The practice of altering Caller ID information, whether for fraudulent purposes or otherwise, has come to be referred to as "spoofing."
Caller ID spoofing refers to the alteration of Caller ID information (number and/or name) by the originator of a telephone call. Caller ID spoofing is not, in itself, illegal, and it may have legitimate uses:
- Some businesses with a large number of employees may alter the Caller ID information in order to provide a single number for those customers returning calls placed by their employees.
- Telemarketers are required to transmit Caller ID information, but they are allowed to substitute the name of the seller on behalf of which the telemarketing call is placed and the seller's customer service telephone number.
Unfortunately, to the detriment of some telephone subscribers, the ability to manipulate Caller ID information enables a practice known as "vishing." Vishing is the practice of leveraging IP-based voice message technologies to socially engineer the intended victim into providing personal, financial or other confidential information for the purpose of financial reward.
Caller ID spoofing is used in support of vishing:
- Changing Caller ID data helps vishers reinforce their social engineering story and makes it more difficult to track the source of an attack.
Vishing is expected to have a high success rate because:
- Telephone systems have a much longer record of trust than newer, Internet-based messaging.
- A greater percentage of the population can be reached via a phone call than through email.
- There is widespread adoption and general acceptance of automated phone validation systems.
- The telephone makes certain population groups, such as the elderly, more reachable.
- Timing of message delivery can be leveraged to increase odds of success.
- The telephone allows greater personalization of the social engineering message.
- Increased use of call centers means that the population is more accepting of callers from foreign countries asking for confidential information.
The most profitable uses of the information gained through a vishing attack include:
- Controlling the victim's financial accounts
- Purchasing luxury goods and services
- Identity theft
- Making applications for loans and credit cards
- Transferring funds, stocks and securities
- Hiding criminal activities, such as money laundering
- Obtaining personal travel documents
- Receiving government benefits
Caller ID spoofing is relatively easy to accomplish. For individuals with little to no computer knowledge, spoofing services are readily available over the Internet from such providers as SpoofCard.com, CallerIDFaker.com, PhoneGangster.com, telespoof.com, and numerous others.
Spoofing practices will likely vary considerably depending upon the spoofer's purpose and scale of activity, whether the spoofers are casual pranksters forging identities or whether they are more committed, organized, large-scale criminal operators.
The Office of the Attorney General (OAG) recommends that the MN Public Utilities Commission continue its effort to determine whether a technological solution to Caller ID spoofing is feasible. It should be the Commission, not the industry, that determines whether the costs associated with a technological solution outweigh the public benefit of accurate and reliable Caller ID information. Until such a solution is implemented, the OAG recommends that regulatory entities, as well as Caller ID providers, educate consumers about the severe limitations of Caller ID service.