Caller ID Spoofing: How It Works, Why It's Illegal, and What Carriers Do About It
If you run outbound campaigns at any volume, you have thought about caller ID. You have probably also watched your answer rates drop and wondered whether your numbers are getting flagged — or whether someone else is spoofing numbers in your area code and poisoning the well for everyone. Caller ID spoofing is one of the most misunderstood topics in telecom. Operators conflate legitimate CID management with illegal spoofing. Carriers conflate spoofing with fraud. Regulators conflate everything into enforcement actions that sometimes hit legitimate businesses.
This article is written by SIPNEX, an FCC-licensed carrier that holds its own STIR/SHAKEN Service Provider certificate. We sign outbound calls with our own cryptographic keys. We see spoofing attempts on our network and we block them. Everything below comes from the carrier side of the problem — not from a compliance consultant reading the statute, but from the people who implement the technical controls.
What caller ID spoofing actually is
Caller ID spoofing is presenting a phone number on an outbound call that does not belong to you or that you are not authorized to use. At the technical level, it is trivially easy. When your PBX or dialer places a call over a SIP trunk, it constructs a SIP INVITE message. That message contains a From header and optionally a P-Asserted-Identity header. The From header is what most carriers use to determine the caller ID displayed to the recipient. Your system sets this value. If your carrier does not validate it, you can put anything in that field — any 10-digit number, whether you own it or not.
Before STIR/SHAKEN existed, there was no standardized mechanism for carriers to verify whether the calling number in the From header actually belonged to the caller. The originating carrier trusted its customer. The terminating carrier trusted the originating carrier. The recipient’s phone displayed whatever number it received. The entire system ran on trust, and that trust was exploited at industrial scale by robocallers, scammers, and fraud operations.
The distinction between spoofing and legitimate CID management matters. If you operate a call center and you display your main business number on outbound calls instead of individual agent DIDs, that is not spoofing — you own that number and you are authorized to use it. If you rotate through a pool of DIDs that your carrier provisioned to your account, that is not spoofing — those are your numbers. If you present a number you found on the internet, bought from a shady DID broker, or simply invented, that is spoofing regardless of your intent.
The technical mechanism is the same in both cases — your system sets the From header. The difference is authorization. Do you have the legal right to present that number? Did your carrier verify that right before signing the call? Those two questions determine whether you are managing caller ID or spoofing it.
The law: Truth in Caller ID Act and FCC enforcement
The primary federal law governing caller ID spoofing is the Truth in Caller ID Act, codified at 47 U.S.C. § 227(e). The statute makes it illegal to “cause any caller identification service to knowingly transmit misleading or inaccurate caller identification information with the intent to defraud, cause harm, or wrongfully obtain anything of value.”
Three elements must be present for a violation: the caller ID must be misleading or inaccurate, the transmission must be knowing (not accidental), and there must be intent to defraud or cause harm. This means that accidentally displaying a wrong number due to a misconfigured PBX is not a federal offense — though it may still trigger carrier-level consequences. Deliberately presenting a bank’s phone number to trick consumers into sharing account information is a clear violation.
The FCC enforces the Truth in Caller ID Act with penalties up to $10,000 per violation and up to $1,000,000 for ongoing violations. The Commission has pursued enforcement actions against both individual robocall operations and the carriers that facilitated them. In recent years, the FCC has expanded its focus upstream — going after originating carriers and gateway providers that allow spoofed traffic onto the US telephone network. If you are a carrier that lets spoofed calls through, you are now a target alongside the caller.
The FCC’s 2024 and 2025 enforcement actions accelerated this trend significantly. The Commission issued cease-and-desist orders to multiple gateway providers, required downstream carriers to block traffic from non-compliant originators, and imposed forfeiture orders in the tens of millions of dollars. The message is clear: the FCC is treating spoofing as a network integrity problem, not just a consumer protection issue.
State laws add additional layers. Several states have their own anti-spoofing statutes with criminal penalties. Florida, for example, classifies certain spoofing as a felony. California’s law extends beyond the federal statute to cover spoofing without the intent requirement in certain contexts. If you operate nationally, you are subject to the strictest applicable state law for each call you place.
How STIR/SHAKEN fights spoofing at the carrier level
STIR/SHAKEN is the technical framework that finally gives the telephone network a way to verify caller ID claims. Here is how it works from the carrier’s perspective.
STIR (Secure Telephony Identity Revisited) is an IETF standard for cryptographic signing of caller ID. SHAKEN (Signature-based Handling of Asserted information using toKENs) is the implementation framework developed by ATIS and the SIP Forum for deploying STIR on production SIP networks. Together they allow the originating carrier to make a verifiable, cryptographic assertion about the calling number.
When SIPNEX originates a call, we evaluate the calling number against our records. Is this DID assigned to the customer placing the call? Did we provision it or verify it through a port? Based on that evaluation, we assign an attestation level:
A-level (Full Attestation): We have a direct customer relationship with the caller AND we have verified that the caller has authority to use the phone number. This is the gold standard. The call is signed with our SP-KI private key and an Identity header is attached to the SIP INVITE. When the terminating carrier validates the signature, it can confirm that an FCC-authorized carrier verified the number. The recipient’s phone displays “Verified Caller” or equivalent.
B-level (Partial Attestation): We have a direct customer relationship but cannot verify authority over the specific phone number. This happens when a customer presents a number we did not provision — perhaps a number they ported from another carrier where the port paperwork is still processing, or a number they claim to own but have not yet verified with us.
C-level (Gateway Attestation): The call entered our network from another carrier or gateway. We can identify the upstream source but cannot verify anything about the actual caller or the number. Gateway traffic gets C-level at best.
The critical insight for operators: a spoofed call cannot receive A-level attestation from a compliant carrier. The guarantee comes from the carrier’s records check, not from the cryptography alone: the signature proves which carrier made the claim, and the attestation level is what that carrier was willing to claim. If the number does not belong to the caller and the carrier’s database reflects that, the signature will not claim full attestation. This is why attestation level directly impacts answer rates: terminating carriers and call-blocking apps increasingly use it as a signal. A-level calls pass through. B-level and C-level calls get scrutinized, labeled, or blocked.
The network effect makes spoofing progressively harder. As more carriers implement STIR/SHAKEN (the FCC mandate requires it for all carriers with IP infrastructure), the unsigned or B/C-signed call becomes the anomaly. The unsigned call that would have sailed through in 2019 now triggers spam labels on most handsets.
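To see what attestation a carrier actually put on a call, an operator can decode the Identity header from an INVITE captured at the far end. The following is an added example, not SIPNEX code: it reads the PASSporT claims and checks them against the call, but it does not verify the ES256 signature, so treat it as a diagnostic aid. The claim names follow the SHAKEN PASSporT format; the sample header, certificate URL and function names are constructed for illustration.

```python
import base64, json, time

def b64url_json(part):
    """Decode one base64url PASSporT segment into a dict."""
    return json.loads(base64.urlsafe_b64decode(part + "=" * (-len(part) % 4)))

def parse_identity(value):
    """Return (header, claims) from an Identity header value. No signature check."""
    token = value.split(";", 1)[0].strip()
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return b64url_json(parts[0]), b64url_json(parts[1])

def check_claims(value, calling_tn, called_tn, now=None, max_age=60):
    """Return (attest, problems). TNs are digits only, e.g. '12125550100'."""
    hdr, claims = parse_identity(value)
    problems = []
    if hdr.get("alg") != "ES256" or hdr.get("ppt") != "shaken":
        problems.append("not an ES256 SHAKEN PASSporT")
    if claims.get("attest") not in ("A", "B", "C"):
        problems.append("invalid attest claim")
    if claims.get("orig", {}).get("tn") != calling_tn:
        problems.append("orig.tn differs from calling number")
    if called_tn not in claims.get("dest", {}).get("tn", []):
        problems.append("dest.tn does not include called number")
    now = time.time() if now is None else now
    if abs(now - claims.get("iat", 0)) > max_age:   # stale tokens suggest replay
        problems.append("iat outside freshness window")
    return claims.get("attest"), problems

def constructed_identity(attest, orig, dest, iat):
    """Build a constructed header for the demo; the signature is a placeholder."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    x5u = "https://cert.example.org/sp.pem"          # placeholder certificate URL
    hdr = {"alg": "ES256", "ppt": "shaken", "typ": "passport", "x5u": x5u}
    claims = {"attest": attest, "dest": {"tn": [dest]}, "iat": iat,
              "orig": {"tn": orig}, "origid": "00000000-0000-4000-8000-000000000000"}
    return f"{enc(hdr)}.{enc(claims)}.PLACEHOLDER_SIG;info=<{x5u}>;alg=ES256;ppt=shaken"

if __name__ == "__main__":
    sample = constructed_identity("B", "12125550100", "13105550123", 1700000000)
    print(check_claims(sample, "12125550100", "13105550123", now=1700000010))
```

An empty problem list with attestation B, as in the sample, is the reseller-trunk case described in the next section: the claims are well formed, but the signing carrier did not vouch for the number.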
What legitimate operators need to know
If you are running legal outbound campaigns — collections, insurance, solar, political, appointment setting — you are not spoofing. But you need to understand the system to protect yourself.
Use numbers you are authorized to use. Every DID you present as outbound caller ID should be a number provisioned to your account by your carrier or verified through a completed port. If you are using DIDs from a third-party source that your carrier has not verified, you are operating in B-level territory at best and you are one complaint away from a carrier investigation.
Get A-level attestation from a direct carrier. If your carrier is a reseller, your calls are being signed by an upstream carrier that has no relationship with you. That upstream carrier signs at B-level because it cannot verify your number authority — it only knows the reseller. Moving to a direct carrier like SIPNEX that holds its own STIR/SHAKEN certificate means your calls get signed at A-level because we have the direct customer relationship and we verified your DIDs.
Monitor your numbers proactively. Register with the Free Caller Registry at freecallerregistry.com. Check your numbers against Hiya, TNS, and First Orion analytics platforms. If a number starts getting flagged, pull it from rotation before the reputation degrades further. Do not wait for answer rates to collapse — by then the damage is done and remediation takes weeks.
Understand that reputation is per-number and per-carrier. Your CID reputation is not just about your behavior. If the previous owner of a recycled DID was a robocaller, that number may already be flagged when you receive it. If your carrier has a poor network reputation because it allows spoofed traffic from other customers, your calls may be treated with suspicion even if your own behavior is perfect. The carrier you choose affects your reputation before you dial a single call.
How SIPNEX handles caller ID verification
We take a straightforward approach: verify before signing.
When you become a SIPNEX customer and we provision DIDs to your account, those numbers are immediately registered in our STIR/SHAKEN database as authorized for your trunk. When you place a call presenting one of those DIDs, our signing infrastructure verifies authority and signs at A-level. The process is automatic and adds zero latency to call setup.
If you port numbers to SIPNEX, we verify authority through the porting documentation (Letter of Authorization, account verification with the losing carrier). Once the port completes and we have confirmed ownership, those numbers are added to your authorized CID list and receive A-level attestation.
If you present a number that is not in your authorized list — a number we did not provision and you have not ported — we sign at B-level. You will notice because your answer rates on that number will be lower. This is by design. We are protecting our SP-KI certificate reputation and your long-term calling health simultaneously.
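The verify-before-signing decision described here and in the attestation levels above, as an added example (not SIPNEX's implementation): it extracts the numbers an INVITE presents in From and P-Asserted-Identity and maps them to A, B or C. Trunk names, the authorized list, the sample INVITE and the REJECT outcome for unparsable or unknown input are assumptions of this example.

```python
import re

# Constructed sample data (hypothetical names): DIDs provisioned or ported per customer trunk.
AUTHORIZED_CIDS = {"trunk-acme": {"+12125550100", "+12125550101"}}
# Trunks that carry traffic from other carriers or gateways, not direct customers.
GATEWAY_TRUNKS = {"gw-upstream-7"}

def header(invite, name):
    """Return the first value of a SIP header (case-insensitive), or None."""
    m = re.search(rf"^{re.escape(name)}\s*:\s*(.+)$", invite, re.I | re.M)
    return m.group(1).strip() if m else None

def normalize_tn(value):
    """Pull the number out of a sip:/tel: URI and normalize it to +1NXXNXXXXXX."""
    m = re.search(r"(?:sips?|tel):(\+?[\d\-.() ]+)", value)
    digits = re.sub(r"\D", "", m.group(1)) if m else ""
    if len(digits) == 10:              # bare 10-digit NANP number: add country code
        digits = "1" + digits
    return "+" + digits if len(digits) == 11 and digits[0] == "1" else None

def presented_tns(invite):
    """Numbers claimed in From and P-Asserted-Identity; None marks an unusable header."""
    values = [header(invite, h) for h in ("From", "P-Asserted-Identity")]
    return [normalize_tn(v) for v in values if v is not None]

def attest(trunk, invite):
    """Return 'A', 'B', 'C' or 'REJECT' for an INVITE arriving on `trunk`."""
    tns = presented_tns(invite)
    if not tns or None in tns:
        return "REJECT"                # nothing verifiable to make a claim about
    if trunk in GATEWAY_TRUNKS:
        return "C"                     # upstream source known, caller and number not
    if trunk not in AUTHORIZED_CIDS:
        return "REJECT"                # no customer relationship on record
    allowed = AUTHORIZED_CIDS[trunk]
    return "A" if all(tn in allowed for tn in tns) else "B"

def make_invite(from_user, pai_user=None):
    """Build a minimal constructed INVITE for the demonstration."""
    lines = ["INVITE sip:+13105550123@sip.example.net SIP/2.0",
             f'From: "Acme Support" <sip:{from_user}@pbx.example.com>;tag=9fxced76sl',
             "To: <sip:+13105550123@sip.example.net>"]
    if pai_user:
        lines.append(f"P-Asserted-Identity: <sip:{pai_user}@pbx.example.com>")
    return "\r\n".join(lines) + "\r\n\r\n"

if __name__ == "__main__":
    print(attest("trunk-acme", make_invite("2125550100")))                  # provisioned DID
    print(attest("trunk-acme", make_invite("2125550199", "+12125550100")))  # headers disagree
```

Requiring every presented number to be on the list means an authorized P-Asserted-Identity cannot carry an unlisted From number up to A-level.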
If we detect patterns consistent with illegal spoofing — presenting numbers that belong to banks, government agencies, or other businesses, or rapidly rotating through large blocks of unverified numbers — we investigate and can suspend service. Our Acceptable Use Policy is explicit about this. We operate a zero-tolerance policy for illegal spoofing because the reputational cost of tolerating it falls on our certificate, which affects every customer on our network.
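One way to flag the two patterns named above from call detail records, as an added example that is not SIPNEX's detection logic. The thresholds, trunk names, protected-number list and records are constructed for illustration.

```python
from collections import defaultdict

# Constructed values for illustration; real thresholds come from baseline traffic.
WINDOW_SECONDS = 3600
MAX_UNVERIFIED_DISTINCT = 5           # distinct unverified caller IDs per trunk per window
PROTECTED_TNS = {"+18005550199"}      # stand-in for numbers of banks or agencies
AUTHORIZED = {"trunk-acme": {"+12125550100"}}

def detect(cdrs, authorized=AUTHORIZED):
    """cdrs: (epoch_seconds, trunk, caller_tn) tuples. Returns sorted alert tuples."""
    alerts = {}                        # (trunk, kind) -> detail
    recent = defaultdict(list)         # trunk -> [(ts, tn)] unverified presentations
    for ts, trunk, tn in sorted(cdrs):
        if tn in authorized.get(trunk, set()):
            continue                   # authorized CID: normal caller ID management
        if tn in PROTECTED_TNS:
            alerts[(trunk, "protected-number")] = tn
        # Keep only unverified presentations inside the sliding window.
        recent[trunk] = [(t, n) for t, n in recent[trunk]
                         if ts - t < WINDOW_SECONDS] + [(ts, tn)]
        distinct = len({n for _, n in recent[trunk]})
        if distinct > MAX_UNVERIFIED_DISTINCT:
            key = (trunk, "rapid-rotation")
            alerts[key] = max(distinct, alerts.get(key, 0))
    return sorted((t, k, d) for (t, k), d in alerts.items())

# Constructed call records: steady authorized use, fast rotation, one protected number.
SAMPLE_CDRS = (
    [(1000 + i * 60, "trunk-acme", "+12125550100") for i in range(20)]
    + [(1000 + i * 75, "trunk-x", f"+1212555{2000 + i}") for i in range(8)]
    + [(1500, "trunk-y", "+18005550199")]
)

if __name__ == "__main__":
    for alert in detect(SAMPLE_CDRS):
        print(alert)
```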
This is the advantage of being on a carrier that owns its own STIR/SHAKEN certificate rather than inheriting one from an upstream provider. We have direct incentive to keep our network clean because our reputation is our own asset. A reseller has no certificate to protect — their upstream carrier absorbs the risk and may not care about your specific traffic.
The answer rate connection
Everything above connects to the number operators actually care about: answer rate.
When STIR/SHAKEN was first mandated in 2021, the impact on answer rates was modest because deployment was incomplete. By 2026, the effect is dramatic. T-Mobile, AT&T, and Verizon all use attestation data in their call-filtering decisions. Third-party analytics companies like Hiya, TNS, and First Orion weight attestation level heavily in their spam-scoring algorithms.
The practical impact: A-level attested calls from a carrier with a clean certificate reputation get through to the handset with a neutral or positive display. B-level calls from reseller trunks get scrutinized and increasingly labeled. C-level and unsigned calls are often blocked outright or sent to voicemail with a “Spam Risk” label.
For a call center running 100,000 outbound calls per month, a 15 percent answer rate difference between A-level and B-level attestation represents 15,000 additional conversations. At any reasonable conversion rate, that is the difference between a profitable campaign and a failing one. The cost of using a direct carrier versus a reseller is measured in pennies per minute. The cost of lost answer rate is measured in revenue.
Frequently asked questions
Is caller ID spoofing legal?
Displaying a phone number you own or are authorized to use is legal; that is caller ID management, not spoofing. Displaying a number you do not own with intent to defraud, cause harm, or wrongfully obtain something of value is illegal under the Truth in Caller ID Act (47 U.S.C. § 227(e)). The line is authorization and intent. A call center showing its main business number is legal. Someone displaying a bank’s number to harvest account information is a federal crime with penalties up to $10,000 per violation. Several states add criminal penalties including felony charges for certain spoofing conduct.
How does STIR/SHAKEN prevent spoofing?
STIR/SHAKEN requires the originating carrier to cryptographically sign each outbound call with an attestation of how confident it is that the caller is authorized to use the presented number. A-level means fully verified. B-level means the carrier knows the customer but has not verified the specific number. C-level means the carrier cannot verify anything about the caller. Because the signature is cryptographic and tied to the carrier’s certificate, it cannot be forged by anyone who does not hold the carrier’s private key. A spoofed call, where the caller presents a number they do not own, cannot receive A-level attestation from a compliant carrier because the carrier’s database will not confirm authority over that number.
Can my business legally display a different caller ID number?
Yes, as long as you are authorized to use the number and you are not doing so with intent to mislead. Common legitimate examples: a call center displaying its main toll-free number instead of individual agent DIDs, a doctor’s office displaying the practice number instead of a personal cell, a business displaying a local presence number in the area code it is calling. The key requirement is that you have the legal right to use the number — it is assigned to your account, ported to your carrier, or otherwise authorized for your use. Your carrier should have that number in your authorized CID list so it receives proper attestation.
What happens if I accidentally use a phone number I do not own?
If you misconfigure your PBX or dialer and present an unverified number, a compliant carrier like SIPNEX will sign the call at B-level instead of A-level. Your answer rates on that number will be lower but you will not face immediate legal consequences because the Truth in Caller ID Act requires knowing intent. However, if the pattern continues, your carrier may flag the account for review. Carriers are required to monitor for spoofing patterns, and repeated use of unauthorized numbers — even if unintentional — can trigger an investigation. Fix misconfigurations immediately and verify your outbound CID list with your carrier.
How do I check if my caller IDs are getting flagged as spam?
Start with the Free Caller Registry at freecallerregistry.com — register your business and your numbers. Then check the major analytics platforms that feed carrier spam labels: Hiya (powers T-Mobile Scam Shield and Samsung Smart Call), TNS (powers AT&T Call Protect), and First Orion (agreements with multiple carriers). Each platform has a portal where you can look up your numbers and see their reputation status. Also monitor your answer rates per DID in your dialer dashboard — a sudden drop on a specific number usually means it has been flagged before the analytics platforms update their public-facing tools. Pull flagged numbers from rotation immediately and file remediation requests with the relevant analytics providers.
SIPNEX is an FCC-licensed carrier with its own STIR/SHAKEN Service Provider certificate. We verify number authority before signing and we sign at A-level for every DID we have provisioned or verified.