretend to be someone else – isn’t it illegal to impersonate another person?
I could not agree more. But most of the TCP/IP standards were written back when there was a trusted network in place and no reason to fake data because there was no way to monetize it. Security with TCP/IP and VOIP etc, were largely band-aids on these standards as it became problematic. This was a BIG mistake. Once standards are broken or abused, they are very hard to fix, because they are in such common use. Requiring caller verification right now would simply mean most valid calls would be rejected. Finally, caller validation means associating a person or legal entity with a device, a device with a sim, and a sim with a number. Go figure, most people who hate spam calls also hate government knowing who you are and where you are in terms of unique validated documents. Not much point knowing which company spammed you if it just leads to a dead drop post box and not a real person subjectable to a court of law. And all this has to be agreed internationally? A’int gonna happen, which is a shameful truth.