HACKER Q&A
📣 fxtentacle

How can scam callers fake a mobile phone number?


I'm with T-Mobile and I just received a phone call on my mobile phone from another number where everything except for the last 3 digits was exactly matching my own number. I found that suspicious, but I was curious enough to pick up the call. The other person greeted me with "We are very important this is Interpol!" in seriously broken English, so I suspected a spam call and hung up to try to call them back. That didn't work because the phone number they were calling me from does not actually exist. Like I immediately get the T-Mobile announcement informing me that this is an invalid number.

Now I am wondering:

- How can a spam caller call me with a source phone number that does not exist?

- Shouldn't my mobile phone network verify that the caller - which was also inside their network - is a valid subscriber? Otherwise, how can they bill someone for this call?

- How does this kind of scam call work technically?


  👤 deadcore Accepted Answer ✓
The how - depending on the protocol.

Signalling System No. 7 - ISDN User Part spec (found here: https://www.itu.int/rec/T-REC-Q.763-199912-I/en) allows you to specify both a calling party number (3.10) and generic number (3.26) (the UK spec adds an additional presentation number so you have 3). This will typically require the help of an operator which is 'connected' to the network on the PSTN. A real business case can be made; like a generic, non geo support numbers appearing on the person's phone instead of the geographical number of the office which called. Either a bit of social engineering or finding a less scrupulous operator is all you really need to do.

SIP has FROM and P-Asserted-Identity headers which follow the same process
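The From versus P-Asserted-Identity distinction from the answer above, as an added example that is not part of the original thread: a Python check a receiving gateway could run on an incoming INVITE to flag a displayed number that the asserted identity does not back up, or that mimics the callee's own number. The sample message, its numbers and hostnames, the finding labels and the three-digit suffix threshold are all constructed for illustration.

```python
import re

# Constructed sample INVITE (not captured traffic): fictional 555-01xx and
# Ofcom drama-range numbers, example.* hosts. The From number differs from the
# called number only in its last digits, as in the question above.
SAMPLE_INVITE = (
    "INVITE sip:+12025550147@carrier.example SIP/2.0\r\n"
    "Via: SIP/2.0/UDP gw.example.net;branch=z9hG4bK776asdhds\r\n"
    'From: "INTERPOL" <sip:+12025550199@gw.example.net>;tag=1928301774\r\n'
    "To: <sip:+12025550147@carrier.example>\r\n"
    "P-Asserted-Identity: <sip:+442079460123@trunk.example.org>\r\n"
    "Call-ID: a84b4c76e66710@gw.example.net\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

COMPACT = {"f": "from", "t": "to"}  # RFC 3261 compact header names


def parse_headers(raw):
    """Map lowercased header name -> list of values for one SIP message."""
    head = raw.split("\r\n\r\n", 1)[0]
    head = re.sub(r"\r\n[ \t]+", " ", head)       # unfold continuation lines
    headers = {}
    for line in head.split("\r\n")[1:]:           # [0] is the request line
        name, sep, value = line.partition(":")
        if sep:
            name = name.strip().lower()
            headers.setdefault(COMPACT.get(name, name), []).append(value.strip())
    return headers


def number_of(value):
    """Digits of the user part of the first sip:/sips:/tel: URI, else None."""
    m = re.search(r"(?:sips?|tel):([^@;>\s]+)", value, re.I)
    digits = re.sub(r"\D", "", m.group(1)) if m else ""
    return digits or None


def assess_invite(raw, suffix=3):
    """Return the numbers found and a list of spoofing signals (not verdicts)."""
    h = parse_headers(raw)
    shown = number_of(h.get("from", [""])[0])     # what the callee's phone displays
    called = number_of(h.get("to", [""])[0])
    asserted = [n for n in map(number_of, h.get("p-asserted-identity", [])) if n]
    findings = []
    if shown is None:
        findings.append("from-not-a-number")
    elif len(shown) > 15:                         # E.164 allows 15 digits at most
        findings.append("from-exceeds-e164")
    if not asserted:
        findings.append("no-asserted-identity")   # nothing vouches for From
    elif shown not in asserted:
        findings.append("from-differs-from-pai")  # can be a legitimate presentation number
    if (shown and called and shown != called and len(shown) == len(called)
            and shown[:-suffix] == called[:-suffix]):
        findings.append("neighbour-number")       # mimics the callee's own number
    return {"shown": shown, "called": called, "asserted": asserted,
            "findings": findings}


if __name__ == "__main__":
    print(assess_invite(SAMPLE_INVITE))
```

A From/P-Asserted-Identity mismatch on its own also occurs with the legitimate presentation numbers the answer mentions, so the findings are inputs to scoring rather than grounds for rejecting a call.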


👤 downrightmike
Caller id is just a user settable field. There are two numbers, ANI which is how telcos are supposed to keep track of who to charge. NO one uses it, because users don't like it. And caller id is sent out on the second ring, but again, user can set that to anything. Corps have to adhere to the TCPA, others don't and SIP calls are cheap and globally routable. https://www.fcc.gov/sites/default/files/tcpa-rules.pdf

👤 TACIXAT
It is actually incredibly easy! If you are using a voip line, it is just a configurable field in the UI. You can do it with any voip phone app (e.g. [1]) and a voip provider (e.g. [2]). I have an old archived video showing it here [3]. It is not so interesting though, just me poking around in a voip provider's UI.

To address the other question about phone providers verifying stuff. SHAKEN/STIR [4] protocols are supposed to address this, but I think the telcos are still in ramp up time.

1. https://www.zoiper.com/

2. https://voip.ms

3. https://odysee.com/@cybering:1/spoofing-call-id-using-voip:2...

4. https://www.fcc.gov/call-authentication#:~:text=STIR%2FSHAKE....


👤 jaywalk
> Shouldn't my mobile phone network verify that the caller - which was also inside their network - is a valid subscriber?

Since the advent of number portability, the area code and prefix no longer signify anything about what carrier a particular number belongs to. You could very easily take your T-Mobile number to Verizon, for example.


👤 gvb
STIR/SHAKEN is supposed to stop the spoofing. For an explanation, see https://en.wikipedia.org/wiki/STIR/SHAKEN

👤 ghostpepper
I live in Canada, and I and most people I know receive spam calls from spoofed numbers on a semi-regular basis.

Sometimes the number is only a few digits off from my number, but other times it has a name like TOLL FREE SERV. A common lure is claiming they are Service Canada or Canada Revenue Agency (or the nonexistent Revenue Canada), and the call will open with nonsensical threats like “A warrant has been placed in your social insurance number”. I have a hunch they often target wealthy international students, as sometimes the messages are entirely in Chinese.

Recently I received three calls in one day. It’s been happening for years, and the phone companies don’t appear to be able/willing/motivated to stop it. Most people I know have just resorted to not picking up calls from unknown numbers.


👤 pwg
Because the design of the original caller-id system allows the initiator of the call to attach any set of numbers they like as the caller-id value that is shown on your phone.

👤 mrozbarry
One thing people don't know is that the phone network is actually a bunch of duct-taped technology that is pretty old. There have been advancements, and if you're in the US, you'll be happy to know that mobile carriers require stir/shaken handshaking, which is _mostly_ equivalent to https on the web (this is a gross simplification).

The short/simple answer is carriers don't care, because they make money when a call is placed on their network. There is also a difference between what is a valid number (digits are correct) vs a real number (someone owns a number). It is cheap for a carrier to check validity, but not "realness" - to check a real number, a carrier may have to do some sort of data request to any number of carriers to determine if the number is owned.


👤 jollybean
Because carriers are arcane companies that have a monopoly on a swath of infrastructure and have little care or perspective on what products and consumer experience amounts to.

They buy and install equipment and sell out the voice/data.

They actively oppose, thwart any kind of thoughtful innovation, competition etc. on anything relating to their networks, because they believe they 'own' the network and therefore 'own' everything going on on top of it.

Remember the 10-cent 'WAP' pages? Tiny, crappy, useless little mobile web pages? And they wanted 10-cents each?

Carriers would originally not sell BlackBerry service. They thought it was stupid to have 'email' on their networks. BlackBerry had to buy data and then sell to the C-suite.

Then, BlackBerry literally became the reason that people wanted to buy data. The carriers then said - you can't buy network and resell it, you must sell your products through us.

Imagine if some private companies controlled all of the roads. Any business wanting to put a car on the road had to pay a toll, and the owners could decide which kinds of cars, when, and for what reason and intervene. They tried to provide the ambulance and transport for everyone and keep messing it up.

It's also an artefact of human organization, even a fairly enlightened community/government body would have difficulty setting clear and appropriate guidance.

The issue becomes problematic when there is a control of a scarce resource.

In truth, it's absurd that people should be able to easily fake 'from' numbers, we should have fixed that a decade ago.


👤 jijji
Being able to set outbound Caller ID is something that is common with SIP providers and T1/PRI providers. The most common case today is using SIP. The billing happens at the provider level, and is not based on the user defined Caller ID field. Anyone can setup an Asterisk instance and make the caller ID value on the outgoing calls whatever they want [1].

[1] https://www.voip-info.org/setting-callerid/


👤 litgab
I just got a call from the Microsoft Security Team. They informed me my computer was highly infected. I spent 1 hour with them executing all cmd commands they wanted & told them the output.

In the end I told them my wifi was broken and the technician should come by soon to fix it. She turned very aggressive and told me to call my brother Internet provider right now, as this is urgent because the hackers are already in my system. I told her to call me again the next day.

I might have forgotten to mention I am using a mac (and had to google the result of all commands & screens). I wanted to set up a VM and trace them or maybe even let them execute a manipulated cmd.exe to create a reverse shell. But after my attempts to buy some time so I could set everything up, they gave up and never called again.

So sad, I am still scared of all the „viruses of very dangerous hackers“…


👤 mark-r
I always figured that the ability to set an arbitrary phone number was a feature for the benefit of large corporate PBX systems. Every person at the company gets their own phone number, but the number of physical connections to the phone company is limited. The PBX can set the identity on an outgoing call to match the phone number of the person who initiated the call, no matter which physical line it uses.

👤 jamal-kumar
Back in the day you used to be able to spoof caller ID using in-band signalling. It was like a few fun sounding handshake tones and some static-sounding data that you would play after the official one, and that was called orange boxing. That was the Bell 202 FSK signal and I remember hearing it on landlines up until a decade ago if the phone was picked up as soon as it started ringing.

In Canada caller ID also includes the name along with the number from Nortel equipment, while in the USA it's just number. Nobody I know has a landline anymore except for businesses because if it's just the odd crazy person who still makes a super annoying life-interrupting phone call, more than half of calls are just fraud shit with spoofed caller ID and everything. It's so easy you could get started doing it yourself with freepbx installed on some 5$ VPS within minutes. Honestly we need better telephony systems, but everything is being completely superseded by chat apps anyways. Again only crazy people give me actual phone calls anymore and I have two lines between two countries.

Fun things to do to the fraudsters: Talk really quietly and when they are like 'sir i cannot hear you' put yourself on speakerphone and YELL into the phone as hard as you can, and you win the game when you can hear them rip their headset off in ear pain because they turned their volume up to hear you. Either that or ask them what they're wearing until they get mad at you and call you homophobic things.


👤 jdofaz
Since you are on T-Mobile verify you have scam id and scam block enabled: https://www.t-mobile.com/support/plans-features/self-service...

> which was also inside their network

A phone number isn't like an IP address, the call isn't coming from that number and almost certainly didn't originate on the T-Mobile network.

The FCC recently reduced the amount of time some companies have to implement STIR/SHAKEN to June 30, 2022.

https://docs.fcc.gov/public/attachments/DA-21-1593A1.pdf

> The Commission recently shortened the extension for a subset of small voice service providers likely to be the source of illegal robocalls.


👤 cryptonector
Signalling system 7 has no authentication.

That's the bottom line.

Adding authentication is pretty obviously not trivial, not just because of protocol upgrade issues, but also because end-to-end authen. won't be easy to add at all, and hop-by-hop authen. w/ something like "egress filtering" won't work in the age of phone number portability.

What might work is a TCP-like return routability test. I.e., have the network ask the ostensible device "did you mean to make this call?", though that might have other issues (think of how SYN spoofing can be used for DDoS attacks).

I.e., preventing caller ID scams is really hard.


👤 icedchai
Caller ID is for "presentation" only, not billing. Anyone with the appropriate access can set their caller ID to whatever they want. Some VOIP providers don't do any validation that you "own" the number you are providing. Years ago, when I had an Asterisk PBX set up using a super cheap SIP provider, you could put anything you wanted in for a caller ID.

There are legitimate use cases for this. Imagine if you are a company with 1000's of physical locations. You want all their calls to appear to be coming from the corporate headquarters.



👤 moron4hire
I think a much better question is, why can scammers spoof a phone number? We hear lots of excuses from the carriers about how this is out of their control, this is how the system works, etc. Why don't they feel like they have a fire lit under their asses to fix the issue?

My immediate guess is that they must make money off of scam calls somehow. A scam call is still a call.


👤 bombcar
This is why I like having my number from where I lived in 2005 (see https://xkcd.com/1129/ ) - any calls from "my area code" are automatically spam unless it is a particular number I know.

👤 Froedlich
Decades ago, an American company called DAK used to sell a box that picked up on an incoming call (land line, pre-cellular era) and played a short message, usually something like "Please enter your extension number" or "enter security code." If the correct code was not entered, it simply hung up. No ring, no answering machine, no hassle.

The nice thing was, you could pass your phone number out to everyone, but it would only ring for the people you gave the code to. And it was easy to manage, just give your number as "555-1212 ext.382" or whatever. And if the code got spread too widely, you could just change it and give anyone you wanted to hear from the new code.

I keep hoping someone will make an app like that for cellular phones, but most people seem to like saving their spam calls in their voicemail boxes to review them later.


👤 notreallyserio
I wish phone calls came with a verified (cryptographically) description of the route a call took to get to me. Then I could use a library/app to filter by source or by bad actor (providers that lie about the route). That would enable services like UBlock Origin, allowing for user-generated blocklists.

👤 winternett
I hate to sound like a conspiracy theorist, but it's pretty easy for a carrier to determine devices that are making spam calls because they log everything, and they could simply create and distribute apps to their customers to enable reporting of spam calls, but somehow for years they've left it up to dodgy 3rd party app providers and the calls keep rolling.

I don't think carriers have any incentive to stop spam calls because they gain a lot of money every year in billing minutes for those spam calls (mostly prepaid accounts are affected by the billing unfortunately)...

I wouldn't dare go as far to say that the calls are possibly even sponsored or conducted by profiteers in the game... (People who sell prepaid and metered phone services)

Just a personal opinion though.


👤 Terry_Roll
> Ask HN: How can scam callers fake a mobile phone number?

International Telephone Standards. VoIP companies like https://www.sipgatebasic.co.uk/tour

And if you set up a VoIP number and a pbx like freeswitch or asterisk, they will send the ringing tones down to the caller so if you have the pbx set to record calls you can listen to what the caller is chatting about whilst they are ringing you, hearing the ringing tone at their end waiting for you to pick up. All a bit spooky but that's the technology for you!

> - How can a spam caller call me with a source phone number that does not exist?

Again they have the VoIP number but when you ring it they can play a dead line tone down to you instead or a ringing tone. With VoIP and Freeswitch/asterisk and probably other PBX's you control all of that.

> - Shouldn't my mobile phone network verify that the caller - which was also inside their network - is a valid subscriber? Otherwise, how can they bill someone for this call?

Depends on the telecoms standards in the country and/or the telecoms provider.

> - How does this kind of scam call work technically?

Any member of the public can set up a VoIP number and PBXs like freeswitch and asterisk and do this.

If it's not a VoIP then telecoms companies and the security services in your country, or maybe your mobile phone is hacked and your mobile has logged onto a local fake cell instead which is slightly different to the VoIP setup above but I don't know how much this device can do. https://en.wikipedia.org/wiki/Stingray_phone_tracker#Active_...

and you can do things like this https://www.wired.com/2010/07/intercepting-cell-phone-calls/


👤 cookiengineer
The easiest way is to have a SIP gateway that uses a too long number to display. Usually it's around 12-13 digits for the subscriber number depending on the country code, so all digits before that (after in SIP) will be cut out on most phones.

I think the relevant spec for that is E.164 which enforces 15 digits overall (1-3 for country code and 12 for subscriber number).

There are also lots of SIP gateways that have an ISP license or a phone provider license. They're the same types that allow to fake the numbers for their customers, and usually you can transfer some still in use mobile numbers to them as well. Because apparently law enforcement doesn't do anything against them.

And yes, never use 2FA via SMS. Never.


👤 toast0
> - How can a spam caller call me with a source phone number that does not exist?

The same way they make a call with any source number. The two source numbers in a call (ANI and CallerID which don't need to be the same) have historically been not required and not validated. See stir/shaken for a modern effort to change this. Coming soon to a carrier near you; maybe.

Being able to set the source number enables many useful things as well as some spam/harassment/fraud uses. It requires a lot of coordination to allow the former and restrict the latter.

TLDR: don't trust caller id. Don't call people back unless you know the number/it's an expected call.

> - Shouldn't my mobile phone network verify that the caller - which was also inside their network - is a valid subscriber? Otherwise, how can they bill someone for this call?

Call billing records don't use caller id in the way you're thinking. If you pay for incoming calls, they're charged regardless of the source number, but it's recorded for informational purposes.

For outgoing calls, the call record is made closer to the source and is tied to the line that made the call, not the source number.

For intercarrier calls (which is almost certainly the case here), the source carrier bills its customer and the interconnecting carriers count minutes on calls and settle up for net difference in flows (calling carrier pays, but interchange fees are going to zero among US carriers).

> - How does this kind of scam call work technically?

Get a phone account where you can set the caller id and calls are cheap; call a lot of people; successfully scam one or two; take the money and run.

Some voip accounts let you set caller id. Traditional primary rate interfaces (T1) usually do too.


👤 barrad0s
I don't know the answer to your question(s), but if you're curious, you can download an app right through the play store to fake your number. I used to prank my friends all the time.

👤 arcticbull
Used to take about 5 minutes to configure an Asterisk [1] PBX, obtain a provisioned DID from a VoIP provider and set your outbound caller ID with Set(CALLERID()) [2]. Doing so allows you to configure both your text label and call-back number.

[1] https://www.asterisk.org/

[2] https://www.voip-info.org/setting-callerid/


👤 seba_dos1
Do you know how e-mail lets you set anything you want in 'From' field and only relies on optional stuff like DMARC to, maybe, verify it?

It's almost exactly the same with phone calls, that 'From' field is just set at a provider level instead of user level - and there are many providers over the world, including some that allow the user to set this field however they like.


👤 taubek
If you hang up be sure that you have really disconnected the line. https://bc.ctvnews.ca/beware-of-the-delayed-disconnect-phone...

👤 tabtab
This should be an easily solvable problem. All calls should come from a paid account and be trace-able to the payee (by the phone company). I don't get why there is so much phone spam. If we need new standards, let's get on it!

👤 awinter-py
seriously, never pick up the phone unless you know the caller. every stranger who calls you is trying to waste your time in some way

even 'legit' businesses that call you from random numbers are basically a spam channel / are training you to get phished -- for example health insurance and credit card. every time I call back on their official # to ask what they want, it's 10-20 minutes to figure out what they wanted (if they even know!)

we somehow aren't a society that can legislate to prevent spammers from using the phones. at this point let's pivot and punish legit businesses who use the phones to waste my time


👤 zitterbewegung
They are doing ANI spoofing. By using a service they can show you any number you want. The law only states that you can’t do this if you are trying to commit a crime.

👤 bloodcarter
Try https://assistant.dasha.ai/ to block such calls.

👤 smegsicle
paris hilton knew how to do it back in 2006, checking lindsay lohan's voicemail by pretending to call her from her own phone

https://www.infoworld.com/article/2658949/paris-hilton-accus...


👤 hungryforcodes
Just never answer the phone. If they really want to talk to you -- they'll find another way.

👤 smeej
Hoping this is something that doesn't need to be said here, but just in case:

This is why you should NEVER provide personal information over the phone if you didn't initiate the call. It doesn't matter if your caller ID says it's your doctor's office or your bank or whatever.

Hang up and call them back at the number you normally use to reach them, from their website or the back of your credit/debit card for example. Make sure you're talking to the people you think you are.

Otherwise they can phish all kinds of info out of you.