Ask HN: What can we do about spam calls with spoofed numbers?
40 points by charleshan 36 days ago
I received 14 spam calls in the past two days. I just called back one of the numbers and the person on the other end was not the person that called me. She told me that this has been happening to her too.

It looks like spammers are using other people's numbers to make these calls. What can we do to stop this?

I had the same problem. What helped me was I simply stopped answering any calls from numbers I didn't recognize. After a while, I stopped getting spam calls. My guess is after a while, these spammers eventually mark a number as defunct or unresponsive and stop calling. If someone I know is calling me and I don't answer, they can always text, email, etc me.

Interestingly, a while back, I got a call from a number that looked so familiar but I didn't recognize. I didn't answer but I couldn't get that number out of my mind. So I started looking through my contacts to see if it was someone I knew. Turns out, it was my own number. I couldn't believe it. These spammers were somehow spoofing my own number to call me.

"Spoofing" caller ID is a feature, not a bug or hack. Pretty much all VoIP providers let you send a callerID name/number [1]. If they don't, it's because they've done extra work to explicitly block it. If you're using Asterisk, for example, setting the number is a simple command [2] before you call the dial command, and is trivial to script.

CallerID name is more complex [3], as some providers will pass it along and some won't, and the termination provider (the one that receives the call) may or may not accept it. However, many VoIP providers have a way to register CNAM entries; this just also isn't totally reliable due to the way CNAM database sharing works [4].

Take away is: CallerID name and number are ENTIRELY unreliable as a means of identification or authentication. In fact, the only thing it's really useful for these days is that if you get a call from a number in your contact list, it probably really is that person because it's unlikely that (a) by random chance the spammer chose a number that is in your contacts, and (b) has compromised your contact list and is using it to choose caller ID numbers.

[1] https://en.wikipedia.org/wiki/Caller_ID_spoofing#Technology_...

[2] https://www.voip-info.org/setting-callerid/

[3] https://en.wikipedia.org/wiki/Caller_ID_spoofing#Caller_name...

[4] https://www.onsip.com/blog/how-caller-id-works-why-it-might-...

> "Spoofing" caller ID is a feature, not a bug or hack

So were anonymous e-mail resenders and open proxies in a more genteel and dignified age.

Today, clearly the feature is being misused too much, so we need to shut it down. Make the CEO of any telecom company who forwards a spoofed call personally liable for 100k in damages and that problem is solved. Some businesses may want a callback to go to their main-number, but frankly if somebody calls me I want a way to call them back.

I agree. I didn't mean to imply it's a GOOD feature, just that it's not an exploit of any kind.

The ability to set your outgoing number is very useful for a number of reasons, but only being able to do it from a list of numbers you've verified you have ownership of would go a long way. They could even do something similar to how SSL providers do domain verification.

I could live with that, but I really would want to call back e.g my bank, and not end up in a phone tree.

Ah, I see. Unfortunately that's an aspect of the way the PBX is set up, and nothing to do with how caller ID works specifically. Most extensions don't have a DID (direct inward dial [1]) number, and unfortunately many inbound routing setups (especially for call centers) have no way -- or at least no advertised way -- to get to a spot where outside callers can dial an extension. For most PBX systems (eg, freepbx [2]) it's an option whether to allow direct extension dialing as part of the IVR.

[1] https://en.wikipedia.org/wiki/Direct_inward_dial

[2] https://wiki.freepbx.org/display/FPG/IVR+Module+User+Guide#I...

I set up Tasker[1] with a profile to reject incoming calls if the caller is not in my contacts. As an individual, that or DND settings are most effective.

Consumers as a group can contact regulators or legislators to urge this be fixed. The technological fix is not that difficult: telcos should whitelist numbers for specific customers so a customer can only use a number as outbound caller id if they are assigned or have otherwise validated the number. Reputable providers like Twilio already do this. This solves the oft-repeated claim that there are legitimate reasons to "spoof" caller id. You can't say it's spoofing if it's your number and you're the one calling...

But telcos don't do this. They don't care if caller ID is accurate, because their customers don't care if caller ID is accurate; most pay for it anyway.

[1]: http://tasker.joaoapps.com/

Move to another part of the country.

I got my current phone number when I first moved to the US. Now I live on the other side of the country. The spam callers always use the same area code as my phone number in an attempt to appear like local numbers. Anytime I get a call from a California number that isn't in my phone I can safely ignore it.

I can confirm. I am in the same situation and it works well, although I still hate distraction these calls produce.

Works in Canada too.

But the more people do it, the less useful it will become.

Looking at my log, <50% are from my same area code.

There's not much you as an individual can do to stop it. I have the same issue with Comcast filling my PO Box with shitloads of junkmail.

The phone system is designed to accept anyone calling on it, and there's no authentication mechanisms in place for securing it since it all has to interoperate and is built on dated standards.

There are basically two solutions to stopping the problem (instead of treating the symptom). The first is to increase costs to make phone calls (voip made this basically free and it gets abused). This was the old deterrent.

The other is to have providers work on an authentication method for their network, they are starting to do this with STIR/SHAKEN: https://transnexus.com/whitepapers/stir-and-shaken-overview/

Legislation won't help unless it is on the providers to require authentication.

Note that you can combine the two approaches: Small charges for unverified calls and zero charge for verified ones. This seems to get the best of both worlds.

Why is voip basically free for mass abuse, but expensive for individuals and legitimate organizations? I would love a few dozen phone numbers, but I don't see any free options other than google voice.

MySudo used to be a free option for up to 9 VoIP numbers but they’ve moved to paid plans (1#/$1/month, 3#s/$5/month, and 9#s/$15/month) [0].

[0] https://mysudo.com/plans

Catalog Choice[0] has really helped cut down on the junk mail I receive.

[0] https://catalogchoice.org

Individual solutions: "Do not disturb" mode that only rings for contacts, using one of the robocall-blocking apps (eg Nomorobo).

Industry solutions are supposedly forthcoming - see STIR/SHAKEN standards for caller verification. T-Mobile says they're doing something with this: https://www.t-mobile.com/news/caller-verified-note9

I added two entries to my contacts:



...when the calls reach a certain volume, I just forward all calls immediately to voicemail, which also says, "I don't answer this phone anymore -- leave me an email."

After a few days or a week, I turn phone back on and see how it goes.

It ebbs and flows.

For business calls, I direct everything to Google Voice.

For personal, my friends/family know they can still FaceTime me or text me and I'll call back.

I don't actually get a lot of calls to my cellphone, and would gladly pay for data without calling.

From a previous thread, here or on Reddit:

"You actually can turn off cellular network calling altogether, if you are willing to do that.

Dial (star)#67# (or call 611 if it doesn't show up there) to see what number your voicemail center is. Then dial (star)21(star)1(that number)#. That will automatically forward all calls, at the network level, to your voicemail.

To cancel this, dial #21#."

I'm not sure what you mean by this...what do the "PHONE on" and "PHONE off" contacts do?

Those contacts are used to dial the special number to enable or disable forwarding all calls directly to voicemail.

First thing (before the problem you're trying to address): There is a "do not call" registry. For reasons that I do not understand, (most) spammers respect it for our home phone, but not for cell phones. That thing needs to have teeth in it - like, sending-people-to-jail kinds of teeth. It's a travesty that spammers can just run all over that registry.

If that were in place, then the answer would be "put your number on the do not call list". But for whatever reason, that fix doesn't currently work.

On, then, to the problem you're trying to address. It needs to become illegal and/or technologically impossible to spoof caller ID to a number that you don't own. That is, if you're Apple, and you want all your outgoing calls to present as your main number, that's fine, because you own that number. But masquerading as a number you don't own? No way. It needs to be either impossible or illegal, preferably both.

But what about someone who's, for example, a whistleblower, and can't give out their number without blowing their identity? They could still block the number, but not change it. The caller ID shows up as "Unavailable" or "Blocked" (I just had one of those while making this comment, in fact.) The recipient can then decide to reject that call simply because of the lack of caller ID (as I in fact did).
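The rule several comments above propose (a customer may present only a number it is assigned or has verified, and may withhold its number but not change it), sketched as an added example that is not part of the thread and not any provider's code. `Account`, `screen_outbound` and the 555-01xx numbers are constructed for illustration, and normalization assumes North American numbers.

```python
import re
from dataclasses import dataclass, field
from typing import Optional, Set

ANONYMOUS = "anonymous"  # caller asks to withhold the number (shown as "Blocked")


def normalize(number: str) -> str:
    """Reduce a presented number to E.164 so formatting tricks cannot dodge the check.

    Assumption: bare 10- or 11-digit numbers are North American (+1).
    """
    raw = number.strip()
    digits = re.sub(r"\D", "", raw)
    if raw.startswith("+"):
        pass  # already carries a country code
    elif len(digits) == 10:
        digits = "1" + digits
    elif not (len(digits) == 11 and digits.startswith("1")):
        raise ValueError(f"cannot interpret caller ID {number!r}")
    if not 8 <= len(digits) <= 15:
        raise ValueError(f"not a plausible E.164 number: {number!r}")
    return "+" + digits


@dataclass
class Account:
    """A provider customer and the numbers it has proven it controls (hypothetical model)."""
    account_id: str
    default_number: str
    verified: Set[str] = field(default_factory=set)

    def __post_init__(self):
        self.default_number = normalize(self.default_number)
        self.verified.add(self.default_number)

    def add_verified(self, number: str) -> None:
        # Called only after an ownership check, e.g. a code read back on that line.
        self.verified.add(normalize(number))


@dataclass(frozen=True)
class Decision:
    action: str               # "allow", "withhold", "rewrite" or "reject"
    presented: Optional[str]  # number the called party will see, if any
    reason: str


def screen_outbound(account: Account, requested: Optional[str], strict: bool = True) -> Decision:
    """Decide which caller ID an outbound call may carry."""
    if not requested:
        return Decision("allow", account.default_number, "no override requested")
    if requested.strip().lower() == ANONYMOUS:
        # Withholding a number is permitted; substituting someone else's is not.
        return Decision("withhold", None, "caller ID withheld at caller's request")
    try:
        number = normalize(requested)
    except ValueError as exc:
        return Decision("reject", None, str(exc))
    if number in account.verified:
        return Decision("allow", number, "number verified for this account")
    if strict:
        return Decision("reject", None, f"{number} not verified for {account.account_id}")
    # Lenient mode: place the call, but present the account's real number.
    return Decision("rewrite", account.default_number, f"{number} not verified; default used")


if __name__ == "__main__":
    acct = Account("acct-001", "+1 202 555 0100")   # constructed sample account
    acct.add_verified("(202) 555-0147")             # e.g. the company's main line
    for cid in [None, "202-555-0147", "202-555-0148", ANONYMOUS, "not-a-number"]:
        print(repr(cid), "->", screen_outbound(acct, cid))
```
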

This isn't a solution for most people, but I started using the "screen call" button on my Pixel 2 for numbers I don't know, and it's been great. The illegal telemarketers will just hang up, and the number of calls I get have steadily declined.

Screen call is such a good feature. For those that don't know, Pixel devices allow you to press a "Screen Call" button when you receive a call.

For the caller, they'll hear a Google Assistant voice that says, "Hi, the person you're calling is using a screening service from Google and will get a copy of this conversation. Go ahead and say your name and why you're calling."

As the caller speaks, the conversation is transcribed in real-time to your phone. If you know the person, you can pick up. If it's a spam call, you can press "Block Number and Report Spam."

It's an okay feature. The feature I really wish they had is to auto-reject any calls not on my contact list. I'm just glad they finally added auto-rejecting any calls considered spam by their systems.

Would this be a great app for the rest of us that do not have a pixel 2 device?

Google Voice has a similar screening service. From the GV help forum ...

"when call screening is enabled:

If the caller's name and phone number are in your Google Contacts, or the caller is a business known to Google (e.g. it shows up in Google Maps with an information box), then that name will be played to you. If the caller's number is not in either of those places, then their calls will be screened every time, until/unless you add them to Contacts."

This is probably never going to happen... But, IMHO, I think the best way would be to implement a very small fee for each call placed. Even if it was a penny or a few cents, most people, if not all will never feel that but it would put most of the robo-callers out of business since they place thousands if not millions of calls per month.

hmm maybe i should switch to a 1900 number


There's a company that implemented this for email using cryptocurrency. https://bitbounce.com/

Any unfamiliar senders get an autoreply asking for them to pay a fee to send the email. You as the receiver get paid this fee (-30%) for each email received (not read)

Interesting. Also, there used to be a feature for cell phones that was called "Caller Pays" where the caller paid to place a call to you (back when they charged you per minute to talk on a cell phone) but of course the cell company kept the money. But maybe cell companies could come up with something like that now but the customer gets the fee. For friends who call one another, it would cancel each other's fees out over time but it would put scammers out of business.

You're receiving a collect call from "imattheairportnowpickmeupplease" would you like to accept this call?

Bob Wehadababyitsaboy on line two.


It's absurd that there aren't more steps being taken.

Just this morning I had 4 calls between 5 and 8:00, and I can't turn my phone off. (On-call for work.)

Our government is busy shutting itself down over nonsense, yet pathological problems that are meaningfully impacting citizens are going entirely unmanaged for years. (To the FCC's credit, STIR/SHAKEN is a good step but I think it's very much a too-little-too-late situation; I haven't been able to empty my voicemail box in years lest it get filled up again within a day by spam.)

To make this not just be a rant (and since I see others who are concretely affected in similar ways) Shouldn't we be pursuing our govts/reps to be more aggressive in everything from investigating and prosecuting violations (spammers) to ensuring proper incentives for carriers to help defend against this? Is there anyone who has been a champion for this in the past?

I get ten to twenty a day. If I'm bored and have a few minutes I'll answer and waste the person's time by asking vague questions.."oh which car warranty is expiring?". "oh which student loan are you referring to?". Which credit card?, Huh do you work for United healthcare? Because that's my insurance provider, you should know that already.

They either hang up or start shotgunning large company names. I try to stall them a bit.

Then aggressively use Google fi to block and report as spam.

It's ridiculous that cell networks actively allow this. This should not be possible. And for US based spammers, they should arrest and prosecute every single person at the company. No exceptions. You are involved in a criminal conspiracy to commit fraud. Fuck throw RICO their way.

Many of the operations are overseas but there are plenty in the US.

I made https://phoneprivacy.co which lets you have multiple phone numbers. I use it for separating my life (family, friends, etc)

Also helps with bots because it gives off number disconnected signal not just forwarding them to a voicemail or something, which I think helps kill it pretty quick.

You can do whitelists (no one but these people can get through) or blacklists (everyone but these people can get through).

Let me know your thoughts. Additionally there are others that do similar things, but I built mine out of this pain. :)

Ha. Got a spam call exactly when I started typing this response.

Honest to god, the new call screening feature on my Pixel is the most useful new feature from my phone in the last 5 years.

I simply changed the way I screened calls.

If I don't recognize your number, I immediately send it to voicemail. If it's something I need to worry about, I call back.

My hope is that eventually spam callers will catch on to the fact that they've had no hits on my number and drop me from the list. I assume that no amount of interaction I have with them will get me off the list, so I simply choose not to interact with them.

Broadly speaking, you could also probably set up Do Not Disturb settings on your device, and I'd love it if we could filter calls unless they're from specific people during a specific time (e.g. family calls during work).

Long term, the best way we fight this is with our vote. The current FCC administration seems uninterested in this problem, and I think voting in a new administration may provide different results. Engage with your federal representatives as well!

> I'd love it if we could filter calls unless they're from specific people during a specific time (e.g. family calls during work).

You can do this on android. I usually have Do Not Disturb enabled while I work and I put my buzzer number on the whitelist for deliveries.

I use an Apple device- I haven't dug too deeply into what I can do here, but it's my next mini-project.

At a minimal level, Apple also provides a do-not-disturb mode that ignores everything but calls from contacts that you specifically add to your "favorites" list.

just silence the ringer on calls you don't recognize and let them ring out to voicemail (leaks a little less information that way).

I believe international telecom industries are working[1][2] on it. I don't know an ETA. I signed up on their mailing list without knowing what to expect. The content of each email is beyond me but looking at the clout on the email signatures convinced me this was a serious and viable movement.

TLDR; this is a technical approach to preventing number spoofing except where authorized. Presumably to be implemented by the international telecom industry.

[1] https://transnexus.com/whitepapers/understanding-stir-shaken...

[2] https://datatracker.ietf.org/wg/stir/about/

Why would you want to censor free speech? In the proud land where companies are free from unnecessary regulation in order to create unlimited growth, jobs and opportunity?

Snark aside, sometimes I'm happy that the bureaucracy monster EU I happen to live in simply forbids crap like this.

I started using the Hiya app on my iphone a couple months ago and it has basically stopped just about all spam calls. I was previously getting at least 1 a day. I'm using the free version.


I installed AT&T's Call Protect app over the holidays. It says it is powered by Hiya. It has yet to block or even flag a spam call for me.

Get a phone number in an area code far away from where you live, but where there aren't too many overlapping prefixes so you can recognize them quickly.

Then any "local" call is likely to be spam. Filter as needed with a rule matching this areacode.

I did this by moving across the country. Anytime I get a call that is "local" to my phone number, I know it is not for me. (sometimes spam, sometimes misdial, never someone I know (I have all their numbers in my phone already)).

Anytime I get a call that is local to my actual location, it's almost always someone who has a legitimate need to get a hold of me (or my ISP trying to upsell me to landline phone)

I've never understood how number spoofing can be so easy in the first place. Are there no security mechanisms? Are numbers not somehow tied to a physical line/sim card? We don't have a widespread problem with domain spoofing (when it does happen it's because one of the mechanisms has been actively compromised, not because there simply isn't one). I don't see how this is different, aside from telco companies just not caring enough to do anything about it.

I'm seriously wondering. If anybody can enlighten me, I'd appreciate it.

When an organization makes an out-going call, they generally wish to show their central number to the caller. So if someone from within Apple (for example) called you, the caller ID would show the Apple general phone number, rather than the actual caller's number. To achieve this, the business exchange server that companies use has a field in which they can place any phone number they choose. This field was seen by the designers of digital telephony switching as merely a convenience feature for customers. Of course, the "feature" is now widely abused. I think it would take much effort to come up with a system that forced a legitimate number to be placed in that field.

You'd just need a "certificate authority" system like we have with domains. Companies that wish to use a "virtual" phone number register as such with the provider (they probably already do), and the provider keeps a whitelist of those, which is enforced cryptographically. Email had the same problem before MX records.

Maybe the challenge is doing all this in such a way that's compatible with legacy systems, though I'd think all of the complexity would live on the business exchange servers and the network itself, so "dumb" phones shouldn't have to know the difference.

Either way, I've learned to never underestimate the laziness and capacity for anti-consumerism of telecom companies.

I as a consumer however do not wish to have to navigate a phone tree to get back to whomever left me a voice mail.

As I suggested elsewhere you make the CEO personally liable and a technical solution will be found. It will probably just mean that the telephone company sent the relevant information and ignored what came from the subscriber.

If you have the time listen to this:


it gives a lot of information about the subject

Just be glad your number is not being used as the spoofed number. Had this happen to a coworker. He was getting hundreds of calls, voicemails and texts from people wondering why he was calling/pranking them. I assume some people just saw a missed call and were curious or have a business reason for returning a missed call. But it's amazing how many people don't understand what was really happening, including people angry with him. It's gradually died down over a few weeks. Carrier support line implied there is nothing they can do.

1. I never pick up numbers I don't recognize.

2. If a number I don't recognize calls but doesn't leave a voicemail or follow up with a text, I ignore it so long as it doesn't call back. If it does but the same pattern repeats where they don't leave any messages, I blacklist.

3. If they do leave a voicemail and it's obvious this is spam, I blacklist.

Eventually with enough blacklists and repeatedly not picking up, I get maybe 3-4 spoof calls a month now. Not completely all gone but it sure has diminished greatly.

Do you get a lot of phone calls from numbers you don't recognise that you do want to answer? I can't remember the last time I answered the phone when it was an unrecognised number.

My doctor once needed to reach me about something important. He called me from a random desk phone at the hospital. My phone setup at the time rejected it with no voicemail option for the caller.

Same thing happens in all sorts of real-life situations; whitelisting to numbers in your contacts list can be a serious problem.

Cryptographically Authenticated caller ID, including a human or organization name, seems to be the only real solution.

Sure. Thus far, anyone who really does need to reach me for something important finds a way to do so that doesn't involve me answering their call. I also don't bother with voicemail; turned it off. I never bothered checking it, so it was creating unrealistic expectations that I'd get their message.

Sure, it's a risk. One day someone could try to phone me with life-or-death information, completely out of the blue (if I was waiting for a life-or-death call, I'd be expecting the phone to ring so might answer it). This is a risk I choose to take, in exchange for not answering the phone. I'm usually not near it anyway, so miss most calls as it is. It's the future, everyone; stop answering the phone!

I set my voicemail to something along the following lines:

"If I don't recognize your number or was not expecting your call, I am not picking up the phone. If you need to reach me, leave a voicemail now or send me a text. Otherwise, keep calling and I'll catch on eventually."

If I'm expecting a phone call, I tend to be more willing to pick up unrecognized numbers. Otherwise, I don't pick up. If it's actually important, the person can leave me a voicemail.

Maybe I'm not aware or not done my homework. But I wonder if there's a service that allows our phone number to be wrapped by another number. That way we can give our original number to only trusted parties/family and the wrapper number to outside world. In which case if we receive too many spam calls, we can simply change the wrapper number.

That sounds like Google Voice, that’s how it works for me:

You have one physical real number and one number that is attached to google voice. You give the google voice one to random parties and the physical one to your friends/family. All calls to google voice will still reach your real phone, but they will be routed through google voice first. You can later discard that number and get a different google voice number.

GV will also ring >1 phone if you choose. So, for example, an inbound call to your GV number could ring both your cell and landline phones and you pick up the one that's more convenient for you.

I'd like a way to prompt callers to confirm it's a human before ringing my phone. "Please press one to continue your call or wait to be directed to voicemail". I do not want to give google control of my phone number though, so google voice is out. A native android app would be better.

Hell, tmobile should offer this as a free service.

Android kind of does this (at least on my Pixel). It rings, but I have a "screen call" button that says "this person's using a screening service, tell us who you are and why you're calling". It answers the call and transcribes any response to text for me to read. If I want, I can pick up the phone.

It's functionally just an answering machine, but it's well executed. Most spammers just bounce off as soon as it picks up.

that's pretty close to what I want in a FOSS app. So how could a normal person create that without purchasing a second phone line, or giving up control of their existing line?

Answering my own question... https://stackoverflow.com/questions/26924618/how-can-incomin...

I only answer phone calls from people in my contact list. So if I get a phone call and it shows a number on the screen instead of name (Mom, Hassan, Seb etc), that means it’s somebody not in my contacts list, so I ignore it. The only exception is when I am expecting a scheduled call (interview or something).

It's called spoofing. I think there's nothing we can do about this except ignoring those calls and keep spreading the word to everyone about these spam calls. Almost everyday I find reports about such calls at sites like http://whycall.me.

2600 says to forward them to voicemail and have your greeting start with the three-toned telecom information sound (bee baaaugh eeeeeep... at least in the US). Then they will likely take you out of their system as they identify that the number is not in service.

We need to fight back and create AI to carry on a dialogue with the spam caller as long as possible.

I have a free google voice number that I give out like candy in lieu of the main number I've had for years and all calls to it are automatically sent to voicemail. I also use the default answering message. This has cut down on 90% of spam calls for me.

Not sure how that helps people whose main number is already 'in the wild'.

This is especially frustrating using an iOS device, as Apple still hasn't fixed incoming call notifications (if you get a call while using your device it takes up the whole screen, rather than a banner)

Last year I built an automated call screener using Google’s cloud speech APIs.

Extremely effective, runs headless on a $5 VPS box by proxying calls through VoIP, but the added latency is a bit of a no-go.

If you have AT&T they have an app called AT&T Call Protect which is pretty good at blocking fraud/spam calls. Free version is fine, haven't used the paid version.

Wait until millennials are the oldest generation and these calls preying on older and unknowing people aren't profitable to make anymore.

Our kids are going to reject phone calls like we reject faxes...

One solution would be to make an automated filter for all my calls with the ability to manage a whitelist.

Is there an app for this?

Depends if you’re on iOS or Android. iOS really only supports blacklisting with the exception of Do Not Disturb contact/favorite whitelisting.

Every number not in my contact lists gets sent to Voicemail initially. My vm is full btw. lulz....

Just use Truecaller app.

