Whitelisting/blacklisting doesn't do anything to stop these calls because it's based on caller ID which is often faked. I've been called by robo/scammers with my *own* phone number as the caller ID. There is no reason that at the absolute very least the carriers cannot weed out most if not all of these by checking against their own pool of phone numbers against the caller ID before the transfer is even made.

This happens with my landline too.
 
And I had spoofers call me last year too claiming they were Molly from Apple Support from the Grand Central Station store. Both times I went to that store last year I was barraged by spoof calls (about 10 over 8 hours) on Sundays - days after I visited the store. I reported these to Apple after the second batch of calls.

Again, I always initiate calls to Apple.
 
Question is, how does the scammer know the number they are calling is an iPhone?
I don't think they know or care. After all, how many of the folks who got a call from "Windows Technical Support" had a Mac, or no computer at all?
 
it is both shocking and concerning that Apple devices are unable to tell the difference between a legitimate call from Apple and someone attempting to spoof Apple.

I don't think it's that Apple can't tell the difference, it's that the cellular networks are inherently insecure. The entire telephone system is an example of "it's insecure, but we can't fix it without breaking compatibility."

It's trivial for hackers and scammers to spoof caller ID information. There are even services out there on the Internet that will call anyone you want and provide caller ID info you specify. It is the same tactic that lets scammers appear to be "local" by copying your area code and prefix. It's a 1 in 10,000 chance within a prefix, but I once got a call that showed up as a friend's number, but was a scammer.

There is a way I could conceive that Apple could actually authenticate their own calls, however. Suppose Apple was making a legit call to you. They could use their existing secure data channel (the one that feeds push notifications) -- NOT SMS! -- to send your phone a secure message which would indicate to the phone "A legitimate call from Apple is going to arrive in the next 30 seconds." The phone doesn't have to display anything in reaction to this, but then when the call does come in, some sort of visual indicator could be used to show that indeed this call was "authorized". In fact, this scheme could be useful for any entity trying to legitimately call someone. Of course Apple would charge a fee for this service to outside entities, but I'm wondering if it's going to come to a point where a system like this is all but necessary.

In theory, the phone system could be reworked to be secure. I think one of the main reasons it isn't being done is because there have been some seriously scary incidents in the past where entire regions of the US were without basic landline phone service for hours or days due to simple misconfigurations or bugs. Since telephone service is regulated, failure to provide service can result in some severe penalties. IIRC, if you were dying and 911 failed to work - especially on a landline - you or your family could sue and likely win. Due to both the fact that it has happened before, and the fact that if it does happen the fines can be astronomical, many entities are afraid to even look at the CO switches the wrong way.
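The pre-call notice idea in the post above can be sketched as follows. This is an added example, not part of the original post and not Apple's code. It assumes a per-device secret shared over the data channel and uses HMAC-SHA256 as a stand-in for whatever authentication a real push service would provide; the class and function names, phone numbers and key are all constructed for illustration.

```python
import hashlib
import hmac
import json

WINDOW_SECONDS = 30  # "in the next 30 seconds", from the post


def issue_call_notice(key, caller_id, callee, issued_at, nonce):
    """Caller side: build the notice and authenticate it with HMAC-SHA256."""
    payload = json.dumps(
        {"caller_id": caller_id, "callee": callee,
         "issued_at": issued_at, "nonce": nonce},
        sort_keys=True,
    ).encode()
    return payload, hmac.new(key, payload, hashlib.sha256).digest()


class Phone:
    """Receiving side: tracks authenticated notices and labels incoming calls."""

    def __init__(self, key, own_number):
        self.key = key
        self.own_number = own_number
        self.pending = {}         # caller_id -> expiry (epoch seconds)
        self.seen_nonces = set()  # replay protection for notices

    def on_push(self, payload, tag, now):
        """Accept a notice only if authentic, addressed to us, fresh and unseen."""
        expected = hmac.new(self.key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False
        notice = json.loads(payload)
        expiry = notice["issued_at"] + WINDOW_SECONDS
        if (notice["callee"] != self.own_number
                or notice["nonce"] in self.seen_nonces
                or now > expiry):
            return False
        self.seen_nonces.add(notice["nonce"])
        self.pending[notice["caller_id"]] = expiry
        return True

    def on_incoming_call(self, caller_id, now):
        """Label a call; each notice authorizes exactly one call (pop)."""
        expiry = self.pending.pop(caller_id, None)
        if expiry is not None and now <= expiry:
            return "verified"
        return "unverified"


def demo():
    """Constructed scenario: spoofed call, real call, repeat call, bad notices."""
    key = b"constructed-demo-key-not-a-real-secret"
    support, me = "+18005550100", "+15550123"  # constructed numbers
    phone = Phone(key, me)
    results = [phone.on_incoming_call(support, 1000)]   # no notice was sent
    payload, tag = issue_call_notice(key, support, me, 1000, "n1")
    results.append(phone.on_push(payload, tag, 1000))   # authentic notice
    results.append(phone.on_incoming_call(support, 1010))
    results.append(phone.on_incoming_call(support, 1011))  # notice already used
    results.append(phone.on_push(payload, tag, 1005))   # replayed notice
    bad_payload, bad_tag = issue_call_notice(b"wrong-key", support, me, 1020, "n2")
    results.append(phone.on_push(bad_payload, bad_tag, 1020))  # forged notice
    return results


if __name__ == "__main__":
    print(demo())
```

The indicator only attests that an authenticated notice for that number arrived within the window; because each notice is single-use, a second call showing the same number is not marked verified.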
 
Incorporating built-in call spoofing protection and the ability to block unknown callers would go a long way to help.

Getting rid of SS7 as the back end and going end-to-end encrypted and verified will be the long term solution to stopping this. That would have the added benefit of preventing all kinds of espionage and eavesdropping on everyone's phone calls.
Perhaps Apple needs to start spending some of that war chest and start up its own carrier so that they can avoid these sorts of issues.
 
How is it even possible to spoof a caller ID? These are issued by the network, they're not like text messages or emails where your device gives a "reply to" address. The network literally tells the receiving phone what number the call is coming from. How is it possible to interfere with that?
 
Spoofing calls is only allowed because the phone company makes a ton of money from the scammers and marketeers.

One quick programming change and the phone company could provide only the real phone number. The phone company knows which number to bill the call to and therefore they know which number to show on a person's phone. They just choose not to. It will never change because there is too much money involved for the phone company. Apple has no say, they just use the API given.
 
This is very common, unfortunately. I repeatedly get phishing scam calls from my bank, insurance company. The phone number seems legit, it's always the correct 1-800 number. They are asking for the last 4 digits of the social security number for "verification" purposes. If the real bank is calling, they never ask for such a thing. They don't need to verify your SSN, mother's name, digits of your cards, and so on. They may verify your address, and that's it. I would hang up immediately, and call the official number myself. Never provide any information to incoming callers!!!
At the very least, if you get a legitimate call from your bank, they would greet you by your full name and would provide some specifics as to their inquiry. A scammer has no idea who's on the other end of the line so that they would try to get you to tell them your name, what account(s) and/or credit card(s) you have as well as verification info such as SSN, address, mother's name, etc. And yes, you are spot on for not discussing any of that on incoming calls and instead to call back the bank's number listed on the back of the card, statements, official website, etc. When I get these fraud warning calls from my bank, I never pick those calls up, but the message that they leave usually has some detailed information to verify their legitimacy. For example: "Hello, this message is for Joseph Schmoe. Mr. Schmoe, this is John Smith from Security Team at Chase, we are calling you regarding your Chase Freedom Visa card ending with 1234. We have spotted several transactions that we need to review with you. Please call us at your earliest convenience at 800-555-1234 and reference message ABC1234567. Thank you and we are hoping to speak to you soon. Have a great day!"

P.S. And if your credit card was really flagged for major fraud, it would get locked immediately, which would prompt you to call your bank ASAP.
 
I don't think it's that Apple can't tell the difference, it's that the cellular networks are inherently insecure. The entire telephone system is an example of "it's insecure, but we can't fix it without breaking compatibility."

It's trivial for hackers and scammers to spoof caller ID information. There are even services out there on the Internet that will call anyone you want and provide caller ID info you specify. It is the same tactic that lets scammers appear to be "local" by copying your area code and prefix. It's a 1 in 10,000 chance within a prefix, but I once got a call that showed up as a friend's number, but was a scammer.

There is a way I could conceive that Apple could actually authenticate their own calls, however. Suppose Apple was making a legit call to you. They could use their existing secure data channel (the one that feeds push notifications) -- NOT SMS! -- to send your phone a secure message which would indicate to the phone "A legitimate call from Apple is going to arrive in the next 30 seconds." The phone doesn't have to display anything in reaction to this, but then when the call does come in, some sort of visual indicator could be used to show that indeed this call was "authorized". In fact, this scheme could be useful for any entity trying to legitimately call someone. Of course Apple would charge a fee for this service to outside entities, but I'm wondering if it's going to come to a point where a system like this is all but necessary.

In theory, the phone system could be reworked to be secure. I think one of the main reasons it isn't being done is because there have been some seriously scary incidents in the past where entire regions of the US were without basic landline phone service for hours or days due to simple misconfigurations or bugs. Since telephone service is regulated, failure to provide service can result in some severe penalties. IIRC, if you were dying and 911 failed to work - especially on a landline - you or your family could sue and likely win. Due to both the fact that it has happened before, and the fact that if it does happen the fines can be astronomical, many entities are afraid to even look at the CO switches the wrong way.
I agree, although it isn't just the US that has this problem, but a global one. We have exactly the same issue in the UK too. A lot of these calls that show up with a UK number actually originate from outside the UK (e.g. generally India), so I would have thought it would be easy for British Telecom to just block any calls with a UK caller ID, which originate from outside the UK, but I guess it isn't. It probably needs a global solution from all the telcos, which probably isn't going to happen until landlines are got rid of and everyone goes to VOIP.
 
You could really mess with phishers by saying, "I'm kinda busy, so lemme call you back in a little while. I'll just look up the Apple support number online… unless there's some reason I can't just use Apple's official site to contact you."

OR you could say to them "This number is about to be disconnected but please phone me on my new number which is xxx xxxx " Make sure that the new phone number is a premium rate phone number that earns you a few dollars per hour. Then when they phone it they get a recorded message pretending to be real. Sort of like this.

Sounds of people arguing in the background
You - "Hello...hello...can you hang on a moment please. OI YOU LOT, SHUT THE **** UP WILL YA, I'M ON THE PHONE!. Sorry about that, yes you were saying." The message pauses for a few seconds to give them a moment to talk then " Oh for god's sake, sorry can you hold on a moment, IF YOU LOT DON'T SHUT THE ***** HELL UP THEN I WILL SWING FOR YOU" Then the message pauses for a few more seconds and then you come back "Yes........ok.......ah-ha.....Hang on a bit" The message plays the sounds of a phone ringing and you answering it and talking for a minute. Then you keep this charade up for at least 10 minutes. This way you get to earn money without having to speak to them and if they cotton then they are less likely to bother you again. If they hang on long enough you could play at the end of the message something along the lines of "Thank you for listening to this message, as a result I have earned $X, so thank you for your stupidity"

The only potential problem is if US legislations force you to tell the caller of call costs etc. A lot of these scammers are not from the US or country of the person they target. They often come from Africa etc.
Question is, how does the scammer know the number they are calling is an iPhone?

I think they either phone and hope for the best or they get lists bought/stolen from websites that might contain such data.
 
OR you could say to them "This number is about to be disconnected but please phone me on my new number which is xxx xxxx " Make sure that the new phone number is a premium rate phone number that earns you a few dollars per hour. Then when they phone it they get a recorded message pretending to be real. Sort of like this.

Sounds of people arguing in the background
You - "Hello...hello...can you hang on a moment please. OI YOU LOT, SHUT THE **** UP WILL YA, I'M ON THE PHONE!. Sorry about that, yes you were saying." The message pauses for a few seconds to give them a moment to talk then " Oh for god's sake, sorry can you hold on a moment, IF YOU LOT DON'T SHUT THE ***** HELL UP THEN I WILL SWING FOR YOU" Then the message pauses for a few more seconds and then you come back "Yes........ok.......ah-ha.....Hang on a bit" The message plays the sounds of a phone ringing and you answering it and talking for a minute. Then you keep this charade up for at least 10 minutes. This way you get to earn money without having to speak to them and if they cotton then they are less likely to bother you again. If they hang on long enough you could play at the end of the message something along the lines of "Thank you for listening to this message, as a result I have earned $X, so thank you for your stupidity"

The only potential problem is if US legislations force you to tell the caller of call costs etc. A lot of these scammers are not from the US or country of the person they target. They often come from Africa etc.

I think they either phone and hope for the best or they get lists bought/stolen from websites that might contain such data.
I wonder if they still have lines with (900) area code. Most likely not, they probably did away with those the same time they did away with long distance fees here in the US.

But back in the day when they had those, operators of these lines did indeed have to advertise the cost of calls ahead of time. Most of these lines were for phone sex, which became obsolete with the advent of internet porn.

There were, however, con artists that would go around and trick call these numbers. For example, they would show up at some store and claim to have a delivery for them that no one inside had any idea about. After going back and forth several times, they would ask if it's OK to use their phone to call their boss to see if there's been a mistake. The victim would have no problem with that and the trickster would then call the (900) number, pretend to talk to someone for several minutes, then apologize profusely saying there's indeed been a mistake and leave. At the end of the month, the poor victim would get a phone bill that's several hundred dollars higher than usual and in most cases, had no choice but to pay up as disputing was next to impossible.
 
Unless you deleted it manually, the 1-800-MYAPPLE number used here is already in your contacts. It's in mine, anyway, and I never added it.

I wonder if Apple started adding this to contacts for new iPhone users after a certain date. I've used iPhone since 2007 and it's not in my contacts.
 
A lot of these calls that show up with a UK number actually originate from outside the UK (e.g. generally India), so I would have thought it would be easy for British Telecom to just block any calls with a UK caller ID, which originate from outside the UK, but I guess it isn't.

The vast majority of major corps have long since outsourced their calling centers to India, so both scammers and legit calls originate from India.

Also, major corps all use spoofing too. When you do get a legit call from Apple, they aren't using THE ONE AND ONLY Apple phone to call you. No, they are using one of the 10,000 phone lines that spoof that number.

As someone else said, this is ancient tech. Fixing this requires breaking backwards compatibility, which would affect a wide range of things.
 
Why would an Apple device be more advanced than any device in the history of the world? The number is spoofed; it will look just like the real number to your phone. The only people who can fix this are the telcos.
 
It is worldwide, but I think US is more targeted as there are more people living there and as such the chance of success is higher. There is also a language thing. I lived in India some years ago and it was endemic, but the callers only spoke in Hindi, which I don't speak so I did not understand what was said.

*Nope, how can you tell? Have you been to all countries in the world? FUD, we (where I live) don't have these problems.

* Nope= There's no number spoofing here.
 
How is it even possible to spoof a caller ID? These are issued by the network, they're not like text messages or emails where your device gives a "reply to" address. The network literally tells the receiving phone what number the call is coming from. How is it possible to interfere with that?
Unfortunately it's ridiculously easy to spoof a Caller ID number. Changing one string in my Cisco Call Manager I could set it to whatever number I want...
 
These fake/spoofed caller ID calls and robo calls would end tomorrow if they would fine the carriers; AT&T, Verizon, Sprint, et al. for facilitating the transfer. The day after that gets announced, you'll see how fast those guys fix and end this garbage once and for all.
Too rational. Those big companies paid big bucks to the elected officials in the government.
I would love to see this getting implemented right away to fix this crap.
 
How is it even possible to spoof a caller ID?
There are commercial providers who do it for you, an example; https://www.spoofcard.com/
The reason why it is generally allowed is that police, doctors, support personnel, and others should have the possibility to call you with their personal devices without being required to show their own numbers, but rather the one to their exchange or office.
The Caller ID is a digital to analog signaling system which is sent during call setup and because calls can be routed through various networks it is not extremely hard, for mobile phones it is usually provided by the network, but you can suppress it.
 
Settings -> Do Not Disturb -> Allow Calls From -> {Everyone, No One, Favorites, All Contacts, ...}
This is all well and good. But just before Xmas I received a call from an unidentified mobile. I often ignore these calls but I answered. It was an Amazon delivery driver who had my street address but no number for some reason. I was able to give him my house number and went out to meet him. It was a vital delivery for my wife's Xmas. Not always a good idea to block /ignore unknown callers :)
 
*Nope, how can you tell? Have you been to all countries in the world? FUD, we (where I live) don't have these problems.

* Nope= There's no number spoofing here.
Famous last words? If you live in a country where you can't receive international calls and calls from another network or phone exchanges, or/and can't use VoIP services I will believe you. It may not be rampant or a problem, but it does not mean it does not exist. Of course scammers usually do some ROI analysis and if you live in a country where few use for example credit cards they will not likely attempt credit card scams, or if few have mobile phones or PCs or whatever.
 
Settings -> Do Not Disturb -> Allow Calls From -> {Everyone, No One, Favorites, All Contacts, ...}

Thanks. Have tried. Total kludge.

Whitelisting/blacklisting doesn't do anything to stop these calls because it's based on caller ID which is often faked. I've been called by robo/scammers with my *own* phone number as the caller ID. There is no reason that at the absolute very least the carriers cannot weed out most if not all of these by checking against their own pool of phone numbers against the caller ID before the transfer is even made.

Who cares if the number is spoofed? It’s unlikely to be in my list of contacts. The simple heuristic is, handled entirely on the phone, since the carriers don’t seem to care.
1. Deny blocked calls;
2. Check numbers against a hash table of numbers in my phone book, deny any that don’t match;
3. Allow all.

Question is, how does the scammer know the number they are calling is an iPhone?

They don’t. They are just guessing. There was a great series of episodes on the Reply All podcast where the hosts tracked down phishers who were using a similar line (your Apple ID has been hacked...). I’m sure we’ve all gotten similar ones about “your windows computer has been hacked...”.

Unless you deleted it manually, the 1-800-MYAPPLE number used here is already in your contacts. It's in mine, anyway, and I never added it.

Deleted long ago.
 
Famous last words? If you live in a country where you can't receive international calls and calls from another network or phone exchanges, or/and can't use VoIP services I will believe you. It may not be rampant or a problem, but it does not mean it does not exist. Of course scammers usually do some ROI analysis and if you live in a country where few use for example credit cards they will not likely attempt credit card scams, or if few have mobile phones or PCs or whatever.

Fact, we don't have phone number spoofing here, I don't know why not but I never heard of it, we do have "number unknown" or "number withheld"...no spoofing.

Might be our providers are less corrupt. ;) Or really do care about their customers.
 
There are commercial providers who do it for you, an example; https://www.spoofcard.com/
The reason why it is generally allowed is that police, doctors, support personnel, and others should have the possibility to call you with their personal devices without being required to show their own numbers, but rather the one to their exchange or office.
The Caller ID is a digital to analog signaling system which is sent during call setup and because calls can be routed through various networks it is not extremely hard, for mobile phones it is usually provided by the network, but you can suppress it.
But that's the whole problem with the system. IMO, spoofing should be limited to number(s) you have active service on, not just any random number as you please. Again, there are legitimate uses for spoofing. When you would like to call on work-related matters from personal phone number, your work needs to have a way to dial into the work exchange, then place an outbound call from it, that way customer or whoever you are calling will see the work number on their Caller ID as originally intended. Or if you work at a call center and would like to spoof the main number that customers use to call in, it should not be a problem as the company is legally paying for service on that number. Telcos need to set up verification that makes sure that the number that's being shown on Caller ID is the number that this caller has legal rights to, not just anything they enter into their dialing software, which is probably what's happening with all these robocalls.
 
Why is it surprising that a phone can't tell the difference between caller id information that's fake and caller id information that's legitimate? It's indeed troubling that caller ID spoofing is so common, but this is common to all phones that display caller ID information and is something the carriers need to resolve.
It’s not the phone, it’s the carriers/telecoms that should be catching it. They own the equipment that the calls originate and pass through.
 