From fake social security calls to scammers impersonating Apple or Amazon, anyone with a cellphone or landline is no stranger to robocalls.
For decades, robocall scammers have graced phones and voicemails across the nation. Between June 2020 and 2021 these scams affected more than 59 million people who lost a combined $29.8 billion, according to phone number identification app Trucaller. Some robocallers look to sell legal products like a car warranty or new roof through illegal means, while others will steal your social security number or credit card.
In an effort to curb this longstanding problem, the Federal Communications Commission is requiring voice service providers to implement caller ID authentication standards via a set of industry rules known as STIR/SHAKEN. The FCC required large carriers like AT&T, Verizon and T-Mobile to implement the standards by June 30, though smaller carriers, with under 100,000 customers, have an extension.
Simultaneously, voice service providers must submit a plan highlighting their robocall mitigation efforts in a recently launched database. If the plan isn’t in the database beginning Sept. 28, carriers will have to stop accepting calls from those providers.
STIR/SHAKEN is a good start to ending this ever-evolving issue of robocalls, and, while the updates will slow scammers down, experts say they won’t disappear.
“It’s a game of Whac-A-Mole,” said Paul Schmitt, a research computer scientist at the University of Southern California’s Information Sciences Institute. “Robocallers will find other ways to do what they want to do.”
What is STIR/SHAKEN?
STIR/SHAKEN refers to the set of industry rules requiring voice providers to authenticate that the call people receive is from the number displayed.
Attestation is the framework used for determining the legitimacy of the caller. It acts as a virtual signature indicating how confident a provider is that a caller is allowed to use a specific phone number. It’s broken down into three levels based on how much information the providers know about the caller, with the lowest level meaning the provider can verify where the call came from, but not the caller ID.
STIR/SHAKEN puts pressure on domestic carriers to increase their protected technology, create a database and will likely push illegal domestic robocalls out of the country, said Scott White, director of George Washington University’s cybersecurity program and cyber academy.
While it makes it harder to spoof or use false caller ID information to scam you, it’s not foolproof. The technology verifies that the original number is what shows up for the consumer, but scammers can falsify the number from the get-go. The system does not work on landlines.
When signing a call, some providers use the highest attestation without proper due diligence, said Josh Bercu, vice president of policy and advocacy at USTelecom, a trade group representing telecom companies. If the industry gets evidence of that, the provider could lose their ability to sign or attest.
“The industry hates these calls,” said Bercu. “We want to protect our subscribers, we’re doing everything we can and the impact is starting to really show itself.”
Fighting evolving robocalls
While STIR/SHAKEN can help crack down at home, the FCC has little jurisdiction abroad where many calls originate. The agency can work with international partners to catch scammers, but some countries won’t cooperate. Robocalls reel in billions of dollars in profits every year and many have found ways to use artificial intelligence or data to create targeted lists for scamming.
Some overseas scammers will purchase a block of numbers to make calls and disappear. Domestic scammers may use recent changes as an opportunity to move operations abroad where there’s less oversight, White added. Gateway carriers serve as the main form of entry into the U.S. for foreign calls but many operate outside the U.S.
The biggest issue is that robocalls are evolving faster than legislation can keep up, said White.
Next steps to ending robocalls
Robocalls are decreasing. In August, Americans received roughly 4.1 billion robocalls, down 4.4% from July, which decreased 4.8% from June, according to data from YouMail, a company that creates robocall blocking software.
YouMail is one of several third-party companies like Truecaller, RoboKiller and Hiya that offer spam-blocking software. YouMail’s CEO Alex Quilici, said the company can match audio to find repeat offenders, but only when they leave a voicemail.
Large telecom companies offer customers their own robocall blocking apps, with features like caller ID identification, personal blocklists and a number change. Some of these features cost customers an additional fee depending on their plan and provider.
A Verizon spokesperson said the company recently launched a social media campaign with a tech influencer to help consumers spot robocalls. Efforts to mitigate robocalls have led to 500 million fewer calls per month, they added. An AT&T spokesperson said the company labels 1 billion robocalls a month. T-Mobile verifies more than 300 million calls every weekday, a spokesperson said.
Bercu, the USTelecom VP, is working with both providers and the government on tracing back suspicious calls to shut down scammers. Another step is getting other countries to sign onto STIR/SHAKEN, said Eric Burger, a research professor of computer science at Georgetown University.
Despite concerns about its effectiveness, STIR/SHAKEN is not worthless legislation, said White. The process can help companies and the government do better analytics and gather information to use for the next attack.
“The people complained, and the government responded,” he said. “That’s what you want to see in a democracy.”