Caller ID Spoofing Used for Voice Phising (Vishing) Attacks

Here is an article describing how caller ID spoofing is being used for voice phising (they call it vishing) attacks. The basic idea is the hacker sets up an automatic dialing operation (robo dialing) and calls 1000's of consumers, using a bank's caller ID. The caller ID to use isn't hard to figure out, an bank's contact center 1-800 number should do just fine. This is easily tested - make a call with this number to any phone you control and verify that it comes up correctly.

A sophisticated hacker may have a list of numbers they know use the bank they are spoofing. If this information isn't available (it probably isn't), the hacker can just call random numbers, sooner or later they will find a consumer who uses the bank whose caller ID they are spoofing and also one that will be fooled.

There are no details in the article, but I assume since it appears that the calls are automatically generated, that the hacker plays a message that attempts to trick the consumer into calling back a number they have set up, which a human answers, who in turn attempts to get personal information from the consumer. This could also be automated, but that is a little harder - you would have to build a mini-IVR, with legitimate sounding bank prompts and so on.

http://www.darkreading.com/smb-security/167901073/security/vulnerabilities/232700095/fake-caller-id-attacks-on-the-rise.html