
My understanding is that US carriers don't support Sender ID at all, so having the caller ID/sender ID spoofed is not common (and maybe not possible?) on major US carriers.

Whenever I get phishing SMS they always come from a random 10-digit phone number so it's pretty clear they're scams. Reputable companies send these types of messages with short codes, which are 5- or 6-digit numbers that are very expensive and require thorough vetting by the carriers.




They're not _that_ expensive (usually $500-$1k/mo) and I wouldn't really characterize the vetting as "thorough".

Don't get me wrong, carriers have been making strides to lower the amount of spam that's sent through the air (A2P requirements, toll-free number verification requirements, etc), but a determined scammer can still exploit SMS/MMS pretty easily.


I've provisioned several shortcodes. There's a 12-week approval process (every carrier has to independently review & approve) and if you get flagged/reported for spam they will come after you for it. IMO this makes it prohibitively difficult & time-consuming for a bad actor to use effectively.


I think the processes are getting better each day, but it was only a couple of years ago that you could share a shortcode. My main point is that even with all of the safeguards it's still a ridiculously easy system to exploit.

Most people will trust a toll-free number just as much as a shortcode, and since tons of legitimate companies use toll-free numbers for messaging it just blurs the line of what a "reputable" number looks like.

Even SendGrid, which is owned by Twilio, uses toll-free numbers for their 2FA messages instead of shortcodes.


It also makes it difficult and time-consuming for a good actor to use effectively.

As far as I could tell (although I retired in 2019, so might be out of date), you can't use one short code through multiple aggregators, so if you want the benefits of multiple routes, you've got to have multiple shortcodes or live with sending from regular phone numbers.


Regarding caller ID, STIR/SHAKEN is being used in some situations and I know AT&T supports it within their own network (call history will have a checkmark to indicate it was verified).


> Whenever I get phishing SMS they always come from a random 10-digit phone number so it's pretty clear they're scams

Sadly, Novant Health (a hospital system) uses a regular 10-digit number for their patient portal 2FA. When I was in college, accessing sensitive info like your SSN and W2s in Banner also had 2FA via a 10-digit number. (This was an entirely separate system from the login 2FA provider, Duo, which uses shortcodes in addition to U2F tokens and their app.)



