I don't remember how they do it, but they just spoof the number on your caller ID.

It may not even have to be a real number-- just look like one to you. If it turns out to be a real number, they don't care.

Somehow, not sure exactly how, they fake the number they're calling from. Most of the scam calls I'm getting are local cell phone numbers.

Just like there's no automatic validation of either of those two pieces of data built into either (email or phone) protocols, a disreputable, or lazy, phone network exchange, won't ensure that the number you are calling from is the same number you set as the outgoing caller ID.

In fact, sometimes it should be different, like when a customer service rep calls you from a large business, or a nurse from a hospital, they usually set the outgoing caller ID to that of the business's or hospital's main phone number, not the exchange that the person called from (even if it has it's own externally allocated phone number). Calling out from a Centrex group would be another example of when this is needed.

Most phone network providers require that you own the phone number you set as caller ID, just as most email servers require some sort of authentication now, but it's not a built-in thing.

When telephones were hard wired to the telephone companies and national PTT facilities, the caller ID was generated by the local telephone exchange based on the physical line initiating the call. This ID was then propagated through the tone based long distance network which had by then replaced the human operators.

When cell phones entered the scene, their phone numbers were mostly controlled by the equipment suppliers. All of this broke down with the arrival of things like PBX (private branch exchange) and VOIP (voice over Internet). I can set most of my phones to any caller ID I want. It is now just a trust-me system.