STIR/SHAKEN Call Authentication Reduces Risk and Promotes Trust
In 2021, nearly 228 million robocalls were made every day, more than 1.6 billion calls a week. While not all of them were fraudulent, many were: Enterprise Apps Today reports that 40% of all incoming calls were scams.
Unfortunately, one of the reasons these scams pose significant cybersecurity threats is that cybercriminals are increasingly spoofing phone numbers to make them appear legitimate. Scammers use local area codes and spoof phone numbers of companies to increase the odds someone will pick up their call or fall victim to their schemes.
With internet protocol (IP) technology, even a single computer can make thousands of calls an hour, so the sheer number of robocalls, spam calls, and spoofed calls has risen dramatically over the past few years. That prompted the Federal Communications Commission (FCC) to enact STIR/SHAKEN.
STIR/SHAKEN Call Authentication
The STIR/SHAKEN framework is designed to reduce the impact of spoofed calls. The name combines the acronyms of two standards: Secure Telephone Identity Revisited (STIR) and Signature-based Handling of Asserted Information Using toKENs (SHAKEN).
It provides a set of caller ID authentication standards to verify calls made over IP networks. Voice service providers employing these standards can analyze calls being placed on their networks and digitally sign them as legitimate. As these calls move through different systems or carriers, the digital signature is validated before reaching the call recipient.
STIR/SHAKEN validates each handoff as calls pass through an often-complex web of networks so that you can trust that the call you’re seeing actually came from the number displayed on the Caller ID. To comply, the originating carrier must confirm that a call comes from a legitimate number, and every other carrier must validate that confirmation as the call moves through its network.
Providers that comply with the regulation can attach trust indicators or warnings, such as “caller ID confirmed” or “potential scam call.”
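The sign-then-validate flow described above, as an added Node.js example that is not code from Simplicity VoIP or any carrier: the originating side signs a SHAKEN PASSporT token (RFC 8225/8588) and the terminating side checks it against the call it arrived with. The keys, phone numbers, certificate URL and 60-second freshness window are constructed assumptions, and a production verifier would fetch the certificate named in `x5u` and validate its chain instead of being handed the public key.

```javascript
// Added example: SHAKEN PASSporT signing and verification (constructed keys and numbers).
const nodeCrypto = require('crypto');

const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
const dec = (part) => JSON.parse(Buffer.from(part, 'base64url').toString('utf8'));
const ecOpts = (key) => ({ key, dsaEncoding: 'ieee-p1363' }); // JWS ES256 uses raw r||s

// Originating provider: assert the calling number and sign the claims.
function signPassport(privateKey, { from, to, attest, origid, iat, x5u }) {
  const header = { alg: 'ES256', ppt: 'shaken', typ: 'passport', x5u };
  const payload = { attest, dest: { tn: [to] }, iat, orig: { tn: from }, origid };
  const input = `${enc(header)}.${enc(payload)}`;
  const sig = nodeCrypto.sign('sha256', Buffer.from(input), ecOpts(privateKey));
  return `${input}.${sig.toString('base64url')}`;
}

// Terminating provider: check signature, freshness, and that the token matches this call.
function verifyPassport(token, publicKey, call, now, maxAgeSec = 60) {
  const parts = token.split('.');
  if (parts.length !== 3) return { ok: false, reason: 'malformed' };
  let header, payload;
  try { header = dec(parts[0]); payload = dec(parts[1]); }
  catch { return { ok: false, reason: 'malformed' }; }
  if (header?.alg !== 'ES256' || header?.ppt !== 'shaken') return { ok: false, reason: 'bad-header' };
  const signed = Buffer.from(`${parts[0]}.${parts[1]}`);
  const sig = Buffer.from(parts[2], 'base64url');
  if (!nodeCrypto.verify('sha256', signed, ecOpts(publicKey), sig)) return { ok: false, reason: 'bad-signature' };
  const age = Math.abs(now - payload?.iat); // NaN when iat is missing, which fails the check below
  if (!(age <= maxAgeSec)) return { ok: false, reason: 'stale' };
  if (payload.orig?.tn !== call.from || !payload.dest?.tn?.includes(call.to))
    return { ok: false, reason: 'number-mismatch' };
  return { ok: true, attest: payload.attest }; // 'A' = full attestation
}

// Constructed demo: a genuine call, a token altered in transit, a token reused on another call, an old token.
function demo() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
  const now = 1700000000; // fixed sample timestamp (seconds)
  const call = { from: '12025550101', to: '12025550199' };
  const token = signPassport(privateKey, { ...call, attest: 'A', iat: now,
    origid: '00000000-0000-4000-8000-000000000001', x5u: 'https://certs.example/sp.pem' });
  const [h, p, s] = token.split('.');
  const altered = `${h}.${enc({ ...dec(p), orig: { tn: '12025550142' } })}.${s}`;
  const other = { ...call, from: '12025550142' };
  return { genuine: verifyPassport(token, publicKey, call, now + 5),
    tampered: verifyPassport(altered, publicKey, other, now + 5),
    reused: verifyPassport(token, publicKey, other, now + 5),
    stale: verifyPassport(token, publicKey, call, now + 3600) };
}
console.log(demo());
```

A terminating provider would map a result such as `{ ok: true, attest: 'A' }` to a trust indicator and a failed check to a warning; that mapping is provider policy and is not shown here.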
STIR/SHAKEN went into effect in June 2021 for major carriers. Smaller providers, such as facilities-based service providers, are required to implement the framework by June of 2023. Many of these spoofed calls originate overseas (but use local numbers). So-called gateway providers, which are the entry point for foreign calls into the US, must also deploy STIR/SHAKEN by June 2023.
The FCC also requires service providers that use older tech to upgrade their networks to IP or develop an alternate form of caller ID authentication that complies with the intention of the STIR/SHAKEN framework.
If you are interested in seeing a list of the providers that have certified compliance with STIR/SHAKEN and have taken proactive measures to mitigate illegal robocalls from originating on their systems, you can check out the FCC’s Robocall Mitigation Database. Simplicity VoIP is pleased to have launched STIR/SHAKEN in October 2021.
What Are Cybersecurity Threats from Spoofed or Scam Calls?
Cybersecurity threats go far beyond falling for a scam that talks you into purchasing a fake extended warranty for your car or paying someone to get your fake lottery winnings. Phone scammers can do significant damage to businesses.
When numbers are spoofed, they appear to come from legitimate organizations. This can make your employees less concerned about the legitimacy of the calls and more likely to give out sensitive information. For example, scammers might ask someone to verify payment information or bank passcodes. They might try to trick you into verifying fake orders and then bill you for goods that never show up.
Social engineering as a result of scam calls can be even more devastating. Cybercriminals use various methods to trick people into revealing sensitive information, such as login credentials, to gain access to networks. One popular scam is a caller pretending to be from Microsoft or another large software provider (spoofing the company’s number) and telling employees they need remote access to patch an urgent security flaw in their software. Once they gain remote access, they plant malicious software or ransomware that can cause chaos.
More than $39 billion was lost to phone scams in the past year, according to March 2022 research done by The Harris Poll. That number only includes those scams that resulted in a financial loss and were reported. Many scams go unreported.
How to Protect Against Cybersecurity Threats from Fraudulent Calls
STIR/SHAKEN is a solid approach to helping reduce and eliminate spoofed calls and spam calls, but it’s not foolproof or universally adopted yet. Businesses can help protect their organization, employees, and customers by taking a few proactive steps.
Enable Call Blocking
Call blocking should be enabled on employee cell phones. Both Apple iOS and Android users can use tools built into the operating system to block nuisance calls. There are also free or low-cost apps in the App Store that can help provide additional protection against spam and scam calls.
Most cell carriers also have free or paid services that block suspected malicious calls. Some are more effective than others since they generally rely on reports that go beyond STIR/SHAKEN. Since scam callers are constantly changing numbers, it’s like a game of whack-a-mole.
Users can also block individual numbers on their phones from their recent call list, but scammers can easily just spoof different numbers.
For business phone system users, Simplicity VoIP supports the blocking of specific phone numbers; simply submit a request to our Client Services Team.
Do Not Call Registry
While the national Do Not Call Registry does not apply to business phones, you can still register cell phones. This can reduce some unwanted calls, but only from those companies that abide by the FCC’s rules about not calling people on the Registry. Scammers don’t usually follow the rules.
Report Scam Calls
When calls do bypass all of the safeguards and get to your employees, you can still do something about it by reporting it to the FCC’s complaint center.
Scammers throw a wide net when calling. They only need to catch one unsuspecting person in your business to do significant damage. Companies should include potential phone scams in their training routine, including how to spot cybersecurity threats from phone scams.
IT teams also need to deploy robust security on their networks and educate users on the need for strong passwords, two-factor authentication, and extra precautions when accessing networks remotely using mobile devices.
Use Third-Party Solutions
For business phones, some third-party providers offer additional protection. This can help detect and reduce the number of spoofed calls, spam calls, and robocalls.
For example, some providers will detect calls from auto-dialers and block them from ringing through. Other systems can deploy a prompt when a robocall is detected, requiring interaction from a real person before allowing calls to be completed.
You may also consider using an interactive voice response (IVR) system for calls to your business so that all callers are greeted with an automated voice message requiring human input before connecting.
STIR/SHAKEN Helps Establish Cybersecurity For VoIP Systems, But Doesn’t Solve the Problem
STIR/SHAKEN has helped consumers and businesses reduce the number of robocalls and spoofed calls, but it hasn’t eliminated the problem. Threat actors are continually evolving their tactics and finding new ways to bypass security measures, even after people establish cybersecurity for VoIP systems.
IT teams need to stay vigilant and remain up-to-date on the latest threats to keep employees, customers, and organizations safe.