The Calls Nobody Wants: Latest on Phone Spam, STIR/SHAKEN & “Bad Reputations”

Michael Tindall

Multiple Problems

Anyone with a phone knows how bad the level of spamming and downright fraudulent calls has become. When we talk about unwanted, annoying calls, a lot of people just think of telemarketing and robodialing – the use of an automated dialing system by marketing / sales folks to reach as many potential customers as possible. But Caller ID “spoofers” are far worse, and typically used in combination with robodialing to increase the volume. 

You know the ones. A local number pops up and you think, “It’s not in my list of contacts but it could be the kid’s school. I’d better answer it”; then you get someone in the Philippines selling…well…just about anything. In many cases, the Caller ID might claim to be someone else, such as the FBI or IRS.

Unfortunately, since it’s hard to find the illegitimate callers, the burden has fallen to everyone else to prove that they’re legitimate – in other words, finding the bad guys by process of elimination. For legitimate businesses, it’s been a source of worry and hassle to ensure they’re compliant with regulations and their calls go through and get answered.

STIR/SHAKEN to the Rescue?

As consumers, we’d love to see illegal robocalls and Caller ID spoofing go away, but as businesses, we’re weary. STIR/SHAKEN legislation was designed by the Federal Communications Commission (FCC) to crack down on spam calls by having providers attach little “certifications of authenticity” – aka, “attestations” – to each call. The goal of these certifications is to basically say who the provider is, that they know something about the caller, the number is really theirs, and carriers can trust them; it’s okay to send their call on through. Businesses have had to figure out what level of attestation they’ve been assigned and how they can move up if necessary – particularly tricky if they have multiple providers. 

For a lot of providers/carriers, STIR/SHAKEN has also required network upgrades to enable the new protocols. STIR/SHAKEN is not fully implemented as yet; it is still a work in progress and deadlines continue to evolve. Here’s the current progress report.

The Timeline

  • 2018 – Legislation was passed requiring the implementation of STIR/SHAKEN protocols to reduce or eliminate spam calls, including the following timeline. (The Canadian version of the FTC has essentially the same plan with slightly later dates.)
  • June 28, 2021 – Providers with 100K+ subscriber lines such as Commio were required to certify their STIR/SHAKEN compliance and be registered in the FCC Robocall Mitigation Database.
  • September 28, 2021 – The large voice service providers should be done registering, confirming they’re following STIR/SHAKEN, and rectifying any network issues that could cause issues. As such, intermediate and terminating voice providers should stop accepting traffic from any providers who weren’t fully registered. 
  • June 30, 2023 2022 – The FCC pushed up the deadline for non-facilities-based small voice providers to implement STIR/SHAKEN caller ID authentication by a year, after determining that they generate a high proportion of the illegal robocall traffic. This is a full year earlier than the previous FCC requirement for voice service providers with 100,000 or fewer subscriber lines. Non-facilities-based providers are those that don’t have their own physical lines, instead serving end users via connections to another provider’s service.
  • June 30, 2023 – All the other small voice service providers – i.e., those that are facilities based – must be compliant.

Note: All of the carriers on the thinQ io platform that have confirmed their STIR/SHAKEN compliance will have a blue checkmark to the right of their listing (approximately three-fourths of the carriers). 

Anyone who isn’t sure if their business qualifies as a provider should contact a regulatory attorney ASAP. For additional information, visit the Code of Federal Regulations around robocall mitigation and certification and the FCC Mitigation Database.

Attestation Levels in Detail

As noted above, each business has been assigned an “attestation level” by their voice provider:

  • “Full attestation,” designated as an “A” – indicates that the provider knows the caller, recognizes the entire phone number as being registered to that caller, and can confirm where the call originated from. You’re good to go!
  • “Partial attestation,” or “B” – indicates that the call originated with a known customer but the provider can’t verify the entire number – i.e., “this is our client but the extension number is not registered with us.” Some providers, such as Commio, require the number to be based in North America (i.e., from a North American Numbering Plan Area / “NANPA”) for a “B.”
  • “Gateway Attestation,” or level “C” – indicates only that “the call can be verified as coming from a known gateway, but we don’t know the caller or the number.” Quite often, these are international calls.

Scam CallsIt’s probably clear that an “A” is considered to be better than a “C,” but what about the “B’s” – how much better or worse are they? Is anyone actually getting blocked? How does one move up a level? Are there any alternatives?

The Current State of Calling

To summarize, some carriers and providers are STIR/SHAKEN compliant while others are not; smaller providers still have more than a year to go. This means that some businesses are an “A,” some are a “B,” some are a “C”… and some have no attestation at all yet. Nonetheless, carriers have started authenticating Caller IDs and blocking calls. Verizon alone said it had already blocked over ten billion calls way back in March of 2021 – before any of the deadlines had passed! 

So what’s a legitimate business to do? First and foremost, we recommend moving all of your numbers and traffic to a single provider. At Commio, we get to know each of our customers and validate who they are; it’s the easiest way to ensure an “A” attestation.

It should also be noted that there are no guarantees an “A” is actually better than a “B” is better than a “C” is better than unattested. It’s a great start, but it really depends on the quality of the provider. (In fact, new “eavesdropping scam” calls are coming primarily from “B’s” and “C’s” rather than unattested sources.)  

Because of this – and because customers are more fed up than ever with scam calls – carriers are putting additional controls in place. For example, a number with a negative calling history and a lot of complaints against it might be blocked regardless of attestation level (i.e., numbers with a bad history / “reputation”). If an algorithm detects unusual activity, such as a sudden spurt of calling from a single number, those calls could be blocked as well.

In turn, this is spawning some new products to help businesses confirm their legitimacy, as well as the legitimacy of their numbers. One such product works to validate your company and your number. Number branding is another option, delivering rich call data (RCD) content such as a logo, company name, and the reason for the call. To find out more about these offerings, hear what Numeracle has to say in Commio’s next couple Industry Briefings.

* * * * * 

Let’s be honest: crime pays; that’s why it’s so prevalent. As soon as new calling controls like STIR/SHAKEN are rolled out, the bad guys are looking for holes in it. We expect STIR/SHAKEN to be helpful, but providers and businesses still need to be vigilant. For our part, Commio tries to avoid fraudulent customers, assign attestations accurately, and support our legitimate customers to the greatest extent possible. Some things you can do as a business include:

  • Know your level of attestation
  • Choose a provider with strong support and consolidate as much of your traffic and your numbers as you can
  • Monitor your call completion levels, especially when using new numbers
  • Consider other technologies such as those described above

At the end of the day, we all just want happy customers who answer our calls. While we can’t control the spammers, we can follow the rules, partner with the right providers, and stay up-to-date on the latest options to get us most of the way.

Date posted: May 10, 2022

Topic: Outbound Voice   Software as a Service (SaaS)  

Tags: STIR SHAKEN  

Michael Tindall

Michael Tindall leads Commio's product development and engineering teams. While attending Clemson University, Michael co-founded Tsoft Solutions, purchased by ClearSky Networks. Next he built and ran support for US Networks. Michael then worked for Bandwidth till he was approached by Aaron Leon to build a cloud-based routing system. The rest is history. Michael is a “40 under 40” winner, and one of only 18 OpenSIPS Certified professionals worldwide. When not coding the future of telecom, you’ll find him enjoying movies, cars, entertaining, and exercising.

Recent posts from Michael Tindall

Get the latest from Commio

We’ll send you one email a month featuring our latest blog content.