Customer security report

What to know about protecting customers from caller ID spoofing

  • Janet Alexander
    Janet Alexander
  • Feb 28, 2020

Identity threats are on the rise. Through SHAKEN/STIR telecom protocols, you can better protect your customers.  

Adjust text size

Robocalls and spam have reached an inflection point. It was only until recently that consumers were practically defenseless against receiving calls from scammers. Caller ID spoofing, whereby a caller dupes a caller ID display to disguise their identity, is not illegal. And contrary to common belief, the National Do Not Call Registry only helps reduce the number of legal calls that people get from legal marketing firms. Bad actors exploit caller spoofing, most often in the form of neighbor spoofing, which displays incoming calls as though they’re coming from a local number. The net effect? Consumers have a general mistrust of the phone calls they receive, asking themselves, “Is this call actually coming from a real person?” 

Why are robocalls on the rise?

Phone spam exploded thanks to two things: One, Voice over Internet Protocol (VoIP) makes international calls, using services like Skype or Google Voice, virtually free, or close to it. Not to mention, open-source software can let a single computer hooked up to the web to make thousands of calls an hour. VoIP providers can set a unique Caller ID number for each call that passes through their gateway — even if all the calls are coming from one party. Second, spoofing a phone number now is easier than ever.

Thankfully, the call for consumer protection against robocalls was recently answered. 2019 saw the U.S. Federal Communications Commission (FCC) propose a rule allowing phone companies to block robocalls before consumers receive them. Secondly, the nation’s first federal anti-robocall law was passed, the Telephone Robocall Abuse Criminal Enforcement and Deterrence (TRACED) Act, which mandates all telecom carriers to add an authentication system to ensure an incoming call is real. 

Download The State of Customer Engagement report to explore more about the rise in robocalls.


Secure Handling of Asserted information using toKENs (SHAKEN) and Secure Telephone Identity Revisited (STIR) are telecom industry protocols that enable service providers to indicate when fraud is occurring. STIR refers to telephone identity standards that the phone industry follows, while SHAKEN refers to a token-based signature system -- more on that, below. SHAKEN/STIR implementation only just started in 2019, which is perhaps why it’s no surprise that, in the U.S. alone, 58 billion robocalls were placed in 2019?

How does SHAKEN/STIR work?

When a call is placed, the originating call provider, let’s say Verizon in this case, receives the call parameters (the from and to telephone numbers) and then uses a signing service to sign the call (for more information on Public Key Encryption check out this blog). The call is now signed with Verizon’s private key, meaning Verizon is standing behind the origin of this call and its parameters. On the receiving network’s side, in this example, AT&T, will fetch Verizon’s public key and verify that the call and associated parameters are valid through a certificate authority. SHAKEN/STIR introduces Secure Telephony Identity Policy Administrator (STI-PA). The STI-PA is responsible for selecting the certificate authorities and for providing a Service Provider Code token to service providers so they can acquire private keys for signing calls and public keys for verifying calls. Once AT&T has the public certificate from Verizon they can verify calls and assert that the owner of the phone number is the one placing the call through a visual display, such as a green checkmark on Comcast Xfinity VoIP phones or with “Caller Verified” as seen on Android.

What does SHAKEN/STIR mean for business?

Unchecked call spoofing is dually problematic for brands. If customers don’t trust who is calling, they won’t answer. Research shows three of every four calls go unanswered if the recipient doesn’t know who’s calling, and companies waste money and time if their calls are ignored. To ensure your company’s calls are getting through to customers, it’s important to understand what your carriers can offer. T-Mobile, AT&T, and Comcast are all rolling out implementations of SHAKEN/STIR, assuring customers with call authentication that the calls made and received across their networks aren't from a scammer spoofing a number. There’s now even technology that provides caller ID detailing not just exactly who is calling, but also why they’re calling.

State of Customer Engagement

Robocalls killing trust is just one of five trends covered in Twilio's State of Customer Engagement report.

Learn More
I want to see more about: 
  • Editions
  • Industry
  • Product
  • Region
  • Solution
  • Use case
Communication for good | Spring 2021
  • Communication for good | Spring 2021
  • COVID-19 and the new normal | Winter 2020
  • Digital trust | Summer 2021
  • Pre-SIGNAL special | Fall 2021
  • Retail in 2021 | Summer 2021
Let's go
Janet Alexander

Janet Alexander

Janet has a decade of professional writing experience. With a focus on B2B technology, she helps Twilio's subject matter experts, product managers, and customers share their expertise, knowledge, and unique points of view through thought leadership, storytelling, and customer resources.