Home

PRIVACY LAW/IDENTITY FRAUD

Don’t Believe Your Eyes: Spoofing
By Corrie Sirkin, Esq.

Your phone rings, the caller ID shows “867-5309.”  You are surprised that someone is calling you from that famous number from the 1982 Tommy Tutone hit.  Don’t believe your eyes.   It could be a “spoof.”

“Spoofing” refers to the practice of making a message or call appear as though it originated from a certain phone number, party or email address when it was in fact sent from another source.   Most people are familiar with “spam” emails which try to deceive recipients into revealing sensitive financial information by appearing to come from large banks or other familiar companies.  Now, individuals using applications or easily discoverable information on the Internet can initiate emails or phone calls which display return addresses, identities or phone numbers different from their own. [1]

There are innumerable reasons for persons to disguise information: these range from simple prank calls to threats and harassment.   In addition to changing your number to prevent identification, many companies feature voice changing (even male to female) and call recording features.  These seemingly innocuous telephone pranks may be used for far more nefarious reasons.   In fact, fake caller IDs of ambulance companies and hospitals were used in the recent elections in Missouri to get potential voters to answer the phone. [2]   In 2009, a vindictive Brooklyn wife spoofed the doctor’s office of her husband’s lover in an attempt to trick the other woman into taking medication which would make her miscarry.[3]

On December 22, 2010, President Obama signed into law the “Truth in Caller ID Act of 2009” which makes such spoofing illegal.[4]  The legislation states that "It shall be unlawful for any person within the United States, in connection with any telecommunications service or IP-enabled voice service, to cause any caller identification service to knowingly transmit misleading or inaccurate caller identification information, with the intent to defraud, cause harm, or wrongfully obtain anything of value.”   Forfeiture penalties or criminal fines of up to $10,000 per violation (not to exceed $1,000,000) could be imposed.   The bill specifically does not prohibit the blocking of caller ID information.

Although this bill makes spoofing illegal, attorneys must be aware that phone calls and emails may still be faked through spoofing technology since only knowing transmission with the intent to defraud, cause harm or wrongfully obtain value are illegal.  The bill does not make the spoofing technology itself illegal.  

Attorneys need to be aware of the ability of the other party (or your client) to perpetrate these frauds on the court.  No attorney wishes to inadvertently run afoul of the rules of professional conduct.   In a domestic violence context for example, a plaintiff seeking a temporary or final restraining order for harassment [5] could send threatening communications which appear to be from the defendant.  In other contexts, emails could be “spoofed” regarding bills of sale, goods contracts, partnership agreements, business valuation, testator intent or even child abuse.   The rules of evidence help prevent these kinds of frauds through certification, authentication and reliability objections.  However, attorneys should be cognizant of the possibility that seemingly reliable evidence may in fact be “spoofed.”

When a client or adversary denies phone calls, it is imperative to get business-certified phone records to confirm phone calls and text messages that appear to be from your client.   If your client can show their own records demonstrating that their service provider has no record of these alleged phone calls or text messages, the credibility of the accuser will be denigrated.  Moreover, the judge could hold the person in contempt or in some cases they may be liable for fraud or obstruction.

Unfortunately, disproving emails is a more difficult proposition.   Most emails use SMTP, the Simple Mail Transfer Protocol, which lacks authentication and makes email addresses easily spoofed.  However, it is much more difficult to spoof or hide the IP address.  The IP address is a 32 or 128 bit numerical label assigned to each device participating in a network and originates through the network provider making it more difficult to spoof or hide. 

Lawyers should argue for identification through IP, Internet Protocol, addresses and seek the advice of trained professionals whenever possible.  

Spoofing is yet another reminder that attorneys need to keep abreast of the latest technology and be willing to consult experts when these types of issues arise.  The next time the phone rings and caller ID shows a name and number, you will be just a little more skeptical.

Corrie Sirkin earned her J.D. from the University of Virginia School of Law in 2010.  She is a member of the New York and New Jersey bars.  She currently practices family law in legal services through the University of Virginia Law School Post-Graduate Fellowship.