This is made possible by out of date technology with no authentication for the end user (all the authentication in the system is designed to benefit the network operators only). 

 The caller number was not his mom's, no need to hack that? (wouldn't make sense in the context of the scam)