Basically: there’s nothing in the phone system to make sure caller ID is not lying. It’s just data that gets sent with the call and nothing in the network validates that the reported number is correct. There’s not even *a way to validate*.

It’s like the return address on a mailed letter. You can put anyone’s address there. While the letter is in your personal mailbox is the only time someone might notice something’s wrong. Once the letter’s in a bin with 100 other letters there’s no longer a way to prove it came from your house.

So if criminals buy the kind of phone equipment offices use, it’s really easy to make it lie about caller ID. This is even easier with “voice over IP” because that lets anyone with a computer access hardware that lets them spoof a number. There are legitimate uses for this which is why it exists, but when the decisions were made the equipment was so expensive only businesses could buy it, so there wasn’t any concern about security. Now individuals can afford it, and VOIP companies make it accessible to anyone.

It’s pretty bad but the powers that be don’t see it as worth the money or trouble to update things. Cases like yours are rare to them, and the only time the public cares is 30 minutes of “someone should’ve done something” after a tragedy occurs. Your best option is to constantly report it to police and hope that you annoy them enough that they start constantly bothering the people who can investigate. The odds aren’t great. 🙁

The way the telephone operating software (called SS7) works, the phone system making the call sends the call router the number and text to be displayed in calling number ID. This is a “feature” in that calls from a big company can say “Company Name” in the caller ID and give the company’s switchboard number rather than the line being used; which was a big deal for companies with more phones than numbers. Many companies now use direct inward dialing, where each phone has a phone number, but that’s more expensive.

Since the feature is there, VOIP systems must emulate it. That means the VOIP software must get it from the user, and users can type any old thing. As a result, calling number ID isn’t very effective.

A new, more secure, option has been developed, called STIR/SHAKEN, but most phone companies haven’t implemented it. They don’t want calls from some company to stop working because the company hasn’t upgraded its phone system with STIR/SHAKEN.

For a cell phone, you might be able to get your phone company to turn it on for your line, I think the AT&T Security app for your phone can enable it, but you will lose some calls and texts from real people.

It is a failure of US government to regulate powerful telecom companies. Elsewhere telcos are responsible for making sure that the Caller ID sent via SS7 is correct. It isn’t too hard to refuse a call or SMS that has a Verizon’s Caller ID if it unexpectedly comes from a Nigerian VoIP operator. But it costs money and telcos tend not to spend a dime unless required by law and big fines are a risk.

Despite all of the advances in technology since then, the current phone system still inherits a lot of properties of some of the earliest phone systems, and those phone systems prioritized reliability over security.

A lot of the ‘rules’ for how the phone networks were put together attempted to keep it all as simple as possible in order to make it all interact reliably, and as newer features like caller ID and whatnot were piled on top of it, they often had to be implemented in fairly simplistic and insecure ways in order to not break compatibility with existing older parts of the overall phone system.

The end result of all of this is that basically when someone makes a phone call, they can report whatever they want as their phone number, and the system doesn’t have any way of verifying it.

The solution to this is government regulation requiring all of the phone companies to upgrade everything to more secure systems, but that would cost the phone companies a lot of money and effort, so they’ve lobbied pretty hard to avoid such regulations from passing.

Other people have given great answers but here’s an application of it – back in the day, you could spoof a number and then call it on some carriers, that carrier would interpret that as that number trying to check its voicemail; if they didn’t have a PIN on their mailbox, it could be accessed.