Scorpiones Group

Caller ID Spoofing – What It Is and What to Do About It

the advance of smartphones replacing many of the phone lines people use, caller ID is part of our daily life.
Being aware of this fact and how to use this to your advantage is a must.

What is Caller ID?
Caller identification (Caller ID) is a service that allows the receiver of a phone call to determine the identity of the caller.
Caller ID is initially sent over at the start of the phone call and identifies the incoming caller before the receiver answers the phone.

Caller ID is not associated with the actual phone number but is part of the initial call setup,
which allows the caller to manipulate the Caller ID to display a different number from the number that is calling.

What is Caller ID Spoofing?
If you have ever received a call where the caller said that you called them when you have not, then your number was most likely spoofed by another person.
There are many phone scams that use Caller ID spoofing to hide their identity because Caller ID spoofing makes it impossible to block the number.

Anyone can spoof their outbound Caller ID by using an online service like Spooftel and SpoofCard, which allow anyone willing to pay to spoof numbers.
These services are meant to protect the caller’s number from being displayed and claim they aren’t intended for malicious purposes, but they have limited control over who uses the service.

Spoof Caller ID
If you have a spare computer and a VOIP service you can also use Asterisk to spoof caller ID.

Under the realm of cell phones like the iPhone, Android or the Blackberry you can look at SpoofApp.
SpoofApp uses the SpoofCards method mentioned above but bundles the features into a package on your cell phone.

Companies can also control their Caller ID if they have their PRI or SIP connection, the technical names for multi-line enterprise telephony setups.

Caller ID Spoofing will hurt your business unless you protect yourself from it.
A business in Tel Aviv on June 22, 2019, received about 300 calls in one hour.
Due to the high volume of calls, the business did not have enough resources to answer all of the calls.
It quickly became apparent that the businesses number had been used in a series of spoofed calls and the calls were not from customers but from the recipients of the spoofed calls.

This hurt the business, as they were busy answering calls from people who were not customers.
Not only does this cause a monetary loss, but the business’ reputation could have also been impacted as individuals assumed they were using auto-dialers to call people in the area.

SMS Spoofing
You hear a lot of talk about mobile content security nowadays, particularly as a threat to the long-awaited emergence of mobile advertising.
First, there is classic "mobile content spam," where the content provider has a service agreement with the operator and sends questionable content.

There is SMS flooding, where the content provider "floods" a foreign SMS center with numerous messages.
There is also SMS Faking, where a hacker simulates the behavior of an SMS switch to send messages.
And, finally, there is SMS "spoofing" where the hacker uses an engine to simulate mobile devices, especially in roaming situations.

It is the last type of attack, SMS spoofing, which is undoubtedly one of the fastest growing methods to penetrate mobile operators.

Essentially, the SMS message is reset to alter who the sender appears to be.
One of the main problems with identifying and dealing with SMS spoofing is that there are a number of legitimate uses for this technology, including corporate branding of a message, setting a mobile number for return phone calls and identifying the text with products or services from the vendor.

SMS spoofing is achievable because almost all phones today have access to, and are accessible from, the Internet.

It can be maliciously used by fraudsters for Phishing attacks, such as SMS Spoofing a message from your bank asking you to “change your current password” and by doing so you are practically giving away your bank credentials to the thief.

What should you do?
  • Identity thieves and other fraudsters often pose as representatives of banks, credit card companies, creditors, or government departments to get people to reveal their account numbers and other sensitive information.
  • Never give out your personal information in response to an incoming call, or rely upon the Caller ID as the sole means of identification, particularly if the caller asks you to carry out an action which might have financial consequences.
  • If someone calls you asking for this information, don't provide it.
    Instead, hang up and call the phone number on your account statement, in the phone book, or on the company's or government department's website to check whether the call was genuine.
    Wait at least five minutes before making the call - this ensures the line has cleared and you're not still speaking to the fraudster or an accomplice.

Tags: Phishing Vishing Social Engineering

Contact Us