How Phone Spoofing Works and Why It's So Hard to Catch

Investigators know spoofing from both sides. It's a tool used to get subjects to answer calls — local number spoofing significantly increases answer rates. It's also used against investigators by subjects who want to identify them, harass them, or gather information without revealing who's calling. Understanding exactly how spoofing works technically clarifies both why it's so prevalent and why it's so resistant to enforcement.

What Caller ID Actually Is

Caller ID is not a verified identity system. It was never designed to be. The technology was developed in the 1980s and 1990s to display the number a call was originating from — a convenience feature for the person receiving the call, not a security or authentication mechanism.

The caller ID information displayed on your phone is data transmitted alongside the call. In the traditional phone network (the Public Switched Telephone Network, or PSTN), this data was set by the originating carrier and passed through the network as a parameter. The receiving carrier displayed whatever parameter it received. There was no validation step — no check that the number being transmitted actually matched the physical line the call originated from.

This was acceptable when phone numbers mapped directly to physical telephone lines. If someone claimed to be calling from 603-555-1234, that number had to correspond to an actual telephone line, and the carrier connecting that line would set the caller ID accordingly. Spoofing that was technically difficult.

VoIP changed everything.

VoIP and the Death of Caller ID Integrity

Voice over Internet Protocol routes calls as data packets over the internet rather than through traditional phone network circuits. Services like Skype, Google Voice, WhatsApp calling, and carrier VoIP all use this technology. VoIP systems set the caller ID data in software, not hardware.

In most VoIP implementations, the originating system sends a SIP (Session Initiation Protocol) packet that includes a "From" field containing the caller's number. This field is set by the software making the call. It can be set to anything. The traditional phone network trusts this parameter because it was engineered to trust carrier-provided caller ID data — a trust assumption that made sense when only carriers could originate calls, and carriers were accountable entities with regulatory obligations.

VoIP shattered that assumption. Anyone with a VoIP account and basic technical knowledge can set their outbound caller ID to any number before making a call. Many VoIP providers explicitly offer this as a feature for legitimate purposes — businesses often want outbound calls to display the main company number rather than individual employee extensions.

How Spoofing Services Work in Practice

The proliferation of spoofing-as-a-service made this even simpler. Services like SpoofCard (now subject to more regulatory scrutiny), various VoIP providers, and offshore calling platforms allow users to enter any originating number they want before placing a call. The call routes through the provider's VoIP infrastructure, the specified number is placed in the SIP header, and that number appears on the recipient's caller ID.

The call itself travels through multiple carriers before reaching the recipient. Each carrier in the chain passes along the caller ID parameter it received — they don't verify it, they relay it. By the time the call reaches the recipient, the original caller has been laundered through multiple network hops, each one adding distance between the displayed number and the actual origin.

Neighbor spoofing — displaying a number with the same area code and first three digits as the recipient's number — became widespread because answer rates for local-looking numbers are significantly higher than for out-of-area or toll-free numbers. This is the most common form of call spoofing most people experience daily.

Why It's Nearly Impossible to Trace

The fundamental tracing problem: the number displayed is not the number that placed the call. Working backward from the displayed number leads to whatever random subscriber has been assigned that number — typically a legitimate person with no connection to the spoofed call.

To trace a spoofed call to its actual origin, you need the call records from every carrier that handled the call in sequence, working backward from the recipient's carrier to the originating carrier. This requires:

Subpoenas to multiple carriers. Each carrier in the chain holds records only for the leg of the call that crossed their network. Getting the full picture requires legal process against each carrier involved. This takes months and significant legal resources.

Cooperation from foreign entities. Many spoofing services route calls through carriers in jurisdictions outside U.S. legal reach. A call that originates from a service in Eastern Europe, routes through a carrier in the Caribbean, and terminates on a U.S. network involves two foreign entities who are under no obligation to respond to U.S. subpoenas.

Short retention windows. Call routing records are often retained for only 90 days or less. By the time law enforcement identifies that spoofing occurred and begins the legal process to trace it, the records at the originating carrier may already be gone.

Prepaid accounts and fake identities. Even when the originating VoIP account is identified, it may have been created with a prepaid payment method and a fake name, leaving no usable identity information.

STIR/SHAKEN: The Industry Response

The FCC mandated implementation of STIR/SHAKEN (Secure Telephone Identity Revisited / Signature-based Handling of Asserted information using toKENs) by major U.S. carriers. This is a framework that adds cryptographic attestation to calls — essentially, the originating carrier signs the call with a digital certificate that says "I can verify this number is assigned to the caller I'm connecting."

In practice, STIR/SHAKEN is a significant improvement over the previous baseline of nothing, but it has substantial limitations:

It only works when both carriers support it. STIR/SHAKEN provides attestation at the originating carrier. If the originating carrier is a small provider, an overseas provider, or a VoIP service that hasn't implemented the standard, the call arrives without attestation and carries no verified identity information.

It doesn't prevent spoofing — it flags suspicious calls. STIR/SHAKEN attestation levels tell the recipient's carrier whether the number was verified (A attestation), partially verified (B), or unverified (C). Carriers can use this information to route flagged calls to spam labels or block them. But unverified calls can still go through — they just arrive without the verified badge.

International calls bypass it almost entirely. A call that originates overseas and terminates in the U.S. often arrives without STIR/SHAKEN attestation because the originating carrier isn't in the U.S. system. International call spoofing remains largely unmitigated.

What Investigators Need to Know

For investigators on the receiving end of spoofed calls from subjects:

The displayed number is meaningless. Don't call back a number that appears to be harassing you — you'll reach an innocent person whose number was spoofed. The call to a random spoofed number creates a problem for them and gets you no information about who's actually calling.

Call detail records from your carrier are the starting point. If you're experiencing a pattern of harassment calls, request your call detail records from your carrier. These show the actual originating number as received by your carrier, which may differ from what your phone displayed in cases where your carrier's equipment captures more routing information. Work with an attorney if you're pursuing this through law enforcement.

If they need to identify themselves, they already know your number. A spoofed call to your personal cell is confirmation that your number is in a database they can access. This is one of the reasons keeping your personal cell off broker sites matters — it reduces the population of people who can easily find your number to call or spoof from.

Your own use of spoofing tools. The Truth in Caller ID Act makes it illegal to transmit misleading or inaccurate caller ID information with intent to defraud, cause harm, or wrongfully obtain anything of value. Using a spoofed number to get a subject to answer a call in the course of legitimate investigation occupies a legal gray area that varies by jurisdiction and context. Know your jurisdiction's rules before using number spoofing in your professional work.

The Bottom Line

Phone spoofing is a direct consequence of how the phone system was designed — for convenience and interoperability, not security. STIR/SHAKEN is a partial mitigation, not a solution. International spoofing, small-carrier gaps, and the inherent architecture of VoIP mean that spoofing remains a practical tool for anyone willing to use it.

For investigators, this means treating caller ID as unverified by default, protecting your real number from public exposure, and using a dedicated work number that can be changed if it gets used against you. See the full guide on phone number privacy for investigators for specific steps.