Why trust in phone numbers is eroding, and what we must do about it

TL;DR

• Caller ID can be faked, hijacked, or misused, and it often is.
• Telecom infrastructure still relies on trust, not proof, making spoofing trivial for bad actors.
• Even real numbers can be taken over via SIM swap attacks.
• STIR/SHAKEN is a partial fix, but not adopted globally, and not effective against legacy systems.
• Trust the call? Only if you can prove the source.

Prefer to listen instead? We got you.

A Familiar Ring, And a Warning Sign

This morning, I noticed a missed call from a mobile number while waiting for a legitimate callback. Curious, I looked it up on a “who called me” website, it came back neutral. So I called it back. Within seconds, I was met with a recorded message: “This number is not in service.”

I’d likely just witnessed a spoofed call in the wild.

I used https://who-called.co.uk to check the number beforehand, a useful tool for spotting suspicious patterns or scam reports, even though this one came back as ‘neutral’ at the time.

We trust caller ID far more than we should. Most of us don’t question the numbers that flash across our screens. We assume if the number looks familiar, local, or official, it must be genuine. But those assumptions no longer hold. This post explores how caller ID is being undermined, what’s really going on beneath the surface, and what we can all do about it.

Caller ID Still Works. But It’s No Longer Proof.

Let’s be clear: caller ID hasn’t stopped working. Most of us rely on it daily, recognising friends, taking delivery updates, returning missed calls. In low-risk, casual contexts, it still adds convenience.

But the moment trust matters, when money, authority, or urgency enter the picture, caller ID breaks down.

I’ve even fallen for the classic premium-rate trap: call back a seemingly normal number, only to be charged heavily for a service you didn’t request.

It’s a system designed for a simpler time, and attackers are now exploiting that simplicity.

When a call is made:

• The originating carrier tells the network what number to display.
• The network passes it along, largely without question.
• Your phone simply shows what it’s told, even if it’s a lie.

A Broken Trust Model in Telecoms

Unlike modern digital systems that use cryptographic proof (think HTTPS, JWTs, SSO), telecom identity is built on trust, not verification.

When a call is made:

• The originating carrier tells the network what number to display.
• The network passes it along, largely without question.
• Your phone simply shows what it’s told, even if it’s a lie.

This design is a relic from a time when phone providers were few, borders were respected, and fraud wasn’t globalised. Today, with cheap VoIP, cross-border SIP trunking, and grey routes, any number can be faked, including mobiles, landlines, 0800 numbers, government helplines, and even the police.

Spoofing Is Now a Tool, Not a Trick

Caller ID spoofing was once the preserve of well-funded cybercrime groups, intelligence agencies, and nation-state actors, organisations with the resources and infrastructure to build or co-opt international telecom networks. But that’s no longer the case.

Today, this capability is increasingly available to opportunistic scammers, mid-tier fraud rings, and even lone actors with enough cryptocurrency and curiosity. The barrier to entry has dropped dramatically:

• Spoofing-as-a-service platforms exist on Telegram and dark web forums
• Grey-market SIP trunking providers offer caller ID injection with little vetting
• SIM farms, GSM gateways, and VoIP kits can be purchased online for under £500
• Some actors simply rent pre-configured setups for campaigns on demand

Return on investment is shockingly high. One scam campaign impersonating HMRC or a bank can yield thousands in a day. And for persistent actors, the setup costs are offset quickly, especially when targeting the vulnerable or running international operations.

This evolution has turned spoofing from a niche TTP into a scalable fraud business model.

Bad actors can spoof a number in minutes using:

• SIP trunking providers that accept custom “From” headers
• GSM gateways or SIM farms that blend international traffic into domestic routes, often used in termination fraud or to obscure true call origins.
• Off-the-shelf spoofing services available on Telegram or the dark web

They pair this with urgent scripts, leaked personal data, and, increasingly, AI voice cloning, making their pitch even harder to question.

We’re not in the age of spoofing experiments.
We’re in the age of spoofing infrastructure.

Sometimes They Don’t Spoof. They Take Over.

As I was writing this article, my LinkedIn feed served up a stark reminder of how deep this rabbit hole goes: a breaking story about a major telecom breach.

In April 2025, SK Telecom, South Korea’s largest mobile provider, disclosed a breach where attackers accessed sensitive SIM card metadata. While names and financials weren’t exposed, the attackers gained access to internal SIM provisioning data.

This kind of breach opens the door to SIM swap attacks, a form of telecom identity hijacking. Unlike spoofing, where a caller fakes the number they’re calling from, SIM swapping involves convincing or compromising the mobile network to transfer your real number to a new SIM card under the attacker’s control.

Once done, they receive your calls, SMS messages, and can often bypass SMS-based 2FA protections. The number is real. The infrastructure is real. But the person receiving the communication isn’t you.

Even when the number is genuine, the person answering might not be.

Traditionally, SIM swaps were seen as tools of nation-state actors, espionage units, or criminal syndicates targeting high-profile individuals, CEOs, journalists, dissidents, or fintech executives.

However, they’ve increasingly been used in broader financial fraud and cryptocurrency theft schemes. While they remain more complex than spoofing, SIM swaps have been seen targeting ordinary consumers, especially those with exposed credentials, reused passwords, or publicly available personal data.

This wasn’t a spoofed number. It was a real number, with the network infrastructure behind it quietly compromised. This breach highlights the fragility of our assumptions around telecom identity. Trusting the number on your screen assumes the entire chain, from network to SIM to voice path, is uncompromised. That assumption no longer holds.

Source:
https://www.bitdefender.com/en-us/blog/hotforsecurity/hackers-access-sensitive-sim-card-data-at-south-koreas-largest-telecoms-company/

Why Has It Taken So Long to Fix?

The telecom industry has been slow to evolve, for several reasons:

• The protocols (SS7, SIP) were never designed for proof-based identity
• Spoofing often happens across international routes, where no single regulator can intervene
• Some VoIP aggregators profit from high-volume grey traffic and have little incentive to enforce stricter controls
• The average consumer still believes “if the number looks right, it must be safe”

Even with the rollout of newer protocols like SIGTRAN, SCTP, and Diameter, the core problem remains: telecom signalling still assumes inherent trust between networks. SIGTRAN simply moves legacy SS7 traffic onto IP, without changing its fundamental insecurity. And while Diameter is used in LTE and 5G, it still relies on trusted relationships between carriers, meaning a compromised peer can inject rogue traffic just like before.

The protocols evolved, but the trust model didn’t.

And what about 5G, the current darling of mobile infrastructure? While 5G introduces improvements in network slicing, user plane integrity, and encryption, its signalling layer still relies on Diameter and roaming trust. Many 5G implementations are non-standalone (NSA), using 4G LTE cores, so they inherit legacy vulnerabilities. Even in standalone 5G (SA), if interconnects and carrier relationships remain weakly authenticated, identity assertions can still be spoofed or subverted. In short: 5G adds performance, but not always identity assurance.

STIR/SHAKEN: A Step Forward, Not a Cure

Surprisingly, in a space where Europe often leads in digital privacy and regulation, it’s the United States that has taken a more assertive stance on authenticating telecom traffic. The introduction of STIR/SHAKEN marks a rare case where U.S. regulatory and industry collaboration outpaced global peers.

The U.S. Federal Communications Commission (FCC), empowered by the TRACED Act (Telephone Robocall Abuse Criminal Enforcement and Deterrence Act), mandated that major carriers implement STIR/SHAKEN by 30 June 2021. The TRACED Act, passed in 2019, gave the FCC the authority to enforce stronger measures against illegal robocalls and caller ID spoofing, and was a pivotal moment in establishing accountability across U.S. telecoms.

The framework applies to SIP-based (VoIP) calls within the U.S., but:

• It does not cover legacy SS7 networks or calls that cross international borders
• Rogue and non-participating VoIP providers remain a loophole
• Not all devices or carriers reliably show verification status to end users

So while the U.S. is ahead in rolling out a signed caller ID framework, calls within the country are still not guaranteed safe, and spoofing threats remain for many scenarios, particularly cross-border or legacy traffic.

The U.S. introduced STIR/SHAKEN, a framework for digitally signing caller ID data, to combat spoofing on VoIP networks.

It works by:

• Having carriers cryptographically sign the caller ID metadata
• Verifying the signature at the destination network
• Displaying “verified” or “partially verified” labels where possible

But:

• STIR/SHAKEN only applies to SIP-based (VoIP) calls. It does not work on traditional SS7 or other legacy signalling systems, which still carry a significant share of voice traffic
• It’s not globally mandated, so international spoofing still bypasses it
• The UK and EU lag behind in adoption

Without a global trust framework or enforcement, it’s patchwork at best.

Rethinking Caller ID as a Trust Signal

Caller ID was designed to be helpful, not to serve as proof of identity. Today, that distinction matters more than ever.

It’s easy to equate a recognisable number with trust. But just like the “From” field in an email, caller ID can be faked, manipulated, or stolen, and it often is. The number on your screen tells you who the caller claims to be, not who they truly are.

So what should Caller ID be?

Think of it as display metadata, a clue, not a credential.

Just as cybersecurity professionals know not to trust a domain name without validating the certificate behind it, we now need to teach ourselves, and others, to interpret Caller ID cautiously:

• Was the call expected?
• Is the number one you dialled or verified independently?
• Does the request feel rushed, secretive, or high-pressure?
• Would you act the same way if the number were anonymous?

This isn’t about fear. It’s about informed caution.

Caller ID can still play a role in convenience and context, but when the stakes are high, we have to lean on verification, not assumption.

Trust should be earned based on:

• Call context (was it expected?)
• Channel separation (did you initiate it?)
• Independent verification (can you call them back on a known number?)

So What Needs to Change?

Caller ID spoofing isn’t a problem that can be solved by users alone. It’s a systems issue, rooted in legacy protocols, weak enforcement, and a lack of global alignment. Addressing it requires action from telecom providers, regulators, and individuals at every risk tier, from everyday consumers to journalists, executives, and public figures.

For the Telecom Industry:

The telecoms ecosystem needs to reintroduce accountability at the protocol level.

• Implement call authentication where technically possible, SIP, VoIP, or local equivalents
• Block unverifiable or suspicious calls at the network edge, not the handset
• Display verification status clearly on handsets and calling apps
• Ensure that caller ID presentation aligns with verified origins, not just what was received

For Regulators and Governments:

The UK and many European regulators have now explicitly rejected STIR/SHAKEN, not due to inaction, but because it doesn’t align with local telecom infrastructure. Ofcom has instead proposed alternatives like the Common Number Database (CDB), published as NICC ND1214, which could provide better caller authentication within UK and EU networks.

At the same time, governments must:

• Mandate caller authentication frameworks tailored to national infrastructure
• Support international number validation agreements to reduce grey-route spoofing
• Recognise that telecom impersonation is a cybersecurity issue, not just a nuisance
• Prioritise the transition away from legacy PSTN systems with safety for vulnerable users in mind

For Individuals, With Different Risk Profiles:

Your response depends on your exposure. For most people:

• Be cautious with unexpected calls, especially those requesting personal or financial data
• Cross-check important numbers with trusted sources before engaging
• If in doubt, hang up and call back via official channels

For higher-risk groups (journalists, activists, executives):

• Avoid sharing sensitive information over unsecured calls
• Consider using end-to-end encrypted call apps when practical
• Be aware of SIM swap and spoofing risks, and review telecom account protections

Ultimately, this is about recognising that the number on your screen is no longer enough. Trust needs to be contextual, layered, and verified, not assumed by default.

Caller ID Is Dying. Long Live Caller ID.

We’re not throwing it out, but we must reframe how we use it.

Caller ID still helps with context. But trust must move up the stack, toward cryptographic validation, verified infrastructure, and situational awareness.

Until then, treat every unexpected call like a knock on the door from a stranger in uniform:

Check the badge. Don’t just read the label.

In a world where anyone can wear a convincing disguise, the smartest response is no longer instinct, it’s verification.

Join the Discussion

Have you received a spoofed call lately? Do you work in telecoms, cybersecurity, or policy? I’d love to hear your thoughts, whether you’ve seen this trend firsthand or have a view on what needs to change.

Drop a comment or message me, let’s keep the conversation going.