BreachExpress

Cybersecurity, explained for the rest of us.

Phishing & Scams

Spoofed Caller ID: Why Your Own Number Is Calling You

Margot 'Magic' Thorne@magicthorneMay 16, 202611 min read
A smartphone screen showing an incoming call from the user's own phone number

You glance at your phone. The screen shows an incoming call. The number on the display is your own.

For a moment, you wonder if you're looking at a glitch. Then you wonder if someone cloned your phone. Then you answer, because you need to know what's happening.

A recorded voice tells you your Social Security number has been suspended due to suspicious activity. Press 1 to speak with an agent. Press 2 to, you hang up.

What you just experienced is caller ID spoofing, and it's one of the more disorienting variations of a decades-old phone scam. The call didn't come from your phone. No one hacked your device. The scammer simply told the phone network to display your number when the call arrived.

Here's how it works, why it's legal for legitimate uses but abused for fraud, and what you can actually do when your own number shows up on your screen.

The mechanism behind caller ID spoofing

Caller ID was added to the phone system in the 1980s. It transmits the calling number as a separate data signal before the voice connection establishes. The receiving phone reads that signal and displays the number.

The system was designed with trust assumptions that no longer hold. The network doesn't verify that the number in the caller ID signal matches the number actually placing the call. It just displays whatever number gets sent.

VoIP services (Voice over Internet Protocol, the technology behind most modern business phone systems and many residential services) made spoofing trivial. When you place a call through VoIP, you're sending data packets, and one of those packets contains the caller ID field. You can set that field to any number you want.

Some VoIP providers offer legitimate spoofing as a feature. A business with multiple locations might want all outbound calls to display the main customer service number, regardless of which office is calling. A doctor calling a patient from a personal cell phone might want the office number to appear instead.

The same technology that enables those legitimate uses also enables fraud. Scammers use VoIP services to place calls with spoofed caller IDs. Some services explicitly prohibit spoofing for fraudulent purposes, but enforcement is inconsistent. Others operate outside U.S. jurisdiction and don't enforce restrictions at all.

When a scammer spoofs your own number, they're exploiting a specific psychological response. Most spoofed calls use fake business numbers (banks, government agencies, tech support companies) to impersonate authority. Spoofing your own number creates confusion instead. You answer because the situation doesn't make sense, and that moment of confusion is the opening the scammer needs.

Why this tactic works

The FTC's 2024 Consumer Sentinel Network Data Book reports that imposter scams accounted for around $2.7 billion in losses that year. Phone calls remain a primary delivery method, and spoofed caller ID increases answer rates.

When you see your own number calling, you're facing a scenario your brain hasn't categorized yet. You know it shouldn't be possible, but there it is. That cognitive dissonance creates a brief window where you're more likely to engage.

Once you answer, the scam follows a familiar pattern. The most common version is the government imposter: your Social Security number has been suspended, there's a warrant for your arrest, your benefits are in jeopardy. The FTC's guidance on imposter scams describes the core tactics: urgency, authority, and consequences if you don't act immediately.

Other variations include tech support scams (your computer has been compromised, call this number to fix it), financial scams (fraudulent charges on your account, verify your information to stop them), and utility scams (your power will be shut off unless you pay immediately).

The spoofed number is just the opener. The actual scam happens in the conversation that follows. The goal is to extract money (usually through wire transfer, gift cards, or cryptocurrency) or personal information (Social Security numbers, bank account details, passwords).

Some calls are fully automated robocalls. Others connect you to a live person once you press a button. The live-person version is often more effective because the scammer can adapt to your responses and build a more convincing narrative.

What the law says

The Truth in Caller ID Act, passed in 2009, makes it illegal to spoof caller ID with the intent to defraud, cause harm, or wrongfully obtain anything of value. Violators face fines up to $10,000 per violation.

The law doesn't prohibit spoofing itself. It prohibits spoofing for fraudulent purposes. That distinction matters because legitimate spoofing is common and useful. The law targets intent, not technology.

Enforcement is difficult. Many spoofing operations run from outside the United States, beyond the reach of U.S. law enforcement. Even domestic operations are hard to trace because VoIP calls can be routed through multiple providers across multiple countries before reaching your phone.

The FCC has taken action against some spoofing operations, but the scale of the problem exceeds enforcement capacity. Researchers estimate that around half of all calls to U.S. phones are scams or spam, and a significant portion use spoofed caller ID.

Phone carriers have implemented technical measures to reduce spoofing. STIR/SHAKEN is a framework that verifies caller ID authenticity before the call reaches your phone. When a call passes verification, your phone displays a checkmark or "Verified" label. When verification fails, some carriers label the call "Scam Likely" or block it entirely.

STIR/SHAKEN works, but it's not universal. Not all carriers have implemented it. Not all calls pass through systems that support it. International calls often bypass verification. And scammers adapt by using numbers that pass verification (often by compromising legitimate business phone systems) or by rotating through numbers faster than carriers can block them.

What happens when you answer

If you answer a call from your own number, you'll typically hear one of three things.

First possibility: silence, followed by a disconnect. This is an automated system testing whether your number is active. If you answer, your number gets flagged as valid and added to lists sold to other scammers. You've just made yourself a more attractive target.

Second possibility: a recorded message. Government imposter scams are the most common. The recording claims to be from the Social Security Administration, the IRS, or law enforcement. It describes a problem (suspended benefits, unpaid taxes, an arrest warrant) and instructs you to press a number to speak with an agent.

If you press the number, you connect to a live scammer who will try to extract payment or personal information. The conversation is designed to keep you off-balance. The scammer may use official-sounding language, reference real government procedures, or transfer you to a "supervisor" to add credibility.

Third possibility: a live person from the start. This version often begins with a question designed to get you to say "yes." ("Can you hear me?" is a common opener.) Some scammers record your "yes" response and use it to authorize fraudulent charges, though this tactic is less common than the panic around it suggests.

The live-person version then pivots to the actual scam. Tech support scams often start here, with the caller claiming to be from Microsoft or Apple and warning you about malware on your computer. Financial scams might claim to be from your bank's fraud department, asking you to verify recent transactions.

The common thread across all variations: urgency. The scammer wants you to act before you think. They want payment now, information now, access to your computer now. They want you to make decisions in a state of fear or confusion.

The cultural reference that fits

In You've Got Mail, Kathleen Kelly runs a small bookstore competing against a corporate chain. She knows her customers personally, remembers their preferences, builds relationships over time. The chain store uses data, scale, and impersonal efficiency to undercut her on price.

The caller ID spoofing scam works the same way, but inverted. The scammer isn't trying to build a relationship. They're trying to exploit the one piece of information that should be uniquely yours, your own phone number, to create a moment of trust through confusion.

Kathleen's bookstore fails not because her service is worse, but because the economics don't scale. Caller ID spoofing succeeds for the opposite reason: it scales perfectly. One scammer can place thousands of calls per hour using automated systems, spoofing a different number for each call, testing which psychological hooks work best.

The personal touch that made Kathleen's bookstore valuable is exactly what the scammer is faking. They're not trying to know you. They're trying to make you think the call is somehow connected to you because it's coming from your own number.

How to respond

If you see your own number calling, don't answer. There is no legitimate reason for your own number to appear on an incoming call. It's always spoofing, and it's always a scam.

If you've already answered, hang up immediately. Don't press buttons. Don't follow instructions. Don't engage with questions. Just disconnect.

Don't call the number back. You can't call yourself, and attempting to do so won't reach the scammer. It will either fail or, in some cases, connect you to a different scam operation that monitors for return calls to spoofed numbers.

Report the call to the FTC at ReportFraud.ftc.gov. The FTC uses these reports to identify patterns, track scam operations, and coordinate enforcement actions. Individual reports rarely lead to immediate action, but aggregate data drives policy and prosecution.

Report it to your phone carrier. Most carriers have dedicated fraud reporting channels. AT&T customers can forward spam texts to 7726 (SPAM) and report calls through the AT&T Call Protect app. Verizon offers similar reporting through the Verizon Call Filter app. T-Mobile has Scam Shield. Check your carrier's website for specific instructions.

Some carriers allow you to block your own number. This is a workaround that stops this specific spoofing tactic. The scammer will simply switch to a different number, but blocking your own number prevents the cognitive dissonance that makes this variation effective.

Third-party call-blocking apps (Nomorobo, RoboKiller, Hiya, and others) can also block calls from your own number. These apps maintain databases of known scam numbers and use algorithms to identify likely scams based on call patterns. They're not perfect, but they reduce volume.

Enable your carrier's built-in spam protection if available. Most carriers offer free spam labeling and paid spam blocking. The free tier labels suspected scam calls as "Scam Likely" or similar. The paid tier blocks them before your phone rings.

Do not give out personal information over the phone to unsolicited callers, regardless of what number appears on caller ID. If someone claims to be from your bank, your utility company, or a government agency, hang up and call the organization directly using a number you find independently (from your bill, from the official website, from the back of your credit card).

Do not make payments via wire transfer, gift cards, or cryptocurrency based on phone instructions. Legitimate organizations do not demand payment through these methods. If someone insists on one of these payment methods, it's a scam.

If you've already provided information or made a payment, act immediately. If you gave banking information, contact your bank to freeze your accounts and dispute fraudulent charges. If you gave your Social Security number, place a fraud alert on your credit reports through one of the three major credit bureaus (Equifax, Experian, TransUnion). If you sent money, contact the payment service to attempt recovery, though success rates are low.

File a report with the FBI's Internet Crime Complaint Center (IC3). The IC3 tracks internet-enabled crimes, including phone scams that originate through VoIP. Their 2024 Internet Crime Report shows that phone-based scams continue to generate substantial losses, and reporting helps build cases against organized operations.

Why this won't stop

Caller ID spoofing persists because the cost-benefit ratio favors scammers. The technology is cheap, the scale is massive, and the success rate is high enough to justify the effort.

A single scammer using automated systems can place thousands of calls per day. Even a 1% answer rate yields dozens of potential victims. Even a 1% conversion rate among those who answer yields real money.

Enforcement is reactive and slow. By the time a specific spoofed number gets blocked, the scammer has moved to a different number. By the time a VoIP provider shuts down an abusive account, the scammer has opened accounts with other providers.

Technical solutions like STIR/SHAKEN help, but they're not comprehensive. International calls often bypass verification. Compromised legitimate phone systems can pass verification while still being used for fraud. And scammers continuously test new tactics to evade detection.

The fundamental problem is that the phone system was designed for a different era. Caller ID was added when long-distance calls were expensive and phone fraud was rare. The system assumed that the number in the caller ID field was accurate because there was no incentive to lie.

VoIP eliminated the cost barrier and made spoofing trivial. The incentive structure flipped. Now the default assumption should be that caller ID is unreliable, but the system still treats it as trustworthy.

Changing that assumption requires changing how people think about phone calls. For decades, caller ID has been treated as a reliable identifier. Teaching people that it's not, that any number can be spoofed, including their own, is a slow cultural shift.

What you can control

You can't stop scammers from spoofing your number. You can't prevent your own number from appearing on someone else's phone when a scammer uses it. You can't make the phone system verify caller ID universally.

What you can control is how you respond when you see your own number calling.

Don't answer. Don't engage. Don't assume the call is legitimate just because the number looks impossible.

Report it. The FTC and your carrier both need data to identify patterns and take action.

Block your own number if your carrier or app allows it. This is a narrow fix for a specific tactic, but it removes one psychological hook.

Extend the same skepticism to any unsolicited call, regardless of what number appears. Caller ID is not authentication. A call that claims to be from your bank is not from your bank just because the number matches. A call that claims to be from a government agency is not from that agency just because the caller ID says so.

If someone calls claiming to represent an organization, hang up and call back using a number you verify independently. This applies to banks, utilities, government agencies, tech companies, and any other organization that might contact you.

Treat your phone number the way you treat your email address: as a public identifier that anyone can spoof. You wouldn't trust an email just because the "From" field says it's from your bank. Apply the same logic to phone calls.

The spoofed-caller-ID scam works because it creates a moment of confusion. You see something impossible, and your brain tries to make sense of it. In that moment, you're vulnerable.

The defense is to recognize that the impossible thing on your screen is just data, and data can be faked. Your own number calling you isn't a mystery. It's a scammer using a cheap trick to get you to answer.

Don't give them the satisfaction.

A phone screen with a declined call and the FTC reporting interface visible
→ Filed under
caller ID spoofingphone scamsvishingimpersonation scamsvoice phishingrobocalls
ShareXLinkedInFacebook

Frequently asked questions

No. What you're seeing is caller ID spoofing, where scammers manipulate the phone system to display any number they want. Your phone isn't calling itself.
No. Caller ID spoofing doesn't require access to your device. The scammer is manipulating data sent through the phone network, not your phone itself.
Your own number creates confusion and curiosity. You're more likely to answer a call that looks impossible, and that moment of confusion makes you vulnerable to the scam pitch that follows.
Hang up immediately. Don't engage, don't press buttons, don't follow instructions. Then report it to the FTC and your phone carrier.
Some carriers and call-blocking apps allow you to block your own number. It's a workaround that stops this specific tactic, though scammers will simply switch to a different spoofed number.

You might also like

Split screen showing a traditional phishing email with obvious errors next to a polished AI-generated version with perfect grammar
Phishing & Scams

Why Phishing Emails Are Getting Better with AI: Separating Hype from Reality

AI-generated phishing is real, but the threat isn't what the headlines suggest. Here's what's actually changing, what's staying the same, and how to recognize it.

11 min · Margot 'Magic' Thorne · May 15

Abstract visualization of AI language model generating phishing email text with targeting parameters
Phishing & Scams

AI Phishing Emails: How Machine Learning Changes the Attack

AI-generated phishing uses language models to craft personalized, grammatically flawless emails at scale. Here's the mechanism, what makes it different, and how to recognize it.

12 min · Margot 'Magic' Thorne · May 14

Smartphone screen displaying incoming call with 'Scam Likely' warning label and decline button highlighted
Phishing & Scams

Robocalls in 2026: Step-by-Step Guide to Actually Stop Them

Robocalls exploit outdated phone systems and lax enforcement. Here's the step-by-step method to reduce them using carrier tools, device settings, and FTC reports.

12 min · Margot 'Magic' Thorne · May 12