The Phone Call That Cost One Company $23.5 Million

In 2024, a finance executive at a multinational firm in Hong Kong joined a video call with what appeared to be the company's CFO and several colleagues. Every face on screen was a deepfake. The voice on the phone that initiated the meeting? A spoofing caller using technology that costs less than a streaming subscription. The executive transferred $25.6 million across 15 transactions before anyone realized something was wrong.

That incident made headlines, but it wasn't unique. The FBI's IC3 received over 880,000 complaints in 2023, with losses exceeding $12.5 billion — and business email compromise schemes, which increasingly start with a spoofed phone call, accounted for a massive share. Caller ID spoofing is the gateway drug for social engineering. If your organization doesn't train employees to recognize and respond to spoofing caller tactics, you're leaving the front door wide open.

This post breaks down exactly how caller ID spoofing works, why it's devastatingly effective, and the specific steps you can take to protect your organization today.

What Is a Spoofing Caller, Exactly?

A spoofing caller is anyone who deliberately falsifies the information transmitted to your caller ID display. The goal is simple: make you trust the call. The number might appear to come from your bank, your IT department, a government agency, or even your own company's main line.

This isn't theoretical. It's trivially easy. VoIP services and SIP trunking let anyone set an outbound caller ID to virtually any number. Dedicated spoofing services exist openly on the internet. A threat actor doesn't need to be a hacker — they need a credit card and five minutes.

How the Technology Works Behind the Scenes

Traditional phone networks use Signaling System 7 (SS7), a protocol designed in the 1970s with zero authentication for caller identity. When a call routes through VoIP gateways, the originating number is simply a field in the SIP header — editable by anyone running the call. There's no cryptographic verification, no certificate authority, no chain of trust.

The STIR/SHAKEN framework, mandated by the FCC, was supposed to fix this. It adds digital signatures to calls so carriers can verify that a call actually originated from the claimed number. But here's the reality I've seen: STIR/SHAKEN only works on IP-based networks. Calls that touch legacy TDM infrastructure — and millions still do — lose their attestation. Threat actors know this and route calls accordingly.

Why Spoofing Caller Attacks Work So Well

I've run social engineering assessments for organizations of all sizes, and phone-based attacks consistently outperform email phishing in terms of success rate. Here's why.

Authority Bias Is Hardwired

When your phone displays "IRS," "Microsoft Support," or your company's own help desk number, your brain shifts into compliance mode. Research in behavioral psychology confirms that perceived authority figures bypass critical thinking. A spoofing caller exploits this reflex before you even say hello.

Urgency Eliminates Deliberation

Email gives you time to hover over links, check headers, and think. A phone call doesn't. The threat actor controls the pace. They create urgency — "Your account has been compromised, I need to verify your identity right now" — and your employee responds in real time with no chance to consult a colleague or check a policy.

Caller ID Is Treated as Proof of Identity

This is the core problem. Most people — including trained professionals — treat caller ID as authentication. It isn't. It never was. It's a display field that anyone can set. Until your entire workforce internalizes this, spoofing caller attacks will keep succeeding.

Real-World Spoofing Caller Attack Patterns

These aren't hypothetical scenarios. These are patterns I've encountered repeatedly and that show up in federal advisories.

The IT Help Desk Impersonation

The attacker spoofs your internal help desk number and calls an employee. "We're seeing unusual login activity on your account. I need you to reset your password through this link I'm texting you." The link goes to a credential theft page. The employee complies because the caller ID matched the real help desk. Multi-factor authentication codes get handed over in the same call. This is how attackers bypass MFA in real time — a technique called MFA fatigue or real-time phishing relay.

The Vendor Payment Redirect

A spoofing caller impersonates a known vendor's accounts receivable department. They reference a real invoice number (obtained from a prior data breach or compromised email) and request the next payment go to "updated" bank details. The Verizon 2024 Data Breach Investigations Report found that pretexting — the core of these calls — was involved in 25% of financially motivated breaches.

The Government Agency Threat

CISA has issued repeated warnings about calls spoofing government numbers. The attacker claims to be from the IRS, Social Security Administration, or even law enforcement. They threaten arrest, asset seizure, or legal action unless the target provides personal information or immediate payment. These calls target individuals but also hit corporate finance and HR departments.

The $4.88M Lesson Most Organizations Learn Too Late

IBM's Cost of a Data Breach Report 2024 put the global average cost of a data breach at $4.88 million. Social engineering — including phone-based attacks — was a top initial attack vector. And here's what I keep telling clients: the breach doesn't start when the ransomware detonates. It starts when an employee trusts a spoofed caller ID and hands over credentials.

Security awareness training isn't optional anymore. It's a control that directly reduces your attack surface. Organizations that invest in regular security awareness training reduce phishing and social engineering susceptibility rates dramatically. But it has to cover voice-based attacks — not just email.

If your team hasn't trained specifically on phone-based social engineering, start with a comprehensive cybersecurity awareness training program that covers vishing, pretexting, and caller ID spoofing scenarios alongside traditional phishing content.

How to Detect a Spoofing Caller

Detection isn't foolproof, but these signals should trigger immediate skepticism in any employee.

  • Unexpected urgency: Any caller demanding immediate action — password resets, wire transfers, data disclosure — without prior context is suspect.
  • Requests for credentials or MFA codes: No legitimate IT department, bank, or government agency will ask for your password or one-time code over the phone. Ever.
  • Callback resistance: If the caller discourages you from hanging up and calling back on a verified number, that's the single biggest red flag.
  • Slight audio anomalies: VoIP-originated spoofed calls sometimes have minor latency, echo, or compression artifacts that differ from normal calls on your system.
  • Mismatched knowledge: The caller may know your name and department (from LinkedIn or a prior breach) but stumble on internal details only a real colleague would know.
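The signals above are for the person on the phone. The same skepticism can be applied on the PBX or session border controller side, where two indicators are cheap to check: a call that presents one of your own numbers but arrives over an external carrier trunk, and a call the carrier has already marked as failing STIR/SHAKEN validation. The script below is an added example, not code from this post; the record format, trunk names and phone numbers are constructed for the demo, and the verstat values follow the convention carriers use to pass a STIR/SHAKEN result downstream to the customer.

```python
"""Triage inbound call records for caller-ID spoofing indicators.

Added example, not code from the original post. The record format,
trunk names, numbers and verdict values are constructed for the demo;
a real PBX or SBC export looks different, so parse_cdr() is the part
to adapt. The verstat values follow the convention carriers use to
pass a STIR/SHAKEN result downstream.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: one inbound call record per line.
SAMPLE_CDR = """\
2024-05-02T09:14:03Z trunk=pstn-carrier-1 from=+12015550134 to=+12015550100 verstat=TN-Validation-Passed
2024-05-02T09:16:41Z trunk=pstn-carrier-1 from=+12015550100 to=+12015550142 verstat=No-TN-Validation
2024-05-02T09:20:12Z trunk=internal-pbx from=+12015550100 to=+12015550142 verstat=-
2024-05-02T09:25:55Z trunk=pstn-carrier-2 from=+18005550199 to=+12015550142 verstat=TN-Validation-Failed
2024-05-02T09:31:07Z trunk=pstn-carrier-1 from=+12125550188 to=+12015550142 verstat=TN-Validation-Passed
"""

# Constructed: the organisation's own published numbers. +12015550100 plays
# the role of the help desk line; +12015550142 is an employee's direct line.
OWN_NUMBERS = {"+12015550100", "+12015550142"}
# Trunks that carry calls in from outside the organisation.
EXTERNAL_TRUNKS = {"pstn-carrier-1", "pstn-carrier-2"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) trunk=(?P<trunk>\S+) from=(?P<frm>\S+) "
    r"to=(?P<to>\S+) verstat=(?P<verstat>\S+)$"
)


@dataclass
class Finding:
    ts: str
    frm: str
    to: str
    reasons: list = field(default_factory=list)


def parse_cdr(text: str) -> list:
    """Parse the constructed record format into dicts; skip malformed lines."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def triage(records: list) -> list:
    """Return a Finding for every record that shows a spoofing indicator."""
    findings = []
    for r in records:
        reasons = []
        # Our own number should not arrive from the public network: a call
        # from the help desk to a colleague never leaves the internal PBX.
        if r["trunk"] in EXTERNAL_TRUNKS and r["frm"] in OWN_NUMBERS:
            reasons.append("own number presented on external trunk")
        # The carrier checked the STIR/SHAKEN signature and it did not hold up.
        if r["verstat"] == "TN-Validation-Failed":
            reasons.append("carrier reported STIR/SHAKEN validation failure")
        if reasons:
            findings.append(Finding(r["ts"], r["frm"], r["to"], reasons))
    return findings


def triage_sample() -> list:
    """Run the triage over the constructed sample records."""
    return triage(parse_cdr(SAMPLE_CDR))


if __name__ == "__main__":
    for f in triage_sample():
        print(f.ts, f.frm, "->", f.to, "|", "; ".join(f.reasons))
```

Two caveats when you adapt this. An own-number hit is a strong signal but not proof: call forwarding or a mobile configured to present a company number can produce the same record, so the right response is to route such calls to the callback policy rather than drop them. And because verstat travels in a SIP header, it is only trustworthy if your SBC strips any verstat that arrives from a peer you have not contracted with and keeps only the value your carrier sets.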

Seven Specific Steps to Stop Spoofing Caller Attacks

1. Implement a Callback Verification Policy

This is the single most effective control. Any request involving money, credentials, access changes, or sensitive data must be verified by hanging up and calling back on a number from your internal directory — not the number displayed on the caller ID. Make this policy written, trained, and enforced.

2. Train Employees on Vishing, Not Just Email Phishing

Most phishing simulation programs focus exclusively on email. That leaves a massive blind spot. Run phone-based social engineering simulations alongside email campaigns. A dedicated phishing awareness training program for organizations should include vishing scenarios that test whether employees verify caller identity before complying with requests.

3. Deploy STIR/SHAKEN and Call Authentication

Work with your telecom provider to ensure STIR/SHAKEN attestation is active on your lines. While it won't stop every spoofing caller, it adds a layer of verification. Ask your provider specifically about attestation levels (A, B, or C) for your outbound calls and how inbound calls are scored.
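To make the attestation levels concrete, and to show what "the originating number is simply a field in the SIP header" looks like next to the signed claim STIR/SHAKEN adds, here is an added example that is not code from this post, from any carrier or from any vendor. It builds a minimal INVITE with a PASSporT token in the Identity header (the format from RFC 8224, 8225 and 8588), then reads back the attestation level and checks that the number the carrier signed matches the number in the From header. It does not verify the ES256 signature: that requires fetching the signing certificate from the URL in the header's info parameter, which is out of scope here, so the third token segment and the certificate URL are placeholders and all numbers are constructed.

```python
"""Read the STIR/SHAKEN attestation carried in a SIP INVITE.

Added example, not code from the original post, a carrier or any vendor.
It decodes the PASSporT in the Identity header (RFC 8224/8225/8588),
reports the attestation level (A, B or C) and checks that the number the
carrier signed matches the From header. It does NOT verify the signature;
the signature segment and certificate URL below are placeholders.
"""
import base64
import json
import re


def _b64url_encode(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def build_sample_invite(attest: str, signed_tn: str, from_tn: str) -> str:
    """Construct a minimal INVITE carrying a PASSporT with the given claims.

    signed_tn is the number in the token's orig claim (what the carrier
    vouches for); from_tn is what the From header displays. Constructed.
    """
    header = {"alg": "ES256", "ppt": "shaken", "typ": "passport",
              "x5u": "https://cert.example.invalid/sp.pem"}   # placeholder
    payload = {"attest": attest, "dest": {"tn": ["12015550142"]},
               "iat": 1714641243, "orig": {"tn": signed_tn},
               "origid": "00000000-0000-4000-8000-000000000000"}
    token = f"{_b64url_encode(header)}.{_b64url_encode(payload)}.PLACEHOLDER-SIG"
    return (
        "INVITE sip:+12015550142@pbx.example.invalid SIP/2.0\r\n"
        f'From: "Help Desk" <sip:+{from_tn}@carrier.example.invalid>;tag=a1\r\n'
        "To: <sip:+12015550142@pbx.example.invalid>\r\n"
        f'Identity: {token};info=<{header["x5u"]}>;alg=ES256;ppt="shaken"\r\n'
        "\r\n"
    )


def inspect_invite(raw: str) -> dict:
    """Summarise what the Identity header says about the displayed number."""
    headers = {}
    for line in raw.split("\r\n")[1:]:
        if not line:          # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()

    m = re.search(r"sips?:\+?(\d+)@", headers.get("from", ""))
    from_tn = m.group(1) if m else None
    result = {"from_tn": from_tn, "attest": None, "signed_tn": None,
              "tn_match": False, "signature_verified": False}

    identity = headers.get("identity")
    if identity is None:
        # No attestation at all: treat like any other unverified call.
        result["verdict"] = "unverified"
        return result

    parts = identity.split(";", 1)[0].strip().split(".")
    if len(parts) != 3:
        result["verdict"] = "malformed"
        return result
    try:
        hdr = json.loads(_b64url_decode(parts[0]))
        claims = json.loads(_b64url_decode(parts[1]))
    except ValueError:        # bad base64url or bad JSON
        result["verdict"] = "malformed"
        return result
    if hdr.get("ppt") != "shaken":
        result["verdict"] = "malformed"
        return result

    result["attest"] = claims.get("attest")
    result["signed_tn"] = claims.get("orig", {}).get("tn")
    result["tn_match"] = result["signed_tn"] == from_tn

    if not result["tn_match"]:
        # The displayed number is not the one the carrier vouched for.
        result["verdict"] = "mismatch"
    elif result["attest"] == "A":
        result["verdict"] = "full-attestation"      # carrier knows customer and number
    elif result["attest"] == "B":
        result["verdict"] = "partial-attestation"   # knows customer, not number
    elif result["attest"] == "C":
        result["verdict"] = "gateway-attestation"   # only knows where it entered
    else:
        result["verdict"] = "malformed"
    return result


if __name__ == "__main__":
    for level in ("A", "B", "C"):
        print(level, inspect_invite(build_sample_invite(level, "12015550100", "12015550100"))["verdict"])
    print("spoofed From:", inspect_invite(build_sample_invite("A", "12125550188", "12015550100"))["verdict"])
```

The point to take from running it: a "C" verdict means the carrier only vouches for the gateway the call entered through, not the number, and even an "A" verdict means the originating carrier vouches that its customer is allowed to use that number, not that the human speaking is who they say they are. Until the signature is checked against the certificate, the Identity header is just another editable SIP header, so this summary is only as good as the carrier or SBC that validated it upstream, and none of the verdicts replace the callback policy in step 1.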

4. Use a Zero Trust Approach for Phone Requests

Zero trust isn't just a network architecture principle. Apply it to communications. Never trust a caller's identity based solely on caller ID. Require verification through a second channel — a callback, an authenticated chat message, or in-person confirmation for high-risk requests.

5. Restrict Publicly Available Employee Information

Threat actors build call scripts from LinkedIn profiles, company websites, and data broker sites. Audit what your organization exposes publicly. Do you list direct phone numbers, reporting structures, and department names on your website? Every detail makes pretexting easier.

6. Enable and Enforce Multi-Factor Authentication Everywhere

MFA won't stop a spoofing caller from making the call, but it creates a second barrier if credentials are compromised. Use phishing-resistant MFA — hardware security keys or FIDO2-based authenticators — rather than SMS codes, which can be intercepted or socially engineered in real time during the call.

7. Establish a Reporting Culture, Not a Blame Culture

Employees who fall for a spoofing caller attack often don't report it because they fear punishment. That delay is devastating. By the time the incident surfaces, the attacker has moved laterally, exfiltrated data, or deployed ransomware. Build a culture where reporting suspicious calls is rewarded, not penalized. Fast reporting is your best shot at containment.

Can You Completely Block Spoofing Callers?

No. And anyone who tells you otherwise is selling something. The underlying phone infrastructure doesn't support full caller authentication yet. STIR/SHAKEN helps but isn't universal. Call-blocking apps reduce robocall volume but can't reliably distinguish a sophisticated spoofing caller from a legitimate call.

The real defense is human. Trained employees who instinctively verify before complying are worth more than any call-filtering technology. Technology raises the bar. Training closes the gap.

What the Federal Government Says About Caller ID Spoofing

The FCC has made caller ID spoofing with intent to defraud a violation of the Truth in Caller ID Act. Penalties can reach $10,000 per violation. But enforcement is difficult when calls originate overseas, which most do.

CISA's guidance on voice phishing — available at cisa.gov — specifically warns organizations to train staff against phone-based social engineering and to implement callback verification procedures. The FBI's Internet Crime Complaint Center at ic3.gov tracks these incidents and recommends reporting all spoofing-related fraud.

The Verizon DBIR, available at verizon.com, consistently ranks social engineering among the top attack patterns year over year. Phone-based pretexting is explicitly called out as a growing vector.

Your Next Move

A spoofing caller doesn't need to hack your firewall. They just need one employee who trusts a phone number on a screen. The attack surface isn't your network — it's your people's assumptions about how phone calls work.

Start by auditing your current training program. Does it cover vishing? Does it include phone-based simulations? Does your organization have a written callback verification policy? If the answer to any of these is no, you have a gap that threat actors are already exploiting.

Build your foundation with cybersecurity awareness training that goes beyond email phishing, and layer on dedicated phishing and vishing simulation training to test your team against the tactics actually being used against them. Because the next spoofing caller targeting your organization won't wait for you to catch up.