The important thing to know is that telephony systems are nearly all digital now (the specific signaling protocol is called Signaling System 7, or SS7). The only part of the system that's analog is the part between the handset in your house and the nearest central switch, where the A-D and D-A conversion happens, and not even that if we're talking about cellular telephony. The way that caller-id works on analog phones is that the originating switch sends the caller's phone number (and potentially a name) in the SS7 setup message to the terminating switch, and the receiving switch encodes that information onto the line in the silent interval between rings, where it's decoded by the callee's phone and displayed to the callee. The situation is basically similar with cell phones except that the connection between the cell phone and the switch isn't analog.
One of the basic assumptions of SS7 is that any device which gets to connect to the telephony network and speak SS7 is trusted. In particular:
- The originating switch can put any information in the setup message it wants, including advertising random numbers that aren't actually connected to the switch.
- Caller-id blocking (when the caller doesn't want their id propagated) is implemented by having a bit in the setup message that tells the receiving switch not to encode the caller-id information onto the callee's line.
The first point implies that you can't really trust anything you see on caller-id. If you can get a digital connection to the phone network, such as in a call center, a PBX or a home ISDN line, you can generally put any information you want in your messages [Technical note: this protocol is Q.931, not SS7, but you can think of it as SS7 for now], including false caller-id information. Since it's not at all hard to get this kind of access, caller-id from the telephone network is basically unreliable. The second point implies that caller-id blocking isn't that trustworthy either. If you have a digital connection to the network, there is a reasonable chance that you will get the caller-id information for any caller even if they have turned on blocking: you may see the bit that tells your equipment not to display the number, but nothing forces it to obey. In principle the receiving switch could strip this information from the Q.931 messages it sends you, but my understanding is that switches generally don't.
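The two points above come down to two fields in the per-call calling party information and to who enforces them. As an added example (not from the original post), here is a Python decoder for the Q.931 Calling Party Number information element, the form in which a digital subscriber connection such as an ISDN line or PBX trunk carries caller-id, together with the suppression a terminating switch should apply before anything reaches the callee's line. It relies on the octet layout in Q.931 §4.5.10, including the screening indicator (not mentioned in the post) that records whether the network ever checked the number; the sample IEs are constructed.

```python
# Q.931 Calling Party Number IE (identifier 0x6C), per Q.931 section 4.5.10.
# Added example; the sample IEs below are constructed, not captured traffic.

PRESENTATION = {0: "allowed", 1: "restricted", 2: "not available", 3: "reserved"}
SCREENING = {
    0: "user-provided, not screened",
    1: "user-provided, verified and passed",
    2: "user-provided, verified and failed",
    3: "network-provided",
}

def parse_calling_party_number(ie: bytes) -> dict:
    """Decode the IE into type/plan, presentation, screening and digits."""
    if len(ie) < 3 or ie[0] != 0x6C or ie[1] != len(ie) - 2:
        raise ValueError("not a well-formed Calling Party Number IE")
    octet3 = ie[2]
    fields = {
        "type_of_number": (octet3 >> 4) & 0x07,
        "numbering_plan": octet3 & 0x0F,
        # Q.931 defaults when octet 3a is absent (extension bit set in octet 3).
        "presentation": PRESENTATION[0],
        "screening": SCREENING[0],
    }
    digits_start = 3
    if not octet3 & 0x80:                 # ext bit 0: octet 3a follows
        octet3a = ie[3]
        fields["presentation"] = PRESENTATION[(octet3a >> 5) & 0x03]
        fields["screening"] = SCREENING[octet3a & 0x03]
        digits_start = 4
    # Digits are IA5 characters with bit 8 cleared.
    fields["number"] = bytes(b & 0x7F for b in ie[digits_start:]).decode("ascii")
    return fields

def deliver_caller_id(ie: bytes) -> dict:
    """What a terminating switch should pass on to the callee's line."""
    f = parse_calling_party_number(ie)
    if f["presentation"] != "allowed":
        # Honor the blocking bit at the switch: send no digits, not digits plus a bit.
        return {"number": None, "verified": False, "reason": f["presentation"]}
    # A number the network never screened is only the originator's claim.
    verified = f["screening"] in (SCREENING[1], SCREENING[3])
    return {"number": f["number"], "verified": verified, "reason": f["screening"]}

# Constructed samples. Octet 3 = 0xA1: ext=1, national number, E.164 plan.
FROM_ANALOG_LINE = bytes([0x6C, 0x08, 0xA1]) + b"5551234"
# Octet 3 = 0x21 (ext=0, so octet 3a follows); 0xA3 = restricted + network-provided.
BLOCKED_CALLER = bytes([0x6C, 0x0C, 0x21, 0xA3]) + b"2125550100"
# 0x80 = presentation allowed + user-provided, not screened (e.g. a PBX asserting it).
PBX_ASSERTED = bytes([0x6C, 0x0C, 0x21, 0x80]) + b"8005550199"
```

The `verified` flag is what a defender should key on: a displayed number whose screening indicator is "user-provided, not screened" carries no more authority than the post describes.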
As far as I can tell TrapCall uses some combination of these features. You arrange to forward blocked calls to TrapCall, which acts as if it were your voicemail provider (I imagine that if someone really leaves a voicemail they just proxy it to your real voicemail box). TrapCall then reads the caller-id information and calls you back with spoofed caller-id matching the caller's (blocked) caller-id.
Acknowledgment: Jon Peterson filled in some of the details here. All mistakes are mine, etc.