It’s no secret for anyone reading carefully most of today’s PBXs documentation (having owned one before) that CallerID information can be faked.
Update: also picked up by Slashdot
This article at Security Focus explains one of the many ways, although there are much simpler methods.
I used to rely on CallerID for identification purposes when customers called for passwords and other detailed information on their services.
I ultimately ended up combining a series of elements to determine the level of trust I deemed necessary to obtain such information – at the risk of being considered too paranoid.
Isn’t paranoia good for business ? 😉