Number Spoofing (Telephone Spoofing)
Deliberately falsifying the telephone number displayed to a call or SMS recipient to impersonate a trusted contact, bank, or government body.
Also known as: CLI spoofing, SMS spoofing, telephone number spoofing, phone ID spoofing
Last reviewed: 1 June 2026
Number spoofing is the technical foundation of many vishing, smishing, and caller-ID fraud attacks. VoIP services and telephony APIs allow the originating number of a call or text to be set to any value, so fraudsters display legitimate organisations' numbers — banks, HMRC, police, NHS — rather than their real numbers.
The practice is distinct from the broader term 'spoofing' in that it refers specifically to telephone-number manipulation. SMS spoofing exploits the fact that many mobile networks allow alphanumeric sender IDs or arbitrary numbers to be set, and some networks will even thread spoofed messages into an existing conversation chain with the impersonated contact.
Authentication frameworks like STIR/SHAKEN aim to cryptographically verify call origins on modern VoIP infrastructure, but coverage varies and the technology does not yet apply to all SMS or international call routes. Defence for individuals: always independently look up contact numbers; never call back using the number that just rang you.
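An added example, not part of the original entry: Python showing how a receiving system could compare the number displayed to the recipient with the claims inside a STIR/SHAKEN PASSporT token, including the unsigned case that arises where coverage is missing. The function names, verdict strings, sample numbers, certificate URL and the 60-second freshness window are assumptions made for illustration, and the ES256 signature check that a real verifier performs against the signing certificate is deliberately left out.

```python
import base64
import json
import time

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def build_constructed_token(orig_tn, attest, iat):
    """Constructed sample only: SHAKEN-shaped claims with a placeholder signature."""
    header = {"alg": "ES256", "ppt": "shaken", "typ": "passport",
              "x5u": "https://cert.example.invalid/placeholder.pem"}
    claims = {"attest": attest, "dest": {"tn": ["442079460999"]}, "iat": iat,
              "orig": {"tn": orig_tn}, "origid": "00000000-0000-0000-0000-000000000000"}
    return ".".join([_b64url(json.dumps(header).encode()),
                     _b64url(json.dumps(claims).encode()),
                     _b64url(b"placeholder-signature")])

def check_passport_claims(displayed_number, token, now=None, max_age=60):
    """Compare the displayed caller ID with the token's claims (signature NOT verified)."""
    if not token:
        return "unsigned"  # no token at all: nothing vouches for the displayed number
    parts = token.split(".")
    try:
        header, claims = (json.loads(_unb64url(p)) for p in parts[:2])
        ppt, attest = header["ppt"], claims["attest"]
        orig_tn, iat = claims["orig"]["tn"], int(claims["iat"])
    except (ValueError, KeyError, TypeError):
        return "malformed"
    if len(parts) != 3 or ppt != "shaken":
        return "malformed"
    digits = "".join(c for c in displayed_number if c.isdigit())
    if digits != orig_tn:
        return "number-mismatch"  # displayed number is not the one that was signed
    now = time.time() if now is None else now
    if abs(now - iat) > max_age:
        return "stale"  # an old token may have been copied from an earlier call
    # Only attestation "A" means the signing provider vouches for the caller's right to the number.
    return "consistent" if attest == "A" else "weak-attestation"
```

A result of "consistent" here only means the claims agree with the displayed number; it carries no weight until the signature has been verified.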
Examples
- A text message arriving in the same thread as genuine messages from a bank instructs the recipient to log in via a spoofed link — the sender number was faked.
- A call showing an elderly person's GP surgery number asks them to provide payment details to 'confirm an appointment'.