The phone rings on a Tuesday afternoon. The caller ID says “Wells Fargo.” A pleasant voice tells you there’s been suspicious activity on your account, and they need to verify your identity to protect you — could you confirm your full Social Security number and your debit card PIN?
You hesitate. The number on your phone matches the one on the back of your card. Surely if it really were Wells Fargo calling, that would be the right number. So you read the digits.
It wasn’t Wells Fargo.
The number that appeared on your screen was real, but the call was not. Caller ID — the little label that tells you who’s calling — is one of the easiest pieces of identity to fake. Scammers can show any number they want, including the actual customer service line of the company they’re pretending to be from. The technology is cheap, automated, and available to anyone with an internet connection.
How Caller ID Spoofing Actually Works
When a phone call is placed, the caller’s phone or computer sends a piece of information called Caller ID to the receiving phone. That information is not verified by the phone network — it is taken at face value. Whatever the calling system says the number is, that is what shows up on your screen.
Scammers use cheap voice-over-internet (VoIP) services that let them set the displayed number to anything. They pick the number of a real, trusted institution — your bank, your credit card company, the IRS, Medicare, your power company — and dial out. To you, the call looks like it is coming from that institution. To the scammer, it costs almost nothing.
There is no technology you can buy that reliably blocks spoofed calls. Carriers have been working on a system called STIR/SHAKEN that helps, but it is not universal and it does not stop a determined scammer.
The Calls Most Likely to Be Spoofed
Spoofed calls almost always have one of these shapes:
- A call from your “bank” about suspicious account activity
- A call from “Medicare” or “Social Security” about a problem with your benefits
- A call from “the IRS” about back taxes you owe
- A call from your “power company” saying your service will be shut off in an hour
- A call from a “police officer” about a missed jury duty summons
- A call from a “tech support team” who detected a virus on your computer
- A call from a relative who is “in trouble” and needs money wired immediately
The common thread: the caller asks you to do something quickly, and the action involves money, personal information, or a remote-access program. Real institutions almost never call you out of the blue and demand any of these things on the phone.
The One Habit That Beats Spoofing Every Time
Hang up and call back on the number you already have for that institution.
Not the number that just called you — that’s the scammer’s, even if it shows up labeled correctly on caller ID. Use the number printed on the back of your debit card, your credit card statement, your power bill, or your Medicare card. Use the number stored in your phone for that family member. Use the number you can find by typing the company’s name into a search engine yourself.
If the call was real, the actual customer service line will pick up and confirm whatever the issue was. If the call was a scam, the actual line will tell you they did not call you, and you avoided handing your information to a stranger.
A few extra habits help:
- Never read out a verification code, card number, PIN, or Social Security number to someone who called you. Real institutions don’t ask for these the way scammers do.
- Never let anyone you don’t already work with install software on your computer to “fix” a problem on the phone. That is the most dangerous outcome of a spoofed call — once they have remote access, they can move money themselves.
- Take time. Spoofed calls work because the caller creates urgency. “I need to call you back in five minutes” is a complete, polite sentence. A real emergency will still be there in five minutes.
If you suspect a spoofed call, you can report it to the Federal Trade Commission at ReportFraud.ftc.gov and to your phone carrier. Your carrier may be able to block the underlying number, even if the displayed Caller ID was fake.
How LurkAlert Helps
LurkAlert protects your computer from the kinds of follow-up attacks that spoofed calls often try to set up. Many “your bank” or “Microsoft tech support” calls don’t actually need your account number — they need you to install a remote access tool on your computer. Once that tool is installed, the scammer drives the rest of the conversation from your screen.
Our monitoring center watches your computer for exactly that pattern. If a remote access program is installed without your permission, a real person on our team is alerted in real time and reaches out before any damage is done. We can’t answer your phone for you, but we can stand between you and the scammer’s next move on the device they’re really after.
If you’d like that layer of always-on protection while you’re updating your “call back on the number I already have” habit, we’re here to help.
