Caller ID Spoofing Explained: Why the Number Can Lie

Caller ID was never designed as a security feature. It's a display convenience built on signaling data that, for most of its history, any telephony provider could set to whatever it wanted — which is exactly why spoofing became the backbone of modern phone scams.

How spoofing actually works

[Figure: How caller ID spoofing swaps a real phone number for a faked one on the receiving screen]

Traditional phone signaling (SS7, and its VoIP-era descendant SIP) carries a caller-ID field that the originating provider populates — historically with minimal verification that the number belongs to whoever is dialing. VoIP trunking made this trivial to abuse: cheap, programmatic access to bulk calling combined with a caller-ID field you can set to any string means an auto-dialer can display literally any number it wants, including a number it doesn't own, a number that belongs to a real business, or a number in your own area code and prefix.

Neighbor spoofing — matching the displayed number's area code and first three digits (the prefix) to the recipient's own number — exploits a well-documented behavioral pattern: people answer calls that look local at a significantly higher rate than calls from unfamiliar area codes or "unknown caller." The tactic costs the caller nothing extra and measurably increases pickup rates, which is why it became close to universal in high-volume robocall operations.

What STIR/SHAKEN actually fixes

STIR/SHAKEN (Secure Telephone Identity Revisited / Signature-based Handling of Asserted information using toKENs) is a framework that the FCC mandated major US carriers implement. It requires the originating carrier to cryptographically sign each call with an attestation level describing how confident it is that the caller ID is accurate:

| Attestation | Meaning | What it signals |
| --- | --- | --- |
| A — Full | The carrier verified the caller is authorized to use that exact number. | Highest confidence the caller ID is genuine. |
| B — Partial | The carrier verified the customer but not that they own this specific number. | Common for legitimate call centers and PBX systems — not inherently suspicious. |
| C — Gateway | The call entered the carrier's network from an untrusted source (often international) with no verification possible. | Lowest confidence — the number could be anything. |

Attestation is signaling infrastructure for carriers' own spam filters and analytics systems — it isn't something most phones display directly to a consumer. The practical effect is indirect: your carrier's spam-labeling and call-blocking features got substantially better at flagging low-attestation calls once STIR/SHAKEN rolled out, which is part of why carrier-level filtering (covered in our robocall guide) now catches more than it used to. What it does not do is stop a bad actor from placing the call in the first place — it only makes the deception easier for the network to detect after the fact.
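
As an added illustration (not code from this guide or from any carrier), the sketch below shows how a filter might read the attestation described above, together with the neighbor-spoofing pattern from the earlier section. In SIP the signed token (a PASSporT, per RFC 8224, RFC 8225 and RFC 8588) travels in the Identity header; the sample header, certificate URL, phone numbers, verdict labels and the 60-second freshness window are constructed for this example, and signature verification is left out.

```python
import base64
import json
import re

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(seg: str) -> bytes:
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def digits(number: str) -> str:
    """Reduce a displayed number to bare digits, the form PASSporT 'tn' uses."""
    return re.sub(r"\D", "", number)

def triage(displayed_from, identity_value, now, max_age=60):
    """Classify a call from its displayed number and Identity header value.
    Signature and certificate checks are NOT done here; a real verifier
    must pass both before believing any claim read below."""
    if not identity_value:
        return "unsigned"
    token = identity_value.split(";", 1)[0].strip()
    try:
        head_seg, claims_seg, _sig = token.split(".")
        ppt = json.loads(_unb64url(head_seg))["ppt"]
        claims = json.loads(_unb64url(claims_seg))
        orig_tn, dest_tns = claims["orig"]["tn"], claims["dest"]["tn"]
        attest, iat = claims["attest"], claims["iat"]
    except (ValueError, KeyError, TypeError):
        return "malformed"
    if ppt != "shaken" or attest not in ("A", "B", "C"):
        return "malformed"
    if not isinstance(iat, int) or abs(now - iat) > max_age:
        return "stale"  # old or non-numeric timestamp: possible replayed token
    if digits(displayed_from) != orig_tn:
        return "number-mismatch"  # screen shows a number the carrier did not sign
    # Assumes 11-digit NANP numbers: "1" + area code + prefix = first 7 digits.
    neighbor = any(orig_tn[:7] == d[:7] and orig_tn != d for d in dest_tns)
    return f"attest-{attest}" + ("+neighbor" if neighbor else "")

def make_identity(orig, dest, attest, iat):
    """Build a CONSTRUCTED sample header value (placeholder signature and URL)."""
    head = {"alg": "ES256", "ppt": "shaken", "typ": "passport",
            "x5u": "https://cert.example.invalid/sample.pem"}
    claims = {"attest": attest, "dest": {"tn": [dest]}, "iat": iat,
              "orig": {"tn": orig}, "origid": "00000000-0000-4000-8000-000000000000"}
    token = ".".join(_b64url(json.dumps(p).encode()) for p in (head, claims))
    return f"{token}.c2FtcGxl;info=<{head['x5u']}>;alg=ES256;ppt=shaken"
```

A gateway-attested call whose signed number shares the callee's area code and prefix comes back as "attest-C+neighbor", the combination a spam filter would weight most heavily.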

Why the fix is incomplete

[Figure: STIR/SHAKEN call attestation and the coverage gaps that leave spoofing incomplete]

Reading a suspicious call without trusting the number

Since the displayed identity can't be trusted on its own, treat it as one input among several rather than the verdict. Run the actual number through the reverse phone lookup for its registered carrier and line type — a VoIP wholesale carrier paired with a claim to be a well-known bank or agency is a strong mismatch signal, since real institutions overwhelmingly call from their own enterprise lines. Check the carrier lookup independently if you want that detail without running a full lookup, and cross-reference the spam gauge for existing reports. None of these prove fraud individually, but a VoIP carrier, an implausible location, and existing complaint reports stacking together is a very different picture than a clean household-name mobile carrier with no history.

The one method that reliably defeats spoofing entirely: never call back or verify through any number or link the caller themselves provides. Find the organization's number independently — a bill, the back of your card, the official site you type in yourself — and call that instead. Spoofing can fake what appears on your screen; it cannot fake a number you looked up on your own.

Frequently asked questions

Is caller ID spoofing illegal?

Spoofing itself isn't automatically illegal in the US — the Truth in Caller ID Act of 2009 only bans spoofing done "with intent to defraud, cause harm, or wrongfully obtain anything of value." Legitimate uses exist: a business displaying its main support line instead of an individual agent's extension is technically spoofing but entirely legal. The law targets the intent, not the technique.

Does STIR/SHAKEN stop spoofed calls from reaching me?

No — it labels them, it doesn't block them. STIR/SHAKEN lets carriers cryptographically attest to how confident they are that a call's caller ID is genuine (A/B/C attestation), which lets your carrier's spam filter make a much better blocking decision than it could from raw caller ID alone. The call can still arrive; what changed is the network now has good evidence to flag or drop it before your phone rings.

Why does a scam call show my own area code and prefix?

This is neighbor spoofing. It relies on a well-known effect: people answer calls from numbers that look local at a much higher rate than obviously distant or blocked numbers. Auto-dialing software exploits this by matching the displayed number's area code and first three digits to your own, regardless of where the call actually originates.

Can I spoof caller ID myself for a legitimate reason?

Doctors' offices, businesses with multiple extensions, and call centers legitimately display a single main number rather than the exact originating line — this is standard, legal use. Consumer-facing "spoofing apps" marketed for pranks or privacy exist but sit in a legal gray zone the moment the displayed identity is used to deceive or extract something of value, which is exactly the line the Truth in Caller ID Act draws.

How do I check the real identity behind a suspicious call?

You generally can't determine it from caller ID alone, since that's exactly what spoofing defeats. The reliable method is independent verification: hang up, find the organization's number yourself (official website, back of your card, a bill you already have), and call that instead. A reverse phone lookup on the number that called you can still add context — carrier, line type, and existing spam reports — even when the displayed identity itself can't be trusted.