Caller ID Spoofing

There are many different types of spoofing, from email spoofing to caller spoofing. The purpose behind spoofing is to deceive a system or person by impersonating a trusted source. The goal could be a variety of things, such as, gain unauthorized access, stealing information, bypass security controls, deliver malware, perform fraud and more.

Description:

Caller Identification (ID) spoofing is a tactic where an attacker will disguise their phone number. It is when threat actors use software or VoIP services to falsify the caller ID number being displayed on the recipient’s phone. Caller ID spoofing aims to deceive victims into answering by displaying a number that appears local or familiar, creating a false sense of trust or urgency and making the scammer’s message more convincing.

How it Works:

To understand how caller ID spoofing works, it is important to understand that when a call is made, two pieces of information are transmitted, signaling data (setup and caller ID) and voice/data stream (call content). When you make a call, your phone will send a request to the carrier’s network, which will handle signaling. The signaling phase is when the spoofing will occur. Once the connection is established, the voice is transmitted either over a dedicated circuit (in traditional networks) or as digital packets over IP (in VoIP systems).

Signaling System 7 (SS7)

For mobile technology and traditional landline, there is a switching technology called Common Channel Signaling System 7 (SS7). If the call is made over traditional circuit-switched networks, it is likely SS7 being used. This protocol handles call routing and includes metadata like the Calling Party Number (CPN), which becomes the caller ID. The CPN is a metadata field that is sent in an Initial Address Message (IAM), which will tell the receiving network what number to display on the recipient’s device. This protocol is outdated being implemented in 1970-1980s, it is however still widely used in 2G (GSM), 3G (UMTS) networks, and even in 4G (LTE). This protocol is vulnerable because of its trust-based architecture and lack of authentication.

Threat actors can exploit the SS7 by sending an IAM when placing a call. Instead of inserting their real number, the attacker places a fake or impersonated number into the CPN field. Since SS7 does not validate that the number in the CPN field matches the true source of the call, the receiving network simply accepts it and displays the spoofed number on the victim’s phone.

Diameter

There is a new signaling protocol used in 4G and 5G networks. While this new protocol doesn’t stop caller ID spoofing, it does have subscriber authentication and authorization which has improved security in data sessions.

Voice over Internet Protocol (VoIP)

In VoIP networks, the signaling data is on internet-based networks (Applications, IP Phones, Internet Calling Platform). The Session Initiation Protocol (SIP) is used for VoIP. This system does not rely on circuit-switching like SS7 but instead uses packet-switching, where voice is broken into digital data packets and transmitted over the internet in real time. SIP is responsible for initiating and managing the call and includes metadata fields such as the “From” header, which acts as the caller ID. This protocol is widely used in modern communication platforms, including business phone systems, call centers, and consumer apps like Zoom, WhatsApp, and Skype.

The “From” field in SIP messages tells the receiving network what number to display, like how SS7 uses CPN. SIP does not require authentication of this field by default. This means an attacker using a VoIP system can place a call and manually configure the “From” header to show any number they want.  Since most VoIP carriers and endpoints do not verify the legitimacy of this metadata, the spoofed caller ID is accepted and shown to the recipient.

Mitigations

There is a combination of technologies and practices that can be implemented to help defend against caller ID spoofing. On the network level, STIR/SHAKEN helps authenticate caller ID in SIP-based VoIP environments, reducing impersonation by validating that a call’s number hasn’t been faked. Unfortunately for legacy systems like 2G and 3G, SS7 is still used, and it lacks authentication mechanisms by default, making spoofing easy for threat actors. Carriers and organizations can deploy analytics-based call filtering, AI-powered spam detection, and maintain strict know-your-customer (KYC) enforcement for VoIP service signups. On a personal level, there’s no foolproof way to prevent your number from being spoofed, but you can reduce the chance of it being flagged or abused by registering with services like the FCC’s Do Not Originate list if eligible, limiting where your number is publicly listed, and monitoring for suspicious use.

STIR/SHAKEN Framework

The STIR/SHAKEN Framework was mandated by the FCC in 2019 for U.S. carriers to adopt. This framework includes a caller ID authentication technology that will enable subscribers to trust incoming calls and reduce the effectiveness of spoofed calls. STIR/SHAKEN are acronyms for the Secure Telephone Identity Revisited (STIR) and Signature-based Handling of Asserted Information Using toKENs (SHAKEN) standards. With this standard, caller ID information is authenticated using digital certificates. When a call is made over a SIP-based VoIP network, the originating provider digitally signs the caller ID with a token that asserts whether the caller is authorized to use that number. This token is passed along with the call to the receiving carrier, which verifies it using a public key infrastructure. If the signature is valid, the recipient may see a message like “Caller Verified.” This verification helps prevent bad actors from impersonating numbers they don’t own.

STIR/SHAKEN doesn’t completely stop spoofing. First, it only works on SIP-based VoIP networks, meaning it doesn’t apply to legacy 2G/3G SS7 systems, older landlines, or international networks without STIR/SHAKEN support. Second, it relies on the assumption that the originating carrier is trustworthy. If a malicious or negligent provider signs off on a spoofed number, the framework still considers it valid. Third, many calls still travel through parts of the network that haven’t fully adopted the protocol, so the authentication breaks down along the way. Lastly, even verified calls can be malicious if scammers are using real, registered numbers they own. So, while STIR/SHAKEN helps limit spoofed calls and increases traceability, it doesn’t stop all spoofed calls.

SS7 Firewalls

SS7 firewalls are used in 2G and 3G networks to secure signaling traffic that historically lacked built-in verification. SS7 firewalls are implemented by the telecommunications provider, not the end user.  An SS7 firewall inspects signaling messages, filters or blocks invalid requests, enforces strict routing rules, and applies anomaly detection to flag unusual behaviors. These firewalls help telecommunication operators defend against unauthorized location tracking, call interception, and number spoofing, though their deployment varies greatly by region and operator, especially in countries where older infrastructure is still heavily relied upon.

Notify Your Carrier, FCC, and the FTC

If your number is being spoofed, carriers cannot stop the spoofing outright because caller ID data is set by the originating network, which may be outside their control. However, they can flag patterns, investigate if your number is used in a robocall campaign, and submit traceback requests via industry groups like the Industry Traceback Group (ITG). You can protect yourself by reporting the spoofing to your carrier, the FCC, and FTC. Letting contacts know not to trust calls from your number temporarily can reduce damage. While changing your number isn’t always necessary, enabling call-labeling tools, activating spam protection features from your carrier, and monitoring for misuse can help reduce fallout and ensure your real calls aren’t mistaken as fraudulent.