June 30, 2023, marked the deadline for which nearly all types of carriers (large, small, gateway providers) must implement STIR/SHAKEN. This is the last major milestone in the rollout of STIR/SHAKEN. Large carriers have had to comply since 2021, and now nearly all carriers need to comply, with the exception of just a small subset of carriers that still have more time. Enough time has now passed since the STIR/SHAKEN rollout began to evaluate its effectiveness.
According to Hiya’s Director of Product Management Jonathan Nelson, STIR/SHAKEN has resulted in both successes and shortcomings in the fight against phone spam and fraud.
What is STIR/SHAKEN?
STIR/SHAKEN is a framework designed by the Federal Communications Commission (FCC) to verify the digital signature of the outbound call. Network carriers are required to label each call with a different attestation level:
- Full Attestation (A) – This is the highest level a call can receive. It means that the carrier has verified the caller’s identity and given authorization for the usage of the phone number.
- Partial Attestation (B) – “B” is given when the carrier can identify the location of the caller, but can not verify if the user has the authorization to use the phone number.
- Gateway Attestation (C) – Gateway Attestation, “C,” is given when the carrier can verify where the call was received, but can not pinpoint the call’s origination location.
The purpose of STIR/SHAKEN
According to Nelson, STIR/SHAKEN was never intended to stop all spam; rather, it was intended to be a tool to combat spoofing — where fraudsters illegally disguise their phone numbers to gain the recipient’s trust.
“STIR/SHAKEN was meant to give us the confidence that the phone number being shown to us on our phone when it's ringing is the phone number that's making the call,” said Nelson. “It says nothing about the intent of the caller: why they are calling.”
While STIR/SHAKEN may focus on fraud calls using the illegal tactic of spoofing, illegal phone calls are only part of the problem. Carriers need to protect their subscribers from both illegal fraud calls and aggressive nuisance calls, which may be legal but are still unwanted phone calls for the consumer. Voice security solutions like Hiya help carriers protect their subscribers from the entire range of unwanted spam and fraud calls. And for that, STIR/SHAKEN data is a valuable piece of information but not a complete solution.
Nelson adds that STIR/SHAKEN data is also valuable for law enforcement who can use the data to trace back illegal phone calls to their source.
STIR/SHAKEN success stories
One area where STIR/SHAKEN has proved extremely useful has been in identifying spam calls coming from mobile lines. Two-thirds of all call traffic comes from mobile lines, so this is significant. Currently 89% of mobile calls are fully signed (“A” attestation), while 2% have a “B” or “C” attestation, and 9% are unsigned.
Hiya looked at user complaints about phone calls, which is a direct measure of whether a recipient considers the call to be spam or not. Hiya found that calls that are fully signed are unlikely to be spam calls, while calls with “B” or “C” attestation are much more likely to be spam — even more so than calls that are completely unsigned, as you can see in the chart below.
The vast majority of mobile calls are fully signed (“A” attestation), and those calls are much more likely to be wanted by the call recipient.
“For mobile calls, we’ve seen real success from STIR/SHAKEN,” said Nelson. “While the data isn’t perfect, we do find that spam calls are much more common in the partially signed or unsigned calls than the fully signed ones, so it’s a valuable source of information.”
In short, STIR/SHAKEN — while not a complete solution — does provide valuable data when it comes to combating spam and fraud phone calls that originate from mobile numbers. This is because the attestation rating gives a good clue of whether the call may be wanted or unwanted by the recipient. This makes it a valuable signal for voice security solutions to consider when determining if a call may be spam or not.
STIR/SHAKEN less helpful for non-mobile calls
While STIR/SHAKEN has proven to be a useful data source to help separate wanted calls from spam on mobile lines, the same can’t be said for non-mobile lines. And the fact is, most spam calls (89%) originate from non-mobile lines — meaning STIR/SHAKEN is not a terribly useful signal for the vast majority of spam calls.
In the non-mobile space, it is still true that fully signed calls (“A” attestation) are less likely to be unwanted. But there is a catch. Attestation is simpler for mobile-originated phone calls, where a subscriber buys a phone and phone number from a mobile provider and uses the same mobile provider to make calls. It’s more complicated for non-mobile-originated phone calls. This makes STIR/SHAKEN data messier for non-mobile-originated calls, which makes it a less clear signal for determining whether the call is spam.
Hiya has observed that even when a non-mobile call has an “A” attestation, it’s much more likely to be an unwanted call than “A” level calls coming through mobile lines. While it may indicate that the phone number has not been spoofed, Hiya’s data shows that 19% — nearly one in five — of fully signed calls were identified by recipients as unwanted spam. STIR/SHAKEN is indicating these calls aren’t using spoofing, but that doesn’t mean these calls are wanted.
Nearly 1 in 5 fully signed calls (“A” attestation) from non-mobile lines were identified by recipients as unwanted spam.
“The takeaway is that STIR/SHAKEN on its own isn’t going to stop unwanted calls,” said Nelson. “But STIR/SHAKEN, when combined with good spam analytics — delivered by voice security providers like Hiya — will help subscribers identify which calls are likely to be wanted, and which are likely to be unwanted.”
How carriers can protect subscribers
Hiya Protect enables mobile network carriers to protect their subscribers by blocking fraud calls and labeling spam calls — and includes built-in protections from spoofing.
Hiya Protect uses Adaptive AI, the industry’s only self-learning spam protection system that adjusts to the latest fraud and nuisance calls. Unlike other solutions, it uses a multi-layer approach to analyze every aspect of a phone call, from the phone number to the call recipient, the enterprise making the call, and the characteristics of the call itself.