Why caller ID spoofing is getting worse — and what "verified" actually means
Caller ID was never a security system. Here is why the name on your screen is closer to a suggestion than a signature, and what the "verified" checkmark some carriers show you does and does not guarantee.
The CallTracer team
If you have ever received a call that looked like it was coming from your own bank — number, branch name, and all — and turned out to be a scammer, you have met caller ID spoofing. It is not exotic. It is not a hack. It is the phone network behaving exactly as it was originally designed to behave, decades before anyone thought to lie about who was calling.
Here is what is actually going on, in plain language.
Caller ID was never a security feature
When your phone rings, the number on the screen does not come from some central authority verifying the call. It comes from the caller themselves — or more precisely, from whatever system the caller routed the call through. That system says "this call is from 212-555-0100", and the receiving carrier more or less takes it at face value.
This worked fine when every phone line was tied to a specific physical wire in a specific building. It works badly now that anyone can acquire hundreds of numbers through an internet provider and attach any outbound caller ID they like.
The two things that usually happen
- Neighborhood spoofing. The call comes from a totally unrelated number, but the spoofed caller ID matches your area code and prefix. You are statistically more likely to answer a number that looks local.
- Institutional spoofing. The spoofed caller ID matches a bank, government agency, or utility. The goal is to piggyback on a brand's trust for the first thirty seconds of the call — long enough to get you into a scripted flow.
Both are trivial for anyone with a few dollars and an account on the right provider.
The "verified" checkmark
You may have noticed a green checkmark or a "Verified" label next to some incoming calls. That is the consumer-facing surface of a framework called STIR/SHAKEN. Stripped of acronyms, it does two things:
- When a call originates, the carrier that first handled it signs a token saying, in effect: "we are letting this call through with this caller ID, and here is how confident we are that the caller is entitled to use it."
- Every carrier along the way passes that token forward. When the call lands on your phone, your carrier checks the signature.
If the chain checks out, you see the badge. If it breaks — because an intermediate carrier stripped the token, or because the originating carrier admitted it could not vouch for the caller ID — you do not.
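As an added illustration (not CallTracer's code and not taken from any carrier), the Python example below models the sign-then-check flow just described and the cases in which the badge is withheld. It assumes SHAKEN's attestation levels A, B and C, and uses HMAC-SHA256 with a shared demo key in place of the carrier certificates and ES256 signatures that real deployments use; the function names and phone numbers are constructed for the example.

```python
import base64, hashlib, hmac, json

# Assumption: a shared demo key and HMAC-SHA256 stand in for the originating
# carrier's certificate and the ES256 signature that real STIR/SHAKEN uses.
DEMO_KEY = b"constructed-demo-key"

def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _mac(signing_input, key):
    return hmac.new(key, signing_input.encode(), hashlib.sha256).digest()

def sign_token(orig_tn, dest_tn, attest, key=DEMO_KEY):
    """Originating carrier: bind caller ID, callee and attestation level."""
    header = {"alg": "HS256", "ppt": "shaken", "typ": "passport"}
    claims = {"attest": attest, "dest": {"tn": [dest_tn]}, "orig": {"tn": orig_tn}}
    signing_input = ".".join(_b64(json.dumps(part).encode()) for part in (header, claims))
    return signing_input + "." + _b64(_mac(signing_input, key))

def badge_decision(token, displayed_tn, key=DEMO_KEY):
    """Terminating carrier: decide whether the handset shows 'verified'."""
    if not token:
        return "no badge: token missing"          # stripped by an intermediate carrier
    try:
        head, body, sig = token.split(".")
        if not hmac.compare_digest(_mac(f"{head}.{body}", key), _unb64(sig)):
            return "no badge: bad signature"
        claims = json.loads(_unb64(body))
    except ValueError:
        return "no badge: malformed token"
    if claims["orig"]["tn"] != displayed_tn:
        return "no badge: number mismatch"        # caller ID changed after signing
    if claims["attest"] != "A":
        return "no badge: not fully attested"     # carrier could not vouch (B or C)
    return "badge"

if __name__ == "__main__":
    # Constructed sample numbers; 12125550100 is the article's example caller ID.
    good = sign_token("12125550100", "12125550199", "A")
    for label, tok, shown in [
        ("full attestation", good, "12125550100"),
        ("token stripped", None, "12125550100"),
        ("caller ID rewritten", good, "12125550111"),
        ("gateway attestation", sign_token("12125550100", "12125550199", "C"), "12125550100"),
    ]:
        print(f"{label:22} -> {badge_decision(tok, shown)}")
```

Nothing in `badge_decision` looks at who the caller is or what they intend: any number the originating carrier fully attests gets the badge.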
What the badge does and does not tell you
It does tell you: this call was not trivially spoofed somewhere between its origin and your handset.
It does not tell you: the caller is who they say they are, that the call is not a scam, or that the number shown is tied to the organization the caller claims to represent. A scammer who legitimately owns a number can still place calls with full verification — the badge only vouches for the plumbing, not the intent.
The green checkmark is an integrity seal on the envelope, not a background check on the sender.
Why it still matters
For all its limits, STIR/SHAKEN has measurably reduced the volume of the crudest spoofing — the kind where a call looks like it is coming from your own phone number, or from a number that does not route. What it has not stopped is the middle tier: calls that come through fully verified carriers, with real numbers leased to real entities, used for scams anyway.
So the short version: trust what you see on your phone's screen a little less than you probably do. Treat a "verified" badge as necessary but not sufficient. And when in doubt, hang up and call the organization back using a number you looked up yourself.