TL;DR
- Number spoofing manipulates the Calling Line Identification (CLI) signal so a call appears to come from a number other than the one actually dialling you.
- Fraudsters use spoofing to impersonate banks, HMRC, police, and other trusted bodies; victims who call back or hand over details may suffer significant financial loss.
- Ofcom rules require operators to block calls with invalid or unallocated CLIs, and the industry is deploying STIR/SHAKEN caller authentication technology to tackle the problem further.
- Spoofed calls can be reported to Ofcom, Action Fraud, and the ICO depending on the nature of the call.
- Legitimate organisations, including banks and HMRC, will never ask you to transfer money or disclose PINs during an unsolicited call.
What number spoofing is and how it works technically
When you receive a phone call, the Calling Line Identification (CLI) signal accompanying the call is supposed to display the number of the party calling you. CLI is a feature defined in telecoms standards and passed between operators through interconnect agreements. The problem is that CLI was designed for a circuit-switched telephone world and carries no inherent cryptographic verification; it is possible, using Voice over IP (VoIP) equipment, to instruct the originating system to send any CLI value regardless of the actual source number. This is the technical basis of spoofing.
Legitimate uses of CLI manipulation do exist: call centres may present a single geographic number rather than the individual agent's extension; businesses may display their main switchboard number rather than a direct dial. Ofcom's rules permit presenting a number that the presenting party has a right to use. The illegal variant involves presenting a number that belongs to someone else — typically a well-known, trusted organisation — with the intent to deceive. UK legislation covers this through the Malicious Communications Act 1988, the Communications Act 2003, and the Fraud Act 2006, depending on the specific conduct.
How spoofing is used for fraud and nuisance calls
The most damaging use in the UK is impersonation fraud. A caller presents the on-screen number of a bank, an HMRC helpline, or a police fraud unit, then tells the recipient their account has been compromised and instructs them to transfer funds to a “safe account.” Because the displayed number matches the real organisation, recipients are significantly more likely to comply. UK Finance data consistently shows authorised push payment (APP) fraud — in which victims are tricked into authorising their own bank transfers — as among the highest-value fraud categories affecting UK consumers.
Spoofing is also used in nuisance and marketing calls to mask the true origin of the call, making it harder for the ICO (which enforces the Privacy and Electronic Communications Regulations 2003, or PECR) and the caller's own operator to trace and act against the source. By cycling through spoofed CLI values, call centres operating in breach of PECR can evade call-blocking tools that rely on number blacklists. Robocall campaigns sometimes spoof a number belonging to an ordinary member of the public, causing that person to receive a flood of callbacks from confused or angry recipients — a secondary harm that is distressing and difficult to resolve.
What Ofcom and operators are doing
Ofcom's General Conditions of Entitlement (GCE), updated in recent years, require operators to take reasonable steps to block calls that present invalid CLI values — that is, numbers that do not conform to valid UK number ranges or are known to be unallocated. Operators are also required to co-operate in tracing the source of harmful calls. Ofcom has investigated and taken enforcement action against operators who have facilitated high volumes of spoofed nuisance calls, including significant fines.
Beyond blocking invalid CLIs, the industry is working on STIR/SHAKEN — a suite of technical standards originating in North America and being adapted for UK and European networks. STIR (Secure Telephone Identity Revisited) and SHAKEN (Signature-based Handling of Asserted information using toKENs) use cryptographic attestation to verify that a call's CLI genuinely originates from the operator presenting it. When a call is attested, the terminating operator can display a “verified” indicator to the recipient. Calls without attestation can be flagged as potentially spoofed. Full deployment across UK networks is a medium-term project, with Ofcom monitoring progress.
| Protection step | How it reduces spoofing risk | Applies to |
|---|---|---|
| Never act on an unsolicited call asking for money or personal data, even if the number looks correct | Displayed number is not proof of identity; fraudsters rely on urgency to prevent victims thinking | All consumers |
| Hang up and call back using the number from the official website or your card | Breaks the fraudster's call; reconnects you with the genuine organisation | All consumers |
| Enable operator call-blocking or screening features | Blocks known spoofed or suspicious number ranges at network level | All consumers (ask your operator) |
| Register with the Telephone Preference Service (TPS) | Makes unsolicited marketing calls to your number unlawful under PECR; enables ICO action | All consumers |
| Report spoofed calls to Ofcom (03456 000 000 or online) and Action Fraud | Builds evidence for regulatory enforcement and police investigation | All consumers |
How to report spoofed calls
Where a spoofed call has been used to attempt fraud, the appropriate reporting route is Action Fraud, the UK's national fraud and cybercrime reporting service, operated by the City of London Police. Reports can be made online at actionfraud.police.uk or by calling 0300 123 2040. Providing the date and time of the call, the displayed number, and as much information as you can recall about what the caller said helps analysts identify patterns and escalate to police investigation where appropriate.
For nuisance and unsolicited marketing calls that may breach PECR — including those that spoof their CLI to evade detection — the reporting route is the ICO, which can be contacted via its online reporting tool at ico.org.uk. Ofcom can be contacted about complaints concerning operator conduct, including failures to block invalid CLIs. If the spoofed number belonged to a real business or organisation (for example, your bank's genuine number was used to impersonate them), notifying that organisation is also worthwhile, as they may be collating reports to share with law enforcement.
What this means in practice
Margaret, retired and living in Exeter, receives a call from a number that appears on screen to match her bank's main customer services line. The caller tells her there has been suspicious activity on her account and she must move her savings to a “protected account” immediately. He offers to stay on the line while she makes the transfer. Margaret remembers reading that her bank will never ask her to move money to a new account unprompted. She tells the caller she will call the bank back on the number on the back of her card, and hangs up. When she calls the genuine number, the bank confirms there is no unusual activity and that the call she received was a known impersonation attempt. Margaret reports the incident to Action Fraud with the spoofed number and the details of what was said. The bank logs it internally. Had she transferred the funds, recovery under the APP fraud reimbursement rules would not have been guaranteed, as payment services regulators consider whether the customer took reasonable care; she may have lost all or part of her savings.
Related Guides
How we verified this
This article draws on Ofcom's published General Conditions of Entitlement and guidance on CLI and nuisance calls; the Communications Act 2003 and Fraud Act 2006 on legislation.gov.uk; the ICO's published guidance on PECR and nuisance call enforcement; Action Fraud's guidance on impersonation fraud; and the GSMA's published documentation on STIR/SHAKEN and CLI authentication standards.
Disclaimer: Kaeltripton.com is an independent UK editorial publisher. We are not regulated by Ofcom or the FCA and we do not sell or arrange mobile services, insurance, or financial products. This content is for general information only and is not legal, financial, or technical advice. Rules, prices, and operator policies change. Verify the current position with Ofcom, GOV.UK, the ICO, or your provider before acting. ICO registered ZC135439. Last reviewed: 2026-06-05.
Frequently Asked Questions
What is mobile number spoofing?
Mobile number spoofing is the manipulation of the Calling Line Identification (CLI) signal so that the number displayed on a recipient's phone does not match the number actually making the call. It exploits the fact that CLI carries no built-in verification in traditional telephone networks. While some legitimate uses exist (such as businesses presenting a single main number), spoofing in the fraud context means presenting a number belonging to a trusted third party to deceive the recipient.
How can someone fake my phone number?
Using VoIP equipment and services — including readily available commercial VoIP platforms — a caller can instruct the originating system to send any CLI value. Some of these services are legitimate (used by businesses for call-centre functions), but the same capability is exploited by fraudsters and nuisance callers who set the CLI to a trusted number before dialling. The call then transits the telephone network carrying the false number as its presentation identity.
What are operators doing to stop spoofing?
UK operators are required under Ofcom's General Conditions to block calls presenting invalid or unallocated CLI values, and are deploying STIR/SHAKEN — cryptographic call-authentication standards that allow operators to attest that a call's displayed number genuinely originates from the network presenting it. Ofcom monitors deployment and has taken enforcement action against operators that have facilitated high volumes of spoofed harmful calls, including fines.
How do I report spoofed mobile calls?
If the spoofed call was a fraud attempt, report it to Action Fraud at actionfraud.police.uk or on 0300 123 2040. For nuisance or marketing calls breaching PECR, report to the ICO using the online reporting tool at ico.org.uk. You can also contact Ofcom about operator conduct. Provide the date, time, displayed number, and a description of what the caller said; this information is used to identify patterns and escalate enforcement action.
Can my operator block spoofed calls?
Operators can and must block calls with demonstrably invalid CLIs. For spoofed calls that use real, valid numbers (simply ones the caller has no right to use), blocking is harder because the number itself looks legitimate. STIR/SHAKEN attestation, once fully deployed, will allow operators to flag unattested calls as potentially suspicious. Some operators already offer voluntary call-screening features; you can ask your operator what tools are available on your account.
