STIR/SHAKEN–A Framework to Help Combat Illegal Robocalls

Most of us despise robocalls. Although we often don’t answer them, they’re a persistent annoyance that causes our phones to ring needlessly throughout the day.

Most unlawful robocalls involve illegal caller ID spoofing, which is when the caller deliberately transmits inaccurate caller ID information to disguise their identity and attempt to defraud the called party. Scammers often use what’s known as neighbor spoofing, which is when it appears that the call is coming from a local number to increase the likelihood it will be answered.

Neighbor spoofing truly hit home for me one day when I received a call that showed my own phone number on the caller ID display. It was both surreal and infuriating. Within minutes, I got a barrage of voice messages from nearby residents who also received a call from what appeared to be my number.

Some understood that it was a spoofed call and just wanted to make me aware that my number was being misused. Then there were those who believed the call was coming from my number and the messages they left for me were not very neighborly.

FCC’s Efforts to Combat Robocalls

Not surprisingly, unwanted calls, including illegally spoofed robocalls, are the Federal Communication Commission (FCC)’s top consumer complaint, and combatting them is their top consumer protection priority.

FCC Acting Chairwoman Jessica Rosenworcel stated in March 2021 that “unwanted robocalls are not only a nuisance, but they also pose a serious risk to consumers who can inadvertently share sensitive, personal information in response to bad actors’ malicious schemes.” 

Particularly troublesome has been international con artists who use illegal spoofing to target American consumers with COVID-19 pandemic-related scam robocalls.

Since 2017, the FCC has aggressively pursued a multipart strategy for combatting illegally spoofed robocalls.

This has included:

  • Issuing hundreds of millions of dollars in fines against robocallers for violations of the Truth in Caller ID rules
  • Expanding those rules to foreign calls and text messages
  • Enabling voice service providers to block certain clearly unlawful calls
  • Clarifying that voice providers may block by default unwanted calls based on reasonable call analytics
  • Designating a consortium for coordinating industry-led efforts to trace back unlawful spoofed robocalls to their original sources, which is a vital resource for the FCC in uncovering the companies that facilitate large-scale robocall campaigns

In addition to the above efforts, there is also voice service providers’ required implementation of a caller ID authentication framework known as STIR/SHAKEN, as well as a robocall mitigation program and certification, which are explored below in more detail.

STIR/SHAKEN Framework

One key part of the FCC’s efforts to thwart illegally spoofed robocalls has been to encourage voice service providers to implement a caller ID authentication framework known as STIR/SHAKEN. This stands for Secure Telephone Identity Revisited (STIR) and Signature-based Handling of Asserted Information Using Tokens (SHAKEN) standards.

The STIR/SHAKEN framework enables voice providers to verify that the caller ID information transmitted with a particular call matches the caller’s number and to identify calls with illegally spoofed caller ID information before those calls reach their subscribers.

Benefits of STIR/SHAKEN

Although there isn’t a silver bullet when it comes to eradicating illegal robocalls, once STIR/SHAKEN is universally implemented by voice service providers, it could yield numerous and substantial benefits. The framework could:

  1. When paired with call analytics, protect consumers from fraudulent robocall schemes that cost Americans approximately $10 billion annually
  2. Restore trust in caller ID information and encourage consumers to answer the phone, which will benefit businesses, health care providers, and not-for-profits
  3. Reduce spoofed robocalls to health care and emergency communications systems
  4. Reduce costs for voice providers by eliminating unwanted network congestion and decreasing the number of customer complaints about robocalls

STIR/SHAKEN Implementation Deadline

In 2019, Congress passed the Telephone Robocall Abuse Criminal Enforcement and Deterrence (TRACED) Act, which required the FCC to take numerous steps to promote and mandate the implementation of the STIR/SHAKEN framework. Consistent with the TRACED Act, the FCC now requires large voice service providers to implement STIR/SHAKEN in the Internet protocol (IP) portions of their networks by June 30, 2021.

However, small voice service providers with 100,000 or fewer voice subscriber lines have been granted a two-year extension of this deadline, giving them until June 30, 2023, to complete their implementation.

Limitations of STIR/SHAKEN

The STIR/SHAKEN framework only operates on the IP portions of a voice service provider’s network that support the transmission of calls using Session Initiation Protocol (SIP).


Not surprisingly, unwanted calls, including illegally spoofed robocalls, are the Federal Communication Commission (FCC)’s top consumer complaint, and combatting them is their top consumer protection priority.

Consequently, the FCC has granted an ongoing extension of the STIR/SHAKEN implementation deadline for those portions of a voice provider’s network that don’t use SIP technology. This non-IP extension will end once a caller ID authentication protocol has been developed for calls delivered over non-IP networks and is reasonably available.

Robocall Mitigation Program and Certification

In accordance with the TRACED Act, the FCC is requiring voice service providers that have been granted an extension of the STIR/SHAKEN deadline to implement a robocall mitigation program to prevent unlawful robocalls from originating on their networks. Voice providers are afforded the flexibility to decide the specific practices of an effective robocall mitigation program that best suit the needs of their networks and customers.   The FCC has, however, articulated general standards for the mitigation programs to guide providers in preparing them. The FCC will prescribe more specific robocall mitigation obligations for any voice provider it finds has implemented a deficient program.

Voice service providers are required to document the specific practices they have adopted as part of their robocall mitigation program in a certification that must be filed with the FCC no later than June 30, 2021.  Voice providers that have submitted certifications will be listed in a publicly available Robocall Mitigation Database. If the FCC finds that a voice provider’s certification is deficient in some way, it may take enforcement action as appropriate.

We’re Here to Help

Contact your Moss Adams professional if you have questions or need assistance with the FCC’s requirements for combatting robocalls, including the robocall mitigation certification.