Under the Stir/Shaken protocol, carriers are required to certify, with varying confidence levels, that calls really are coming from the numbers displayed on caller ID. The deadline for most big carriers to implement the standards was Wednesday and the major carriers have all said they’ve signed on.
The idea is this: When your wireless carrier processes an inbound call that doesn’t have a certification letting it know the number is legitimate, the carrier will be able to block it before your phone ever starts ringing.
“While there is no silver bullet in the endless fight against scammers, Stir/Shaken will turbo-charge many of the tools we use in our fight against robocalls,” FCC acting chairwoman Jessica Rosenworcel said in a statement Wednesday.
For one thing, carriers won’t actually start blocking calls based on the Stir/Shaken verification information until September 28. In the meantime, they’ll gather information about which calls are and aren’t certified in an effort to avoid blocking calls that someone actually wanted to receive, according to Ed Fox, chief technology officer at network services firm MetTel. For example, carriers want to avoid accidentally blocking an automated message from your hairstylist reminding you of an upcoming appointment.
Until then, consumers of some carriers may see an indicator that number has been verified (or not) when receiving a call, so they can decide whether to pick up.
Carriers have “had to come up with a mitigation plan that hopefully prevents blocking legitimate calls,” Fox said. “There will be a lot of challenges, but toward the end of October, we’ll see significant drops in some of that robocalling.”
While major carriers have implemented Stir/Shaken, the FCC granted carriers with 100,000 or fewer subscribers a two-year extension to adopt the standards, meaning bad actors could rely on those carriers to continue doing call spoofing in the meantime. Some small carriers have other robocall mitigation plans to prevent outgoing scam calls from their network, but they may not work as well as adopting the new standards, said Alex Quilici, CEO of YouMail, a company that tracks robocalls and offers a call blocking app for consumers.
Another potential challenge: Bad actors could simply purchase legitimate phone lines that will show up as “verified” by carriers and make robocalls from those. While this would require bad actors to take extra steps — and therefore will likely be used less often than existing “spoofing” methods — it could make for more dangerous robocalls, said Quilici.
For example, if someone receives a call that shows up as verified, and a scammer on the other end says they’re a representative of a bank or big retailer, the recipient may be more likely to believe them and give up personal information.
“I think people are going to be really disappointed to find out that really what’s happened here is a speed bump, not a wall” for bad actors, Quilici said.