STIR/SHAKEN Promises vs. Reality: The Robocalling Crisis

Written by Brett Nemeroff, VP of Engineering - Voice
Published on October 15, 2025
Updated on October 15, 2025

Introduction & About the Series

Researched and authored by Brett Nemeroff, Numeracle’s VP of Engineering – Voice, this eight-part investigative series exposes the systematic failure of telecommunications caller authentication approaches through historical accountability analysis and comprehensive technical evaluation.  

Using primary sources including the 2017 ATIS standards body vision vs 2025 measurable outcomes, the series documents how industry-wide promises about STIR/SHAKEN and other solutions created false confidence while fraud losses increased 36-fold. Through systematic framework analysis, the series reveals why all current approaches fail and provides a roadmap for solutions that could work. All research and references are listed at the bottom of this article for further reading.

Abstract

Widespread confusion persists across the telecommunications industry about what STIR/SHAKEN can and cannot accomplish, with even industry experts and regulators overestimating its ability to prevent call spoofing, fraud and unwanted calls. Despite massive investment and mandatory implementation of these call authentication protocols, the robocalling crisis has reached catastrophic proportions, with consumers losing hundreds of millions to phone-based fraud in 2024 alone while legitimate businesses struggle to reach customers through blocked calls.

This disconnect between expectations and reality stems from a fundamental misunderstanding of STIR/SHAKEN's limitations. The telecommunications industry's response has focused on analytics and reputation scoring, which treats symptoms rather than addressing the root cause: the telephone system's fundamental anonymity, where anyone can use any caller ID without verification.

Understanding what STIR/SHAKEN does, versus what many believe it does, is essential for evaluating whether existing call authentication frameworks can ever deliver truly trusted communications or if entirely new solutions are needed.

Phone-Based Fraud: The Scale of the Problem

According to the Federal Trade Commission's Consumer Sentinel Network’s 2024 Data Book, in 2024 alone, phone calls accounted for 284,659 fraud reports resulting in $948 million in documented losses with a median loss of $1,500 per victim. But these numbers only capture reported fraud losses, not the broader impact of illegal caller ID spoofing.  

The fundamental problem isn't unwanted calls, as many robocalls are perfectly legal. Instead, it's the telecommunications system's inability to verify that callers are who they claim to be. This verification gap enables fraud and undermines trust in all telephone communications.

ID Without Verification: The System Enabling the Fraud

Imagine if your local bank operated like the telephone system. Anyone could walk in, claim to be you, and conduct business using just your account number, with no ID verification, no signature matching, and no security questions. The bank would simply trust that whoever presented your account number was actually you. That's essentially how caller ID works: anyone can present any phone number, and the system trusts the assertion without verification.

The scale of criminal adaptation demonstrates the infrastructure problem: fraudsters have learned to exploit this fundamental verification gap systematically, creating billion-dollar criminal enterprises built entirely on the telecommunications system's inability to verify caller identity.

The $1,500 median loss per phone-based fraud victim represents more than just money. For many consumers, it's destroyed their trust in telephone communications entirely. According to research done by Hiya, 46% of unidentified calls go unanswered, even when the calls are legitimate. This highlights the struggle legitimate businesses continue to have while trying to reach their customers.

On the other hand, TransUnion reported that less than 48% of respondents in a survey directed at healthcare facilities were satisfied with their organization’s ability to prevent their calls from being labeled as Spam or Blocked. This constant mislabeling, especially of legitimate businesses, has caused consumers to simply not trust anything on their phones. For many of us, the phone ringing is a disturbance and an eye roll.

The Verification Gap: Why Phones Lack the Security of Every Other Digital System

To understand how we got here, we need to examine what makes telephone communications fundamentally different from other forms of digital communication. When you visit a website, your browser performs multiple verification steps—checking SSL certificates, validating domain ownership, and displaying trust indicators. When you receive an email, spam filters analyze sender reputation, authentication records, and content patterns.

But when your phone rings, what verification occurs? Essentially none.  

The caller ID system was designed in an era when telephone networks were closed systems operated by regulated monopolies. The assumption was that carriers would know and vouch for their customers. That assumption became obsolete decades ago.

Here's a critical point that many people don't understand: telephone numbers were never designed to be identity. They are an address, or a way to route a call to a destination. Think of them like IP addresses or postal addresses. You wouldn't use your home address as proof of your identity at the bank, would you? Yet that's essentially what we've asked phone numbers to do.

Perverse Economics: When Crime Pays and Legitimate Business Suffers

The robocalling epidemic exists because the economics strongly favor bad actors. The advent of Voice over IP technology (VoIP) paired with deregulation and competition has driven the cost of voice communications down, making thousands of calls cost pennies. If even 0.1% of recipients respond to a scam, the operation is profitable.  

In an article posted by the National Consumer Law Center, Chris Frascella states,

“Until it becomes more costly to assist criminal fraud than to stop it, scammers will continue to find providers willing to accept payment for passing these dangerous and illegal calls to our phones.”  

Meanwhile, legitimate businesses absorb the costs through blocked calls and compliance burdens, consumers lose access to important communications, and carriers invest billions in infrastructure that treats symptoms rather than causes.

This creates what economists call a "negative externality." The people causing the harm don't bear its costs, so they have no economic incentive to stop. In fact, as traditional advertising becomes more expensive and regulated, robocalling becomes relatively more attractive to fraudsters.

Analytics and Reputation Scoring: When the Cure Becomes Part of the Disease

Faced with this crisis, the telecommunications industry's initial response focused on analytics and reputation scoring. The logic seemed sound: if we can't verify caller identity, at least we can track caller behavior and warn consumers about suspicious patterns. This methodology was broken from the start: it used analytics to flag calls as Spam or Fraud, but the analytics had no call metadata with which to distinguish legitimate calls from illegitimate ones.

As you would expect, this approach created new problems. Legitimate businesses found their calls being flagged as "Potential Spam" or blocked entirely. In a survey conducted by First Orion in 2022, “9 out of 10 people said that they want a call from their doctor, pharmacy, or other healthcare provider.” However, “76% say that they’ve ignored a call from a health care provider because they didn’t know who was calling.”  Additionally, they say that “80% would consider rating their healthcare provider poorly for making unidentified calls.” In short, healthcare providers couldn't reach patients for important calls. The cure was becoming part of the disease.

Numeracle, as a trusted intermediary between legal callers, telecom governance, and the carriers, first pointed out to the industry in 2017 the challenges that carrier analytics caused for enterprises.  

These analytics systems treat phone numbers as if they have persistent reputations, but phone numbers are bought, sold, and reassigned constantly. A number used for scams today might be assigned to a legitimate business tomorrow.

The Enterprise Identity Crisis: When Even Legitimate Businesses Lost Control of Their Communications

This led to what we might call the "enterprise identity crisis." Legitimate businesses realized they had no way to manage their communications identity. A hospital might spend millions on brand building and patient trust, only to have its appointment reminder calls blocked because an algorithm flagged them as suspicious.

Unlike email, where organizations can implement SPF, DKIM, and DMARC records to authenticate their communications, the telephone system offered no equivalent. Businesses were entirely dependent on third-party analytics companies and carriers to determine whether their calls would reach customers.

This created a perfect storm: legitimate businesses desperately needed a way to authenticate their communications, regulators faced mounting political pressure to "do something" about robocalls, and the telecommunications industry needed a solution that wouldn't require rebuilding the entire phone system.

STIR/SHAKEN: The Promised Solution

In 2018, the Internet Engineering Task Force (IETF) published its first draft of the STIR/SHAKEN specifications that would eventually become RFC 8588. It was a framework designed to bring cryptographic authentication to telephone communications. The promise was compelling: carriers would digitally sign calls, creating an unbreakable chain of authentication that would finally solve the spoofing problem.

The marketing was even more compelling. Government and industry leaders made sweeping promises about caller identity verification:

“With this caller authentication system in place, carriers can know that callers really are who they say they are and stop spoofing at the source,” declared then-Acting FCC Chairwoman Jessica Rosenworcel in 2021.

The technical specifications themselves seemed to support these claims. RFC 8224, the core STIR/SHAKEN standard, explicitly states that “Authentication services confirm the identity of the originator of a call.” RFC 8225 describes the system as one that “cryptographically verifies an originating identity.”

Major carriers amplified these promises in their consumer marketing. AT&T promoted STIR/SHAKEN as “new caller authentication technology to help confirm that calls are not bad guys ‘spoofing’ numbers to get you to answer.” Verizon launched consumer-facing “Verified Caller” checkmarks based on STIR/SHAKEN authentication. T-Mobile announced they were launching STIR/SHAKEN “to fight number spoofing and further protect customers from scammers and unwanted robocalls.” Even the FCC's official consumer education materials described a comprehensive “caller ID authentication” framework that would fundamentally change how Americans could trust incoming calls.  

In 2020, the FCC issued a Report and Order and Further Notice of Proposed Rulemaking that stated the expected costs and benefits of STIR/SHAKEN. The report says the following about the costs:

  • “Operating costs of between roughly $39 million and $780 million annually.”
  • “Estimated up-front costs, which may be in the tens of millions of dollars for the largest voice service Providers”.
  • “It is implausible that total implementation costs will come close to the expected benefits of our Actions.”

It summarized the benefits as follows:  

  • “We estimated benefits of at least $3 billion from eliminating illegal scam robocalls. That estimate assumed a benefit of ten cents per call and multiplied it across a figure of 30 billion illegal scam robocalls per year.”
  • “While STIR/SHAKEN will not itself stop a malicious party from using the voice network to commit fraud, it will inform a call recipient that the caller has used deceptive caller ID information to try to convince the called party to answer the phone.”
  • “We expect this will significantly reduce the effectiveness of spoofing fraud that costs Americans billions of dollars each year.”

The overselling continues. Even with our FCC.  

By 2021, STIR/SHAKEN implementation became mandatory for major carriers. While there is no public official record as to the exact industry cost to implement and/or operate STIR/SHAKEN, the numbers listed above are likely reasonable assumptions. If you consider that there are well over 3,000 service providers, all of which have a legal obligation to implement and support STIR/SHAKEN, you can see that the total industry investment in this solution is likely in the hundreds of millions of dollars.

Despite this extraordinary investment, fraud remains rampant. The Federal Trade Commission (FTC) still received more than 2 million complaints about unwanted calls in fiscal year 2024. The financial impact remains staggering, with phone-based fraud alone accounting for $948 million in documented losses.

The news isn’t all bad, however. In August 2025, the FCC removed over 1,200 voice service providers from telephone networks for failing to comply with anti-robocall regulations. While this enforcement may sound like a win, it was not directly related to the implementation or use of STIR/SHAKEN.  

But even the enforcement mechanisms reveal fundamental implementation challenges. While removing 1,200 providers from the Robocall Mitigation Database (RMDB) sounds decisive, the practical reality is quite complex. Individual service providers must somehow identify and block these removed entities. However, the RMDB lacks programmatic (API-based) access and, until recently, did not even include Operating Company Numbers (OCNs). This has forced carriers to make blocking decisions based on often-ambiguous business names that can change, be spoofed, or operate under multiple identities.

The result is another layer of complexity for legitimate service providers trying to comply, while bad actors continue to adapt. Even as the database improves with more carriers adding their OCNs, each change creates new implementation burdens for an industry already struggling with STIR/SHAKEN deployment costs and technical complexity.

Consumer complaints have indeed declined from peak levels. Success story, right?

Not quite.

A Litmus Test: The Three Pillars of Trusted Communications

As we'll explore throughout this series, truly trusted communications require three fundamental pillars:

  1. Establishing Identity: Performing proper know-your-customer (KYC) verification to establish who is actually making the call.
  2. Protecting Identity: Transmitting that verified identity in a tamper-proof way that can't be spoofed or manipulated.
  3. Conveying Identity: Reliably delivering that authenticated identity information to the recipient in an actionable format.

While STIR/SHAKEN addresses elements of pillars 2 and 3, it completely sidesteps pillar 1—and as we'll see, that's where the biggest problems lie.
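The gap between pillar 2 and pillar 1, as an added example that is not code from this article or from Numeracle: a provider signs a PASSporT (RFC 8225 with the RFC 8588 SHAKEN claims) and a verifier checks it. The key pair, telephone numbers, certificate URL, claim values and function names are constructed for illustration, and certificate-chain and freshness checks are left out.

```javascript
// Added example. Keys, numbers, URL and claim values are constructed.
const nodeCrypto = require("node:crypto");

const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");
const dec = (seg) => JSON.parse(Buffer.from(seg, "base64url").toString("utf8"));

// Stand-in for an originating provider's signing key. In a deployment the
// verifier obtains the public key from the certificate named by x5u.
const provider = nodeCrypto.generateKeyPairSync("ec", { namedCurve: "P-256" });

// Authentication service: signs whatever calling number the provider accepted
// from its customer. Nothing in this step looks at who the customer is.
function signPassport(origTn, destTn, privateKey) {
  const header = { alg: "ES256", ppt: "shaken", typ: "passport",
                   x5u: "https://certs.example.invalid/provider.pem" };
  const payload = { attest: "A", dest: { tn: [destTn] }, iat: 1760000000,
                    orig: { tn: origTn },
                    origid: "00000000-0000-4000-8000-000000000000" };
  const signingInput = `${enc(header)}.${enc(payload)}`;
  const sig = nodeCrypto.sign("sha256", Buffer.from(signingInput),
    { key: privateKey, dsaEncoding: "ieee-p1363" }); // raw r||s, as JWS ES256 uses
  return `${signingInput}.${sig.toString("base64url")}`;
}

// Verification service: checks token shape, algorithm and signature only.
function verifyPassport(token, publicKey) {
  const parts = token.split(".");
  if (parts.length !== 3) return { valid: false, origTn: null };
  try {
    const header = dec(parts[0]);
    const payload = dec(parts[1]);
    if (header.alg !== "ES256" || header.ppt !== "shaken") {
      return { valid: false, origTn: null };
    }
    const valid = nodeCrypto.verify("sha256",
      Buffer.from(`${parts[0]}.${parts[1]}`),
      { key: publicKey, dsaEncoding: "ieee-p1363" },
      Buffer.from(parts[2], "base64url"));
    return { valid, origTn: valid ? payload.orig.tn : null };
  } catch {
    return { valid: false, origTn: null }; // malformed segment
  }
}

// Simulates a change to the calling number after signing (what pillar 2 guards against).
function rewriteOrig(token, newTn) {
  const [h, p, s] = token.split(".");
  const payload = dec(p);
  payload.orig.tn = newTn;
  return `${h}.${enc(payload)}.${s}`;
}

function demo() {
  const pub = provider.publicKey;
  // Constructed scenario: the first number is assigned to the customer, the second is not.
  const own = signPassport("12025550101", "12025550199", provider.privateKey);
  const notOwn = signPassport("12025550142", "12025550199", provider.privateKey);
  return {
    customerOwnsNumber: verifyPassport(own, pub).valid,
    customerDoesNotOwnNumber: verifyPassport(notOwn, pub).valid, // same result: no KYC in the math
    alteredAfterSigning: verifyPassport(rewriteOrig(own, "12025550142"), pub).valid,
  };
}
console.log(demo());
```

The first two results are identical because the signature covers only what the provider chose to sign; whether the customer was vetted is decided before signing and is invisible to the verifier.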

What's Coming in This Series

Over the next seven posts, we'll dissect what STIR/SHAKEN actually does versus what it was marketed to do. We'll examine why criminals have adapted faster than the system can evolve, forcing regulators to remove over 1,200 providers from the RMDB in 2025 alone while robocalls persist. We'll explore the tens to hundreds of millions of dollars in technology investment and question whether it has delivered proportional consumer benefits.

Most importantly, we'll look toward solutions that address all three pillars of trusted communications, because until we do, we'll continue treating symptoms while the underlying disease spreads.

The robocalling crisis didn't happen overnight, and it won't be solved by technical band-aids that ignore the fundamental economics and identity challenges. But understanding where we went wrong is the first step toward getting it right.

About the Author: Brett Nemeroff

Brett Nemeroff is Numeracle’s VP of Engineering – Voice, with over 25 years of experience building telecommunications networks from the ground up. A seasoned telecom engineer and programmer, Brett specializes in architecting cost-effective solutions for voice, video, and high-speed data delivery. His expertise spans TCP/IP networking, fiber optics, integrated billing systems, and high-volume custom VoIP software development. Passionate about pairing technology with business needs, Brett has developed CPaaS platforms, custom telephony applications, and high-volume routing systems. Active in the open-source community, he contributes to projects like Asterisk, FreeSWITCH, OpenSIPS, and Kamailio.

Research & References

  1. Federal Trade Commission, “Consumer Sentinel Network Data Book 2024,” March 2025, https://ftc.gov/system/files/ftc_gov/pdf/csn-annual-data-book-2024.pdf, 12
  2. Hiya, “State of the Call 2024,” https://www.hiya.com/state-of-the-call
  3. TransUnion, “How Can Healthcare Providers Fight Blocked Calls and Call Spoofing?,” https://www.transunion.com/blog/how-can-healthcare-providers-fight-blocked-calls-and-call-spoofi
  4. National Consumer Law Center, “New Report Warns Scam Robocalls Will Continue As Long As Telephone Providers Can Rake in the Profits,” https://www.nclc.org/new-report-warns-scam-robocalls-will-continue-as-long-as-telephone-providers-can-rake-in-the-profits/
  5. FCC, “Industry Robocall Strike Force Report,” https://www.fcc.gov/file/12311/download
  6. First Orion, “PRESCRIBED COMMUNICATION, 2022 Healthcare Consumer Communication Report,” https://view.highspot.com/viewer/6332f968ca0d65a6de65819e#1
  7. Numeracle, Comments to the FCC Filed July 26, 2018, https://www.numeracle.com/fcc-filings/numeracle-fcc-comments-7-26-18
  8. IETF, “RFC 8588: Personal Assertion Token (PaSSporT) Extension for Signature-based Handling of Asserted information using toKENs (SHAKEN),” https://datatracker.ietf.org/doc/rfc8588/
  9. FCC, “Statement of Acting Chairwoman Rosenworcel,” FCC Item FCC-21-105, 2021, https://docs.fcc.gov/public/attachments/FCC-21-105A2.pdf
  10. IETF, “RFC 8224: Authenticated Identity Management in SIP,” February 2018, https://datatracker.ietf.org/doc/rfc8224/
  11. IETF, “RFC 8225: PASSporT: Personal Assertion Token,” Abstract, February 2018, https://datatracker.ietf.org/doc/rfc8225/
  12. AT&T, “3 Things You Need to Know about Robocalls,” AT&T Cyber Aware Blog, August 30, 2017, https://about.att.com/pages/cyberaware/ni/blog/3-things-you-need-to-know-about-robocalls
  13. Verizon, “Spoofing,” https://www.verizon.com/about/account-security/spoofing
  14. T-Mobile, “2021 Corporate Responsibility Report,” https://cdn.tmobile.com/content/dam/t-mobile/ntm/specific-use/annual-report/TMobile_CSR21_16822_tagged.pdf
  15. FCC, “Call Authentication,” https://fcc.gov/call-authentication
  16. FCC, “REPORT AND ORDER AND FURTHER NOTICE OF PROPOSED RULEMAKING,” FCC Item FCC-20-42A1, https://docs.fcc.gov/public/attachments/FCC-20-42A1.pdf
  17. Federal Trade Commission, “National Do Not Call Registry Data Book 2024,” November 2024, https://ftc.gov/system/files/ftc_gov/pdf/DNC-Data-Book-2024.pdf, p.6
  18. FCC, “FCC Bars Over 1,200 Providers from Network Access for Their Continued Non-Compliance with Robocall Protections,” https://docs.fcc.gov/public/attachments/DOC-414073A1.pdf
  19. FCC, “The Robocall Mitigation Database,” https://fccprod.servicenowservices.com/rmd?id=rmd_welcome

Frequently Asked Questions

If STIR/SHAKEN was supposed to solve caller ID spoofing, why am I still getting scam calls?

STIR/SHAKEN can verify that a call came from a specific carrier, but it doesn't verify that the caller is actually authorized to use that phone number or business identity. It's like having a tamper-proof envelope without checking if the person sending it is legitimate.

Why can't legitimate businesses just authenticate their calls like they do with email?

The phone system has no equivalent to email authentication methods. Businesses have limited control over whether their calls are flagged as spam. Because of limited metadata in the call path, carrier algorithms frequently block important calls alongside actual scams.

Why don't phone companies just block all the scam calls?

Scamming is extremely profitable (thousands of calls cost pennies), while blocking systems can't reliably distinguish legitimate calls from fraudulent ones. This leads to important communications being blocked alongside actual scams.
