Your iPhone, Caller ID Spoofing & All That Jazz

3 minute read
| Analysis

If you’ve been receiving robocalls from numbers not in your contacts, they’re fairly easy to block. But Caller ID spoofing is another, more difficult, matter. Here’s a short introduction.

Spoof - Caller ID

This whole subject is amazingly complex, and there’s a hierarchy of issues. So in this short article, I’ll keep it simple and supply resources for further reading.

First order. Ordinary SPAM calls. If all you have is a smartphone, say an iPhone, and you maintain a contacts list, it’s easy to block robocalls after the first attempt. If the number isn’t in your contacts list, the iPhone will just show the number of origin with no other identifying information.

You can elect to not answer, but there’s always a chance that it’s from a legitimate caller. You can’t know. However, if it’s really important, the legit caller will usually leave a voicemail.

If you let it roll to voice mail either because you didn’t want to answer of your phone wasn’t handy, the nature of the recording will reveal if you want to “Block this caller.” In the phone app, in the Recents tab, tap on the little circled “i” on the right. Scroll down until you see “Block this Caller.” Tap it, and you’re done.

There are many resources to help here. See Jeff Gamet’s tutorial on how to install a SPAM blocker called Whocalls, but another well regarded one is Hiya for iOS.

Second order. Caller ID Spoofing. This is more difficult. The caller disguises the original number and tricks the phone network’s Caller ID system into displaying a customized number. A popular trick is to duplicate your own area code and your number prefix, that is the first three numbers of your own number.

For example, if your number is 303-555-1212, the caller will spoof the Caller ID system to be from 303-555-4410. Even though it’s not in your Contacts, you may surmise that it’s from a neighbor, someone local, or local merchant not in your contacts list.

Caller ID Spoofing is generally legal in the U.S. and Canada because it has other uses. Here’s a great introduction to the issue: “Caller ID Spoofing: All You Need To Know.” This article notes:

In the United States, “Under the Truth in Calling Act, FCC rules prohibit any person or entity from transmitting misleading or inaccurate Caller ID information with the intent to defraud, cause harm, or wrongly obtain anything of value. If no harm is intended or caused, spoofing is not illegal. Anyone who is illegally spoofing can face penalties of up to $10,000 for each violation. In some cases, spoofing can be permitted by courts for people who have legitimate reasons to hide their information, such as law enforcement agencies working on cases, victims of domestic abuse or doctors who wish to discuss private medical matters.

I’ve been receiving a lot of these lately. I even received a call from myself because the spammer, apparently, allowed the spoofed Caller ID number to be the same as the number called.

This gives us a clue that the spoofed number is probably random and is likely from a number already in service. So if you use the techniques described above to “Block this Caller” you may end up blocking a legitimate number from a neighbor, someone local to that prefix, or local merchant who just doesn’t happen to be in your Contacts list.

Currently, I don’t know a way around this. As of this writing, the latest information I could find is from January of this year, from the Hiya blog. “Phone Spoofing Bill Passed in House and Moves to Senate.

Recognizing this growing issue, U.S. Representative Grace Meng (D-Queens) took a stance with the Anti-Spoofing Act (H.R. 2669). Passed by the House of Representatives last November, and most recently by the House, the bill is now making its way to the Senate.

If I can find out more about the status of this legislation, or can shed any more light on any topic I’ve mentioned, I’ll update this article.

The best advice I have is this. Install one of the call blocker apps above. They use a known blacklist to filter SPAM calls. If you still get a call from a number not in your Contacts list, thanks to Caller ID spoofing, just don’t answer. Let voicemail, if recorded, sort out the situation. That way, you won’t need to manually block spoofed, but potentially legit, numbers.

Comments below are always welcome.

7 Comments Add a comment

  1. Scott B in DC

    Using the information from the article, the Anti-Spoofing Act of 2016 (H.R. 2669) was passed by the House of Representatives by a roll call vote on 11/14/16. It was then engrossed by the House and sent to the Senate on 11/15/16 where it was assigned to the Committee on Commerce, Science, and Transportation. When the 114th Congress formally adjourned for the final time on January 3, 2017, and the 115th Congress was gavelled in at noon, all pending bills of the 114th congress were purged. If you remember your “School House Rock” song, “I’m Just A Bill,” this is called dying in committee.

    You can always look up all bills at congress.gov. In this case, you can find H.R. 2669 from the 114th Congress at https://www.congress.gov/bill/114th-congress/house-bill/2669/.

    The bill has been reintroduced again. In the House, the Anti-Spoofing Act of 2017 (H.R. 423) was passed by the House of Representatives on January 23, 2017, and sent to the Senate where it was assigned to the Committee on Commerce, Science, and Transportation. It was passed 398-5 with 31 not voting. All 5 “NO” votes were by Republicans.

    Also, Sen. Bill Nelson (D-FL) introduced the Spoofing Prevention Act of 2017 (S. 134) on January 12, 2017. It was passed by the Senate by Unanimous Consent on August 3, 2017. Unanimous Consent is when bills are passed without objection. If there is an objection, the objector can call for a roll call vote or request an open debate. The bill was sent to the House of Representatives where its status is “Held at the Desk.” This means that the Clerk of the House recognized the duplication of efforts and will work with leadership to determine which bill to put forward.

    In looking at the two bills, there are some minor differences that should not be difficult to work out. However, considering the workload of Congress and the number of controversial issues they appear to have to contend with, do not count on them getting to this anytime soon. Bills like this are worked out during the lull of the holiday season, unless something else pressing gets in the way like the budget, or during the lame duck session which would be after the 2018 mid-term elections.

  2. Scott B in DC

    Using the information from the article, the Anti-Spoofing Act of 2016 (H.R. 2669) was passed by the House of Representatives by a roll call vote on 11/14/16. It was then engrossed by the House and sent to the Senate on 11/15/16 where it was assigned to the Committee on Commerce, Science, and Transportation. When the 114th Congress formally adjourned for the final time on January 3, 2017, and the 115th Congress was gavelled in at noon, all pending bills of the 114th congress were purged. If you remember your “School House Rock” song, “I’m Just A Bill,” this is called dying in committee.

    You can always look up all bills at congress.gov. In this case, you can find H.R. 2669 from the 114th Congress at https://www.congress.gov/bill/114th-congress/house-bill/2669/.

    The bill has been reintroduced again. In the House, the Anti-Spoofing Act of 2017 (H.R. 423) was passed by the House of Representatives on January 23, 2017, and sent to the Senate where it was assigned to the Committee on Commerce, Science, and Transportation. It was passed 398-5 with 31 not voting. All 5 “NO” votes were by Republicans.

    Also, Sen. Bill Nelson (D-FL) introduced the Spoofing Prevention Act of 2017 (S. 134) on January 12, 2017. It was passed by the Senate by Unanimous Consent on August 3, 2017. Unanimous Consent is when bills are passed without objection. If there is an objection, the objector can call for a roll call vote or request an open debate. The bill was sent to the House of Representatives where its status is “Held at the Desk.” This means that the Clerk of the House recognized the duplication of efforts and will work with leadership to determine which bill to put forward.

    In looking at the two bills, there are some minor differences that should not be difficult to work out. However, considering the workload of Congress and the number of controversial issues they appear to have to contend with, do not count on them getting to this anytime soon. Bills like this are worked out during the lull of the holiday season, unless something else pressing gets in the way like the budget, or during the lame duck session which would be after the 2018 mid-term elections.

  3. popvox

    Maybe the solution to the problem is scarier than the problem. Reading the terms of service of the recommended apps I see that we’d be handing over the following:

    Your call and text logs
    Your contacts
    Your phone number

    And that’s without even using your Social Media accounts to sign in.

  4. Lee Dronick

    Caller ID Spoofing is generally legal in the U.S. and Canada because it has other uses.

    What uses?

    Can the phone service providers identify if a number is spoofed? Then display on our devices that the number is not the real caller?

    I have AT&T cell service and they offer a Call Protect app that is kind of like a spam filter service` that your email provider may have. It works pretty well.

    I have a silent ringtone set as the default sound. Family, close friends, and numbers such as my medical clinic have custom ringtones.

    • Scott B in DC

      An expected use of “legitimate” caller ID spoofing is a business call center calling you from what looks like a central number. Your call may come from anywhere but the number you see is the callback number to their central service.

      The carriers know the real numbers. In reality there are two phone number tags. What you see on your phone is the Calling Number Identification (CNID) tag. This is built into the message signal sent to the phone. But the carrier signal has a protocol that identifies the station of origin of all calls. Think of it as the IP address of the origin call. That remote station ID is carried through the call to the remote switch where it is used for routing. At the remote switch, that info is dropped. This is what they use to trace a call.

    • Lee Dronick

      Your call may come from anywhere but the number you see is the callback number to their central service.

      That would be fine if the the caller ID was more than just the number, too many businesses do not include their name. If I don’t know who is calling, I don’t take the call.

      And can we please get more enforcement of the Do Not Call list.

  5. geoduck

    Here’s the solution I use.

    I have half a dozen or so people that call me on the phone. My wife. My elderly aunt, My Doctor, a few others. Everyone else that knows me knows to text or e-mail. I hate talking on the phone. That’s WHY I moved from a dumb phone to an iPhone. So if I get a call and it comes up as a number, it is by definition not anyone I want to talk to. I block it. I don’t care if it’s my area code and prefix. Heck I’ve had calls come in one DIGIT off from mine. Don’t know ’em, don’t want to. They’re blocked.

    OK people have called me a curmudgeon but that’s how I deal with it.

Add a Comment

Log in to comment (TMO, Twitter, Facebook) or Register for a TMO Account