Skip to main content

Call Authentication Solution for Branded Calling

Promote your business while protecting your customers

identity proof

Call spoofing, scams and illegal robocalls are growing nuisance, and the phone is a popular communications channel for bad actors commit fraud. The rising surge in robocalls is due to the accessibility of tools that enable fraudsters to spoof outbound dialing numbers and effortlessly generate millions of calls. This has led consumers to lose trust in phone calls and not answer the phone.

When it comes to branded calling for businesses, call authentication is a critical component to ensuring the call can really be trusted. The worst possible scenario would be one where unauthenticated calls show fancy logos and provide consumers all the information to make them believe those calls are coming from a particular bank, healthcare or government institution they know and trust. But instead, it’s from a fraudster who can then access their account information. Call authentication information generated with STIR/SHAKEN must be closely coupled with the rich call content consumers want to see — including name, number, logo, and reason for the call — for it to be truly trustworthy.

STIR/SHAKEN are industry-developed protocols designed to combat illegal call spoofing by verifying caller identity. The U.S. Federal TRACED Act and an order from the Federal Communications Commission (FCC) mandated communications service providers (CSPs) implement STIR/SHAKEN call authentication, or a robocall mitigation solution, by June 30, 2021.

What is call authentication?

Call authentication is a method by which the origin of calls is verified so only legitimate calls are delivered to consumers, helping reduce call spoofing. STIR/SHAKEN call authentication has been implemented by all the major communications service providers in the US, and many of the smaller providers, along with robocall mitigation solutions.

 

STIR/SHAKEN are technology standards that use certificates to digitally sign phone calls, which verify caller identity and prevent spoofing.

  • STIR  Secure Telephony Identity Revisited 

  • SHAKEN Secure Handing of Asserted Information Using toKENS

     

STIR/SHAKEN is the most viable way to provide a measure of trust in the displayed caller name and number by authenticating the calling number with the identity of the caller.

STIR/SHAKEN brings together the cryptography that enables safe ecommerce with telephone security by providing a caller ID authentication mechanism to ensure a caller has permission to use a given telephone number. This best practice uses a digital certificate to create a secure chain between the caller and recipient.

No signature = No authentication = No call completion

With STIR/SHAKEN, digital certificates are issued to carriers or other entities that own or are assigned dedicated phone numbers. The private key associated with each digital certificate is used to sign Voice over IP (VoIP) calls to indicate the calling party number (from your enterprise) has been properly identified.

Numbers that can’t be verified are more likely to have been spoofed, which means the call may not go through to consumers.

The terminating service provider (TSP) uses the public key to unlock the message and ensures the message has not been compromised. The contents of the message are used by the TSP to determine call treatment and alerts to the subscriber.

How do you authenticate a call?

To verify the authenticity of the call or the authenticity of the caller using STIR/SHAKEN which uses vital information about the originating caller to assign an attestation rating of A, B, or C to each call — here’s how it works:

1. SIP INVITE received by the originating telephone service provider (OSP).

 

2. OSP checks call source and number to identify attestation level. These “ratings” indicate how certain they are the outgoing call is made by the owner of the number, and the OSP has authenticated the right of the caller to use the phone number. There are three options:

  • Full Attestation (A)

  • Partial Attestation (B)

  • Gateway Attestation (C)

 

3. OSP uses STIR/SHAKEN to create SIP Identity header which includes:

  • Calling number

  • Called number(s)

  • Current timestamp

  • Attestation level

  • Origination identifier

 

4. SIP INVITE with header is sent to terminating telephone service provider (TSP). TSP uses a decryption key and the attestation rating to validate the caller’s number and help identify spoofed calls.

 

5. SIP INVITE with Identity header is passed to the verification service.

 

6. Verification service obtains digital certificate of OSP provider from public certificate repository and begins a multistep verification process. If all verification steps are successful, the calling number has not been spoofed.

 

7. Verification service returns results to TSP.

 

8. Call is completed. Depending on the call treatment algorithm used by your service provider, customers will be notified with a symbol, verification keyword or alert indicating the incoming call has been validated. If the call cannot be verified, the carrier may block the call and/or alert the call recipient to a potential scam call.

With STIR/SHAKEN, attestation ratings are incorporated into carrier analytics as a data element in blocking algorithms — which also include complaints, calling patterns, duration, etc. Then, that’s coupled with rich call content which provides more context to the call recipient, ensuring consumers don’t miss important legitimate calls. 

Attestation Levels Explained

SHAKEN attestation is the “trust” or “proof” that a call is not spoofed based on the originating servie provider’s relatioship to the telephone number. There are three different levels of attestation.

 

A. FULL

B. PARTIAL

C. GATEWAY

Service Provider A to B:

“This is my customer. I gave them this telephone number. This call originated on my network.”

Service Provider A to B:

“This is my customer. This call orginated on my network. However, I did not given them this telephone number.”

Service Provider A to B:

“This is my customer. This call orginated on my network. However, I did not given them this telephone number.”

 

The signing provider:

Is reponsible for the origination of the call onto the IP-based service provider network

Has a direct authenticated relationship with the customer and can identify the customer

Has established a verified association with the telephone number used for the call

 

The signing provider:

Is responsible for the orgination of the call onto the IP-based service provider network

Has a direct authenticated relationship with the customer and can identify the customer

Has NOT established a verified association with the telephone number used for the call

 

The signing provider:

Has NO relationship with the initiator of the call (e.g., international gateways).

 

 

Until recently, the terminating service provider could not tell if a phone number had been spoofed, enabling bad actors to pose as the IRS, banks, healthcare providers or others. But now, TransUnion offers Spoofed Call Protection (SCP), a solution that enables TSPs to block calls that have been spoofed so they never reach the consumer.

To learn about call authentication best practices, view this document by the FCC’s NANC Call Authentication Trust Anchor Working Group.

Is STIR/SHAKEN having an impact?

When we interviewed TransUnion Fellow and VP Jon Peterson on this topic, here’s what he said: “In the nearly three years since the STIR/SHAKEN mandate went effect in the United States, we've seen a tremendous upswing in the signing of calls, which is phenomenal because what this creates is a non-refutable token we can use to determine who lets traffic onto the PSTN in the first place. But that isn't the last step in getting this to work.”

STIR/SHAKEN has always been a foundational technology; something that enables us to build services on top of it. And it's crucial we do more verification and analysis of STIR/SHAKEN workings than what was possible in the early, incremental steps toward implementation.

That said, even what we've done so far has clearly shown it’s helping. For one, it’s promoting enforcement actions because when you can tell who’s introducing harmful, abusive, fraudulent traffic onto the PSTN, you can address it.”

Watch the full video series of Jon Peterson's interview here.

Can my phone number be spoofed?

Yes! Everyone’s number can be spoofed, and in fact, it’s possible it already has been. In fact, spoof calling is on the rise. Sometimes robocallers use “neighbor spoofing” which displays a phone number similar to your actual number, so your customers are more likely to answer. In addition, if a consumer’s phone display says a number is blocked or labeled as a "potential scam" or "spam" on the caller ID, it may be a spoofed call

According to the Federal Trade Commission (FTC), consumers lost over $10 billion in fraud in 2023. Imposter scams — which grew 71% from 2021–2023 — were the number one way consumers were defrauded in 2023.  

Imposter scams have quickly become the fastest growing fraud in the US — and consumers and businesses need to be aware of this rising trend. Imposter scams involve a fraudster pretending to be someone they’re not to steal money or information.

With advances in artificial intelligence (AI) and large language models, these scams have grown more complex, convincing and costly, going from $196 million in losses in 2020 to a whopping $660 million just two years later. And if you think you’re too savvy to be tricked, think again.

According to our recent survey, as a result of robocalls and call spoofing, consumers are not answering the phone.

Forty-eight percent of consumers we surveyed said they rarely or never answer the phone when they’re unsure of who’s calling. We asked consumers WHY they don’t answer calls, and here’s what they said:

 

 

And, when customers don’t answer legitimate phone calls, everyone suffers. Enterprises experience poor right-party contact rates, negative customer experiences, decreased efficiencies, reduced revenue and potential damage to their brands — just to name a few. 

How is caller ID spoofing done?

Caller ID spoofing, or imposter scams, often involve a host of deceptive tricks. One of the most convincing is the spoofed call in which a fraudster places a call that fakes a company’s caller ID — often an organization their victim knows and trusts. It could be a well-known software company, their bank, a government agency, charity or even their own workplace.

Historically, these scams have primarily targeted consumers who are tricked through various means into wiring money from their bank accounts and 401ks. The funds are then typically quickly split into a web of offshore money laundering accounts and bitcoin purchases, never to be seen again. But scammers have discovered ways to tap into even deeper pockets. Now, small businesses and large enterprises are being targeted as well. With new advancements in technology happening at a record pace, these imposter scams are getting more brazen, sophisticated and harder to spot by the day.

If their targets are rich enough, fraudsters will spend months doing their homework and creating the perfect personalized ‘script.’ And with just a little scrolling on LinkedIn® or a company website, they can quickly spot their victim — someone who likely has the right access to sensitive company or employee information or the authority to wire money. For this reason, fraudsters often target employees in HR, IT, finance or on the executive team.

Mitigating this type of fraud requires a robust, multipronged approach. And since spoofed calls are often a first step in these imposter scams, stopping them should be at the top of every business leader’s to-do list.

 

Here’s an example of how caller ID spoofing is done:

  1. Fraudster obtains name, phone number and address through social engineering or data breach. Consumer receives SMS or email:  “Did you make this payment?”

  2. When consumer replies, fraudster spoofs a call from bank to consumer. “This is the fraud department. We see unusual activity. Did you make that transfer? We can reverse it.”

  3. Fraudster requests username to ‘verify’ the account, uses that to reset the password.

  4. Bank sends OTP code. Fraudster pretends the code comes from them. “I will send verification code; Read it back to me so I can verify your identity.”

  5. Fraudster uses the code to then access the account.

What is a STIR verification code?

STIR/SHAKEN verification means calls that have been authenticated will display a checkmark on most mobile displays at the time of the call or in the call log. This confirms the Caller ID has been vetted and confirmed so consumers can trust the call has not been spoofed.

The good news is consumers really want a branded calling solution like Branded Call Display (BCD) that can provide more context around who’s calling and verify the call hasn’t been spoofed.

 

While consumers have the option of using free apps to try to protect themselves from unwanted calls, these are limited in their scope and effectiveness. Truly protecting consumers from robocalls, scams and call spoofing hinges on steps taken by legislators and CSPs, along with the use of customer contact solutions and branded calling by enterprises.

 

Consumers may wonder, “Is caller ID authentication free?” For consumers, it is free; however, enterprises must partner with branded calling experts like TransUnion and purchase solutions.

 

Many enterprises have implemented such solutions, but we went straight to the source and asked consumers if they’d answer calls if they could be more confident about who’s really calling.

 

Here’s what they said about branded calling and top features: 

Caller id authentication is an evolving process

Previously, businesses could not sign their own calls and had to rely on their service provider(s) to do that. As noted, calls signed by the enterprise’s service provider may not always receive the highest level of attestation. With the approval and implementation of delegate certificates by the STI-PA and STI-GA in October 2021, enterprises were empowered to sign their calls.

Enterprises that get their phone numbers and voice services from a single carrier are likely to receive an “A” attestation because the originating carrier is certain of their identities and the source of the numbers, and can originate the calls on their network. However, organizations with more complex architectures that use multiple carriers may have issues getting full attestation.

STIR/SHAKEN caller id authentication utilizes a combination of technical, legal and behavioral solutions; it’s an evolving process that continues to be refined in order to address the dynamic needs of the marketplace. Expected upcoming improvements include the support of non-IP networks, enterprise multi-carrier implementation, and standardizing how attestation is displayed on devices.

As co-author of STIR, co-contributor to SHAKEN, exclusive host of the ATIS Robocalling Testbed, and approved STI-certificate authority, we play an integral role in the governance structure for the Calling Number Verification Service to mitigate illegal robocalling and call spoofing — and is a leading STIR/SHAKEN solution provider.

Learn more about Branded Call Display and Spoofed Call Protection.

 

NOTE: TruContact™ Communications and Contact Center Solutions are powered by Neustar™, a TransUnion company.