By Judy L. Thomas
McClatchy Newspapers (MCT)
KANSAS CITY, Mo. — The phone calls came in the middle of the night. Three women, each receiving an eerie message from the man on the line:
He was in their house and watching them.
And according to caller ID, the calls were coming from their home phones.
The terrified women found out later that the caller was not in their homes, but playing a frightening prank on them.
It's called spoofing. Sometimes it's a practical joke, but law enforcement officials are becoming increasingly alarmed by more harmful uses.
"There's definitely a potential for abuse, no doubt about it," said Jeff Lanza, a retired FBI agent in Kansas City who conducts seminars on identity theft and Internet safety.
Spoofing makes use of services that allow callers to disguise the number they are calling from.
It works like this: Users register with a spoofing service. When they call the service, they enter the caller ID number they want displayed on the recipient's phone, followed by the number they want to call.
Users can choose a male or female voice so that even when they speak normally, their voice is altered. The calls also can be recorded by the caller.
Some have used the technology to harass and terrorize others. Scam artists have used it to masquerade as someone in an official capacity, then persuade unsuspecting victims to give them personal or financial information. Others have called in fake police reports, causing entire neighborhoods to be shut down as emergency crews respond.
The service is legal, and spoofing companies point out that even law enforcement agencies use it as an investigative tool.
But it also can be dangerous, security experts say. Indeed, some states have attempted to address the dangers.
For now, Lanza says, the message for the public is simple and perhaps surprising:
"Don't believe caller ID."
It's easy to conceal caller IDs and almost impossible to detect when it happens, but police and others often are able to trace abuses.
For example, the Pennsylvania man who called the women in their homes during the night did jail time last year after pleading guilty to harassment, as did the woman who put him up to it.
In July, a judge awarded $7.3 million in damages to a former Kansas City man who sued a Leawood, Kan., woman, claiming she sent "profane and defamatory" text messages and made calls to his friends and family members through an Internet service that concealed her real telephone number.
Last year, several men were sentenced to five years in federal prison for reporting fake hostage crisis situations to police in more than 60 cities across the country. Their calls appeared to come from the residences where the "crisis" was occurring, and they pretended to be inside the homes, saying they had killed people and taken hostages.
The bogus reports, called "swatting" because they prompted responses by SWAT teams, involved more than 250 victims and resulted in up to $250,000 in losses and two injuries.
In late 2007, a person posing as a police officer called people in Ohio and asked for their credit card information. The caller told the victims that they had outstanding tickets and could pay them over the phone by credit card. The caller, who was not caught, used a spoofing service to show that the call was coming from Columbus police headquarters.
The problem, Lanza said, is that caller ID has given people a false sense of security.
Scam artists can make it appear as though the call was coming from a bank, a doctor's office, or any organization that requires personal information, Lanza said.
Numerous companies specialize in spoofing and market it over the Internet. The biggest is SpoofCard, a subsidiary of TelTech Systems, which sells the service for $9.95 for 60 minutes of phone time. The company says it has more than 3 million customers and in July announced it was going international.
Prankplace.com, which sells SpoofCard, bills it as "the ultimate prank call!"
"Does your friend have a crush on the hot guy at school?" it says on its Web site. "Use SpoofCard to call her disguised as the hot guy and ask her out on a date!"
SpoofCard customers rave about the service on its Web site and Facebook pages.
"I spoofed a friend into thinking he won a million dollars," one customer wrote on the Web site, adding that the friend then went out and bought a $600 bottle of champagne to celebrate.
Meir Cohen, president of TelTech Systems in Toms River, N.J., said SpoofCard has been in business for more than 5 years.
"It's not a secret that it can be a controversial product," he said. "But we have millions and millions of customers and the vast, vast majority are using our product for totally legal purposes."
Many customers use it to protect their privacy, he said.
"Doctors love our product, because if they're on call and they get a page at home and have to call the patient back, they don't want to call from their house phone or cell phone because they don't want to give that number out," he said.
Law enforcement agencies also use it for undercover operations, he said.
Cohen said people may expect caller ID to be 100 percent reliable, but it shouldn't be used to verify the caller.
"A lot of people, their first reaction when they see this service, is, 'Oh, this is terrible,'" he said. "It's because with caller ID, we've gotten used to something that was really a false level of security that people felt."
SpoofCard is not traceable, Cohen said, unless authorities subpoena the records.
"If anybody does use the product illegally, we take a very proactive approach to help law enforcement," he said.
He said his company also has been working to stop "swatting."
"We don't allow you to call 911," he said, adding that the service is collecting more police numbers to block from its system.
But critics say the spoofing services give criminals another tool to use on their victims.
"As if people aren't harassed enough, now comes a company that profits by making deception even easier," said David Clohessy, a victim advocate and executive director of the Survivors Network of those Abused by Priests. "Sexual predators and other criminals have plenty of advantages and opportunities already."
Attempts have been made in Congress to restrict spoofing, but they have not been successful.
In June 2007, the U.S. House of Representatives passed a "Truth in Caller ID Act," making it illegal to transmit false caller ID information with the intent to "defraud or harm." The measure did not pass the Senate. Similar bills have been introduced as well but have gone nowhere.
But some states are cracking down on spoofing. This year, Louisiana passed a law banning the use of spoofing services to "mislead, defraud or deceive" the recipients of the calls, and a similar law has passed the state Senate in New York.
In Missouri, Democratic Rep. Paul LeVota co-sponsored a similar bill this year, but it never got a hearing.
Missouri Attorney General Chris Koster said spoofing is a major concern.
"We are seeing increased levels of spoofing across the board, and we deal with it increasingly in our efforts to try and enforce Missouri's no-call list," he said. "It's hard to imagine any productive uses. There are far more opportunities for illicit uses than for productive ones."
When Florida passed a broader "Anti-Spoofing Act" last year, TelTech and others sued the state in U.S. District Court, arguing that the law was unconstitutional because there were legitimate purposes for using "spoofed" phone numbers.
In July, the federal court agreed and struck down the state law.
Dan Curry, an associate at the Kansas City law firm of Randles, Mata & Brown, which represented the plaintiff in the lawsuit against the Leawood woman, said he had never heard of spoofing until he worked on the case.
"I was going through her phone records and found where this toll-free access number kept getting called in the early morning hours," he said. "So I Googled it and found SpoofCard. I had no idea this was even a possibility. We subpoenaed SpoofCard records, and lo and behold, they had accounts for her."
According to the lawsuit, the man started working in the woman's home as a baby sitter when he was 13 years old and living in Kansas City. The harassment started when he went to college, according to the lawsuit.
The woman called and sent text messages to the man and his friends, using SpoofCard to disguise where the calls were coming from.
According to the lawsuit, the woman placed more than 400 phone calls to the man and more than 100 calls to his former girlfriend.
The woman denied making the calls and sending text messages. She has filed a motion requesting a new trial and asking the judge to vacate his order.
"SpoofCard sounds like just practical jokes," Curry said, "but it really was terrifying for him. He had no control over what any of his friends were hearing about him; he had no privacy."
Clohessy said he did see "a potential silver lining" amid his concerns about spoofing.
"Hopefully, the lesson folks will learn is that if you misuse this 'service,' you'll get caught and the consequences will be harsh," he said.
(c) 2009, The Kansas City Star.
Visit The Star Web edition on the World Wide Web at http://www.kansascity.com.
Distributed by McClatchy-Tribune Information Services.