The Spam Call That Came From My Own Number: How Scammers Learn Which Numbers You Trust
On July 2nd, a little after 2pm, my phone got a call from my own number. And I don't mean a lookalike with two digits swapped, the kind everyone gets. My actual second number, one I keep for testing and rarely give out, was sitting there on the caller ID, calling my everyday cell, while I was holding the phone and very much not calling myself.
As it happens, I build a call screening service, so this particular spammer managed to pick the one victim who could pull the records afterward. The call never rang my phone. It hit the screening that answers unknown callers on my line, spent thirteen seconds against a challenge that asks the caller to repeat a short phrase, and hung up without ever saying a word, and it didn't try again. Whatever was on the other end was software, dialing through a list, gone the moment a prompt asked it to behave like a person.
The interesting part came after. I checked the account behind my second number and found nothing: no outbound call in its history at that time, or at any time that day. Nothing was hacked, because nothing needed to be. The number was forged on the network, the way a return address gets forged on an envelope, and displaying a number they don't own has cost spammers roughly nothing for years.
But forging the number is the boring half of this story. Out of billions of possible pairings, something out there knew that this specific number would mean something to my specific phone. Those two numbers have no public connection. They've never appeared together on a website, a form, or a business card. So the question that actually matters is: how did a list-dialing operation know these two numbers belong together?
Who already knows which numbers call you
The uncomfortable answer is that "this number calls that number" is one of the most widely copied facts about you, and it leaks from places you'd never think to check.
Start with the phone in your hand. The spam label on your incoming calls works by checking numbers against a cloud reputation service in real time, and that's true whether the label comes from your phone's own dialer (Samsung's Smart Call, for instance, is powered by Hiya) or gets stamped on by your carrier before the call ever reaches you, the way Verizon's Call Filter, T-Mobile's Scam Shield, and AT&T's ActiveArmor do, built on analytics partners like First Orion and TNS. For that label to appear at all, somebody's servers have to be told your number and the caller's number, together, at the moment of the call. That's not a flaw; it's the feature working as designed. It also means companies you never consciously chose have been accumulating a call-by-call log of who reaches you.
Caller-ID apps go a step further. Truecaller, the biggest of them, identifies unknown callers by matching against a database of billions of numbers, assembled over a decade from crowdsourced tagging, commercial data partners, and, in its earlier years, address books uploaded wholesale from users' phones. So if a friend who saved your number installed one of these apps under its older terms, your name and number entered a database you've never seen, linked to everyone else that phone knew. Regulators in several countries have been circling these practices for years, but the databases they're circling already exist.
Then there are the carriers, who hold the complete record by definition, and who lose it. In 2024, AT&T disclosed that call and text metadata for roughly 110 million customers had been stolen from a third-party cloud workspace: which numbers contacted which, how often, and for how long, across a six-month window in 2022. The company was careful to note that no call contents and no names were taken, and I believe that's meant to be reassuring. But a spammer never wanted the contents.
The pairing alone, the fact that your cell regularly exchanges calls with five particular numbers, is a map of exactly which caller IDs will make you pick up.
That map walked out the door 110 million times.
And underneath all of it runs the ordinary data-broker economy, where identity profiles bundle together your current number, your previous numbers, your secondary lines, and your household's numbers, gathered from public records, app permissions, loyalty programs, and webforms with consent language nobody has ever read. Lead generators buy and resell these profiles legally. The federal rule that would have tightened the consent loophole never got the chance: adopted in late 2023, it was struck down by a federal appeals court in January 2025, days before it took effect. The pipeline it was aimed at is still flowing.
So my mystery resolved into something duller and worse than a hack. A profile connecting my two numbers is an ordinary commodity, assembled from ordinary sources, sold at an ordinary price. The spoofed call was just that profile being put to work by software that does the same to thousands of people an hour, because sending a call costs a fraction of a cent, and the occasional person who answers pays for the million calls that didn't.
And it's fair to turn the question on us, because VoxGuard answers phone calls for a living. So, plainly: we see the unknown calls we screen for you, because that's the job you hired us for, and that's where it ends. There is no reputation database on our side of the call. We don't look your callers up in one, we don't feed them into one, and there's no shared pool of numbers sitting on our servers for the next broker to buy. The app reads the phone numbers of your saved contacts, and nothing else about them, for exactly one purpose: letting the people you know ring straight through. What happens on your line stays between you and your callers.
The number on the screen was never the thing to trust
The ending of my July 2nd story is the whole point. The caller ID on that call said, in effect, "a number you trust." The screening ignored the claim entirely, answered the call, and asked the one question a forged caller ID can't answer: is there a person here who can respond? Thirteen seconds later, the software on the other end had answered honestly, by hanging up, and my phone sat silent through the entire exchange.
That's the general lesson wrapped inside the specific incident. Spam defense built on reputation asks what the caller ID says and whether that number is on a list, and both halves of the question are now broken at once. The pairing data that tells spammers which numbers to fake has already leaked, permanently, from carriers and apps and brokers. And the numbers they dial from are used once and thrown away, faster than any list can catch them. A defense that makes its decision from the caller ID is reasoning from the one piece of information the caller completely controls.
The one thing the leaked databases cannot sell is the ability to hold up your end of a conversation.
The alternative is to stop asking what the caller claims to be and start asking what the caller can do. For every number outside your saved contacts, VoxGuard answers first and asks the caller to repeat a spoken phrase, then to say who they are and why they're calling, in their own voice. You get the recording and the transcript before your phone rings, and you make the call, so to speak. People in your contacts ring through untouched, every time. And the recorded dialers, the one-and-done list callers, and whatever called me on July 2nd never make it past the first question, because the ability to hold up your end of a conversation is the one thing the leaked databases cannot sell.
The pairing data is out there for good; no ruling and no regulation un-leaks a database. What you can still change is whether knowing your numbers is enough to reach you. Here's how the screening works, end to end.
Sources
- Cybersecurity Dive. Massive Snowflake-linked attack exposes data on nearly 110M AT&T customers. July 2024.
- Wikipedia. Snowflake data breach.
- Goodwin. Eleventh Circuit Deals Fatal Blow to the TCPA's One-to-One Consent Rule. January 2025.
- Akerman. Eleventh Circuit Vacates FCC's One-to-One Consent Rule Days Before Effective Date.
- Hiya. Samsung Smart Call: Caller ID & Spam Protection.
- FCC. Call Blocking Tools and Resources.
- Wikipedia. Truecaller.
- Beebom. Worried About Privacy in Truecaller? Here's How The Caller ID App Really Works.
- Nomorobo. Area-code spoofing surges 2025.
- Identity Guard. Getting calls from my contacts, but it's not them.
- FCC. Stop Unwanted Robocalls and Texts.
- U.S. PIRG Education Fund. Ringing in Our Fears 2025.
- VoxGuard network data: incident record, July 2, 2026 (screened out in 13 seconds).