Spoofed Caller IDs — Why Your Business Number Is Being Used for Fraud (and What to Do)

Spoofed caller ID UK business complaints have become a daily reality for UK SMEs in 2026: customers ring back furious…

Spoofed caller ID UK business complaints have become a daily reality for UK SMEs in 2026: customers ring back furious about a “scam call from your number”, staff field abuse from people who never spoke to you, and your reputation takes hits you didn’t cause. This guide explains why fraudsters spoof real UK business numbers, how to confirm yours is being used, the eight things to do today, and how UK regulators are tightening the rules over 2026 and 2027.

What CLI spoofing is and how it works

“CLI” is short for Calling Line Identification, the signalling data a network uses to display a caller’s number on the recipient’s phone. The fundamental design issue: the caller’s network is responsible for declaring the CLI, and the recipient’s network historically has no robust way to verify it.

That gap is what fraudsters exploit. On a modern VoIP or SIP trunk, the caller can usually set an arbitrary “presentation number” in the outgoing signalling, and that’s what shows up on the recipient’s handset. Honest businesses do this for legitimate reasons, presenting a single switchboard number across many outbound seats. Fraud rings use the same mechanism to dress up scam calls as if they came from a trusted UK SME, a high-street bank, an HMRC hotline or a local council switchboard.

Ofcom’s General Conditions of Entitlement, in particular GC C6, place hard obligations on UK terminating networks to identify and block obviously-invalid CLI: presentations that aren’t valid UK ranges, or that present UK geographic or mobile numbers from calls that clearly originated abroad. Enforcement has stepped up sharply since 2023.

Why your business number specifically might be spoofed

Scammers don’t pick CLIs at random. They want a number with three properties: recognisable, reachable and harvestable. UK SME numbers tick all three boxes.

  • Recognisable: A local 0207, 0161, 0121 or 0117 presentation is a trust signal. People answer local calls more often than international or unknown ones, especially during business hours.
  • Reachable: A real UK business number routes to a real switchboard. That makes the CLI look “warm” to call analytics tools some networks use to score traffic. Spoofing a dead number gets flagged faster than spoofing one that picks up.
  • Harvestable: Your number is almost certainly published on Companies House, your Google Business Profile, your website footer, LinkedIn, your invoice template and aggregator directories. A scraper finds it in seconds.

Local geographic numbers are particularly attractive because they pair with location-targeted social engineering. A “London council” scam dressed up as a 020 presentation works far better than the same script with a Caribbean dialling code.

How to tell if your number is being spoofed

Spoofing campaigns are usually obvious from the inbound side. Within hours of a campaign starting, an SME will see one or more of these patterns:

  • A sudden spike in inbound calls from strangers asking “who is this?”, “why did you call me?”, or “stop calling me.”
  • Angry voicemails referring to scripts you’ve never run, such as bank-fraud warnings, HMRC tax-arrest threats, or parcel-delivery upsells.
  • Customer support tickets and social-media messages reporting attempted scams “from your number”.
  • Calls from your own area code, or from competing local SMEs, flagging the issue directly.
  • Higher inbound call volume from postcodes and regions you don’t normally serve.

None of these mean your phone system has been hacked. They mean your CLI has been borrowed: the fraudster is operating from somewhere else, and your switchboard is just collecting the bounce-back. If you also see actual unauthorised outbound calls on your own bill, treat that as a separate PBX compromise and isolate your SIP credentials immediately.

What to do today: an 8-step action plan

  1. Record an outgoing voicemail message. A short script along the lines of: “This number is the main line for [business]. We never cold-call about [topic]. If you have received a scam call appearing to come from this number, please report it to Action Fraud on 0300 123 2040.”
  2. Notify customers proactively. A short paragraph on your homepage, a pinned post on social media and an email to your customer list. Honest and dated: “Between [date] and [date] our number is being used by scammers without our involvement. Here is what we will never ask for.”
  3. Report to Action Fraud. File the incident at actionfraud.police.uk (or 101 in Scotland) with as many examples as you can document. Include callback logs and screenshots of customer reports.
  4. Report to Ofcom and your telecoms provider. Ofcom’s CLI guidance is enforced via the terminating provider, but your originating provider also wants to know, to support traceback investigations and apply terminating-side blocks where they can.
  5. Add a website notice. A single line in your footer: “We never call you to ask for passwords, one-time codes or remote access. Verify any call by ringing us back on [main number].” This sets a consistent expectation for customers across every page.
  6. Log the callbacks. A simple spreadsheet of date, time, caller’s number, what the scam pretended to be about and how you signposted the person. The pattern is invaluable evidence for Ofcom and for your provider’s traceback team.
  7. Consider a temporary published-number change. If the campaign is sustained and customer trust is taking real damage, you can switch your publicly advertised CLI to a new geographic or 03 number while the original “burns out”. It is disruptive, and not always practical, but it is a tool of last resort.
  8. Brief your staff. Anyone answering the phone needs a 30-second script: acknowledge the caller’s frustration, confirm the call wasn’t from you, point them to Action Fraud and log the contact. Angry callbacks left unanswered turn into one-star reviews.

How UK regulators are tackling CLI spoofing in 2026

Ofcom’s General Condition C6 requires UK communications providers to make reasonable efforts to identify invalid or non-allocated CLIs and to block them at the point of termination. Since 2023, Ofcom has been publishing increasingly specific guidance. From 2024, terminating networks must block calls presenting unallocated UK geographic numbers and unallocated UK mobile numbers. From 2025, they must also block calls that present a real UK mobile CLI when the call clearly originates outside the UK, with narrow exceptions for legitimate roamers using a UK SIM abroad.

In parallel, Ofcom has been pushing the UK industry’s traceback initiative, modelled on the United States STIR/SHAKEN framework. The aim is end-to-end caller authentication for VoIP-originated calls, so a terminating network can verify that the upstream chain authorised the displayed CLI. Full rollout is staged across 2026 and 2027 alongside PSTN switch-off.

This won’t eliminate spoofing overnight, particularly where the fraud originates outside Ofcom’s jurisdiction. It will make the abuse of a legitimate UK SME number progressively harder, which is the trend that matters.

Protecting outbound business calls from being mistaken for spoofs

The other side of the problem: if your own outbound calls don’t carry verifiable identity, even a real call from you can be filtered or rejected by a recipient’s spam-scoring system. UK SMEs should:

  • Use a verified business CLI. Present a single, registered geographic or 03 number that maps to your business in your provider’s records, not random outbound seat numbers.
  • Register with your provider’s authentication scheme. Most enterprise SIP and mobile providers now offer a “verified outbound” or business-identity package that signs the outgoing CLI so terminating networks treat it as trusted.
  • Consider branded calling. Vodafone Business “Verified by”, BT business identity services and the equivalent on EE and Virgin Media O2 let your business name and logo appear on supported handsets.
  • Don’t share CLIs across unrelated dialler campaigns. If a third-party agency uses your CLI for marketing without your knowledge, you will be blamed for it. Insist on contractual CLI controls in any outsourced calling agreement.

For SMEs running their own outbound campaigns, our team also reviews CLI integrity as part of every Cyber Essentials uplift, because lax outbound voice controls map directly to telephone-based fraud risk.

When CLI spoofing escalates to vishing

CLI spoofing is the delivery mechanism. The payload is usually vishing, voice phishing, where the caller impersonates a trusted party to extract money, credentials or remote access. The presented CLI is the prop that makes it believable.

If customers report calls “from your number” asking for one-time passwords, online-banking credentials, gift-card payments or remote-desktop installs, the campaign has moved from nuisance spoof to active financial fraud. Brief your customer-facing teams, log every incident, and read our companion guide on vishing attacks against UK SMEs for the broader playbook. For the common scripts in detail, see our guide on UK phone scams in 2026: 12 patterns to know.

How customers can verify a call really came from your business

You can short-circuit the entire problem by giving customers a deterministic way to verify any call that claims to be from you. Three steps work well together:

  • Publish your real CLI clearly. Put your main inbound number in the website header or footer, on Google Business Profile, and at the top of every email signature. Inconsistency is what scammers feed on.
  • Tell customers what you’ll never ask for. “We never ask for passwords or one-time codes by phone” is the single most useful sentence on a business website in 2026.
  • Tell customers how to look you up. Direct customers to The Business Hub’s free UK number lookup so they can confirm an inbound number against Ofcom’s allocation records before sharing anything. They can drill into the major UK ranges directly via 020 London, 0161 Manchester or 0121 Birmingham, depending on where you advertise.

Our companion article on how to find out who called from an unknown UK number walks through the practical steps a customer should take in order.

Frequently asked questions

Is it illegal to spoof a UK business caller ID?

Spoofing isn’t inherently illegal in the UK, because legitimate businesses spoof their own outbound calls to present a single switchboard number. What is illegal is using a CLI to facilitate fraud, harassment or other criminal activity. Ofcom’s General Condition C6 also requires UK telecoms providers to block calls presenting clearly invalid CLIs at the point of termination. Reports to Action Fraud and Ofcom are the right route when your number is being used in scam campaigns.

Has my phone system been hacked if my number is being spoofed?

Usually not. Spoofing means the fraudster is presenting your number from somewhere else; your actual switchboard, lines and credentials are typically untouched. You can confirm by checking your own outbound call records: if there are no unauthorised outbound calls on your provider’s bill, your system itself is intact. If there are unauthorised outbound calls, treat it as a PBX compromise and rotate your SIP credentials immediately.

How long does a spoofing campaign usually last?

Most campaigns burn through a particular CLI within a few days to a few weeks, because as customer reports build, networks and analytics services start scoring the number as suspect and filtering it more aggressively. Sustained reputational damage tends to come from repeated campaigns reusing the same CLI months apart, rather than a single short burst.

Should I change my business number to escape spoofing?

Only as a last resort. Changing your number costs you marketing visibility, local SEO ranking and customer recognition that took years to build. The better playbook is usually to wait the campaign out while running the eight-step action plan. If the same CLI is being abused repeatedly, switching to a fresh number routed via a verified business-identity service can break the cycle.

Will Ofcom or my provider compensate me for reputational damage?

Not directly. Ofcom enforces against the originating and terminating networks, not on behalf of an individual SME. Your provider may offer goodwill credits or call-screening upgrades, particularly for long-standing business customers. The faster route to recovery is proactive customer notification and Action Fraud reporting, which protect your reputation while the campaign burns out.

How will full PSTN switch-off in 2027 affect spoofing?

Full all-IP voice means every UK call will run over SIP rather than legacy time-division switching. That makes end-to-end caller authentication, the UK equivalent of STIR/SHAKEN, technically straightforward to roll out alongside switch-off. It will not stop foreign-originated spoofing entirely, but it should sharply reduce domestic abuse of UK SME CLIs.

Resources & Articles

You Might Also Like

Read one of our other resources to help you get the best telecoms and IT solutions for your business