Caller ID Spoofing: How It Works and Why You Can't Trust Your Screen
You get a call from your own area code. The first six digits even match your neighbour's. You pick up — and it's a robocall about extended car warranties. That's caller ID spoofing, and at this point it's so cheap and so easy that any teenager with a credit card can do it. Here's how the trick actually works, and why a 2019 federal law called STIR/SHAKEN was supposed to fix it but mostly didn't.
What spoofing actually is
When you make a normal phone call, your carrier attaches your number to the call so the recipient's caller ID can display it. That data field — called the "Calling Party Number" — is sent over the network as plain metadata, not as a verified identity. Whoever originates the call gets to write whatever they want in it.
That's it. That's the whole vulnerability. The phone network was designed in the 1970s when only carriers could place calls, so nobody bothered to add authentication. Forty-five years later, anyone with a SIP trunk and a few dollars can place a call from any number they choose.
Where scammers buy this
Cloud-based PBX providers — the same kind of services Zoom Phone or RingCentral run on — sell spoofing as a feature. They call it "Caller ID name and number." Set the field, place the call, the recipient sees whatever you typed. Cost is somewhere between half a cent and three cents per minute depending on volume.
Most legitimate providers require proof you own the number you're spoofing (like a callback verification or DNS record). Plenty of providers don't. The ones that don't are based in jurisdictions where US law can't reach them.
"Neighbour spoofing"
This is the most common pattern in 2026. Scammers buy a list of phone numbers in a target area code, then place spoofed calls from numbers that share the recipient's first six digits. The caller ID shows what looks like a number from your zip code. Your brain assumes it's local, and you're 3x more likely to pick up.
This is so effective that the FCC fined a single Texas-based operation $225 million in 2021 for using it to place 1 billion spoofed health-insurance robocalls in three months.
STIR/SHAKEN: what it does and doesn't do
STIR/SHAKEN is the cryptographic call-authentication framework US carriers have been required to implement since 2021. It works like this:
- When you make a call, your carrier checks whether you actually own the number you're claiming
- If yes, your carrier signs the call with a cryptographic certificate
- The recipient's carrier verifies the signature and shows a "Verified" badge on the call
- Unsigned calls get a "Caller Verification Failed" or similar warning
It does work — for calls originating on carriers that participate. The problem is that international robocalls and calls from non-IP networks (legacy copper lines, some VoIP providers abroad) can't be signed. Scammers route through those gateways on purpose. STIR/SHAKEN has reduced US-originated spoofing meaningfully. International-originated spoofing is largely unchanged.
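What the recipient's carrier looks at is a signed token (a SHAKEN "PASSporT") carried in the call's SIP Identity header. The sketch below is an added example, not code from the article or from any carrier: it decodes such a token and checks the claims the signature binds together. The sample token, phone numbers, certificate URL and 60-second freshness window are constructed for illustration, and verifying the ES256 signature against the carrier's certificate is left out.

```python
import base64
import json

MAX_AGE = 60  # seconds; freshness window assumed for this example

def b64url_decode(seg):
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def b64url_encode(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def check_passport(identity, from_tn, to_tn, now):
    """Claim checks only (no signature check). Returns (verdict, attest)."""
    parts = identity.split(";", 1)[0].strip().split(".")
    if len(parts) != 3:
        return ("malformed", None)
    try:
        header = json.loads(b64url_decode(parts[0]))
        claims = json.loads(b64url_decode(parts[1]))
        alg, ppt = header["alg"], header["ppt"]
        orig_tn = claims["orig"]["tn"]
        dest_tns = list(claims["dest"]["tn"])
        attest, iat = claims["attest"], int(claims["iat"])
    except (ValueError, KeyError, TypeError):
        return ("malformed", None)
    if alg != "ES256" or ppt != "shaken":
        return ("unsupported", None)
    if attest not in ("A", "B", "C"):  # full, partial, gateway attestation
        return ("malformed", None)
    if abs(now - iat) > MAX_AGE:       # old token: possible replay
        return ("stale", attest)
    # The signed numbers must match the numbers the call actually presents.
    if orig_tn != from_tn or to_tn not in dest_tns:
        return ("number-mismatch", attest)
    return ("claims-ok", attest)

# Constructed sample: numbers, URL, origid and signature are placeholders.
CERT_URL = "https://cert.example.org/sp.pem"
HEADER = {"alg": "ES256", "ppt": "shaken", "typ": "passport", "x5u": CERT_URL}
CLAIMS = {"attest": "A", "dest": {"tn": ["12025550142"]}, "iat": 1700000000,
          "orig": {"tn": "12025550101"},
          "origid": "00000000-0000-4000-8000-000000000000"}
IDENTITY = (b64url_encode(HEADER) + "." + b64url_encode(CLAIMS) + ".c2lnbmF0dXJl"
            + ";info=<" + CERT_URL + ">;alg=ES256;ppt=shaken")

if __name__ == "__main__":
    print(check_passport(IDENTITY, "12025550101", "12025550142", 1700000005))
    print(check_passport(IDENTITY, "12025550199", "12025550142", 1700000005))
    print(check_passport(IDENTITY, "12025550101", "12025550142", 1700000600))
```

A token copied from one call and attached to another fails the number or freshness check, which is why the signature covers the calling number, the called number and the timestamp together.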
How to tell if a call is spoofed
- You call the number back and it's disconnected, rings forever, or belongs to someone who never called you
- The "Verified" badge is missing in your call log (assuming your carrier displays it)
- The number's area code matches yours exactly, but no message was left
- The number shows as toll-free but the caller claims to be local
- Carrier ID lookups show the number as belonging to a real person who hasn't called you
What to actually do about it
You can't stop spoofing at your end — it happens upstream. But you can:
- Turn on your carrier's spam filter (it's free and most people forget to enable it)
- Use Silence Unknown Callers on iOS or Call Screen on Pixel — they don't care what the caller ID says
- Report spoofed calls to the FTC's reportfraud.ftc.gov — useful aggregate data even if it doesn't catch any one scammer
- Don't call back unknown numbers. If it was real, they'll leave a voicemail