Phone Call Compliance, and Shaking Up STIR/SHAKEN

Michael Tindall

Is there anything worse? The phone number looks like it is just down the street—maybe your coworker or the kids’ school?—but as soon as you answer there is the all-too-familiar faint click and pause at the other end of the line. Then before you can disconnect, the persistent salesperson who won’t hang up till you hang up on them.

Many people would rank illegal robocalls right up there with fire, floods, and the apocalypse. 

Robocalling isn’t illegal per se; however, it quickly crosses the line when the caller uses spoofing (i.e., someone else’s name or number), or dials people who haven’t opted in and/or are on the Do Not Call list. Although there is far more email and text messaging spam than spam calls, robocalling continues to be the number one complaint received by the Federal Communications Commission (FCC), perhaps because the immediacy of having to pick up a call and then fight someone off is a bigger distraction. And, it feels more personal.

A lot of it is fraudulent. Per the Federal Trade Commission, 20% of fraud reported to it in 2022 started with a simple phone call. And, consumers reported a loss of $800M due to fraudulent calling, for an average of $1,400 per case. That’s a lot more than pocket change!

For all of these reasons, whether in the media, with the FCC or the carriers, the focus has been first and foremost on those who abuse the robocall system. 

STIR/SHAKEN is Just the First Step

The FCC fired the first salvo with legislation passed in 2018 called “Secure Telephone Identity Revisited (STIR) and Signature-based Handling of Asserted Information Using toKENs (SHAKEN),” or STIR/SHAKEN for short. Specifically, providers were asked to “attest” to the identity of their callers, with an “A” attestation for customers and phone numbers they know; a “B” for customers they know, using a number they don’t know; or a “C” for calls that through a known gateway but the customer and number are unknown (this includes international calls).

The FCC states, “The STIR/SHAKEN framework, an industry-standard caller ID authentication technology, is a set of technical standards and protocols that allow for the authentication and verification of caller ID information for calls carried over Internet Protocol (IP) networks. As implementation continues to progress, it will give Americans more confidence that the caller ID information they receive is accurate and will allow voice service providers to provide helpful information to their consumers about which calls to answer.”

After a phased implementation, all carriers and providers are now required to participate in STIR/SHAKEN and certify their efforts in the Robocall Mitigation Database (RMDB) managed by the FCC (you can see Commio’s here, under “thinQ”).

As it often goes, however, the onus has actually been on legitimate callers and voice providers to prove they’re behaving (illegal callers have already proven they don’t care about the rules!). Providers like Commio have assigned attestation levels to all of their customers and filed their certification in the database, while many businesses have worked to up their “grade” to an A. As a result, while there are still plenty of robocalls going out, Forbes Magazine says the total numbers are down by a third, spoofing has been reduced, and the FCC has levied some large fines based on being able to track the callers now. But is that enough?

“Stop Spamming Me!”

In 2019 the FCC also ruled that “phone companies may block unwanted robocalls by default, based on reasonable analytics, and offer consumers more advanced tools that can block calls not on their contact lists or allow calls only from so-called “white lists” of approved contacts.” ( This has given mobile consumers the option to block and/or report any caller with a simple click. 

Call blocking stops a recipient from receiving all direct calls from a given number and is a great way to cut down on unwanted calls. It does not stop the caller from reaching the recipient via WhatsApp, Snapchat, or other applications, or from calling again with a different number. 

Additionally, blocking does not differentiate between illegal calls, someone spoofing a number, unwanted calls, and someone the recipient is just mad at right this moment—meaning a dentist’s scheduling service, an ex boyfriend or girlfriend, and the car warranty people could all be treated the same way. (If you’re from the dentist’s office, you’re just out of luck trying to reach that person until they unblock you!)

More importantly, what else is a mobile provider doing with that blocking data—are they now labeling all of your calls as spam? Could they potentially block you from reaching anyone? 

The short answer is, quite possibly.

The Rise of the Algorithm

The major mobile providers have partnered with data analytics companies to look at any and all the data they have available about a given caller, including (but not limited to!) your STIR/SHAKEN attestation, your calling patterns, how often you’re being blocked, and even the reputation of your provider based on how often (other people’s) fraudulent calls are slipping through their network…

Oh my.

The really ugly part is that the analytics companies that have the power to label your calls as spam, are the same companies you’ll have to pay to get your numbers cleaned up! If that seems like a conflict of interest to you, you wouldn’t be the first to think so. But this is where things stand right now.

Keep Your Calls Flowing

So what’s a call or contact center to do to protect their numbers and keep their calls flowing? Fortunately, there are a few options:

  • Make sure you use a provider who is vetting their customers, working to provide them with the correct attestation, and vigilant about stopping fraudulent activity on their network.
  • When purchasing new numbers, make sure you buy only numbers that have been rested for a while, or don’t put them into rotation right away. 
  • Get your identity validated by a reputation management company such as Numeracle, so that no one else can use your numbers. You can also get your number(s) branded.
  • Use dialing best practices! It won’t just help you keep your numbers clean, it’s also being courteous to your customers.
  • If a number you’re using comes up as spam, take it out of rotation immediately and use fresh numbers.
  • Go through number remediation with the analytics companies (we’ll explain how here); or, engage with a reputation management company that specializes in remediation.

If you’re a provider, it’s very important to Know Your Customer (KYC)! We’ll talk about that in the next blog post, as well as ways to be proactive about monitoring your network traffic and demonstrate that you’re working to minimize fraud.

* * * * *

Cloud communications technology is a vast improvement over its predecessor, but  managing your phone numbers and keeping them clean (or, if you’re a provider, monitoring your customers and your network more closely) is more time and money than it used to be. The FCC and the carriers will continue to work to clamp down on fraudulent calling, meaning new laws and new rules. If legitimate callers make sure to use best practices and providers use increasingly sophisticated mechanisms to identify fraud, we can make a significant difference in the volume of fraud so that more calls get answered.

Essential Guide for Cloud Communications Compliance & Cybersecurity:

Download the full eBook


Part 1: Compliant Calling in the Cloud – Call Compliance, STIR/SHAKEN | Dialing Strategies | Dealing with SPAM Labels

Part 2: Text Messaging Compliance – Getting Started with Messaging Campaigns | Different Messaging Types, Compliance | Long Code Compliance Checklist | 7 Traits of a Good Provider

Part 3: Securing Your Voice & Messaging Business – Empowering Your Team | The Human Element | Cybersecurity 101 | Know Your Customer! | The Robocall Mitigation Database | Toll Fraud

Date posted: August 24, 2023

Topic: Outbound Voice   Uncategorized   Voice API  

Tags: Compliance   Spam   STIR SHAKEN   VoIP   VoIP Fraud  

Michael Tindall

Michael Tindall leads Commio's product development and engineering teams. While attending Clemson University, Michael co-founded Tsoft Solutions, purchased by ClearSky Networks. Next he built and ran support for US Networks. Michael then worked for Bandwidth till he was approached by Aaron Leon to build a cloud-based routing system. The rest is history. Michael is a “40 under 40” winner, and one of only 18 OpenSIPS Certified professionals worldwide. When not coding the future of telecom, you’ll find him enjoying movies, cars, entertaining, and exercising.

Recent posts from Michael Tindall

Get the latest from Commio

We’ll send you one email a month featuring our latest blog content.