Have you ever received unwanted calls from auto-dialers and telemarketers at a time when you did not want to be called? Has an auto-dialer or telemarketer ever tried to scam you? Have you noticed that the numbers of certain incoming calls don’t seem accurate? If you have answered yes to any of these questions, you might have seen a spoofed caller ID. Anyone can spoof a phone number and make it seem like another person is calling. In the past, caller ID spoofing has been used to break authentication on voicemail. However, there are a number of ways to protect yourself when you think the caller ID has been spoofed.
What Is Caller ID Spoofing?
Caller ID spoofing is the process of changing the caller ID to any number other than the calling number. When a phone receives a call, the caller ID is transmitted between the first and second ring of the phone. To transmit the caller ID, we use a technique called Frequency Shift Keying, which transmits the caller ID in a binary format. It is possible, during this part of the call, to transmit the caller ID we want instead of the true number.
How to Spoof?
There are multiple online services that offer caller ID spoofing for a price; some even offer a 30-second free trial, so you can try out the service. To make the service work, all you have to do is provide three pieces of information: the phone number you want to call from, the phone number you are calling, and the number you wish to show up in the caller ID. Once all the information is provided the service will create a conference type phone call and connect you to the number you have specified. If you wanted to, you could potentially set up something to spoof caller ID yourself. All that you need to do is set up a host with Asterisk and then have a SIP trunk line. Some service providers have been known to allow any number in the caller ID sequence sent out on Primary Rate Interfaces. This allows any company having a legitimate purpose change the caller ID to a number they specify. Unfortunately, it also allows anyone who owns a Primary Rate Interface to specify a number for malicious purposes.
Can you bypass authentication?
Voicemail used to use caller ID as the only form of authentication, allowing anyone to spoof the phone number and listen to the messages. This was a very insecure policy and most voicemail services have been updated to protect against this attack.
Are there ways around caller id spoofing?
The call-back method allows for some security when you think caller ID spoofing is being used. You could put the caller on hold, and then call the displayed number. If the number is busy or you reached the company they said they are calling from then they are potentially telling the truth. However, they could be forwarding you to the company. At that point, when you are on phone with the company in question, you could ask whether or not the person is calling on behalf of the company. The final check you could make is to enter the number in question in a search engine. This allows you to see if the company has the number on their website or if the company has mention of a scam that is going on. It also allows you to figure out what other people are saying about number.
Real World Spoofing Example
Earlier this year, a tax scam in Pottsville, PA, claimed to arrest victims if they didn’t pay outstanding tax debts. The caller ID that was spoofed showed that the originating call was from a Pennsylvania phone number: 570-622-1234. This number belonged to Pottsville City Hall, giving a false sense of security to anyone who received the call. The police warned of the scam and reminded Pottsville citizens to never give out any personal information over the telephone.
What you should know Legally
It should be noted that spoofing a phone number with malicious intent is against the law. In Canada, the CRTC suggests suspected victims file a complaint if they believe the caller ID has been spoofed by a telemarketer. The FCC also prohibits the use of using caller ID spoofing with intent to defraud, cause harm and wrongfully obtain anything of value. If you ever question the number that you see on you caller ID, remember to be cautious. When anyone has the ability to call you as another person or company, it’s impossible to know his or her intentions. Make sure to take the time to verify the person on the other end of the phone.
Zero Trust and the Seven Tenets
Understand the principles of Zero Trust in cybersecurity with Tripwire's detailed guide. Ideal for both newcomers and seasoned professionals, this resource provides a practical pathway to implementing Zero Trust, enhancing your organization's security posture in the ever-evolving digital landscape.
