Handling a spoofed number now that STIR/SHAKEN authentication is deployed?

I’ve gotten 8 messages so far in the last 2 days saying someone got a call from my number, who I don’t know and hadn’t called.

I know this has been a common problem in the past and saw some old questions about people whose numbers had been spoofed, for instance:

However, I think there’s new rules since 2021-06-30 and I wondered if those have changed anything on best practices. These docs from the FCC go over the new system:

So in theory, for the last 36 days the source of all calls should have been authenticated, and it should be impossible for someone to spoof my number, so I’m surprised that this has happened this week.

Is Republic Wireless in compliance with the FCC order to authenticate the source of calls, and if so is it possible to find out more about whoever has been initiating these calls?

(And was my number definitely spoofed, or could it have been a Republic Wireless call mapping error of some sort? Is there any way to get visibility on this, or do I just have to quietly accept dozens of people I don’t know trying to call me back without any way for me to take action on tracking down the root cause?)

Borrowed from Robokiller:

Call authentication technologies like STIR/SHAKEN don’t stop robocalls because, unfortunately, nobody can stop them. This is why:

  • Many robocallers originate from outside the U.S., which makes it difficult for them to be held accountable for their actions. New provisions (also under the TRACED Act) will fine illegal robocallers, but the government doesn’t have the jurisdiction to fine scammers outside the country.

Republic isn’t a carrier, Bandwidth is their carrier. They are compliant. When I call my T-Mobile phone from my Republic phone, it shows that the number is authenticated. This has NOTHING to do with someone who spoofs your number. They could be using a small carrier that doesn’t yet have to comply. They could be calling from overseas. The sending carrier sends the authentication. The spammer who spoofed your number is surely using a carrier that isn’t.

Carrier deliver calls whether authenticated or not because plenty of legitimate calls are not authenticated.


Oh, now that I read the first link again more carefully, it’s not until September 28th that carriers will have to stop accepting voice calls from carriers not in the mitigation database. June 30th is just the deadline to put required info into the database. That should at least stop spoofed calls from getting to US receivers.

1 Like

Thanks for the follow-up, hopefully, it will help other readers gain a better understanding of Stir/Shaken’s implementation timeline.
I will remain hopefully optimistic, however, the proof will be in the results obtained.

1 Like

I like your optimism, but if you dig in to what the order actually says, it simply says that you must be in the mitigation database. You can get in to the DB in one of 3 ways: 1) By certifying that all your traffic is authenticated via STIR/SHAKEN 2) That certifying some of your traffic is and that you have a “robocall mitigation program” in place or 3) Having none of your traffic authenticated via STIR/Shaken and certifying that you’ve taken “reasonable steps” to “avoid originating illegal robocall traffic”.

Pardon my cynicism, but given the amount of spam that originates from a couple of specific networks, I really don’t see this solving the issue. These less than upstanding carriers will simply not authenticate, says that they’re taking “reasonable steps” which is a term with huge amount of legal wiggle room, and that will be that. The spam calls won’t stop and the calls will still be delivered, unauthenticated, because they’re “in the mitigation database”. (Details on getting in the database here: https://www.fcc.gov/sites/default/files/rmd-instructions.pdf)

@louisdi is correct. This won’t work. Alas.

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.