Spoofed caller ID UK business complaints have become a daily reality for UK SMEs in 2026: customers ring back furious about a “scam call from your number”, staff field abuse from people who never spoke to you, and your reputation takes hits you didn’t cause. This guide explains why fraudsters spoof real UK business numbers, how to confirm yours is being used, the eight things to do today, and how UK regulators are tightening the rules over 2026 and 2027.
“CLI” is short for Calling Line Identification, the signalling data a network uses to display a caller’s number on the recipient’s phone. The fundamental design issue: the caller’s network is responsible for declaring the CLI, and the recipient’s network historically has no robust way to verify it.
That gap is what fraudsters exploit. On a modern VoIP or SIP trunk, the caller can usually set an arbitrary “presentation number” in the outgoing signalling, and that’s what shows up on the recipient’s handset. Honest businesses do this for legitimate reasons, presenting a single switchboard number across many outbound seats. Fraud rings use the same mechanism to dress up scam calls as if they came from a trusted UK SME, a high-street bank, an HMRC hotline or a local council switchboard.
Ofcom’s General Conditions of Entitlement, in particular GC C6, place hard obligations on UK terminating networks to identify and block obviously-invalid CLI: presentations that aren’t valid UK ranges, or that present UK geographic or mobile numbers from calls that clearly originated abroad. Enforcement has stepped up sharply since 2023.
Scammers don’t pick CLIs at random. They want a number with three properties: recognisable, reachable and harvestable. UK SME numbers tick all three boxes.
0207, 0161, 0121 or 0117 presentation is a trust signal. People answer local calls more often than international or unknown ones, especially during business hours.Local geographic numbers are particularly attractive because they pair with location-targeted social engineering. A “London council” scam dressed up as a 020 presentation works far better than the same script with a Caribbean dialling code.
Spoofing campaigns are usually obvious from the inbound side. Within hours of a campaign starting, an SME will see one or more of these patterns:
None of these mean your phone system has been hacked. They mean your CLI has been borrowed: the fraudster is operating from somewhere else, and your switchboard is just collecting the bounce-back. If you also see actual unauthorised outbound calls on your own bill, treat that as a separate PBX compromise and isolate your SIP credentials immediately.
Ofcom’s General Condition C6 requires UK communications providers to make reasonable efforts to identify invalid or non-allocated CLIs and to block them at the point of termination. Since 2023, Ofcom has been publishing increasingly specific guidance. From 2024, terminating networks must block calls presenting unallocated UK geographic numbers and unallocated UK mobile numbers. From 2025, they must also block calls that present a real UK mobile CLI when the call clearly originates outside the UK, with narrow exceptions for legitimate roamers using a UK SIM abroad.
In parallel, Ofcom has been pushing the UK industry’s traceback initiative, modelled on the United States STIR/SHAKEN framework. The aim is end-to-end caller authentication for VoIP-originated calls, so a terminating network can verify that the upstream chain authorised the displayed CLI. Full rollout is staged across 2026 and 2027 alongside PSTN switch-off.
This won’t eliminate spoofing overnight, particularly where the fraud originates outside Ofcom’s jurisdiction. It will make the abuse of a legitimate UK SME number progressively harder, which is the trend that matters.
The other side of the problem: if your own outbound calls don’t carry verifiable identity, even a real call from you can be filtered or rejected by a recipient’s spam-scoring system. UK SMEs should:
For SMEs running their own outbound campaigns, our team also reviews CLI integrity as part of every Cyber Essentials uplift, because lax outbound voice controls map directly to telephone-based fraud risk.
CLI spoofing is the delivery mechanism. The payload is usually vishing, voice phishing, where the caller impersonates a trusted party to extract money, credentials or remote access. The presented CLI is the prop that makes it believable.
If customers report calls “from your number” asking for one-time passwords, online-banking credentials, gift-card payments or remote-desktop installs, the campaign has moved from nuisance spoof to active financial fraud. Brief your customer-facing teams, log every incident, and read our companion guide on vishing attacks against UK SMEs for the broader playbook. For the common scripts in detail, see our guide on UK phone scams in 2026: 12 patterns to know.
You can short-circuit the entire problem by giving customers a deterministic way to verify any call that claims to be from you. Three steps work well together:
Our companion article on how to find out who called from an unknown UK number walks through the practical steps a customer should take in order.
Spoofing isn’t inherently illegal in the UK, because legitimate businesses spoof their own outbound calls to present a single switchboard number. What is illegal is using a CLI to facilitate fraud, harassment or other criminal activity. Ofcom’s General Condition C6 also requires UK telecoms providers to block calls presenting clearly invalid CLIs at the point of termination. Reports to Action Fraud and Ofcom are the right route when your number is being used in scam campaigns.
Usually not. Spoofing means the fraudster is presenting your number from somewhere else; your actual switchboard, lines and credentials are typically untouched. You can confirm by checking your own outbound call records: if there are no unauthorised outbound calls on your provider’s bill, your system itself is intact. If there are unauthorised outbound calls, treat it as a PBX compromise and rotate your SIP credentials immediately.
Most campaigns burn through a particular CLI within a few days to a few weeks, because as customer reports build, networks and analytics services start scoring the number as suspect and filtering it more aggressively. Sustained reputational damage tends to come from repeated campaigns reusing the same CLI months apart, rather than a single short burst.
Only as a last resort. Changing your number costs you marketing visibility, local SEO ranking and customer recognition that took years to build. The better playbook is usually to wait the campaign out while running the eight-step action plan. If the same CLI is being abused repeatedly, switching to a fresh number routed via a verified business-identity service can break the cycle.
Not directly. Ofcom enforces against the originating and terminating networks, not on behalf of an individual SME. Your provider may offer goodwill credits or call-screening upgrades, particularly for long-standing business customers. The faster route to recovery is proactive customer notification and Action Fraud reporting, which protect your reputation while the campaign burns out.
Full all-IP voice means every UK call will run over SIP rather than legacy time-division switching. That makes end-to-end caller authentication, the UK equivalent of STIR/SHAKEN, technically straightforward to roll out alongside switch-off. It will not stop foreign-originated spoofing entirely, but it should sharply reduce domestic abuse of UK SME CLIs.
Read one of our other resources to help you get the best telecoms and IT solutions for your business