
Ask HN: What can we do about spam calls with spoofed numbers? - charleshan
I received 14 spam calls in the past two days. I just called back one of the numbers and the person on the other end was not the person that called me. She told me that this has been happening to her too.

It looks like spammers are using other people's numbers to make these calls. What can we do to stop this?
======
porpoisely
I had the same problem. What helped me was I simply stopped answering any
calls from numbers I didn't recognize. After a while, I stopped getting spam
calls. My guess is after a while, these spammers eventually mark a number as
defunct or unresponsive and stop calling. If someone I know is calling me and
I don't answer, they can always text, email, etc me.

Interestingly, a while back, I got a call from a number that looked so
familiar but I didn't recognize. I didn't answer but I couldn't get that
number out of my mind. So I started looking through my contacts to see if it
was someone I knew. Turns out, it was my own number. I couldn't believe it.
These spammers were somehow spoofing my own number to call me.

~~~
gregmac
"Spoofing" caller ID is a feature, not a bug or hack. Pretty much all VoIP
providers let you send a callerID name/number [1]. If they don't, it's because
they've done extra work to explicitly block it. If you're using Asterisk, for
example, setting the number is a simple command [2] before you call the dial
command, and is trivial to script.

CallerID name is more complex [3], as some providers will pass it along and
some won't, and the termination provider (the one that receives the call) may
or may not accept it. However, many VoIP providers have a way to register CNAM
entries, this just also isn't totally reliable due to the way CNAM database
sharing works [4].

Take away is: CallerID name and number are ENTIRELY unreliable as a means of
identification or authentication. In fact, the only thing it's really useful
for these days is that if you get a call from a number in your contact list, it
probably really _is_ that person because it's unlikely that (a) by random
chance the spammer chose a number that is in your contacts, and (b) has
compromised your contact list and is using it to choose caller ID numbers.

[1]
[https://en.wikipedia.org/wiki/Caller_ID_spoofing#Technology_...](https://en.wikipedia.org/wiki/Caller_ID_spoofing#Technology_and_methods)

[2] [https://www.voip-info.org/setting-callerid/](https://www.voip-info.org/setting-callerid/)

[3]
[https://en.wikipedia.org/wiki/Caller_ID_spoofing#Caller_name...](https://en.wikipedia.org/wiki/Caller_ID_spoofing#Caller_name_display)

[4] [https://www.onsip.com/blog/how-caller-id-works-why-it-might-...](https://www.onsip.com/blog/how-caller-id-works-why-it-might-take-months-to-update)

~~~
tomjen3
> "Spoofing" caller ID is a feature, not a bug or hack

So were anonymous e-mail resenders and open proxies in a more genteel and
dignified age.

Today, clearly the feature is being misused too much, so we need to shut it
down. Make the CEO of any telecom company who forwards a spoofed call
personally liable for 100k in damages and that problem is solved. Some
businesses may want a callback to go to their main-number, but frankly if
somebody calls me I want a way to call them back.

~~~
gregmac
I agree. I didn't mean to imply it's a GOOD feature, just that it's not an
exploit of any kind.

The ability to set your outgoing number is very useful for a number of
reasons, but only being able to do it from a list of numbers you've verified
you have ownership of would go a long way. They could even do something
similar to how SSL providers do domain verification.

~~~
tomjen3
I could live with that, but I really would want to call back e.g. my bank, and
not end up in a phone tree.

~~~
gregmac
Ah, I see. Unfortunately that's an aspect of the way the PBX is set up, and
nothing to do with how caller ID works specifically. Most extensions don't
have a DID (direct inward dial [1]) number, and unfortunately many inbound
routing setups (especially for call centers) have no way -- or at least no
advertised way -- to get to a spot where outside callers can dial an
extension. For most PBX systems (eg, freepbx [2]) it's an option whether to
allow direct extension dialing as part of the IVR.

[1]
[https://en.wikipedia.org/wiki/Direct_inward_dial](https://en.wikipedia.org/wiki/Direct_inward_dial)

[2]
[https://wiki.freepbx.org/display/FPG/IVR+Module+User+Guide#I...](https://wiki.freepbx.org/display/FPG/IVR+Module+User+Guide#IVRModuleUserGuide-EnableDirectDial)

------
nulbyte
I set up Tasker[1] with a profile to reject incoming calls if the caller is
not in my contacts. As an individual, that or DND settings are most effective.

Consumers as a group can contact regulators or legislators to urge this be
fixed. The technological fix is not that difficult: telcos should whitelist
numbers for specific customers so a customer can only use a number as outbound
caller id if they are assigned or have otherwise validated the number.
Reputable providers like Twilio already do this. This solves the oft-repeated
claim that there are legitimate reasons to "spoof" caller id. You can't say
it's spoofing if it's your number and you're the one calling...

But telcos don't do this. They don't care if caller ID is accurate, because
their customers don't care if caller ID is accurate; most pay for it anyway.

[1]: [http://tasker.joaoapps.com/](http://tasker.joaoapps.com/)
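
A sketch of the per-customer caller ID whitelist proposed in the comment above, combined with the "block but not change" rule raised later in the thread. This is an added example, not part of the original thread and not any provider's actual code; the `Customer` record, function names, the `anonymous` sentinel and the threshold are hypothetical, and all numbers are constructed from the fictional 555-01xx range.

```python
import re
from dataclasses import dataclass, field

ANONYMOUS = "anonymous"  # assumption: value a customer sends to withhold caller ID


def to_e164(raw, default_cc="1"):
    """Normalize a caller ID string to E.164, or return None if malformed."""
    s = raw.strip()
    has_plus = s.startswith("+")
    body = re.sub(r"[\s().-]", "", s[1:] if has_plus else s)
    if not re.fullmatch(r"[1-9][0-9]{6,14}", body):
        return None
    if has_plus:
        return "+" + body
    if len(body) == 10:                      # national NANP format
        return "+" + default_cc + body
    if len(body) == 11 and body.startswith(default_cc):
        return "+" + body
    return None                              # ambiguous without a country code


@dataclass
class Customer:
    account_id: str
    default_number: str                      # E.164 number assigned by the provider
    verified: set = field(default_factory=set)  # extra numbers the customer validated


def outbound_caller_id(customer, requested):
    """Decide what caller ID to present. Returns (action, number, reason)."""
    if requested is None:
        return ("allow", customer.default_number, "default")
    if requested.strip().lower() == ANONYMOUS:
        # Withholding the number is permitted; substituting another is not.
        return ("allow", None, "withheld")
    number = to_e164(requested)
    if number is None:
        return ("reject", None, "malformed")
    if number == customer.default_number or number in customer.verified:
        return ("allow", number, "owned")
    return ("reject", None, "not-owned")


def flag_accounts(customers, attempts, threshold=3):
    """Accounts that tried at least `threshold` distinct numbers they do not own."""
    rejected = {}
    for account_id, requested in attempts:
        action, _, reason = outbound_caller_id(customers[account_id], requested)
        if action == "reject" and reason == "not-owned":
            rejected.setdefault(account_id, set()).add(to_e164(requested))
    return {a: nums for a, nums in rejected.items() if len(nums) >= threshold}


# Constructed sample data (not real accounts or call records).
CUSTOMERS = {
    "acme": Customer("acme", "+12025550100", {"+12025550101"}),
    "bulk": Customer("bulk", "+13125550150"),
}
ATTEMPTS = [
    ("acme", "202-555-0101"),     # verified secondary number
    ("acme", None),               # no caller ID requested: use the default
    ("acme", "anonymous"),        # withheld
    ("acme", "202-555-0199"),     # one unowned number, below the threshold
    ("bulk", "(415) 555-0111"),   # rotating through numbers it does not own
    ("bulk", "415-555-0112"),
    ("bulk", "+1 415 555 0113"),
    ("bulk", "4155550111"),       # repeat of the first, counted once
]

if __name__ == "__main__":
    for account_id, requested in ATTEMPTS:
        print(account_id, requested, outbound_caller_id(CUSTOMERS[account_id], requested))
    print("flagged:", flag_accounts(CUSTOMERS, ATTEMPTS))
```
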

------
fredophile
Move to another part of the country.

I got my current phone number when I first moved to the US. Now I live on the
other side of the country. The spam callers always use the same area code as
my phone number in an attempt to appear like local numbers. Anytime I get a
call from a California number that isn't in my phone I can safely ignore it.

~~~
skolos
I can confirm. I am in the same situation and it works well, although I still
hate distraction these calls produce.

------
joecool1029
There's not much you as an individual can do to stop it. I have the same issue
with Comcast filling my PO Box with shitloads of junkmail.

The phone system is designed to accept anyone calling on it, and there's no
authentication mechanisms in place for securing it since it all has to
interoperate and is built on dated standards.

There are basically two solutions to stopping the problem (instead of treating
the symptom). The first is to increase costs to make phone calls (voip made
this basically free and it gets abused). This was the old deterrent.

The other is to have providers work on an authentication method for their
network, they are starting to do this with STIR/SHAKEN:
[https://transnexus.com/whitepapers/stir-and-shaken-overview/](https://transnexus.com/whitepapers/stir-and-shaken-overview/)

Legislation won't help unless it is on the providers to require
authentication.

~~~
51lver
Why is voip basically free for mass abuse, but expensive for individuals and
legitimate organizations? I would love a few dozen phone numbers, but I don't
see any free options other than google voice.

~~~
nitrohorse
MySudo used to be a free option for up to 9 VoIP numbers but they’ve moved to
paid plans (1#/$1/month, 3#s/$5/month, and 9#s/$15/month) [0].

[0] [https://mysudo.com/plans](https://mysudo.com/plans)

------
nathan_long
Individual solutions: "Do not disturb" mode that only rings for contacts,
using one of the robocall-blocking apps (eg Nomorobo).

Industry solutions are supposedly forthcoming - see STIR/SHAKEN standards for
caller verification. T-Mobile says they're doing something with this:
[https://www.t-mobile.com/news/caller-verified-note9](https://www.t-mobile.com/news/caller-verified-note9)

------
jvagner
I added two entries to my contacts:

PHONE on

PHONE off

...when the calls reach a certain volume, I just forward all calls immediately
to voicemail, which also says, "I don't answer this phone anymore -- leave me
an email."

After a few days or a week, I turn phone back on and see how it goes.

It ebbs and flows.

For business calls, I direct everything to Google Voice.

For personal, my friends/family know they can still FaceTime me or text me and
I'll call back.

I don't actually get a lot of calls to my cellphone, and would gladly pay for
data without calling.

From a previous thread, here or on Reddit:

"You actually can turn off cellular network calling altogether, if you are
willing to do that.

Dial (star)#67# (or call 611 if it doesn't show up there) to see what number
your voicemail center is. Then dial (star)21(star)1(that number)#. That will
automatically forward all calls, at the network level, to your voicemail.

To cancel this, dial #21#."

~~~
justusthane
I'm not sure what you mean by this...what do the "PHONE on" and "PHONE off"
contacts do?

~~~
51lver
Those contacts are used to dial the special number to enable or disable
forwarding all calls directly to voicemail.

------
AnimalMuppet
First thing ( _before_ the problem you're trying to address): There is a "do
not call" registry. For reasons that I do not understand, (most) spammers
respect it for our home phone, but not for cell phones. That thing needs to
have teeth in it - like, sending-people-to-jail kinds of teeth. It's a
travesty that spammers can just run all over that registry.

If that were in place, then the answer would be "put your number on the do not
call list". But for whatever reason, that fix doesn't currently work.

On, then, to the problem you're trying to address. It needs to become illegal
and/or technologically impossible to spoof caller ID _to a number that you
don't own_. That is, if you're Apple, and you want all your outgoing calls to
present as your main number, that's fine, because you own that number. But
masquerading as a number you don't own? No way. It needs to be either
impossible or illegal, preferably both.

But what about someone who's, for example, a whistleblower, and can't give out
their number without blowing their identity? They could still _block_ the
number, but not _change_ it. The caller ID shows up as "Unavailable" or
"Blocked" (I just had one of those while making this comment, in fact.) The
recipient can then decide to reject that call simply because of the lack of
caller ID (as I in fact did).

------
rthomas6
This isn't a solution for most people, but I started using the "screen call"
button on my Pixel 2 for numbers I don't know, and it's been great. The
illegal telemarketers will just hang up, and the number of calls I get has
steadily declined.

~~~
jlmorton
Screen call is such a good feature. For those that don't know, Pixel devices
allow you to press a "Screen Call" button when you receive a call.

For the caller, they'll hear a Google Assistant voice that says, "Hi, the
person you're calling is using a screening service from Google and will get a
copy of this conversation. Go ahead and say your name and why you're calling."

As the caller speaks, the conversation is transcribed in real-time to your
phone. If you know the person, you can pick up. If it's a spam call, you can
press "Block Number and Report Spam."

~~~
donclark
Would this be a great app for the rest of us that do not have a pixel 2
device?

~~~
brightsize
Google Voice has a similar screening service. From the GV help forum ...

"when call screening is enabled:

If the caller's name and phone number are in your Google Contacts, or the
caller is a business known to Google (e.g. it shows up in Google Maps with an
information box), then that name will be played to you. If the caller's number
is not in either of those places, then their calls will be screened every
time, until/unless you add them to Contacts."

------
zw123456
This is probably never going to happen... But, IMHO, I think the best way
would be to implement a very small fee for each call placed. Even if it was a
penny or a few cents, most people, if not all will never feel that but it
would put most of the robo-callers out of business since they place thousands
if not millions of calls per month.

~~~
maccio92
There's a company that implemented this for email using cryptocurrency.
[https://bitbounce.com/](https://bitbounce.com/)

Any unfamiliar senders get an autoreply asking for them to pay a fee to send
the email. You as the receiver get paid this fee (-30%) for each email
received (not read)

~~~
zw123456
Interesting. Also, there used to be a feature for cell phones that was called
"Caller Pays" where the caller paid to place a call to you (back when they
charged you per minute to talk on a cell phone) but of course the cell company
kept the money. But maybe cell companies could come up with something like
that now but the customer gets the fee. For friends who call one another, it
would cancel each others fees out over time but it would put scammers out of
business.

~~~
51lver
You're receiving a collect call from "imattheairportnowpickmeupplease" would
you like to accept this call?

~~~
techsupporter
Bob Wehadababyitsaboy on line two.

[https://www.youtube.com/watch?v=9JxhTnWrKYs](https://www.youtube.com/watch?v=9JxhTnWrKYs)

------
existencebox
It's absurd that there aren't more steps being taken.

Just this morning I had 4 calls between 5 and 8:00, and I can't turn my phone
off. (On-call for work.)

Our government is busy shutting itself down over nonsense, yet pathological
problems that are meaningfully impacting citizens are going entirely unmanaged
for years. (To the FCC's credit, STIR/SHAKEN is a good step but I think it's
very much a too-little-too-late situation; I haven't been able to empty my
voicemail box in years lest it get filled up again within a day by spam.)

To make this not just be a rant (and since I see others who are concretely
affected in similar ways) Shouldn't we be pursuing our govts/reps to be more
aggressive in everything from investigating and prosecuting violations
(spammers) to ensuring proper incentives for carriers to help defend against
this? Is there anyone who has been a champion for this in the past?

------
paulie_a
I get ten to twenty a day. If I'm bored and have a few minutes I'll answer and
waste the person's time by asking vague questions: "oh which car warranty is
expiring?". "oh which student loan are you referring to?". Which credit card?,
Huh do you work for United healthcare? Because that's my insurance provider,
you should know that already.

They either hang up or start shotgunning large company names. I try to stall
them a bit.

Then aggressively use Google fi to block and report as spam.

It's ridiculous that cell networks actively allow this. This should not be
possible. And for US based spammers, they should arrest and prosecute every
single person at the company. No exceptions. You are involved in a criminal
conspiracy to commit fraud. Fuck throw Rico their way.

Many of the operations are overseas but there are plenty in the US.

------
madamelic
I made [https://phoneprivacy.co](https://phoneprivacy.co) which lets you have
multiple phone numbers. I use it for separating my life (family, friends, etc)

Also helps with bots because it gives off number disconnected signal not just
forwarding them to a voicemail or something, which I think helps kill it
pretty quick.

You can do whitelists (no one but these people can get through) or blacklists
(everyone but these people can get through).

Let me know your thoughts. Additionally there are others that do similar
things, but I built mine out of this pain. :)

------
theWheez
Ha. Got a spam call exactly when I started typing this response.

Honest to god, the new call screening feature on my Pixel is the most useful
new feature from my phone in the last 5 years.

------
murph-almighty
I simply changed the way I screened calls.

If I don't recognize your number, I immediately send it to voicemail. If it's
something I need to worry about, I call back.

My hope is that eventually spam callers will catch on to the fact that they've
had no hits on my number and drop me from the list. I assume that no amount of
interaction I have with them will get me off the list, so I simply choose not
to interact with them.

Broadly speaking, you could also probably set up Do Not Disturb settings on
your device, and I'd love it if we could filter calls unless they're from
specific people during a specific time (e.g. family calls during work).

Long term, the best way we fight this is with our vote. The current FCC
administration seems uninterested in this problem, and I think voting in a new
administration may provide different results. Engage with your federal
representatives as well!

~~~
charleshan
> I'd love it if we could filter calls unless they're from specific people
> during a specific time (e.g. family calls during work).

You can do this on android. I usually have Do Not Disturb enabled while I work
and I put my buzzer number on the whitelist for deliveries.

~~~
murph-almighty
I use an Apple device- I haven't dug too deeply into what I can do here, but
it's my next mini-project.

~~~
flying_kangaroo
At a minimal level, Apple also provides a do-not-disturb mode that ignores
everything but calls from contacts that you specifically add to your
"favorites" list.

------
blackboxlogic
I believe international telecom industries are working[1][2] on it. I don't
know an ETA. I signed up on their mailing list without knowing what to expect.
The content of each email is beyond me but looking at the clout on the email
signatures convinced me this was a serious and viable movement.

TLDR; this is a technical approach to preventing number spoofing except where
authorized. Presumably to be implemented by the international telecom
industry.

[1] [https://transnexus.com/whitepapers/understanding-stir-shaken...](https://transnexus.com/whitepapers/understanding-stir-shaken/)

[2] [https://datatracker.ietf.org/wg/stir/about/](https://datatracker.ietf.org/wg/stir/about/)

------
endymi0n
Why would you want to censor free speech? In the proud land where companies
are free from unnecessary regulation in order to create unlimited growth, jobs
and opportunity?

Snark aside, sometimes I'm happy that the bureaucracy monster EU I
happen to live in simply forbids crap like this.

------
bootsz
I started using the Hiya app on my iphone a couple months ago and it has
basically stopped just about all spam calls. I was previously getting at least
1 a day. I'm using the free version.

[https://hiya.com/](https://hiya.com/)

~~~
jwineinger
I installed AT&T's Call Protect app over the holidays. It says it is powered
by Hiya. It has yet to block or even flag a spam call for me.

------
devereaux
Get a phone number in an area code far away from where you live, but where
there aren't too many overlapping prefixes so you can recognize them quickly.

Then any "local" call is likely to be spam. Filter as needed with a rule
matching this areacode.

~~~
bisby
I did this by moving across the country. Anytime I get a call that is "local"
to my phone number, I know it is not for me. (sometimes spam, sometimes
misdial, never someone I know (I have all their numbers in my phone already)).

Anytime I get a call that is local to my actual location, it's almost always
someone who has a legitimate need to get a hold of me (or my ISP trying to
upsell me to landline phone)

------
_bxg1
I've never understood how number spoofing can be so easy in the first place.
Are there no security mechanisms? Are numbers not somehow tied to a physical
line/sim card? We don't have a widespread problem with domain spoofing (when
it does happen it's because one of the mechanisms has been actively
compromised, not because there simply isn't one). I don't see how this is
different, aside from telco companies just not caring enough to do anything
about it.

I'm seriously wondering. If anybody can enlighten me, I'd appreciate it.

~~~
herodotus
When an organization makes an out-going call, they generally wish to show
their central number to the caller. So if someone from within Apple (for
example) called you, the caller ID would show the Apple general phone number,
rather than the actual caller's number. To achieve this, the business exchange
server that companies use has a field in which they can place any phone number
they choose. This field was seen by the designers of digital telephony
switching as merely a convenience feature for customers. Of course, the
"feature" is now widely abused. I think it would take much effort to come up
with a system that forced a legitimate number to be placed in that field.

~~~
_bxg1
You'd just need a "certificate authority" system like we have with domains.
Companies that wish to use a "virtual" phone number register as such with the
provider (they probably already do), and the provider keeps a whitelist of
those, which is enforced cryptographically. Email had the same problem before
MX records.

Maybe the challenge is doing all this in such a way that's compatible with
legacy systems, though I'd think all of the complexity would live on the
business exchange servers and the network itself, so "dumb" phones shouldn't
have to know the difference.

Either way, I've learned to never underestimate the laziness and capacity for
anti-consumerism of telecom companies.

------
shanecleveland
Just be glad your number is not being used as the spoofed number. Had this
happen to a coworker. He was getting hundreds of calls, voicemails and texts
from people wondering why he was calling/pranking them. I assume some people
just saw a missed call and were curious or have a business reason for
returning missed call. But it's amazing how many people don't understand what
was really happening, including people angry with him. It's gradually died
down over a few weeks. Carrier support line implied there is nothing they can
do.

------
enonevets
1\. I never pick up numbers I don't recognize.

2\. If a number I don't recognize calls but doesn't leave a voicemail or
follow up with a text, I ignore it so long as it doesn't call back. If it does
but the same pattern repeats where they don't leave any messages, I blacklist.

3\. If they do leave a voicemail and it's obvious this is spam, I blacklist.

Eventually with enough blacklists and repeatedly not picking up, I get maybe
3-4 spoof calls a month now. Not completely all gone but it sure has
diminished greatly.

------
EliRivers
Do you get a lot of phone calls from numbers you don't recognise that you do
want to answer? I can't remember the last time I answered the phone when it
was an unrecognised number.

~~~
tatersolid
My doctor once needed to reach me about something important. He called me from
a random desk phone at the hospital. My phone setup at the time rejected it
with no voicemail option for the caller.

Same thing happens in all sorts of real-life situations; whitelisting to
numbers in your contacts list can be a serious problem.

Cryptographically Authenticated caller ID, including a human or organization
name, seems to be the only real solution.

~~~
EliRivers
Sure. Thus far, anyone who really does need to reach me for something
important finds a way to do so that doesn't involve me answering their call. I
also don't bother with voicemail; turned it off. I never bothered checking it,
so it was creating unrealistic expectations that I'd get their message.

Sure, it's a risk. One day someone could try to phone me with life-or-death
information, completely out of the blue (if I was waiting for a life-or-death
call, I'd be expecting the phone to ring so might answer it). This is a risk I
choose to take, in exchange for not answering the phone. I'm usually not near
it anyway, so miss most calls as it is. It's the future, everyone; stop
answering the phone!

------
sirbranedamuj
I set my voicemail to something along the following lines:

"If I don't recognize your number or was not expecting your call, I am not
picking up the phone. If you need to reach me, leave a voicemail now or send
me a text. Otherwise, keep calling and I'll catch on eventually."

If I'm expecting a phone call, I tend to be more willing to pick up
unrecognized numbers. Otherwise, I don't pick up. If it's actually important,
the person can leave me a voicemail.

------
harshulpandav
Maybe I'm not aware or not done my homework. But I wonder if there's a service
that allows our phone number to be wrapped by another number. That way we can
give our original number to only trusted parties/family and the wrapper number
to outside world. In which case if we receive too many spam calls, we can
simply change the wrapper number.

~~~
filoleg
That sounds like Google Voice, that’s how it works for me:

You have one physical real number and one number that is attached to google
voice. You give the google voice one to random parties and the physical one to
your friends/family. All calls to google voice will still reach your real
phone, but they will be routed through google voice first. You can later
discard that number and get a different google voice number.

~~~
brightsize
GV will also ring >1 phone if you choose. So, for example, an inbound call to
your GV number could ring both your cell and landline phones and you pick up
the one that's more convenient for you.

------
51lver
I'd like a way to prompt callers to confirm it's a human before ringing my
phone. "Please press one to continue your call or wait to be directed to
voicemail". I do not want to give google control of my phone number though, so
google voice is out. A native android app would be better.

Hell, tmobile should offer this as a free service.

~~~
cheald
Android kind of does this (at least on my Pixel). It rings, but I have a
"screen call" button that says "this person's using a screening service, tell
us who you are and why you're calling". It answers the call and transcribes
any response to text for me to read. If I want, I can pick up the phone.

It's functionally just an answering machine, but it's well executed. Most
spammers just bounce off as soon as it picks up.

~~~
51lver
that's pretty close to what I want in a FOSS app. So how could a normal person
create that without purchasing a second phone line, or giving up control of
their existing line?

Answering my own question...
[https://stackoverflow.com/questions/26924618/how-can-incomin...](https://stackoverflow.com/questions/26924618/how-can-incoming-calls-be-answered-programmatically-in-android-5-0-lollipop)

------
richardknop
I only answer phone calls from people in my contact list. So if I get a phone
call and it shows a number on the screen instead of name (Mom, Hassan, Seb
etc), that means it’s somebody not in my contacts list, so I ignore it. The
only exception is when I am expecting a scheduled call (interview or
something).

------
tonyquart
It's called spoofing. I think there's nothing we can do about this except
ignoring those calls and keep spreading the word to everyone about these spam
calls. Almost every day I find reports about such calls at sites like
[http://whycall.me](http://whycall.me).

------
chmielewski
2600 says to forward them to voicemail and have your greeting start with the
three-toned telecom information sound (bee baaaugh eeeeeep... at least in the
US). Then they will likely take you out of their system as they identify that
the number is not in service.

------
boonez123
We need to fight back and create AI to carry on a dialogue with the spam
caller as long as possible.

~~~
sxates
Check out the Jolly Roger AI:

[https://www.youtube.com/channel/UC3OxCWLEmoIhNMm-hnvBm9Q](https://www.youtube.com/channel/UC3OxCWLEmoIhNMm-hnvBm9Q)

------
skraelingjar
I have a free google voice number that I give out like candy in lieu of the
main number I've had for years and all calls to it are automatically sent to
voicemail. I also use the default answering message. This has cut down on 90%
of spam calls for me.

~~~
sxates
Not sure how that helps people whose main number is already 'in the wild'.

~~~
blang
Port your number:
[https://support.google.com/voice/answer/1065667?hl=en](https://support.google.com/voice/answer/1065667?hl=en)

------
synaesthesisx
This is especially frustrating using an iOS device, as Apple still hasn't
fixed incoming call notifications (if you get a call while using your device
it takes up the whole screen, rather than a banner)

------
typealias
Last year I built an automated call screener using Google’s cloud speech APIs.

Extremely effective, runs headless on a $5 VPS box by proxying calls through
VoIP, but the added latency is a bit of a no-go.

------
soared
If you have AT&T they have an app called AT&T Call Protect which is pretty
good at blocking fraud/spam calls. Free version is fine, haven't used the paid
version.

------
sl1ck731
Wait until millennials are the oldest generation and these calls preying on
older and unknowing people aren't profitable to make anymore.

~~~
51lver
Our kids are going to reject phone calls like we reject faxes...

------
charleshan
One solution would be to make an automated filter for all my calls with the
ability to manage a whitelist.

Is there an app for this?

~~~
typealias
Depends if you’re on iOS or Android. iOS really only supports blacklisting
with the exception of Do Not Disturb contact/favorite whitelisting.

------
eddie_31003
Every number not in my contact lists gets sent to Voicemail initially. My vm
is full btw. lulz....

------
amboo7
Just use Truecaller app.

