A deep dive into caller ID spoofing technology — how scammers change what appears on your phone and why it's hard to stop.
Caller ID spoofing works by manipulating the signaling information that travels alongside a phone call in the telephone network. When you place a call, your phone sends not just the audio but also metadata — including the calling party number (CPN) and calling party name (CPNAME) — through the signaling layer of the telephone network. For traditional landline calls, this signaling travels through SS7 (Signaling System 7), the protocol suite developed in 1975 that underpins most of the world's telephone networks. SS7 was designed in an era when only regulated telephone companies could access the network, so it has virtually no authentication mechanisms — it trusts the signaling data it receives.
VoIP (Voice over Internet Protocol) systems generate calls using the SIP (Session Initiation Protocol), which also includes a "From" field that specifies the calling number. SIP's From field can be set to any number the caller specifies — there is no mechanism in basic SIP that verifies the From field contains a number the caller is actually authorized to use. A VoIP operator sending a call can write "202-456-1414" (the White House switchboard) in the SIP From field, and the receiving carrier's system will display that number as the caller ID unless it has authentication mechanisms to check whether the call is actually authorized to use that number. The ease of SIP From field manipulation is why VoIP made spoofing trivially accessible — anyone with a VoIP account and basic technical knowledge can set an arbitrary caller ID.
For non-technical users, the practical implication is simple: caller ID is not reliable identification. It's closer to an email "From" field — it shows whatever the sender chose to enter, which may have no relationship to the actual sender. Just as you would not trust an email claiming to be from your bank based solely on what the From field says, you should not trust a phone call based solely on what the caller ID says. The caller ID may be accurate (most calls are not spoofed), but when the stakes are high — someone claiming to be from your bank, the IRS, or a government agency — the caller ID provides no verification of legitimacy.
Not all caller ID modification is illegal. The Truth in Caller ID Act, enacted by Congress in 2009 and signed into law as part of the FCC's authority under the Communications Act (47 U.S.C. §227(e)), specifically prohibits causing caller ID service to transmit misleading or inaccurate caller ID information "with the intent to defraud, cause harm, or wrongfully obtain anything of value." The intent standard is critical — many legitimate uses of caller ID modification don't involve deceptive intent and are therefore legal.
Legal spoofing examples: a business displaying its main customer service number rather than the extension of the specific employee making the call (so customers can call back using a known number). A doctor's office displaying the practice's main number rather than an individual physician's direct line. A shelter or domestic violence organization displaying a generic number to protect the location and identity of staff who call clients. Political campaigns displaying their main campaign number rather than individual staffer extensions. Call centers where agents call from a shared number pool rather than individual lines. In all these cases, the displayed number is a number the organization actually owns and is authorized to use, and no deception is intended — the displayed number is just a different number within the same organization.
Illegal spoofing is the modification of caller ID with deceptive intent — displaying a government agency number to make victims believe they're talking to the IRS, or displaying a victim's neighbor's number to make the call appear local and trustworthy (neighbor spoofing), or displaying a number known to be trusted (like a person's own bank) to lower their guard. The FCC enforces the Truth in Caller ID Act with civil penalties up to $10,000 per violation and criminal referrals for the most egregious cases. However, enforcement is challenging when the spoofing originates overseas, where FCC jurisdiction doesn't reach directly — the FCC's enforcement actions are primarily effective against domestic violators.
Before VoIP became widespread in the mid-2000s, placing a call required access to the traditional telephone network — either through a regulated carrier or through physical access to telephone infrastructure. Spoofing a caller ID in the traditional telephone network required either compromising the signaling system (which required carrier-level access) or paying for specialized services from carriers that offered caller ID customization. This created significant barriers: only sophisticated actors with network access could spoof caller IDs at scale. The cost and technical complexity kept spoofing rare.
VoIP changed the economics completely. VoIP calls are essentially internet packets — audio encoded and transmitted over IP networks, with SIP headers specifying the calling and called party numbers. The SIP infrastructure is operated by hundreds of VoIP providers worldwide, ranging from large regulated companies to tiny overseas operations with minimal oversight. A person or organization wanting to place spoofed calls needs only an account with a VoIP provider that doesn't strictly validate caller ID — many providers allow customers to specify any caller ID they want, asking for verification (or not asking at all) as a matter of policy rather than technical necessity. The cost per call is fractions of a cent. An operation wanting to place 100 million calls with spoofed caller IDs can do so for a few thousand dollars in VoIP costs.
The STIR/SHAKEN framework (described in the next section) was developed specifically to address this VoIP-enabled spoofing problem. But the solution has limits: it works for calls between carriers that have implemented the standard, and it doesn't prevent spoofing by providers that choose not to implement or comply. The FCC's parallel approach — holding "gateway providers" (wholesale VoIP carriers that pass traffic from overseas) accountable for the call quality of traffic they pass — addresses the compliance gap by making the US network entry points responsible for filtering out unattested traffic rather than requiring every overseas VoIP provider to implement STIR/SHAKEN.
Neighbor spoofing is a specific caller ID spoofing technique where the displayed number is chosen to match the recipient's local area code and telephone prefix (the first three digits after the area code). If your phone number is 512-438-7291, a neighbor-spoofed call might display as 512-438-XXXX — a number in the same exchange as yours, which looks like it might be a neighbor, local business, or previously encountered number. The technique exploits the human tendency to answer calls that appear to come from familiar geographic areas — answer rates for local-appearing numbers are substantially higher than for unknown area codes or toll-free numbers.
YouMail data shows that neighbor spoofing peaked in 2018-2019 and has declined significantly since STIR/SHAKEN implementation began in 2021. STIR/SHAKEN specifically makes neighbor spoofing harder because the attestation system verifies whether the calling carrier has actually authorized the calling party to use the specific number displayed — a VoIP operator using a number pool in the 512-438 prefix range for neighbor spoofing will have that number range identified as a pool it doesn't legitimately own, resulting in downgraded attestation. The decline in neighbor spoofing has been partially offset by scammers moving to other techniques: using legitimate-appearing numbers they've actually registered, using numbers in less-monitored ranges, and using robocalls from multiple rapidly-rotated numbers to defeat blocking.
Consumers can protect against neighbor spoofing by treating local-appearing calls from unknown numbers with the same skepticism as calls from unknown area codes. If you receive a call from a number that appears local but that isn't in your contacts, let it go to voicemail — a legitimate local caller (a neighbor, a local business you've patronized) will leave a voicemail identifying themselves. If the voicemail is generic ("this is an important message regarding...") or doesn't identify the caller specifically, it's a scam. The local appearance of the number is a manipulation designed to increase your answer rate, not an indicator of legitimacy.
STIR/SHAKEN (Secure Telephone Identity Revisited / Signature-based Handling of Asserted information using toKENs) is the US call authentication framework mandated by the FCC for US carriers. It works analogously to the SSL/TLS certificates that authenticate websites: when you visit a website with "https://", your browser checks a digital certificate that verifies the site is who it claims to be. STIR/SHAKEN provides a digital signature for phone calls that verifies the originating carrier has authenticated the calling party's right to use the displayed number.
When a carrier places a call using STIR/SHAKEN, it cryptographically signs the call with its private key and includes an attestation level: A (full attestation — the carrier has verified the caller is authorized to use this exact number), B (partial attestation — the carrier verified the call's origin but not the specific number's authorization), or C (gateway attestation — the call entered the US network from an external source the carrier can only partially verify). The receiving carrier verifies the signature using the originating carrier's public key. If the signature is valid and the attestation level is A, the call has been cryptographically verified as coming from a carrier that authenticated the calling party's use of that number. This is displayed to consumers as a "Verified" badge or call indication on supported devices.
The limitations of STIR/SHAKEN are significant, however. International calls arrive without STIR/SHAKEN signatures and receive C-level attestation at best. Scammers who register actual number ranges (rather than spoofing numbers they don't own) can generate fully A-attested calls. The framework verifies the carrier's authentication of the number — not that the caller is actually the IRS, not that the caller has good intentions, not that the call content is truthful. STIR/SHAKEN prevents a scammer from displaying "202-555-1234" if they don't have an account that actually includes that number — but it doesn't prevent a scammer from registering "202-555-9999" legitimately and using that authenticated number to make scam calls. The framework is an important component of anti-spoofing infrastructure but not a complete solution.
RELATED GUIDES
LOOKUP BY AREA CODE