Stir/Shaken - Telecom Industry's First Line of Defence Against Caller ID Spoofing

Robocalling has been responsible for singlehandedly changing our telephone habits. And the change has not been good.

The FCC (The Federal Communications Commission), the body responsible for regulating the Telecommunications Industry, reports that there are approximately four billion robocalls per month, amounting to around 60% of all calls!

Things are so bad that most people now refuse to answer calls that they do not recognize. Alexander Bell would be mortified if he had known his wonderful invention would become so invasive.

To get more people to answer their calls, scammers manipulate technology so that their call appears to come from your neighbourhood or a source you would be unlikely to ignore, such as the IRS. Once you answer your phone, the scammers have an opportunity to extract information from you, and this is their goal.

Let’s look at what spoofing is, what you can do about it, what the FCC is doing about it and how you can protect yourself from scammers.

What is Caller ID Spoofing?

Caller ID spoofing occurs when the caller manipulates the telephone ID data, which precedes the call to reflect a location or caller ID, which is false. 

The goal is to entice the caller to answer the phone. Scammers often use robocalls to repeatedly call numbers until a call is answered, when you are transferred to a human scammer. 

This is the reason so many calls are made. Scammers work on a tiny percentage of calls being answered and then concentrate on these calls.

Why Would Anyone Want to Spoof Caller ID?

The goal of spoofing is to retrieve personal information from unsuspecting victims.

Once a scammer has a target on the line, they will often pose as someone this target might be likely to confirm personal information with. People such as IRS representatives or even bank employees.

This information can then be used to defraud the target. 

What can people possibly do with personal information, you might ask?

An identity thief can use your name and information to:

• Get their hands on your tax refund.
• Apply for and even be granted new credit cards.
• Obtain medical care.
• Buy things with your credit cards.
• Open a gas, phone or electricity account.
• Pretend to be you if they are arrested, which could land you in hot water.

The bottom line is that anyone should never give out information or confirm information to a caller. Ever. Never. Period.

Can I Prevent Myself from Being Spoofed?

Once you understand the risks, you can do a lot to prevent yourself from being spoofed. Know your enemy and their manipulative strategies, and you are halfway there.

The golden rule is to exercise extreme caution whenever anyone asks you for personal information over the phone. The moment you face such a situation, your hackles should stand up, and you should go into defence mode.

Since it is impossible to rely on the caller ID information, ensure you don’t assume that the caller is genuine and be aware that you might be on a spoof call. 

Here are a few pointers:

• Don’t answer calls from numbers unknown to you. If you do, immediately hang up.
• If you are requested to use your telephone keypad to select options by the caller, whether human or not, do not select anything and simply immediately hang up. 
• You might be asked to press a number should you wish to opt out of these kinds of calls. Do not respond by pressing a number. Hang up. This is a ploy to assess which people answer calls, and you will then be plagued by many more robocallers who have now targeted your number.
• You might be asked questions and required to say yes or no. Refuse and hang up.
• Under no circumstances should you give out any personal information such as bank account numbers, ID numbers, social security numbers or even information such as your mother’s maiden name.
• Often you will be put under some pressure to immediately give personal information. This is a sure sign you are being scammed. People often give out the info when pressed before they have time to process what is happening. Be aware and supremely cautious.
• If the caller claims to be calling on behalf of a bank or your local government agency, don’t answer questions. Instead, hang up and contact them on their official telephone number to confirm the request. The chances are that they never initiated the call. Even if they are calling you for money, they will typically only do so after trying in writing first.
• Make sure you have a password on any voicemail service you might use. This prevents spoof callers from pretending to call from your number and then accessing your private voice mails. 
• There are various apps which can go some way to preventing robocalls and spoof calls to some degree. In addition, the FCC does allow call companies to blacklist well-known robocall source numbers in certain circumstances. Check out this link to learn more about robocall blocking.

What are the Authorities Doing to Prevent Spoofing?

The FCC has an aggressive strategy against spoofers and robocalls. The single biggest complaint that the FCC receives is related to spoof calling and robocalling.

The FCC has launched a strategy calling for STIR/SHAKEN compliance by all telephone companies to significantly reduce robocalling and spoof ID calling to restore trust in the telecommunications industry and encourage widespread hassle-free communication by telephone.

Although beyond the scope of this article, the STIR/SHAKEN project requires telephone companies to roll out technical measures to identify and report on the source of all calls.

What are Telephone Companies Doing to Prevent Spoofing?

Telephone companies (telcos) are currently trying to meet deadlines imposed by the FCC on STIR/SHAKEN implementation on their networks.

Failure to implement by the deadlines will render the telcos subject to significant fines and to having calls rejected when they cannot supply the required caller ID. 

Since it can be costly to upgrade the networks, the FCC has given what it considers reasonable deadlines, some of which have been extended to meet telco objections and requests.

As recently as May 2022, the FCC has promulgated regulations to clamp down on international robocalls, which should prevent international robocallers from entering the American telephone network. 

Industry Traceback Group reports that 65% of the voice service providers identified as transmitting illegal robocalls were either foreign-based or gateway providers. This new regulation targets the gateway providers and calls for strict compliance with the STIR/SHAKEN rules.

Gateway providers are now required to participate in robocall mitigation and blocking efforts. In addition, they must take responsibility for illegal robocall campaigns on their networks, cooperate with FCC enforcement efforts, and respond swiftly to efforts to trace illegal robocalls to their source.  

Non-compliance by a gateway provider could result in removal from the Robocall Mitigation Database and mandatory blocking by other network participants, essentially ending its ability to operate.  

If you are a telco and need assistance with STIR/SHAKEN compliance, consider using our compliance consulting service. 

Conclusion

The battle has begun, but the war has not yet been won.

The FCC is doing what it can to curb robocalling and spoof id calling. 

In future, it will be much more difficult for scammers to spoof you and do their work anonymously.

In the meantime, ensure you do what you can to protect yourself from scammers and fraudsters.