Caller ID spoofing: how scammers fake phone numbers
If you've ever answered a call that showed your bank's number on the screen, only to find a scammer on the other end — you've met caller ID spoofing. The display name on your phone is, surprisingly, just a piece of text the originating phone system can set to almost anything. Here's how it works, why it's still happening despite Australian regulation, and what you can do about it.
What is caller ID spoofing?
Caller ID spoofing is the practice of forging the phone number (and sometimes the name) shown on the recipient's phone. Instead of the call appearing as "Unknown" or showing the real originating number, the screen shows whatever the scammer wants you to see — your bank, the ATO, an Australia Post depot, or even your own number.
The technical name for the data being faked is Calling Line Identification (CLI) in Australia, or Caller ID internationally. It travels through the phone network as a signalling field that is separate from the information actually used to route the call, so nothing forces it to match the line the call came from. Crucially, the network historically didn't verify whether the originating party had any right to use the number it claimed to be calling from.
How scammers actually do it
Almost all spoofing today happens through Voice over IP (VoIP). Most overseas VoIP gateways let the originating party set the CLI to any string. From a scammer's perspective, the workflow looks like this:
- Buy access to a VoIP termination service that hands off calls into the international PSTN.
- In the dialler software, set the "from" number to whatever they want — say, a real Commonwealth Bank service line.
- Place the call. By the time it reaches an Australian carrier and lands on a customer's phone, the spoofed CLI has propagated through several systems that don't (or can't) verify it.
From the recipient's view, there's no obvious tell — the screen just shows the bank's number. A naïve callback would even reach the real bank, because the displayed number is genuine; it just wasn't actually used to make the call.
"Neighbour spoofing" — why local numbers feel safer
One of the most effective spoofing tactics is neighbour spoofing: the scammer matches the area code and the first few digits of the recipient's own number. A 0412 phone gets calls from 0412, 0413, 0414. A landline in the 02 9XXX range gets calls from numbers in the same exchange.
Why does it work? Familiarity bias. We're more likely to answer a number that looks like a local mobile or a nearby exchange than a 1300 or international prefix. Scammers know this and tune their dial-out lists accordingly. If you've noticed an uptick in calls from your own area code that you don't recognise, neighbour spoofing is almost certainly why.
What Australia is doing about it
The ACMA (Australian Communications and Media Authority) has been gradually tightening the rules:
- Since December 2020, the Reducing Scam Calls Industry Code requires telcos to identify and block obvious scam calls, including ones with implausible CLIs (e.g. an international call presenting as an Australian mobile number).
- The code was extended to SMS in 2022 to cover the equivalent problem for text-message scams.
- Major Australian carriers have collectively blocked hundreds of millions of scam calls under these rules. Telstra, Optus, TPG and Aussie Broadband all publish quarterly transparency numbers.
Australia doesn't yet mandate STIR/SHAKEN — the cryptographic call-authentication framework now mandatory in the United States and Canada — but the ACMA's working groups have flagged it as the longer-term direction. In the meantime, the rules-based blocking catches a lot, but determined scammers still get through, especially via offshore origination.
How to spot a spoofed call
- The displayed number isn't a valid Australian format. Phony flags numbers that aren't valid Australian formats with a "spoofed" indicator on the number page — that's a strong tell on its own.
- The caller resists callbacks. "Don't hang up — if you call back you'll lose your place in the queue." A real organisation is happy for you to call back through their published number.
- The number is your own. If your phone shows your own number calling you, it's spoofed by definition.
- Inconsistent details. The voice on the line says they're from one bank, but the displayed name on your phone is a different bank or a generic label.
- Quiet, then a click, then a script. Many spoofed scam calls run on auto-diallers — there's a short delay while the system patches you to a live agent, and the agent launches into a script regardless of what you say.
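The rules-based checks above (the ACMA code's "implausible CLI" case, the invalid-format "spoofed" indicator, a CLI equal to your own number, and the neighbour-spoofing prefix match) can be expressed as a small plausibility checker. The Python below is an added example written for this article; it is not Phony's code and not any carrier's blocking logic. The Australian number patterns are a simplified summary of the numbering plan, the call records are constructed, and the block/flag/allow mapping is an assumption about how a carrier might rank these tells.

```python
"""Caller-ID plausibility checks (added example; not Phony's or any carrier's code)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Australian number shapes in national (0-prefixed) form.
# Assumption: a simplified summary of the numbering plan. A production checker
# would load the ACMA numbering plan rather than hard-code these shapes.
AU_NATIONAL_PATTERNS = {
    "mobile":   re.compile(r"^04\d{8}$"),        # 04xx xxx xxx
    "landline": re.compile(r"^0[2378]\d{8}$"),   # 02/03/07/08 + 8 digits
    "13":       re.compile(r"^13\d{4}$"),        # 13 xx xx
    "1300":     re.compile(r"^1300\d{6}$"),      # 1300 xxx xxx
    "1800":     re.compile(r"^1800\d{6}$"),      # 1800 xxx xxx
}


def classify_au(number: str) -> Optional[Tuple[str, str]]:
    """Return (kind, national_form) if `number` is a valid Australian number, else None.

    Accepts spaces, hyphens and brackets, and the international +61 form
    (where the leading 0 of mobiles and landlines is dropped).
    """
    digits = re.sub(r"[\s\-()]", "", number)
    if digits.startswith("+61"):
        rest = digits[3:]
        # 13/1300/1800 numbers keep their leading 1; geographic and mobile
        # numbers regain their national trunk prefix 0.
        digits = rest if rest.startswith("1") else "0" + rest
    for kind, pattern in AU_NATIONAL_PATTERNS.items():
        if pattern.match(digits):
            return kind, digits
    return None


@dataclass
class CallRecord:
    """One inbound call as a carrier might see it. Constructed sample data."""
    presented_cli: str          # the number the caller asked to display
    recipient: str              # the number being called
    international_origin: bool  # True if the call entered via an international gateway


def spoofing_tells(call: CallRecord) -> List[str]:
    """Return the list of spoofing tells present on this call (empty if none)."""
    tells: List[str] = []
    cli = classify_au(call.presented_cli)
    if cli is None:
        # Not a valid Australian format: nothing further to compare against.
        return ["invalid_au_format"]
    kind, national = cli

    recipient = classify_au(call.recipient)
    rec_national = recipient[1] if recipient else call.recipient

    # An Australian mobile CLI arriving over an international trunk is the
    # "implausible CLI" case the industry code asks carriers to block.
    if call.international_origin and kind == "mobile":
        tells.append("au_mobile_cli_on_international_trunk")

    if national == rec_national:
        tells.append("cli_equals_recipient")
    elif kind == "mobile" and national[:4] == rec_national[:4]:
        # Same 04xx block as the recipient: the neighbour-spoofing pattern.
        tells.append("neighbour_prefix_match")
    elif kind == "landline" and national[:6] == rec_national[:6]:
        # Same area code and exchange (e.g. 02 9XXX) as the recipient.
        tells.append("neighbour_prefix_match")
    return tells


def verdict(call: CallRecord) -> str:
    """Map tells to an action. Assumption: strong tells block, the weak
    neighbour-prefix tell only flags, because many legitimate calls share
    an exchange with the recipient."""
    tells = spoofing_tells(call)
    strong = {"invalid_au_format", "au_mobile_cli_on_international_trunk",
              "cli_equals_recipient"}
    if strong & set(tells):
        return "block"
    if tells:
        return "flag"
    return "allow"


if __name__ == "__main__":
    samples = [  # constructed records, not real calls
        CallRecord("+61 412 345 678", "0412 111 222", True),
        CallRecord("0298765432", "0298765432", False),
        CallRecord("1300 123 456", "0412 111 222", False),
        CallRecord("+1 555 0100", "0412 111 222", True),
        CallRecord("(02) 9876 5432", "02 9876 1111", False),
    ]
    for s in samples:
        print(s.presented_cli, "->", verdict(s), spoofing_tells(s))
```

The neighbour-prefix rule is deliberately a weak signal: it catches the pattern the article describes, but on its own it would also match every genuine call from your own exchange, which is why it only flags rather than blocks.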
What if your number is being spoofed?
If you start getting angry callbacks from people you've never called, your number has been picked up by a spoofing operation. There's not a lot you can do to stop it — your phone wasn't compromised; the scammer is just using your number on the outbound CLI of someone else's calls. But:
- Tell callers what's happening. A short voicemail message ("If you got a call from this number that wasn't me, it's a scam — sorry for the confusion") cuts down on repeat callbacks.
- Lodge a complaint with your carrier. They can flag your number in their fraud-detection system.
- Report to Scamwatch and the ACMA. Multiple reports about the same victim-number help the ACMA identify the originating service.
- Don't change your number unless it gets unbearable. Spoofers cycle through numbers — yours will likely fall out of rotation in a few weeks.
What it means for looking up unknown numbers
Spoofing has a knock-on effect: a number you look up on Phony might have a clean reputation despite being used (without the owner's knowledge) in a recent scam wave. That's why Phony combines three signals — the number itself, the community reports, and any matching threat alerts from Scamwatch and other sources. A clean record on a real Australian number, paired with a fresh scam alert about that exact number being spoofed, tells you what's actually going on.
If you've answered a call where the number on your screen feels too good to be true — or too official — assume it might be spoofed, hang up, and call the real organisation on the number from their website. It costs you 30 seconds and rules out the most common attack vector instantly.