Skype for Business, Security, Caller ID spoofing

Security information from Technology Services Privacy and Information Security team.

Caller ID spoofing - A tough and, as of right now, unfixable problem


You get a call. You look at your phone and it reports that the incoming call is coming from on-campus. If you're on a university-owned computer, your phone or computer might even helpfully look up and display the caller's name from the directory. But when you answer, your sixth sense rings out as a fraudster lays into you with their agenda: "Take our survey" or, "This is the FBI, Western Union us some money or we'll arrest you!" or, "Your dear relative has been in an accident overseas, send iTunes gift cards, stat!" or, "Wire us money and we'll make you rich!", etc.

You're confused! Why would our colleague take such a sleazy path, you may think. Alternatively, you may think that person has been hacked. In reality, it is not that person. In fact, whoever has just rung you is extremely unlikely to be anywhere near the university. The reason is simply that, while digital telephony is the way of the future, it does not yet give end users a way to detect this kind of fraud.

Caller-ID spoofing is possible, systemic, untraceable, and not fixable at our level.

  • As always, be vigilant when answering unexpected calls, especially when the caller suddenly asks you to wire money, gift cards, bitcoin, or anything of value.
  • Do NOT assume that you should trust a call just because it shows as "local".
  • Report all fraudulent phone calls to the FTC.
  • Never send anything of value based on an unverified incoming call.
  • Never divulge any valuable, sensitive, or identifying information to the caller on an unverified incoming call.

SIP spoofing with Asterisk:

*The AGs have had it