The number on your screen is not real. It never had to be. When engineers designed the global telephone network in the 1970s, they built caller identification as a courtesy feature — a number passed between carriers on faith, with no mechanism to verify its origin. That design decision, made fifty years ago, is the architecture underpinning a $12.5-billion fraud machine operating openly today. Caller ID spoofing lets any person with a laptop, an internet phone account, and twenty minutes of setup display any phone number they choose. Your bank's fraud line. A government agency. A local hospital. A grandchild's cell phone. The number arriving on your screen may have been typed into a web form minutes before the call reached you. Nothing in the call itself will tell you that.

The U.S. Federal Communications Commission, the Canadian Radio-television and Telecommunications Commission, the FBI, and the FTC have all moved against this problem. Fines have been record-breaking. Arrests have happened. A new authentication standard — STIR/SHAKEN — was mandated into law. As of August 2025, it covers 38.4 per cent of calls. The other 61.6 per cent remain unauthenticated.

How the Phone System Learned to Lie

Signalling System 7 — SS7 — is the backbone of global telephone routing. It was developed by AT&T for Bell System internal use and deployed through the late 1970s and 1980s. Every piece of information passed between carriers in an SS7 call — including the Calling Party Number (CPN) that becomes your caller ID display — travels in a message called an Initial Address Message, or IAM. The IAM accepts that number as provided. There is no authentication step. Every network node is treated as trusted. For decades this was a manageable problem because access to SS7 infrastructure required physical carrier-level equipment.

Then came Voice over IP. The Session Initiation Protocol — SIP — defined in IETF RFC 3261, runs essentially every internet-based phone call.
Its "From" header specifies the caller's identity and can be set to any value by the person initiating the call. As the reference work Hacking Exposed VoIP states flatly: spoofing caller ID is trivial in SIP. Anyone with an open-source PBX like Asterisk or FreeSWITCH, a SIP trunk from a VoIP provider, and a Direct Inward Dialing number can configure outbound caller ID to any number they choose. Many SIP trunk providers pass that information through without verification. When a VoIP call enters the traditional phone network, a gateway translates the SIP "From" header into an SS7 Calling Party Number — which the receiving network accepts without question. The spoofed number rides the call all the way to your handset.

The P-Asserted-Identity header, defined in RFC 3325, was an attempt to add trust inside carrier federations. It provides no cryptographic verification, and Network World described it as "a stopgap solution" that breaks down in larger interconnected environments.

There is an important distinction between caller ID and Automatic Number Identification (ANI). ANI, created for Bell System billing, is set by the originating carrier's switch — not the customer's equipment. ANI is substantially harder to spoof because it requires carrier-level infrastructure access. For toll-free calls, ANI is always delivered since the toll-free subscriber pays for the call. With traditional landlines, ANI and caller ID are identical values. With VoIP and PBX systems, they can diverge entirely.

What gets forged in a typical spoofing attack is the CPN — the number on the display. Because the recipient's carrier often performs a database lookup on the incoming number to retrieve the caller's name, a convincing spoof displays not only the right phone number but the actual registered business name. A scammer displaying your bank's real fraud department number gets the bank's real name returned by the lookup. The call looks, in every visible detail, exactly like your bank calling.
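The screening step that the passage above says many SIP trunk providers skip, as an added example (not from the original article or any provider's code): parse an outbound INVITE and compare the numbers in From and P-Asserted-Identity with the numbers assigned to the customer. The sample INVITE, host names, 555 numbers and function names are constructed for illustration.

```python
import re

# Constructed sample INVITE from a hypothetical trunk customer (not captured traffic).
SAMPLE_INVITE = (
    "INVITE sip:+14165550123@carrier.example SIP/2.0\r\n"
    "Via: SIP/2.0/UDP pbx.customer.example;branch=z9hG4bK776asdhds\r\n"
    'From: "Example Bank" <sip:+18005550100@pbx.customer.example>;tag=1928301774\r\n'
    "To: <sip:+14165550123@carrier.example>\r\n"
    "P-Asserted-Identity: <sip:+12125550147@pbx.customer.example>\r\n"
    "Call-ID: a84b4c76e66710@pbx.customer.example\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Content-Length: 0\r\n\r\n"
)

COMPACT_NAMES = {"f": "from", "t": "to", "i": "call-id"}  # RFC 3261 compact forms


def parse_headers(message):
    """Return {lower-case header name: [values]} for a SIP message."""
    head = message.split("\r\n\r\n", 1)[0]
    head = re.sub(r"\r\n[ \t]+", " ", head)      # unfold continuation lines
    headers = {}
    for line in head.split("\r\n")[1:]:          # [0] is the request line
        name, _, value = line.partition(":")
        name = name.strip().lower()
        headers.setdefault(COMPACT_NAMES.get(name, name), []).append(value.strip())
    return headers


def calling_number(header_value):
    """Extract the user part of a sip:/sips:/tel: URI as digits, keeping a leading '+'."""
    bracketed = re.search(r"<([^>]*)>", header_value)
    uri = bracketed.group(1) if bracketed else header_value
    match = re.search(r"sips?:([^@;>\s]+)@|tel:([^;>\s]+)", uri)
    if not match:
        return None
    user = match.group(1) or match.group(2)
    digits = re.sub(r"\D", "", user)             # drop visual separators
    if not digits:
        return None
    return ("+" if user.startswith("+") else "") + digits


def screen_invite(message, assigned_numbers):
    """Compare the asserted calling numbers with the customer's assigned numbers."""
    headers = parse_headers(message)
    from_num = calling_number(headers.get("from", [""])[0])
    pai_num = calling_number(headers.get("p-asserted-identity", [""])[0])
    findings = []
    if from_num not in assigned_numbers:
        findings.append("from-not-assigned")
    if pai_num is not None and pai_num not in assigned_numbers:
        findings.append("pai-not-assigned")
    if pai_num is not None and pai_num != from_num:
        findings.append("from-pai-mismatch")
    return {"from": from_num, "pai": pai_num, "findings": findings}
```

Called as screen_invite(SAMPLE_INVITE, {"+12125550147"}), the sample is flagged because its From number is not one of the customer's assigned numbers and disagrees with P-Asserted-Identity.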
The Commercial Infrastructure Behind It

Spoofing at scale is not underground. Commercial services operate openly. SpoofCard, one of the better-known platforms, markets itself as a privacy tool and offers caller ID modification, voice changing, and call recording through mobile apps and a website. SpoofTel has operated for years and charges per-minute rates for spoofed calls and per-message rates for spoofed SMS. Both services state they prohibit fraudulent use and will cooperate with law enforcement subpoenas. The barrier to misuse is functionally nonexistent regardless.

The full criminal infrastructure is more sophisticated. Open-source PBX software can be configured to place thousands of spoofed calls simultaneously. Automated dialling platforms, sold as legitimate business tools, are routinely repurposed for scam campaigns. VoIP origination costs fractions of a cent per call, making even tiny conversion rates economically viable. Scammers buy VoIP trunks, configure any caller ID they want, and blast millions of households in a day.

Neighbourhood spoofing — displaying a number with the same area code and exchange as the target — exploits the tendency to answer calls that appear local. Spoofing a relative's mobile number exploits the tendency to answer calls from family without screening. Government number spoofing exploits the tendency to take calls from official agencies seriously. Each variant targets a different psychological vulnerability.

STIR/SHAKEN: A Fix That Covers 38 Per Cent of the Problem

The industry and regulatory response to spoofing is a framework called STIR/SHAKEN — Secure Telephone Identity Revisited / Signature-based Handling of Asserted information using toKENs. Developed jointly by the IETF (STIR protocols) and ATIS with the SIP Forum (SHAKEN implementation), the system uses public key infrastructure to digitally sign calls.
When a SIP call arrives at an originating service provider, the provider creates a JSON Web Token, signs it with a private key, and attaches it as a SIP Identity header. The receiving carrier verifies the signature. The number has a chain of custody.

Three attestation levels govern what the signing means. Full attestation — A — means the originating carrier verified both the caller and their authorisation to use the number. Partial attestation — B — means the carrier knows the customer but could not verify the specific number; common with enterprise PBX extensions dialling out. Gateway attestation — C — means only the gateway was authenticated, with no verification of the actual caller or number. International call handoffs typically carry C-level attestation or none at all.

Coverage as of August 2025 stands at 38.4 per cent of calls arriving with STIR/SHAKEN headers intact — down from a reported peak near 49 per cent in late 2024. The decline is counterintuitive. The number of SHAKEN-authorised providers has reached an all-time high of 1,739. But more calls are being routed through legacy TDM (time-division multiplexing) network segments, where authentication headers are stripped in transit. Between the major tier-one carriers, roughly 85 per cent of call traffic is signed. Between smaller carriers, the figure is around 17 per cent. The "island problem" — authenticated calls on large networks dropping into unauthenticated segments when routed through smaller providers — remains unsolved.

The more significant limitation is that STIR/SHAKEN authenticates the originating carrier, not the legitimacy of the call or the identity of the caller. A carrier that is careless about vetting its own customers, or that is actively complicit in fraud, can sign fraudulent calls with full A-level attestation.
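An added example, not part of the original article, of the claim checks a terminating provider can run on the token described above: it decodes the PASSporT carried in a SIP Identity header and compares its claims with the call it arrived on. Signature verification against the certificate named in x5u is deliberately left out, and the sample token, numbers, certificate URL, function names and 60-second freshness window are assumptions.

```python
import base64
import json

FRESHNESS_SECONDS = 60  # assumed acceptance window for the iat claim


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def make_sample_identity(attest, orig_tn, dest_tn, iat, x5u):
    """Build a constructed Identity header value; the signature is a placeholder."""
    header = {"alg": "ES256", "ppt": "shaken", "typ": "passport", "x5u": x5u}
    claims = {"attest": attest, "dest": {"tn": [dest_tn]}, "iat": iat,
              "orig": {"tn": orig_tn}, "origid": "00000000-0000-4000-8000-000000000000"}
    parts = [b64url_encode(json.dumps(p, separators=(",", ":")).encode())
             for p in (header, claims)]
    parts.append(b64url_encode(b"\x00" * 64))  # NOT a valid ES256 signature
    return ".".join(parts) + f";info=<{x5u}>;alg=ES256;ppt=shaken"


def check_identity(identity_value, from_tn, to_tn, now):
    """Decode a SHAKEN PASSporT and check its claims against the call it rides on."""
    result = {"attest": None, "problems": [], "signature_checked": False}
    token, _, params = identity_value.partition(";")
    try:
        head_b64, claims_b64, _signature = token.split(".")
        header = json.loads(b64url_decode(head_b64))
        claims = json.loads(b64url_decode(claims_b64))
    except ValueError:  # wrong part count, bad base64, bad UTF-8 or bad JSON
        header = claims = None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        result["problems"].append("malformed-passport")
        return result
    problems = result["problems"]
    for key, want in (("alg", "ES256"), ("ppt", "shaken"), ("typ", "passport")):
        if header.get(key) != want:
            problems.append("header-" + key)
    info = dict(p.split("=", 1) for p in params.split(";") if "=" in p).get("info", "")
    if info.strip("<>") != header.get("x5u"):
        problems.append("info-x5u-mismatch")
    result["attest"] = claims.get("attest")
    if result["attest"] not in ("A", "B", "C"):
        problems.append("attest-invalid")
    iat = claims.get("iat")
    if not isinstance(iat, int) or abs(now - iat) > FRESHNESS_SECONDS:
        problems.append("iat-stale")          # old tokens may be replays
    orig, dest = claims.get("orig"), claims.get("dest")
    if not isinstance(orig, dict) or orig.get("tn") != from_tn:
        problems.append("orig-mismatch")      # token was issued for another caller
    dest_tns = dest.get("tn") if isinstance(dest, dict) else None
    if not isinstance(dest_tns, list) or to_tn not in dest_tns:
        problems.append("dest-mismatch")
    return result


NOW = 1755000000  # constructed clock value (seconds since the epoch)
SAMPLE_IDENTITY = make_sample_identity(
    "A", "12125550147", "14165550123", NOW - 5, "https://cert.example/shaken.pem")
```

A result with attest "A" and no problems reports only what the signing carrier asserted; it says nothing about how well that carrier vetted its customer.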
TransNexus data from August 2025 found that among prolific robocall originators, 93.4 per cent of their calls carried A-level attestation — the highest trust level — demonstrating that bad actors actively seek and exploit that designation. As much as 20 per cent of signed traffic in some networks appears to carry over-attestation, meaning the confidence level assigned does not reflect what the carrier actually verified.

Five structural gaps remain unfilled. First, international calls bypass the framework entirely. No global standard for STIR/SHAKEN interoperability exists; the UK's Ofcom formally rejected STIR/SHAKEN adoption in February 2024 and is developing its own alternative framework. Second, any call traversing a TDM segment loses its authentication headers. Third, STIR/SHAKEN covers voice calls only — SMS spoofing is a separate, unresolved problem. Fourth, the framework cannot distinguish a well-attested scam call from a well-attested legitimate one; it verifies carrier identity, not call intent. Fifth, non-IP providers have received rolling exemptions, though the FCC has proposed requiring them to either convert to IP or adopt one of three ATIS-developed non-IP authentication standards within two years.

The FCC mandated STIR/SHAKEN implementation through its March 2020 Report and Order, setting a June 2021 deadline for large carriers under the authority of the TRACED Act of 2019. A November 2024 order addressed the third-party signing loophole, requiring all providers to make their own attestation decisions independently by September 2025. The FCC has removed more than 1,200 non-compliant voice providers from the U.S. phone network and flagged roughly 2,400 for deficiencies. Canada's CRTC mandated STIR/SHAKEN through Decision 2021-123, with a November 2021 deadline and no small-carrier exemptions — a stricter approach than the United States. Cross-border STIR/SHAKEN between the U.S.
and Canada remains non-operational in practice despite early demonstration calls between the two regulators.

The Numbers Behind the Damage

The FTC's Consumer Sentinel Network recorded $12.5 billion in reported fraud losses in the United States in 2024 — a 25 per cent increase over 2023's $10 billion, and the highest total in the program's history. The FBI's Internet Crime Complaint Center separately reported $16.6 billion in total cybercrime losses from 859,532 complaints in 2024, a 33 per cent increase year over year. These are reported figures. Both agencies acknowledge that most fraud is never reported.

Phone calls carry the heaviest financial weight of any contact method. While email leads in total fraud reports, the FTC data shows that frauds initiated by phone call carry substantially higher median per-incident losses than other channels. For older adults specifically, the FTC found the highest median individual losses came from frauds starting with a phone call — $2,210 per incident. Investment scams conducted over phone contact have driven the largest aggregate losses across all age groups.

Spoofing enables specific high-damage scam categories. Government impersonation — callers presenting as the IRS, Social Security Administration, CRTC, or law enforcement — produced $789 million in FTC-reported losses in 2024, up $171 million from 2023. Business impersonation, particularly scammers spoofing bank fraud-department numbers, generated $377 million in FTC-reported losses from older adults alone in 2024. Tech support fraud — callers posing as Microsoft, Apple, or telecommunications companies — produced $1.46 billion in FBI IC3-reported losses across all ages, consistently among the top categories by dollar volume.

Older adults absorb a disproportionate share of the damage. The FBI's IC3 recorded $4.885 billion in losses from 147,127 complaints by victims over 60 in 2024 — a 43 per cent increase over 2023.
Some 7,500 victims over 60 each reported individual losses exceeding $100,000, with an average individual loss in that group of $83,000. The FTC's dedicated Protecting Older Consumers report found that reported fraud losses by older adults rose more than fourfold, from $600 million in 2020 to $2.4 billion in 2024. The FTC notes that because most fraud goes unreported, it estimates actual losses experienced by older adults in 2024 could be as high as $82 billion.

Grandparent and family emergency scams — where a spoofed family member's number calls claiming an arrest or accident — generated only 357 complaints to IC3 in 2024, recording $2.7 million in losses. That figure is not the true scale; it is a measure of how rarely victims report. A single federal case unsealed in 2024 charged 16 defendants in a grandparent fraud ring estimated to have stolen more than $55 million over seven months. The gap between reported and actual losses is the core problem that fraud statistics cannot resolve.

In Canada, the Canadian Anti-Fraud Centre reported fraud losses of approximately $638 million CAD in 2024 while estimating this represents only 5 to 10 per cent of actual losses. INTERPOL estimated global fraud losses at approximately $442 billion in 2025, with fraud-related notices rising 54 per cent. In the United Kingdom, consumers lost an estimated £11.4 billion to scams in 2024 — roughly 0.4 per cent of GDP — with only 18 per cent of victims recovering any money.

The Legal Response and Its Limits

U.S. federal law addresses spoofing through two primary statutes. The Truth in Caller ID Act, signed December 22, 2010, prohibits transmitting misleading caller identification information with intent to defraud, cause harm, or wrongfully obtain something of value. Penalties reach $10,000 per violation. A 2019 expansion through the RAY BAUM's Act extended coverage to international calls targeting U.S. recipients and to text messages.
The TRACED Act, signed December 30, 2019, strengthened enforcement substantially: it extended the statute of limitations for intentional violations from two to four years, removed the requirement to issue a warning citation before penalising first-time offenders, mandated STIR/SHAKEN deployment, and established the USTelecom Industry Traceback Group as the official body for identifying illegal robocall originators.

FCC enforcement has produced large fines. A $299,997,000 forfeiture order — the largest in FCC history — was issued in August 2023 against a network behind more than five billion auto warranty robocalls that had used over one million spoofed caller IDs. The agency reported a 99 per cent drop in auto warranty scam robocalls following that action. Earlier major actions included a $225 million proposed forfeiture against Rising Eagle Capital Group for health insurance scam robocalls and $120 million against Adrian Abramovich for 100 million neighbour-spoofed calls. In 2024, the FCC issued a $6 million proposed fine against political consultant Steve Kramer for AI-generated voice calls impersonating a sitting U.S. president before a primary election — the first enforcement action involving deepfake voice cloning. Kramer was also criminally indicted in New Hampshire.

Criminal prosecutions have targeted the infrastructure layer. In 2016, the DOJ unsealed indictments against 61 individuals and entities in a transnational IRS impersonation ring that used spoofed U.S. government numbers to defraud victims of hundreds of millions of dollars, with domestic defendants receiving sentences of up to 20 years. Joint FBI-CBI operations in India resulted in a 700 per cent increase in arrests related to call-centre fraud in 2024 compared to the prior year.
A coalition of 51 state attorneys general — the Anti-Robocall Multistate Litigation Task Force — targets voice providers facilitating illegal traffic; Phase 2 investigations in 2025 reached major carriers including Inteliquent, Bandwidth, Lumen, and Peerless.

The deterrence picture is mixed. The auto warranty campaign was largely dismantled. Aggregate reported losses have nonetheless nearly tripled since 2020. The infrastructure enabling spoofing is distributed, low-cost, and routinely rebuilt after enforcement actions. Fines are often issued against entities that cannot or will not pay. Overseas originators face limited reach from U.S. or Canadian regulators.

What Spoofing Cannot Do

Understanding the limits of spoofing is as important as understanding what it can do. Spoofing the display number does not intercept calls to that number. If a caller presents your bank's fraud line and you hang up and call that number back, you reach the real bank — not the scammer. This is the single most reliable defence currently available to anyone with a phone.

Spoofing gives the attacker no access to your accounts, PINs, passwords, or security questions. The display number is cosmetic. Everything the scammer knows about you must be extracted through conversation. If a caller claiming to be from your bank already knows your account number, that information came from a data breach or another source — not from the spoofing technique itself.

Spoofing does not grant access to the spoofed number's voicemail — with one exception the FCC has specifically warned about. Some voicemail systems configured to grant automatic access when called from the account owner's number can be exploited if no PIN has been set. This is a separate vulnerability in voicemail configuration, not an inherent feature of spoofing, and it is remedied by setting a voicemail PIN.

Carriers retain complete Call Detail Records for every call regardless of what caller ID displays.
Spoofed calls are traceable through CDR analysis, carrier cooperation, and the USTelecom Traceback Group process. The process takes time, particularly for calls originating internationally, but the displayed number being false does not make the call invisible to law enforcement.

What You Can Do Right Now

The most effective protection requires no technology. The FCC's official guidance is direct: if a call creates urgency — an arrest warrant, a suspended account, a family emergency — hang up. Call back using a number you obtained independently, from the organisation's website, from the back of your card, or from a prior statement. Never use a number the caller provides. Never trust a caller ID display as confirmation of identity.

Major carriers in the United States provide free call-filtering tools. AT&T's ActiveArmor automatically flags fraud and spam calls and maintains a network-level block list, with an enhanced paid tier. T-Mobile's Scam Shield labels suspected fraud calls as "Scam Likely" at the network level; Scam Block can be activated by dialling #662#. Verizon's Call Filter provides spam detection and a Neighbourhood Filter option that routes same-area-code suspected spam calls to voicemail. In Canada, carriers including Telus offer call-screening options that require callers to press a digit before the call connects — effectively blocking all automated diallers.

Third-party applications add an additional layer. Hiya, which also powers Samsung's built-in spam detection, maintains a large database of known scam numbers. Nomorobo, listed on the FCC's official consumer resources, uses a simultaneous-ring approach to intercept robocalls on traditional landlines and a mobile app for wireless numbers. RoboKiller uses audio fingerprinting to identify known scammers even when numbers change. All of these tools improve over time as more calls are reported; none of them catch everything.
The Do Not Call Registry (donotcall.gov in the United States; lnnte.gc.ca in Canada) should be used, but its protections are limited. The FTC explicitly states the registry does not block calls and will not stop scammers operating illegally. Political calls, charities, surveys, and organisations with an existing business relationship are exempt from registry compliance. Scammers are by definition already operating outside the law. Registration removes you from compliant telemarketing lists. It does not protect against spoofed fraud calls.

Payment method recognition is a practical filter. No legitimate bank, government agency, law enforcement body, or technical support team will ask for payment by gift card, wire transfer, cryptocurrency, or prepaid debit card. This applies regardless of what number they called from, what name appeared on your screen, or how urgent the situation sounds. The FCC ruled AI-generated voices in robocalls illegal in February 2024 — but that ruling does not make the technique unavailable to scammers operating from outside U.S. jurisdiction.

Reporting matters even when it feels futile. Complaints filed with the FTC at ReportFraud.ftc.gov, the FCC at consumercomplaints.fcc.gov, and in Canada with the Canadian Anti-Fraud Centre at 1-888-495-8501 feed the datasets that identify patterns and support enforcement actions. The AARP has found that the overwhelming majority of fraud victims never report to law enforcement or federal agencies. That silence directly limits what investigators can do.