The scam call came from my bank's real number. How do they even spoof caller ID?
Scams we met · started May 6, 2026 · 5 replies · 430 views
#1tomd52(Joined Jun 2025 · 15 posts)May 6, 2026, 10:12 am
After the trailer business last year I considered myself a graduate of this stuff. Then Friday happened.
Phone rings, screen says my bank's name, and when I checked afterwards it was the SAME number printed on the back of my card. Man on the line knows my full name and quotes a real card payment I made on Tuesday, then tells me there's fraud in progress and they need to move my balance to a "holding account" while they investigate. The words "holding account" are the only reason alarm bells rang, because I've read this site. Hung up, called the bank through the app: no call was made, account fine, please report it.
So I passed the test but I'm rattled by the exam. If the number on the screen can be the bank's actual number, what's left to trust? And how is that even possible, did the bank get hacked? Did I?
#2Grace H(Joined Mar 2025 · 31 posts)May 6, 2026, 3:48 pm
Nobody got hacked, Tom, that's the horrible elegance of it. The number on your screen is decoration. I think of the phone as showing me the envelope, not the letter: anyone can write any return address on an envelope, and it proves exactly as much.
The text version happened to me last month, and it's worse in a way: a fake "security alert" slotted itself into the SAME conversation thread as years of genuine messages from my bank, because the phone files messages by the sender name they claim, not by who actually sent them. Same rule saves you from both: the screen tells you nothing, only a callback you dial yourself does.
#3Priya V(Joined Apr 2026 · 4 posts)May 7, 2026, 8:19 pm
This thread is what finally landed with my dad, of tax office fame. All my explaining did less than me showing him one article about how the display can say anything at all. New house rule there: nothing gets agreed, paid or installed on an incoming call, full stop. He now hangs up on ME sometimes, which I'm counting as a win.
#4quilterjean(Joined Sep 2025 · 22 posts)May 9, 2026, 9:36 am
Same rule survived contact with reality here too, since my November adventure: nothing moves the same day someone asks, no matter who they claim to be.
But Tom, the bit of your story that would have got me is him knowing your Tuesday payment. A number on a screen is one thing, but a stranger reading my own shopping back to me? Dana, where does that come from, if the bank wasn't hacked?
#5Dana WhitakerFraud examiner(Joined Feb 2025 · 89 posts)May 10, 2026, 11:27 am
tomd52 said:
If the number on the screen can be the bank's actual number, what's left to trust?
Short answer: nothing on the incoming side, and once you accept that, the defence gets simple. First the mechanics, because Tom asked how it's possible.
Caller ID is a label the originating phone system asserts, and for decades most networks have simply passed it along without verifying it. Internet calling services let the caller present whatever number they type into a box, so displaying your bank's genuine number requires no access to you, no access to the bank, and costs effectively nothing. Grace's text version is the same weakness wearing different clothes: phones group messages by the claimed sender ID, so a forged ID lands inside the genuine thread, borrowing years of real history as costume. Some networks have started marking calls they can't verify, but the absence of a warning is not verification, and it never will be. Treat the display as carrying no evidence in either direction.
Jean's question, where the Tuesday payment came from: usually assembled, not stolen from the bank. Data breaches, earlier phishing, and recycled card data get stitched together so a cold call feels like an inside line. It's engineered to feel like proof precisely because it isn't.
Since the display proves nothing, identity has to come from the direction of the call, and that gives you two anchors. One: there are things a real bank will never ask on a call it made to you: to move money to a safe, holding or secure account, to read out a one-time passcode, to install remote-access software, or to keep the matter quiet. Any one of those ends the conversation, on its own. Two: the callback, done properly. Hang up. Wait a few minutes or use a different phone, because on some lines a scammer can hold the call open and play a fake dial tone. Then dial a number you found yourself: the back of your card, a statement, the official app. Never redial the incoming number and never use a number the caller offers you, however helpful that sounds. The site's guide on bank impersonation and safe account scams has the whole script laid out, including what to do in the ugly case where money already moved.
For the record, Tom ran the full correct drill: recognised the phrase, hung up, verified through a channel he controlled, reported it. Graduate status affirmed.
#6tomd52(Joined Jun 2025 · 15 posts)June 2, 2026, 6:23 pm
Closing this out. Bank took the report seriously and logged the number, for whatever good that does against a number that was never real. The callback rule is now official policy for the whole family, including my brother who thought he was too clever to need it, and Grace's envelope line has been repeated at the pub so many times I owe her royalties.
More from Scams we met
- The "your antivirus renewed" call, and how close I came 4 replies · 520 views · last by quilterjean, Nov 16, 2025