There’s a whole Wikipedia page about it. But here is the important bit:
In the past, caller ID spoofing required an advanced knowledge of telephony equipment that could be quite expensive. However, with open source software (such as Asterisk or FreeSWITCH, and almost any VoIP company), one can spoof calls with minimal costs and effort.
Some VoIP providers allow the user to configure their displayed number as part of the configuration page on the provider’s web interface. No additional software is required.
So it’s pretty trivial these days because the phone number coming from the phone network doesn’t help when the phone network lets you set whatever you like.
Unfortunately the calling party can show whatever they want for the caller number, there’s no validation that it’s true.
Doesn’t the phone number come from the phone network and not the caller?
There’s a whole Wikipedia page about it. But here is the important bit:
So it’s pretty trivial these days because the phone number coming from the phone network doesn’t help when the phone network lets you set whatever you like.
Phone number verification process: “Trust me, bro”.
Networks: “OK!”