Beyond the Mandate: Next Steps in the Fight to Combat Robocalls and Spoofing
Robocalling is no small problem. These nuisance calls are the major source of consumer complaints, with some estimates suggesting that more than 22 billion robocalls have been made in 2021 alone – and we’re only halfway through the year.
June 30 marked the deadline for voice service providers to file documentation informing the Federal Communications Commission (FCC) of their robocall mitigation efforts. The FCC’s mandate requires that all voice service providers respond to traceback requests, take steps to mitigate known illegal traffic, and take affirmative, effective measures to prevent originating illegal calls. In the June 30 filing, providers had to certify that they had implemented STIR/SHAKEN or another robocall mitigation program in the FCC Robocall Mitigation Database.
While the industry had since March 2020 to prepare and file their plans, there are likely stragglers who missed the deadline. Smaller providers, for example, have until June 2023 to implement STIR/SHAKEN, but still needed to document efforts to reduce robocalls that originate on their networks.
The consequences of non-compliance are significant. Providers who remain non-compliant will be unable to send traffic to other operators starting September 28. Those who remain non-compliant may also be subject to appropriate enforcement action, making it imperative to implement and file plans immediately.
For voice providers who haven't filed – and for those looking to take their robocall mitigation to the next level – here are key questions and considerations to bear in mind as they quickly build a compliant and effective plan.
The first step to any problem is understanding the key steps to solve the challenge. STIR/SHAKEN provides a mechanism for service providers to verify that the originator of a call is highly likely to be valid and not a spoofed or fraudulent calling party. The goal is to make it more difficult for bad actors to spoof the identity of a call for malicious purposes, such as defrauding a person, coaxing them to provide information they usually would not have provided or causing harm. Specific examples of such activities include spoofing voice messaging or credit card validation services to get access to the victim’s voice messages or financial information. It can also include masquerading as legitimate enterprises looking for information or cash (e.g., banks for personal identification or the IRS for scamming).
What information do I need to gather to determine whether a call is legitimate?
While STIR-SHAKEN provides the best available information to make it easier for voice providers to decide what calls they want to allow or block, this is not the only option for determining the legitimacy of a call.
When ascertaining call authenticity, there are three pieces of information that should be taken into consideration: the identity of the caller, their reputation and the trust context. With this information, service providers can better establish if a call is from a legitimate person, for a legitimate purpose and without malicious intent.
How can I assure a caller’s identity?
Identity is the information that tells service providers who is making the call. There are several resources service providers can draw on to determine the identity of a caller. These include:
- Known subscriber numbers, which the originating network operator identifies
- Do Not Originate lists, which are known numbers that will never originate calls
- Un-assigned numbers that can be taken from industry databases and individual network operator databases
- Invalid calling numbers that can be screened out in call processing based on national/international telephone numbering plans
- Known fraud and spam numbers that can be found from third-party databases and individual network operator databases
How do I determine the likelihood that a call is illegitimate based on historical call patterns?
Because legitimate numbers can be compromised to originate calls, advanced call analytics can be a huge assistance in detecting changes in calling patterns. These analytics establish a well-defined baseline of what is categorized as “normal” traffic based on when and where a call originates.
Some solutions also provide reputation scores to decide whether a call is illegitimate or not. Much like FICO scores, which measures consumer credit risk, a reputation score measures caller intent and the likelihood of whether the calls are fraudulent, telemarketing or nuisance calls. The higher the score, the more reputable the call is likely to be and the more likely it will be allowed to proceed.
However, many calls may have reputation scores between these two outcomes and should be given special call validation treatment options. For these calls, service providers have a few different call validation treatment options to consider:
- Route to an announcement indicating the call cannot be completed at this time
- Divert to a voice mail system
- Route to a "CAPTCHA" system that will play an announcement asking the calling party to respond to instructions (i.e. entering a specific set of digits) if they want the call to proceed
- Alter the Calling Name display to "Potential SPAM" to give the terminating party enough information to decide whether to answer or not answer a call
What’s the importance of trust context?
Trust context measures the match between the call origination information and how the call enters the terminating service provider’s network. To understand trust context, providers need to know about the originator’s location, where the call enters the network, and other information they already have about the originating caller.
For example, if the call is coming from a known subscriber on a local network interface, the calls should always be verified as trusted. On the other hand, if that same call came in from another carrier, it has likely been spoofed.
Following these guidelines will ensure that providers who are still finalizing their plans, as well as those who are looking to improve their existing plans, will meet the requirements for the FCC’s mandate. However, the industry’s collective efforts to restore trust in the network should not stop there. While STIR-SHAKEN standards, call analytics, and reputation scoring will go a long way in helping combat robocalling, there’s still much to do to decrease fraudulent calling. It’s on the communications industry as a whole to continue to share ideas on how to work together to resolve one of the biggest problems facing our market today.