How confidential are your calls

Latest Articles

Phone scamming kingpin gets 13 years for running “iSpoof” service

Blog icon written by XCell Technologies
Calendar icon

Published 28 May 2023

In November 2022 Police runs a multi-country takedown against a Cybercrime-as-a-Service (CaaS) system known as iSpoof.

Although iSpoof advertised openly for business on a non-darkweb site, reachable with a regular browser via a non-onion domain name, and even though using its services might technically have been legal in your country (if you’re a lawyer, we’d love to hear your opinion on that issue once you’ve seen the historical website screenshots below)…

…a UK court had no doubt that the iSpoof system was implemented with life-ruining, money-draining malfeasance in mind.

The site’s kingpin, Tejay Fletcher, 35, of London, was given a prison sentence of well over a decade to reflect that fact.

Show any number you like

Until November 2022, when the domain was taken down after a seizure warrant was issued to US law enforcement, the site’s main page looked something like this:

A woman is talking on the phone in the background. A smartphone and a custom caller ID to protect your privacy is pictured.

You can show any number you wish on call display, essentially faking your caller ID.

And an explanatory section further down the page made it pretty clear that the service wasn’t merely there to enhance your own privacy, but to help you mislead the people you were calling:

An image of a smartphone and a text about what caller ID spoofing is
Get the ability to change what someone sees on their caller ID display when they receive a phone call from you. They’ll never know it was you! You can pick any number you want before you call. Your opposite will be thinking you’re someone else. It’s easy and works on every phone worldwide!

In case you were still in any doubt about how you could use iSpoof to help you rip off unsuspecting victims, here’s the site’s own marketing video, provided courtesy of the Metropolitan Police (better known as “the Met”) in London, UK:

As you will see below, iSpoof users weren’t actually anonymous at all.

More than 50,000 users of the service have been identified already, with close to 200 people already arrested and under investigation in the UK alone.

Pretended to be a bank...

Simply put, if you signed up for iSpoof’s service, no matter how technical or non-technical you were, you could immediately start placing calls that would show up on victims’ phones as if those calls were coming from a company that they already trusted.

As the Metropolitan Police put it:

Users of iSpoof, who had to pay to use its services, posed as representatives of banks including Barclays, Santander, HSBC, Lloyds and Halifax [well-known British banks], pretending to warn of suspicious activity on their accounts.

Scammers would encourage the unsuspecting members of the public to disclose security information such as one-time passcodes to obtain their money.

The total reported loss from those targeted via iSpoof is £48 million in the UK alone, with average loss believed to be £10,000. Because fraud is vastly under reported, the full amount is believed to be much higher.

In the 12 months until August 2022 around 10 million fraudulent calls were made globally via iSpoof, with around 3.5 million of those made in the UK.

Interestingly, the Met says that about 10% of those UK calls (about 350,000 in all), made to 200,000 different potential victims, lasted more than a minute, suggesting a surprisingly high success rate for scammers who used the iSpoof service to give their bogus calls a fraudulent air of legitimacy.

When calls arrive from a number you’re inclined to trust – for example, a number you use sufficiently often that you’ve added it into your own contact list so it comes up with an identifier of your choice, such as Credit Card Company, rather than something generic-looking such as +44.121.496.0149…

…you’re unsurprisingly more likely to trust the caller implicitly before you hear what they’ve got to say.

After all, the system that transmits away the caller’s number to the recipient before the call is even answered is known in the jargon as Caller ID, or Calling Line Identification (CLI) outside North America.

It’s not any sort of ID

Those magic words ID and identification shouldn’t really be there, because a technically savvy caller (or a completely non-technical caller who was using the iSpoof service) could insert any number they liked when initiating the call.

In other words, Caller ID not only tells you nothing about the person using the phone that’s calling you, but also tells you nothing trustworthy about the number of the phone that’s calling you.

Caller ID “identifies” the caller and the calling number no more reliably that the return address that’s printed on the back of a snail-mail envelope, or the Reply-To address that’s in the headers of any emails you receive.

All those “identifications” can be chosen by the originator of the communication, and can say pretty much anything that the sender or caller chooses.

They should really be called What the Caller Wants you to Think, Which Could Be a Pack of Lies, rather than being referred to as an ID or an identification.

And there was an awful lot of lying going on, thanks to iSpoof, with the Met claiming:

Before it was shut down in November 2022, iSpoof was constantly growing. 700 new users were registering with the site every week and it was earning on average £80,000 per week. At the point of closure it had 59,000 registered users.

The website offered a number of packages for users who would buy, in Bitcoin, the number of minutes they wanted to use the software for to make calls.

The site raked in loads of profit, according to the Met:

iSpoof made just over £3 million with Fletcher profiting around £1.7-£1.9 million from running and enabling fraudsters to ruin victim’s lives. He lived an extravagant lifestyle, owning a Range Rover worth £60,000 and a Lamborghini Urus worth £230,000. He regularly went on holiday, with trips to Jamaica, Malta and Turkey in 2022 alone.

Earlier in 2023, Fletcher pleaded guilty to the offences of making or supplying articles for use in fraud, encouraging or assisting the commission of an offence, possessing criminal property and transferring criminal property.

Last week he was given a prison sentence of 13 years and 4 months; 169 other people in the UK “have now been arrested on suspicion of using iSpoof [and] remain under police investigation.”

What to do?

TIP 1. Treat Caller ID as nothing more than a hint.
The most important thing to remember (and to explain to any friends and family you think might be vulnerable to this sort of scam) is this: THE CALLER’S NUMBER THAT SHOWS UP ON YOUR PHONE BEFORE YOU ANSWER PROVES NOTHING.

TIP 2. Always initiate official calls yourself, using a number you can trust.
If you genuinely need to contact an organisation such as your bank by phone, make sure that you initiate the call, and use a number than you worked out for yourself.

For example, look at a recent official bank statement, check the back of your bank card, or even visit a branch and ask a staff member face-to-face for the official number that you should call in future emergencies.

TIP 3. Be there for vulnerable friends and family.
Make sure that friends and family whom you think could be vulnerable to being sweet-talked (or browbeaten, confused and intimidated) by scammers, no matter how they’re first contacted, know that they can and should turn to you for advice before agreeing to anything over the phone.

And if anyone asks them to do something that’s clearly an intrusion of their personal digital space, such as installing Teamviewer to let them onto the computer, reading out a secret access code off the screen, or telling them a personal identification number or password…

…make sure they know it’s OK simply to hang up without saying a single word further, and getting in touch with you to check the facts first.

Our advice

We have constantly refused users’ requests regarding Caller ID spoofing solutions just because the users can expose themselves to many security threats once the phone stepped out into the wild internet. Changing the phone number/Called ID requires a 3rd party server that can be reached over the phone data connection. This is because the phone number is not stored on the SIM card but at the core network level (network servers). The SIM card only contains the IMSI. No regular user can actually run a background check in order to see who is actually behind the server that provides Called ID spoofing services. Actually, this was pretty difficult even for Met. At any time such people can hide behind web servers that provide such “secure” services and there is nothing you can do.
The same precautions are needed when it comes to encrypted communications: no matter if they pretend that encryption is end-to-end, a good encryption service will always use a web server and phone’s data connection. Hence, there is no more privacy and no security but only risks. The above case is a perfect example.

And a last thing: cell phone surveillance is done based on IMEI (phone ID) and IMSI (SIM card ID). The phone number (MSISDN in terms of telco) is used only to calculate IMSI, but law enforcement and other home security agencies do not need the phone number since they are using a device called “IMSI catcher” that grabs the IMSI over the air. No matter to which server the phone is connected, no matter which phone number or Called ID is used: the IMSI Catcher will always grab the SIM card IMSI, for further call interception. If no SIM card is inserted on the phone (supposing that the phone is connected via WIFI to a hotspot in order to access the internet), then the IMSI Catcher will only grab the phone IMEI, which is just enough for the further interception, including data interception.

Let’s keep in touch!

We’d love to keep you updated with our latest news and offers

Further articles

ABC Limited exposed

Secure WIFI router scam

There will always be fraudsters who take advantage of the desire for security by overpricing normal products and claiming that these have “security features”. As in this case… Read more

A man using his cell phone and attacking an IMSI Catcher

X-ONE Stealth Phone

The first 4G stealth phone with an unprecedented feature: XTerminator which allow OTA attacks against IMSI Catchers. Read more