One day, your iPhone received an automated call from Apple (complete with Apple’s logo) warning that multiple servers containing Apple user IDs had been compromised and that you needed to call a 1300 number before doing anything else.
When you looked at your iPhone’s recent call list, you saw this:
That call looked legitimate, right?
Unfortunately, if you call that 1300 number, you will be scammed.
As you know, if your iPhone’s Contacts app contains your friend’s number and photo, then whenever your friend calls you, her photo will appear. Also, remember that whenever you buy a new iPhone, its Contacts app will contain a default entry: Apple’s contact details (which include its logo).
Therefore, if you did not delete Apple’s contact details in the Contacts app, Apple’s logo will appear when it calls you.
However, in this case, Apple did NOT call you. A hacker had spoofed the Caller ID. That is, he made his call seem as if it originated from Apple’s phone number. So, when your iPhone saw the call from ‘Apple’, it automatically displayed Apple’s logo stored in your Contacts app. Your iPhone will also include that spoofed call in the recent call list within Apple’s contact details.
Make no mistake, this is not a fictitious story. It happened to someone who is the CEO of a security consulting company. Fortunately, she was not tricked. Upon receiving this spoofed call, she called Apple Support and verified that it was indeed a scam. Unfortunately, as shown in the screenshot above, her call history with Apple included the spoofed call, which made it very difficult to separate it from the legitimate call.
Another thing to note: the spoofing of Caller ID is NOT due to a security weakness of iPhones. All phones suffer from the same weakness. This is a security weakness in the global telecommunication infrastructure.
Now, here comes a disturbing thought. If Caller ID can be spoofed, that means you cannot really trust whether a phone call indeed comes from the phone number as displayed in the Caller ID. That means a scammer can pretend to be calling from any entity, including the police, corporations, government departments, and so on. That means when it comes to phone calls, you have to increase your level of paranoia and vigilance.
If you want to ensure that phone calls cannot be spoofed, then you need to use an encrypted VoIP app like Signal.