Swatting and phone scams: Hazards of caller ID spoofing

The anonymity caller ID spoofing provides means people regularly fall victim to swatters and phone scammers

When I was a kid in the 60s, 70s and arguably the 80s, the telephone provided me with a source of entertainment. I was able to make a free local call to anyone while maintaining full anonymity. I could pretend to be anyone I wanted to be, ask people if their refrigerator was running and then tell them that they should catch it, or play a multitude of pranks.

Caller ID was not available, so each time you answered the phone there was a great level of anticipation and mystery finding out who was on the other end each time the phone rang.

Today, almost everyone has caller ID with name display. Because of this, your number and name are shown to the person you're calling. And from their perspective, a certain level of confidence is assumed because we believe and trust what we see.

Enter caller ID spoofing and the problem of swatting

Caller ID spoofing is easily accomplished through various services, and several ways exist that provide anonymous calling. The law in the U.S. currently mandates all wireless carriers support 911 from all devices. This includes the popular pay-as-you-go “burner.” Even when there is no active service plan, 911 emergency calling is supported. 

+ More on Network World: FBI warns emergency 911 swatters are a growing menace +

Regrettably, no plan also means there is no telephone number, which translates to no location information in the cellular network or no account identity information. A similar method of hiding identity from police, recently shutdown by the FCC under a special waiver, is the exploitation of the IP Relay Service. It is used by persons who are deaf, deaf-blind, and hard of hearing, as well as individuals who have speech disabilities for calls to 911 originating from unverified devices. 

In the past, these calls had to be passed to police and were a common target for swatters—people who make fake emergency calls in the hopes of eliciting a SWAT-like response from the police.The ability of these pranksters to hide behind a veil of anonymity leaves public safety with no other option but to respond in full force.

Legitimate reasons for blocking or spoofing

Blocking or spoofing a phone number has many legitimate reasons—from exercising your right to anonymity to a doctor wishing to call patients from his private cellphone and doesn't want that private number displayed.

Spoofing services exist that allows a caller to send whatever caller ID they choose, such as their office. Companies calling on behalf of of their clients may want to show their client's telephone number for the very same reasons. Even police investigators and reporters doing research for articles may want to mask their number with one that's legitimate but doesn't personally identify them as an individual.

What about the law? Does the FCC have an opinion on this? As it turns out, indeed they do and have dedicated an entire page on Spoofing and Caller ID. Under the Truth in Calling Act, FCC rules prohibit any person or entity from transmitting misleading or inaccurate caller ID information with the intent to defraud, cause harm or wrongly obtain anything of value. This allows the legitimate uses noted previously to be legal, but protects consumers from those who wish to use this for illegal purposes.

The rules also provide the ability for callers to block their number from being displayed—a capability that must be provided to consumer's free of charge by the carrier. This service is typically activated on a per call basis on most carriers by simply dialing *67 before the number you wish to call. This sets the privacy bit to "TRUE," which causes the caller ID display on the person’s phone that you're calling to show as Private, Anonymous, Unknown or some other text indicating privacy was requested. Similarly, phone numbers that are flagged as unlisted numbers carry this privacy indicator on every call made.

Calling 911

A common question I'm often asked is, "What about 911 calls? Can you block your phone number when calling 911?" No. When you call 911, the public switched telephone network sends your call to a special 911 central office. These central office switches are only for 911 traffic and are set to ignore the privacy flag preset on the account in the case of unlisted numbers, as well as any *67 requests. So, fortunately, using this method to “swat” someone simply doesn't work.

Despite this, there are many other nefarious methods out there, and swatting still occurs. Fortunately, though, police agencies are becoming more familiar with the tactics being used, as well as the social engineering side of the problem, and are taking steps to profile the incidents and train and educate public safety officials and call takers. 

This all plays back into standard data security procedures and maintaining a level of hygiene around your personal data. With identity theft being so rampant, and so much big data being available on the internet, it can be increasingly simple to locate information about a potential target and then impersonate that target as being the primary actor in a horrific event, ultimately provoking a SWAT response—and your home being on the 6 o'clock news.

Con artists’ use of spoofing

In addition to fooling police departments, scammers can use spoofed caller ID for phishing expeditions. Even the Division of Consumer and Business Education at the FTC issued a warning to consumers as recently as this past May: “Don’t rely on caller ID to verify who’s calling. It can be nearly impossible to tell whether the caller ID information is real.” 

To prevent from getting scammed, the FTC recommends the following four tips:

  1. If you get a strange call from the government, hang up. If you want to check it out, visit the official (.gov) website for contact information. Government employees won’t call out of the blue to demand money or account information.
  2. Don’t give out—or confirm—your personal or financial information to someone who calls.
  3. Don’t wire money or send money using a reloadable card. In fact, never pay someone who calls out of the blue, even if the name or number on the caller ID looks legit.
  4. If you feel pressured to act immediately, hang up. That’s a sure sign of a scam.

The FTC also offers consumers a list of steps on their 10 Ways to Avoid Fraud web page, and reminds the public that if you’ve received a call from a scammer, either with or without fake caller ID information that you can easily report it to the FTC online, as well as with the FCC.


Copyright © 2016 IDG Communications, Inc.

The 10 most powerful companies in enterprise networking 2022