Caller ID spoofing made easy

Fraud scams perpetrated over the telephone are a growing menace. A common technique used by fraudsters is to spoof the calling number so the caller-ID field can be whatever the fraudster wants.

For example, to perpetrate an IRS scam a fraudster would set the calling number to be the Internal Revenue Service. When the victim answers the phone and sees the IRS as the caller-ID, they will be more susceptible to providing private information such as their social security number.

In the past, spoofing the calling number (also known as ANI spoofing) for a telephone call required some technical expertise was not possible for the common criminal. But a new company has made calling number spoofing an easy and low cost web service.

The company is Solid Cloud LLC, located in Scottsdale, AZ. They offered a web service called bitphone. The service is similar to many other web-based phone applications.

You use your computer to make a Voice over IP (VoIP) call to any telephone worldwide. The difference is that bitphone offers two key features for individuals who want to spoof the calling number and remain totally anonymous. First, the caller can enter any calling number they choose when they make the call. Spoofing Caller-ID could not be any easier. Second, bitphone takes payment in Bitcoin, or forty-three alternative digital coins, so the bitphone user spoofing the calling number can remain completely anonymous.

The prices for using bitphone are reasonable. The rate per minute for calls to the US is 0.0795900 mBTC/min and the surcharge for caller-ID spoofing is 0.4 mBTC per call. A mBTC is a milli-Bitcoin or one thousandth of a Bitcoin. At today's rate, a milli-Bitcoin is worth about $0.228. So the bitphone rate per minute for a domestic US call is $0.021 per minute and the price for caller-ID spoofing is $0.0912 per call. If the courts subpoena Solid Cloud LLC for information about suspected fraudsters using their bitphone service, there is no possible way to track down a fraudster if they made the call from a public wifi hot spot and paid with Bitcoin.

For victims of telephone based fraud scams, the existence of a site that makes life easy for fraudsters is an outrage and seems unlawful. Unfortunately, there is nothing explicitly unlawful about bitphone's operation, even if it does offer features that may be useful for fraudsters. To help provide legal cover, bitphone includes the FCC's caller-ID and spoofing guidelines in its Terms and Condition that users must accept and again in its Support FAQs.

Under the Truth in Caller ID Act, FCC rules:

  • Prohibit any person or entity from transmitting misleading or inaccurate caller ID information with the intent to defraud, cause harm, or wrongfully obtain anything of value.
  • Subject violators to a penalty of up to $10,000 for each violation of the rules.

To make matters worse, the “Truth in Caller ID Act of 2009” only applies "to any person within the United States." It is perfectly legal for a fraudster outside the USA to spoof their caller ID.

The Anti-Spoofing Act of 2015 (H. R. 2669) would plug this loophole for international users and was sent to congressional committee on June 4, 2015. The benefits of this common sense, bipartisan bill (11 Republican and 10 Democratic sponsors) are obvious. However, it is given only a 23% chance of being passed into law by the website

This same bill passed the house in 2014, but expired in the Senate of the last Congress without a vote. Restoring integrity to the calling number and the public voice network is the single best solution for preventing telecom fraud and should be a higher priority for the FCC and US lawmakers.