Caller ID spoofing causes nearly $1 billion (EUR 850 million) in financial losses from fraud and scams each year, according to a new Europol position paper that calls for technical and regulatory solutions to fight the problem.
Phone calls and texts are the primary attack vectors, accounting for about 64% of reported cases, Europol said in the report.
Caller ID spoofing is accomplished by manipulating the information displayed on a user’s caller ID, typically using Voice over Internet Protocol (VoIP) services or specialized apps to show a fake name or number “that appears legitimate and trustworthy,” Europol said.
“The ability of malicious actors to conceal their true identity and origin, severely impedes the capacity of law enforcement agencies (LEAs) to trace and prosecute cybercriminals,” Europol said.
Caller ID Spoofing Attack Types
Europol outlined some of the caller ID spoofing attack types seen by EU law enforcement agencies.
Criminals often spoof caller IDs to impersonate organizations like banks, government agencies, utility companies, or even family members, in scam calls to get recipients to reveal sensitive information, make fraudulent payments, or initiating money transfers under false pretenses.
Tech support scammers impersonate legitimate tech support services to convince victims of non-existent computer issues in order to demand payment, install malware or obtain remote access for exploitation.
Caller ID spoofing can also be used in swatting attacks to make it appear that an emergency call originated from a victim’s address.
Organized crime networks have even set up “spoofing-as-a-service” platforms to automate caller ID spoofing, “with the aim of lowering the barrier for others to be able to commit crimes,” Europol said. “By offering such services, criminals can easily impersonate banks, LEAs or other trusted entities.”
Europol Calls for Regulatory and Technical Response
Europol surveyed law enforcement agencies across 23 countries and found significant barriers to implementing anti-caller-ID spoofing measures. “This means that the combined population of approximately 400 million people remain susceptible to these types of attacks,” the report said.
The law enforcement agency said there is an “urgent need for a coordinated, multi-faceted approach to mitigate cross-border caller ID spoofing.”
“The transnational nature of spoofing attacks demands seamless information sharing and coordinated action among Internet Service Providers (ISPs), telecommunications providers, law enforcement and regulatory bodies,” the agency said.
Among the technical controls that are needed are “robust international traceback mechanisms” that include a neutral, cross-jurisdictional system for hop-by-hop tracing, standardized processes for information sharing, and APIs and signaling checks.
Also needed are mechanisms for validating inbound international calls, and vendor-neutral tools with standardized interfaces for Do Not Call (DNC)/ Do Not Originate (DNO) lists, unallocated number lists, blacklisting, and malformed number detection.
“Through multi-stakeholder collaboration, to address emerging threats and develop effective countermeasures, digital security can be significantly enhanced,” Europol said. “This will ensure citizens are better protected from the adverse effects of caller ID spoofing.”
The report also acknowledged the importance of being prepared for other mobile threats such as SIM-based scams, anti-regulatory subleasing, the use of anonymous prepaid services in cybercrime, callback scams and smishing attacks.
