How Call Spoofing Works

[Man]

Call spoofing is a technique in which an attacker changes the caller ID information to hide their real number or to impersonate someone else (such as a bank, government agency, or acquaintance). It is an illegal practice often used in fraudulent schemes (such as voice phishing or identity theft). Below is a technical explanation of how spoofing works for educational purposes so you can understand the risks and protect yourself.

1. What is SIP?​

SIP is a signaling protocol used to establish and manage communication sessions in VoIP networks. It operates on a client-server model and uses text messages (similar to HTTP) to:

• Registration of devices on the network.
• Establishing and ending calls.
• Transferring information about session parameters (e.g. audio/video codecs).

Example of SIP request:

INVITE sip:user@example.com SIP/2.0
Via: SIP/2.0/UDP 192.168.1.100:5060
From: <sip:caller@example.com>
To: <sip:callee@example.com>
Call-ID: 1234567890@example.com
CSeq: 1 INVITE
Content-Type: application/sdp
Content-Length: 142

v=0
o=caller 2890844526 2890844526 IN IP4 192.168.1.100
s=-
c=IN IP4 192.168.1.100
t=0 0
m=audio 49170 RTP/AVP 0
a=rtpmap:0 PCMU/8000

2. How does call spoofing work?​

Technical background​

Modern calls are transmitted via VoIP (Voice over IP) or traditional telephone networks (including SS7). Information about Caller ID (number and name of the subscriber) is transmitted separately from the voice signal, which allows it to be modified. The main methods are:

A. Changing SIP Headers (VoIP)​

• SIP (Session Initiation Protocol) controls the establishment of VoIP calls. An attacker can forge fields in SIP requests:
  • From: Sender's name and number.
  • P-Asserted-Identity (PAI): Authenticated identity of the caller.
  • Remote-Party-ID (RPID): Additional information about the caller.
• Example:
  

  INVITE sip:user@example.com SIP/2.0
  From: <sip:+18005551234@example.com>
  To: <sip:target@example.com>

  Here +18005551234 is a fake bank support service number.

B. Using VoIP services with spoofing support​

• Some legitimate services allow you to specify a custom Caller ID for corporate purposes (for example, to display a single company number). Attackers abuse this:
  • SpoofCard (https://www.spoofcard.com): Send calls with a fake number.
  • Burner (https://www.burnerapp.com): Temporary numbers for anonymous calls.
  • TextNow (https://www.textnow.com): Free calls with the ability to change Caller ID.

C. Software Spoofing Tools​

• SIPVicious (https://www.sipcrack.org): A tool for testing VoIP network vulnerabilities, including Caller ID modification.
• Asterisk (https://www.asterisk.org): An open-source PBX system that can be configured by attackers to spoof calls.
• Wireshark + SIP Requests: Manually modify fields in SIP packets to manipulate Caller ID.

D. Manipulation with SS7 (for mobile networks)​

• In traditional mobile networks, an attacker can exploit vulnerabilities in the SS7 protocol to change the sender's number data. For example:
  • Sending MAP_SEND_ROUTING_INFORMATION command to redirect calls.
  • Using tools like SS7 MAP Explorer to change network settings.

F. Voice Templates and AI​

• Modern AI models (like Google Duplex) can generate natural speech, making calls more convincing. An attacker can combine Caller ID spoofing with voice synthesis to impersonate bank employees or friends of the victim.

3. Examples of real attacks​

Example 1: Tax fraud​

• The attacker sends a call with a Caller ID displaying the tax service number.
• Posing as an inspector, he claims the victim owes taxes and threatens arrest if the money is not transferred immediately.

Example 2: Attack on crypto exchange clients​

• The attacker calls the owner of the crypto wallet from a number spoofed to look like Binance support.
• Convinces the victim to send a 2FA code to "confirm security", after which he withdraws the cryptocurrency to his wallet.

Example 3: Corporate Spoofing​

• The attacker calls a company employee, introducing himself as the director.
• Using a fake internal line number, he asks to urgently transfer money to a "partner account", citing an urgent project.

4. Why is call spoofing dangerous?​

1. Caller ID Trust:
   People tend to trust a number, especially if it matches an official one.
2. Psychological pressure:
   The attacker uses fear (e.g. threats of arrest) or urgency to prevent the victim from verifying the information.
3. Difficulty of tracking:
   VoIP services and anonymous numbers make it difficult to identify the attacker.
4. Combination with other attacks:
   Spoofing is often combined with vishing, SMS phishing or SS7 attacks to increase effectiveness.

5. How to protect yourself from call spoofing?​

A. Don't trust Caller ID​

• Even if the number looks official, do not give out the details over the phone.
• Call back the official number listed on the company's website or receipt.

B. Check the authenticity​

• Ask the caller his name, title and department.
• Let them know that you will call back later to verify the information.

C. Use secure authentication methods​

• Ditch SMS codes in favor of hardware tokens (like YubiKey) or authenticator apps (like Google Authenticator).
• Set up two-factor authentication using biometrics or secure keys.

D. Install Call Blocking Tools​

• Use spam blocking apps:
  • Truecaller (Android/iOS) — identifies suspicious numbers.
  • RoboKiller — blocks autodialers and spam.

E. Training and Awareness​

• Educate loved ones (especially older ones) about the risks of spoofing.
• Conduct social engineering training (e.g. attack simulations) in companies.

F. Use STIR/SHAKEN​

• These call authentication standards (implemented in some countries) encrypt Caller ID data to prevent it from being spoofed.
• Check with your carrier to see if they support STIR/SHAKEN.

6. Legal consequences​

Call spoofing violates the laws of many countries:

• USA: Truth in Caller ID Act (fines up to $10,000 per violation).
• Russia: Article 138 of the Criminal Code of the Russian Federation (unauthorized access to computer information) and Article 159 (fraud).
• EU: GDPR (unlawful collection of personal data, fines up to €20 million).

7. Educational resources​

If you want to learn about protection against spoofing and other attacks:

• Books: "The Art of Deception" (Kevin Mitnick), "Hacking Exposed 7" (McGraw-Hill).
• Platforms: TryHackMe (social engineering courses), OWASP .
• Certifications:
  • Certified Ethical Hacker (CEH) - analysis of social engineering methods.
  • CISSP — Cybersecurity.

Summary​

Call spoofing is a powerful social engineering tool that can be used both offensively and defensively. Never try to use these methods in real life — it is illegal and dangerous. Instead, focus on protecting your data and educating others. If you are interested in practical examples or code for learning — let me know!

 

[Jollier]

How Call Spoofing Works (Number Substitution): A Complete Analysis​

Spoofing (Caller ID substitution) is a technology that allows attackers to change the number that is displayed to the recipient of the call. This is used in fraudulent schemes, phishing and bypassing blocking.

Technical Basics of Spoofing​

1. Via VoIP (SIP telephony)​

• How it works:
  • The attacker registers with a VoIP provider or hacks a SIP account.
  • In a SIP request (INVITE), replace the From: field with the desired number.
  • The operator transmits a fake Caller ID.
• Example: A fraudster calls the victim, posing as a bank (+1-XXX-BANK).

2. Via SS7 (in cellular networks)​

• How it works:
  • Exploits vulnerabilities in the SS7 signaling protocol.
  • Sends false commands (ISUP IAM), replacing the number.
• Difficulty: Requires access to SS7 network (rare, but possible).

3. Through fake services​

• Sites/apps: SpoofCard, SpoofTel, some SIP providers.
• Functionality: Allows you to manually enter any number for substitution.

Why do people use spoofing?​

1. Phishing/Vishing – calls “from the bank” asking to provide the CVV or code from the SMS.
2. Fraud with relatives - "I got into an accident, I urgently need money!"
3. Bypassing blocking - if the fraudster's number is blocked, they call from new ones.
4. Pranks/Hacktivism are not always a crime, but they can break the law.

🛡 How to detect number substitution?​

Call back – if the number does not exist or belongs to another person, it is spoofing.
Check Truecaller / "Who called" – some services mark suspicious numbers.
Pay attention to the context – banks never ask for CVV or SMS codes over the phone.

Protection against spoofing​

For regular users​

Don't trust Caller ID - always call back official numbers.
Don't give SMS codes, CVV, passwords - even if the call is "from the bank".
Install antispam (Hiya) - helps filter suspicious calls.

For business (if your numbers are being faked)​

Enable STIR/SHAKEN – call authentication technology (works in the US, is being implemented in Russia).
File complaints with operators – if scammers use your number.

Legality and counteraction​

• In the US – prohibited (Truth in Caller ID Act), fines up to $10K.
• In the Russian Federation, it falls under Article 159 of the Criminal Code of the Russian Federation (fraud).
• Problem: Fraudsters use anonymous services, they are difficult to catch.

Conclusion: Spoofing is a dangerous tool for fraudsters, but vigilance and technologies (STIR/SHAKEN, antispam) reduce the risks.

 

[Professor]

What is call spoofing (number substitution)?​

Call spoofing is a technique in which criminals change the caller ID to hide their real phone number or impersonate another person or organization. This allows the scammers to trick the victim into believing the call is coming from a trusted source, such as a bank, government agency, or friend.

How does call spoofing work?​

1. Using VoIP (IP telephony):
   • Most spoofing attacks are carried out through VoIP services. These services allow attackers to manually specify the number and name that will be displayed on the call recipient's screen.
   • For example, an attacker may provide the number of a bank or other organization to gain trust.
2. Number substitution services:
   • There are paid services that provide the ability to replace Caller ID. The user enters the number from which the call is supposedly made and the recipient's number. After that, the service processes the call and replaces the identifier.
   • Such services operate on a prepayment basis and provide a PIN code to activate the service.
3. Software and bots:
   • Attackers can use specialized software or even bots in messengers (for example, Telegram) to quickly and easily replace numbers. This makes the technology accessible even to people without technical knowledge.
4. Substitution through "orange boxes":
   • These are hardware or software devices that intercept the Caller ID signal and replace it with another one. This method is less common, but is still used in some cases.

Examples of Spoofing Uses​

1. Bank fraud:
   • Fraudsters call the victim, posing as bank employees, and report "suspicious activity" on the account. They ask for card details or codes from SMS to "protect funds."
2. Technical support:
   • Fraudsters call, pretending to be technical support employees of well-known companies, and convince the victim to install malware or provide access to the device.
3. IRS or Internal Revenue Service:
   • In some countries, fraudsters use tax office numbers to intimidate victims with threats of arrest for "tax evasion" and force them to transfer money.
4. Surveillance and blackmail:
   • Spoofing can be used to spy on people or to blackmail them by posing as acquaintances or colleagues of the victim.

Why is spoofing dangerous?​

• Financial losses: Victims may provide fraudsters with bank card details or transfer money to "safe accounts."
• Identity Theft: Attackers can use the information they obtain to steal your identity.
• Reputational risks: Companies whose numbers are used for spoofing may lose the trust of their customers.

How to protect yourself from call spoofing?​

1. Don't trust Caller ID:
   • Please note that the number displayed may be fake. If the call seems suspicious, call back the official number of the organization.
2. Use antispam applications:
   • Install apps like Truecaller that can identify suspicious numbers and block them.
3. Do not give out personal information over the phone:
   • Never provide bank card details, passwords or codes from SMS unless you initiated the call.
4. Check the information:
   • If the caller claims to be from a bank or government agency, check the information through the official website or hotline.
5. Report suspicious calls:
   • In some countries, you can file a complaint with regulatory authorities such as Roskomnadzor or the FCC.

Conclusion​

Call spoofing is a powerful social engineering tool used by criminals to deceive and steal data. Being aware of spoofing methods and taking precautions can help you protect yourself and your data from scammers.