In the last week of October, I started receiving three missed calls every day from four different US numbers (all from Miami, to be precise). It continued for four days. I do not have any relatives, friends or colleagues staying in Miami, so three daily calls made me suspicious. When I checked with a techie friend from the US, he dug out some information using caller ID name (CNAM). Out of these four numbers, one was untraceable, two had the name of a telecom services-provider, and one actually had a person's name.
Most of us receive calls from unknown numbers and strange destinations. For example, I noticed some missed calls (unknown calls are silenced on my phone) from +890683800254, +89988991588, +87200004200, +871000009577, +87100003509 and +97800001243. On doing some digging, I discovered that none of these numbers actually exists and are all spoofed. Mostly, the scammers added extra zeros or a number to create a dummy (spoofed) number. Also these numbers appear to be using the E.164 standard, published by the International Telecommunication Union (ITU). E.164 standard requires that a telephone or mobile number has a maximum of 15 digits, separated as the first one to three digits as a country code and the remaining digits corresponding to the subscriber’s number. In the last four numbers, even if you consider the first three digits represent a country code, nowhere in the world a subscriber number starts with zeros!
Fraudsters are making spoofed calls, displaying numbers different from the original ones as a cover while committing cybercrime and financial fraud. Some calls appear to be originating within India but are being made by cybercriminals from abroad by manipulating the calling line identity (CLI).
According to the Union ministry of communication, such spoofed calls have been misused in recent cases of fake digital arrests, FedEx scams, drugs and narcotics in courier, impersonation of government and police officials, disconnections of mobile numbers by the department of telecommunications (DoT) and the telecom regulatory authority of India (TRAI) officials.
In a
release in May 2024, the ministry says DoT and telecom service-providers (TSPs) have devised a system to identify and block such incoming international spoofed calls from reaching any Indian telecom subscriber and directions have been issued to the TSPs for blocking of such incoming international spoofed calls.
However, as you can see from the examples shared above, the initiative from DoT and TSPs remains a work-in-progress.
Even before that, TRAI came out with a calling name presentation (CNAP) service for Indian telcos. The idea behind CNAP is to allow the customer to see the caller's name (the registered user of that particular number) instead of just a number. It is similar to services provided by the TrueCaller app. While some telcos have started trials of CNAP, there has not been much progress due to technical hurdles. For example, CNAP works on 4G and 5G; thus, the trials are limited to areas where these networks are available.
Another—and a major—issue is the modification in CLI or number spoofing by fraudsters. In that case, implementing CNAP without fixing the number spoofing will be futile. However, since it is a policy issue that needs to be looked into and resolved by the government authorities, we, as a common user, can only expect things to move fast and get implemented.
Let us understand what mobile number spoofing is and how you can safeguard yourself from these frauds.
Mobile number spoofing refers to changing or 'spoofing' the caller ID information that appears on a recipient's phone when receiving a call. In other words, the person making the call can alter the phone number that is displayed, making it appear as though the call is coming from a trusted source—such as a bank, government agency, or even a friend or family member—when it is actually coming from a fraudulent or unknown number.
Mobile number spoofing is becoming increasingly common due to the availability of software and services that allow individuals to mask their caller ID easily. Cybercriminals are using this technology to trick people into trusting the caller (name displayed), thus making them more susceptible to giving out sensitive information.
Mobile number spoofing is used by fraudsters for phishing attacks (e.g., pretending to be a bank and asking for personal or financial information), tech support scams (e.g., pretending to be from a well-known tech company offering to fix non-existent problems on your computer or laptop), loan recovery scams (e.g., impersonating a loan recovery agent to scare people into making payments), Robocalls and telemarketing frauds.
In many countries, especially those with a high number of mobile phone users, spoofing is a significant problem. It is so pervasive that regulatory authorities like the US Federal Communications Commission (FCC) and TRAI have issued warnings, and mobile service-providers are implementing call authentication systems to curb this issue. However, it still remains a common tactic used by fraudsters to gain access to personal data or money from an end user.
While there is no guarantee that you will not receive a call from a spoofed number, here are a few suggestions to save you from unwanted sequences of spoofed number frauds.
1. Enable call blocking & screening
Use built-in call-blocking features: Many smartphones have built-in features to block spam and scam calls. For example, on iOS, you can enable 'silence unknown callers' to automatically silence these calls. You can also send calls from unknown numbers to voicemail.
Third-party apps: Several call-blocking apps like Hiya, Truecaller, or RoboKiller help identify and block potential scam calls based on crowdsourced data. However, remember that these apps also have limitations and cannot tell much about spoofed numbers. For example, when searched, TrueCaller shows +97800001243 (11 digits) as +9197800001243 (13 digits) as a parcel delivery scam. Since India follows a 10-digit numbering system, any number from India will have a maximum of 10 digits, excluding +91, the country code. Here, the app added the country code on its own and failed to identify the number starting from +97.
2. Don't answer unknown numbers
If you receive a call from a number you don't recognise, avoid answering. If it is important, they will usually leave a voicemail, or you can call back on a verified number sourced from the official website or authentic customer service number.
If you do answer and the caller is claiming to be from a legitimate organisation (e.g., your bank), hang up and call the organisation directly using a number you know is legitimate.
3. Don't share personal information over the phone
Never give out personal or financial information like your Aadhaar or PAN numbers, credit card number, or account details over the phone, especially if you did not initiate the call. Be suspicious of unsolicited requests for money, especially from unfamiliar numbers or organisations.
4. Use multi-factor authentication (MFA)
Enable multi-factor authentication (MFA) on your financial, social media, and email accounts. This adds an extra layer of security, so even if scammers trick you into giving away your password, they will not be able to access your accounts without the additional authentication method like a text message or app-generated code.
5. Report suspected spoofing
Report any suspicious calls to your mobile carrier and, in some regions, you can also report them to the authorities such as the Chakshu facility on Sanchar Saathi portal (
sancharsaathi.gov.in). This helps authorities track and potentially prevent future scams.
In some cases, you may also be able to block the specific number through your TSP or your device.
6. Stay informed
Educate yourself about common scam tactics. Awareness is key to identifying fraudulent calls. Be sceptical of unsolicited messages asking for payment or sensitive information.
Many regulatory bodies and consumer protection organisations like TRAI in India, FTC in the US or Action Fraud in the UK provide regular updates on new scams and fraud prevention tips.
7. Use verified contact information
If someone claims to be from a reputable or legitimate organisation like a bank, tax authority, or government, hang up and call them back using the verified contact number from their official website or your account statement.
By staying vigilant, using available technologies, and adopting a healthy level of scepticism, individuals can significantly reduce their risk of falling victim to mobile number spoofing and related scams.