(888) 815-0802What Is STIR/SHAKEN?
STIR/SHAKEN is a caller authentication framework designed to combat caller ID spoofing and reduce fraudulent robocalls. It enables telephone service providers to verify that a call originates from the phone number displayed on the recipient’s device.
The framework works by attaching a digital certificate to outbound calls. This certificate confirms whether the originating provider can attest that the caller is authorized to use the displayed number. When the call reaches the terminating carrier, the certificate is validated to determine the call’s trust level.
STIR stands for Secure Telephone Identity Revisited, while SHAKEN stands for Signature-based Handling of Asserted Information Using toKENs. Together, they create a standardized system that helps carriers assess call authenticity across IP-based networks.
STIR/SHAKEN does not prevent unwanted calls on its own. Instead, it provides authentication signals that carriers use to determine whether a call should be delivered normally, labeled as spam risk, or blocked.
In modern VoIP and cloud telephony environments, STIR/SHAKEN has become a foundational requirement for maintaining call deliverability, protecting brand reputation, and reducing the impact of spoofed or fraudulent calls.
How Does a Scammer Spoof a Caller ID?
Caller ID spoofing works because the traditional telephone system was not originally designed with authentication in mind. When a call is placed over the public telephone network, the originating party transmits a number as the caller ID — and historically, the network simply accepted and displayed whatever number was sent without verifying that the caller actually owned it.
Scammers exploit this design gap using readily available tools. VoIP technology makes spoofing particularly easy because VoIP systems allow callers to configure outbound caller ID settings without the same carrier-level controls that govern traditional landlines. Software-based calling platforms, auto-dialers, and SIP trunking services can often be configured to display any number the caller chooses, including numbers belonging to legitimate businesses, government agencies, or local area codes.
Some common spoofing techniques include neighbor spoofing, where scammers display a phone number with the same area code and prefix as the recipient’s number to make the call appear local and increase the likelihood of it being answered. Other scammers impersonate well-known organizations — banks, the IRS, healthcare providers — by displaying those organizations’ actual phone numbers as the caller ID, creating a false impression of legitimacy.
In more sophisticated operations, spoofing is automated at scale. Robocalling platforms can place thousands of calls per hour, rotating through spoofed numbers to avoid detection and evade call-blocking systems.
This is precisely the problem STIR/SHAKEN was designed to address. By requiring originating carriers to digitally sign calls and attest to the caller’s right to use the displayed number, the framework makes spoofing significantly more difficult across IP-based networks — though it does not eliminate it entirely, particularly on legacy infrastructure.
Is It Illegal for Telemarketers to Spoof Phone Numbers?
Yes. Spoofing phone numbers with the intent to defraud, cause harm, or wrongfully obtain anything of value is illegal under U.S. federal law.
The Truth in Caller ID Act, enacted in 2009 and enforced by the Federal Communications Commission (FCC), prohibits the transmission of misleading or inaccurate caller ID information with fraudulent or harmful intent. Violations can result in civil penalties of up to $10,000 per violation, and the FCC actively investigates and pursues enforcement actions against illegal spoofing operations.
The FTC also pursues spoofing cases that involve telemarketing fraud, particularly when combined with Do Not Call Registry violations or deceptive sales practices under the Telemarketing Sales Rule.
It is important to note that not all caller ID customization is illegal. Businesses that display a main office number or a toll-free number rather than an individual agent’s direct line are not spoofing in the legal sense — they are presenting an accurate representation of their organization using a number they legitimately control. A business can also display a number on behalf of a client if the client has authorized the use of that number. What is prohibited is displaying a number the caller has no right to use with the intent to deceive.
For telemarketers specifically, displaying a number that does not belong to them — particularly to impersonate a government agency, financial institution, or other entity — crosses into criminal territory and can result in both civil and criminal prosecution.
Note: This is general informational guidance and not legal advice. Organizations should consult legal counsel regarding specific compliance obligations.
Can I Stop My Phone Number from Being Spoofed?
Unfortunately, completely preventing your phone number from being spoofed by someone else is difficult because the spoofing happens on the caller’s end, not yours. A scammer can display your number as their caller ID without accessing your phone, your account, or your carrier relationship. Your number is simply being used as a disguise.
That said, there are steps both individuals and businesses can take to reduce exposure and manage the impact.
For Businesses and Outbound Calling Teams
The most effective protection for legitimate businesses is ensuring their own numbers are properly authenticated through STIR/SHAKEN. When your numbers carry full attestation (A-level) signatures, recipients and carriers can verify that calls displaying your number actually originate from you. This does not stop a scammer from spoofing your number, but it means your legitimate calls are clearly distinguishable from spoofed ones in networks that support STIR/SHAKEN verification.
Registering numbers with CNAM databases so that your business name appears on caller ID also helps — recipients are more likely to recognize and answer legitimate calls, and more likely to report calls that display your name but behave suspiciously, which can help surface spoofing activity more quickly.
If you discover your number is being spoofed — typically because you start receiving large volumes of callbacks from confused or angry people who say they received a call from your number — report it to the FCC through their consumer complaint center at consumercomplaints.fcc.gov. The FCC tracks spoofing complaints and uses the data to prioritize enforcement investigations.
For Individuals
If your personal phone number is being spoofed, the options are more limited. You cannot prevent a scammer from displaying your number to others, but you can take a few practical steps. Contact your carrier to report the issue and ask whether they have tools to flag or monitor suspicious use of your number. Some carriers can place notes on your account or escalate reports to fraud teams.
You can also consider changing your phone number if the spoofing is persistent and causing significant disruption, though this is a last resort.
In the meantime, if you are receiving unusual callbacks from people who claim you called them, a brief explanation that your number may have been spoofed helps those recipients understand they were targeted by a scam rather than by you.
How STIR/SHAKEN Works Technically
STIR/SHAKEN operates through a digital certificate framework embedded in IP-based call signaling.
When a call is placed, the originating service provider evaluates whether the caller is authorized to use the phone number being displayed. If verified, the provider attaches a digital signature to the call using Secure Telephone Identity (STIR) standards.
This signature contains the calling number, a timestamp, an attestation level, and a cryptographic certificate.
As the call travels through the network, the terminating carrier validates the certificate using SHAKEN protocols. If the signature is valid, the carrier confirms that the number has not been spoofed.
The verification result is then used by the terminating carrier to determine how the call should be handled, including normal delivery, displaying a verification indicator, applying spam risk labeling, or blocking the call entirely.
STIR/SHAKEN functions only across IP-based networks. It does not fully apply to legacy TDM infrastructure, which is why industry migration to IP telephony has been critical for implementation.
STIR/SHAKEN Attestation Levels Explained
Not all calls receive the same level of authentication. STIR/SHAKEN uses three attestation levels to indicate the degree of trust the originating provider can assign to a call.
Full Attestation (A-Level)
The provider confirms that it has a direct relationship with the caller and that the caller is authorized to use the phone number. This is the highest trust level and provides the strongest signal to terminating carriers.
Partial Attestation (B-Level)
The provider confirms it knows the customer placing the call but cannot fully verify the caller’s right to use the displayed number.
Gateway Attestation (C-Level)
The provider is simply acting as a gateway for the call and cannot verify the caller’s identity or number ownership.
Higher attestation levels generally reduce the likelihood of spam labeling, though they do not guarantee deliverability.
STIR/SHAKEN vs CNAM
CNAM and STIR/SHAKEN address different aspects of call identity. STIR/SHAKEN verifies that the phone number has not been spoofed. CNAM displays the business name associated with that number.
| Feature | STIR/SHAKEN | CNAM |
|---|---|---|
| Prevents spoofing | Yes | No |
| Displays caller name | No | Yes |
| Uses digital certificates | Yes | No |
| Uses database lookup | No | Yes |
| Impacts spam labeling | Yes | Indirectly |
For optimal call trust, organizations should align both systems. Authentication establishes legitimacy, while CNAM reinforces brand recognition.
Why STIR/SHAKEN Matters for Revenue Teams
Outbound sales organizations are directly affected by carrier trust frameworks. Without proper authentication, even legitimate calls may be labeled as spam risk or blocked.
STIR/SHAKEN helps revenue teams protect caller ID integrity, reduce spoofing exposure, improve call deliverability, strengthen brand trust, and maintain compliance with federal regulations.
In the United States, the FCC requires voice service providers to implement STIR/SHAKEN to combat illegal robocalling. As a result, authentication is no longer optional for modern telephony providers. For revenue teams operating at scale, authentication should be viewed as foundational infrastructure rather than a technical afterthought.
Limitations of STIR/SHAKEN
Although powerful, STIR/SHAKEN does not eliminate spam or unwanted calls.
It does not block calls automatically, prevent high-volume dialing from being flagged, guarantee improved answer rates, or display brand names. Carriers still rely on analytics models that incorporate complaint data, call frequency patterns, and reputation signals.
STIR/SHAKEN verifies identity. It does not validate intent.
Protect Your Caller Identity with RingDNA
STIR/SHAKEN authentication is essential for call deliverability. The RingDNA Communications Hub by Revenue.io helps revenue teams maintain caller authentication, manage number reputation, and protect outbound performance at scale.
