ELI5: How do spam callers mask their phone numbers to ones registered to someone else?

Read the Story

Show Top Comments

When you get a phone call and a number shows up on your caller ID, that’s not always because your phone knows which number is calling it. The phone that’s calling you can send the call *and* tell your phone what number to show, plus maybe a name as well. Scammers use a VoIP phone and can just alter the data that their phone sends to your phone, your phone doesn’t know any better and just shows what ever the other phone tells it to show. Edited for clarity.


It’s called spoofing, and it actually exists for legitimate reasons. For example, a business with many individual phone lines may want them all to show up the same on caller ID so that customers call the correct number back. Or a person may want calls from their cell phone to appear to come from their office phone. Unfortunately now we’re dealing with people misusing this system. It used to be somewhat complicated to spoof a phone number but these days it’s trivially easy. That’s because a lot of phone traffic isn’t actually done over traditional phone networks, it’s done over the internet using a protocol called voice over IP (VoIP), in which case all you have to do is send deliberately incorrect caller ID data.


The telephone backbone operators such as AT&T have no incentive to block spam calls. They profit from it. Perhaps it even makes up the bulk of their call traffic. So although they could shut down the spam, they will be making excuses until they are forced to somehow. The reality is, despite the fact that the presentation caller ID may be spoofed, the billing number cannot be spoofed. The VoIP call traffic is well known as it enters the telephone network and they turn a blind eye to it.


Phone guy here. Depending on the carrier, I can send whatever the hell I want over as the caller ID. I can legit send 123 to your phone. Now you have to sign all sorts of legal docs saying you won’t do anything untoward… But when has that ever stopped anyone. It’s just a field in the PBX (phone system) and we can put whatever we want in there. It’s normally used to send the main number of the facility or department, but nothing stops me from sending complete bogus junk. Also, VoIP has nothing to do with it. It may make cheating easier, but I can send absolute trash over a standard PRI (old fashioned telephone service on a T1) with the right settings.


Spoofing is when you are pretending to be a directory number that does not belong to you and masking is when you want outbound calls to appear from a different directory number of your org. Masking is done for a number of legitimate reasons. Most carriers will check and enforce the format of the directory number but do not check if that number is yours. If carriers enforced not accepting directory numbers onto their network that don’t belong to the peering org we could eliminate a lot of spam and spoofing. They have the network resources to do this but it would add some overhead and cost and would require laws and regulations which isn’t easy.