It has been more than a year since the full implementation of STIR/SHAKEN, a framework to meet FCC goals to verify the digital signature of a call and prevent spoofing. June 30, 2023 was the deadline for carriers to comply with the rules.
Enough time has passed that we can now ask the question, “Is STIR/SHAKEN making a difference?”
For those of you who might be unfamiliar with this regulation, STIR/SHAKEN requires carriers to assign an attestation level to each incoming call.
“A” level (fully signed) means the carrier has verified the caller’s identity and the caller is authorized to use the phone number.
“B” indicates the carrier can identify the caller's location but can’t verify if the user is authorized to use the phone number.
“C” is given when the carrier can ascertain where the call was received but not the call’s origination. When none of those levels can be verified, the call will be “unsigned” by the carrier.
STIR/SHAKEN signals are helpful to analytics services such as Hiya, as they can help us identify and potentially block fraud calls.
Success in identifying unwanted calls from mobile lines
After analyzing a year-and-a-half of data, we can conclude that STIR/SHAKEN has been very helpful in identifying unwanted calls coming from mobile lines, but it is not very helpful in identifying unwanted calls from non-mobile lines. And that is significant because most unwanted calls come from non-mobile VoIP lines. The chart below illustrates the difference in spam calls coming from mobile vs. non-mobile lines.
STIR/SHAKEN is a useful signal for identifying unwanted calls from mobile lines, but not so for calls coming from non-mobile lines.
The axis numbers don’t represent calls or percentages, but in general a higher number reflects a greater chance of a call being unwanted.
First in column 1, spam in A-attested mobile calls (referred to as “fully attested”) remains extremely low. Partially signed calls (column 2) have extreme risk and are nearly always spoofing, and unsigned calls (column 3) are mixed because it includes roaming. The density of spam for non-A-attested calls vs. A-attested calls is the foundation of mobile spoof protection and the biggest win that analytics services have had from STIR/SHAKEN. So this must be defended.
On the other hand, looking at the right three columns, we see that attestation is largely irrelevant to the risk of the call being unwanted. Partial vs. unsigned is inconsequential, and while fully-signed calls are less likely to be spam, the rate is still extremely high.
STIR/SHAKEN as an enforcement tool
It’s worth mentioning that STIR/SHAKEN is also a valuable tool for enforcement of calling practices through legal action or “Know Your Customer” (KYC) policies. Regardless of attestation, any STIR/SHAKEN information makes it easier and faster to trace back to the source of a call. The Industry Traceback Group, established per requirement from the FCC, is using STIR/SHAKEN to bring faster enforcement of calling regulations — with good success.
The best way to fight back against unwanted calls
While STIR/SHAKEN has done a great job in helping analytics services like Hiya identify spam calls from mobile lines, obviously there it has been less than successful in identifying spam from non-mobile lines — the source of most spam calls. That’s where analytics can play an important role.
For example, Hiya’s call protection solution for mobile network carriers, Hiya Protect, uses Adaptive AI technology that analyzes past and present call patterns and responds to new threats as they emerge. It uses a proprietary multi-layer approach that analyzes the phone number, call characteristics, the call recipient, and even the calling enterprise’s history across all numbers used. It enables carriers to protect their subscribers by blocking fraud calls and labeling spam calls, and helping them discern wanted calls from unwanted calls. I encourage you to learn more about Hiya Protect.
