A plain-English explanation of the STIR/SHAKEN call authentication system and what it means for stopping spam calls.
Before STIR/SHAKEN, the phone network had no mechanism to verify whether a caller was authorized to display a specific number on caller ID. The technology underlying phone calls — particularly VoIP (Voice over Internet Protocol) systems — allowed anyone to specify any phone number in the caller ID field, including numbers belonging to government agencies, banks, or other trusted organizations. Scammers exploited this extensively: IRS impersonators displayed "800-829-1040" (the actual IRS helpline), bank impersonators displayed their target's bank's actual customer service number, and Social Security Administration impersonators displayed numbers that appeared to originate from SSA offices in Washington DC. The displayed number was literally meaningless as an authentication signal — it told you what the caller wanted you to think, not who was actually calling.
The scale of spoofing-based scam calls was enormous. YouMail's data shows that the peak year for neighbor spoofing (where scammers displayed numbers matching the recipient's local area code and prefix) was 2018-2019, when hundreds of millions of such calls were placed monthly. The FTC's imposter scam losses — the category most dependent on spoofed caller ID — peaked at over $2 billion annually in that same period. The problem wasn't just consumer harm; it was also undermining trust in the phone network itself. Answer rates for unknown numbers fell from approximately 60% in 2015 to below 40% by 2020, because consumers learned that caller ID information was unreliable. Legitimate businesses making real calls to real customers found their calls going unanswered because consumers had stopped trusting caller ID.
The FCC mandated implementation of STIR/SHAKEN for large US carriers by June 30, 2021, with extended deadlines for smaller carriers. The mandate came after years of industry discussion, voluntary compliance that moved too slowly, and passage of the TRACED Act (Telephone Robocall Abuse Criminal Enforcement and Deterrence Act) in December 2019, which gave the FCC explicit Congressional authority to require caller ID authentication. The FCC's implementation order (FCC 20-42) required all voice service providers to implement STIR/SHAKEN or adopt an approved alternative robocall mitigation program. This regulatory mandate transformed STIR/SHAKEN from an industry best practice to a legal requirement for US carriers.
STIR/SHAKEN works like a digital signature system for phone calls — conceptually similar to the digital certificates that identify websites in a browser. When you visit "https://bankofamerica.com" and see the padlock icon, your browser has verified a digital certificate proving that the website is actually operated by Bank of America, not by someone who purchased a domain that looks similar. STIR/SHAKEN provides an analogous verification for phone calls: when a call is placed, the originating carrier (the carrier the caller uses) digitally signs the call with a certificate proving it has authenticated the caller's right to use the displayed number. The receiving carrier (your carrier) verifies this digital signature before delivering the call to your phone.
The signing process uses public-key cryptography: each carrier has a private signing key (kept secret) and a public verification key (shared publicly). When carrier A places a call, it signs the call's identity information (the calling number, the called number, the time) using its private key. Carrier B, receiving the call, uses carrier A's public key (obtained from a central certificate authority) to verify the signature. If the signature is valid, carrier B knows that carrier A actually signed this call — meaning carrier A is claiming this call originated from someone authorized to use the displayed number. If the signature is invalid or missing, carrier B knows the call either didn't pass through carrier A or was tampered with.
What consumers see is the result of this verification — a "Verified" indicator (a checkmark, a shield, or a "Verified Call" label) on supported devices when a call passes STIR/SHAKEN with full attestation. On iPhone with iOS 15+, verified calls display with a green circle and "Verified" text. On Android with the Google Phone app, verified business calls may display with a verified business icon. These indicators tell you that the originating carrier has confirmed the calling party is authorized to use the displayed number — not that the call is necessarily from a trustworthy person, but that the caller ID information is not spoofed. A verified call from a scam operation that registered actual numbers would still show as verified, which is why STIR/SHAKEN is a necessary but not sufficient protection against phone fraud.
The verified checkmark (or equivalent indicator on your device) has a specific and limited meaning. It means: the carrier that originated this call has cryptographically attested that the calling party is authorized to use the phone number displayed on your caller ID. It does NOT mean: the caller is who they say they are, the call is from a legitimate business or government agency, the call is not a scam, or the caller has good intentions. The distinction is important because the most common misunderstanding about STIR/SHAKEN is that verified calls are "safe." A scammer who registers legitimate phone numbers through a compliant carrier and uses those numbers for scam calls will generate fully verified (A-level attested) calls that display the checkmark.
The three attestation levels represent different levels of verification confidence. Full attestation (A level, represented by the strongest verified indicator) means the carrier confirmed: (1) the calling party is a known customer of the carrier, (2) the calling party is authorized to use the specific number displayed. This is the strongest guarantee — the carrier has done the most verification. Partial attestation (B level) means the carrier confirmed the call originated from its network and the calling party is a known customer, but the carrier didn't specifically verify the calling party's authorization to use the specific number displayed. Gateway attestation (C level) means the call entered the US network from an external or untrusted source — the carrier at the US entry point can only verify the call came through a certain gateway, not the ultimate origin. Most scam calls from overseas receive C-level attestation or no attestation.
From a consumer decision standpoint: a call with no STIR/SHAKEN verification should be treated with heightened skepticism — it may have originated from an unimplemented carrier, an international source, or be a spoofed call. A call with C-level attestation similarly indicates unverified origins. A call with A-level attestation indicates the carrier has done the most thorough verification, which reduces the probability of spoofing but doesn't eliminate the possibility of fraud from legitimately-registered numbers. The verification indicator is best used as one input into overall call trust assessment, combined with knowledge of who might be calling you (are you expecting a call from this type of organization?) and the content of the call (does the request or claim make sense?).
STIR/SHAKEN has real and significant limitations that prevent it from being a complete solution to robocalls and phone fraud. The most fundamental: it only covers US domestic calls between carriers that have implemented the standard. International calls — which represent a significant portion of scam traffic originating from India, the Caribbean, West Africa, and other regions — arrive at US networks from foreign carriers without STIR/SHAKEN signatures. These calls receive C-level attestation at best, which doesn't prevent them from completing — it just flags them as unverified. Consumers and carrier filtering systems still must decide what to do with unverified calls, and the threshold for blocking unverified calls without false positives for legitimate international calls (family calls from abroad, business calls from global companies) is difficult to calibrate.
Small and rural carriers have had implementation challenges. The FCC granted extensions to carriers with fewer than 100,000 subscribers, and some of these small carriers — which serve rural markets — have been slow to complete implementation. Calls transiting from a small unimplemented carrier to a large implemented carrier may receive lower attestation levels than the call quality deserves. The FCC's robocall mitigation database (fcc.gov/robocall-mitigation-database) lists the mitigation plans filed by carriers that haven't implemented STIR/SHAKEN — carriers on this list are subject to additional monitoring requirements, but full enforcement against small non-compliant carriers is ongoing.
The most significant structural limitation: STIR/SHAKEN doesn't prevent scammers from registering legitimate phone numbers and placing calls from those registered numbers. As STIR/SHAKEN has become more widespread, industry analysts at TransUnion and YouMail have noted a shift in scam operations toward registered number ranges — acquiring actual accounts with carriers rather than spoofing numbers they don't own. The verified call indicator is being "earned" legitimately to avoid spam filters. This adaptive response means the total volume of spoofed calls has decreased while the share of scam calls using legitimately-registered numbers (which generate full attestation) has increased. STIR/SHAKEN solves the spoofing problem more effectively than the fraud problem, and complementary tools (behavioral call analytics, consumer education, enforcement against complicit carriers) are necessary alongside it.
The evidence for STIR/SHAKEN's impact is positive but modest. YouMail's data shows that neighbor spoofing — where scammers display numbers matching the recipient's area code and prefix — declined approximately 30-40% in the two years following STIR/SHAKEN's June 2021 mandate. TransUnion's annual Telco Fraud Report corroborates this with similar estimates for spoofed call reduction. The reduction is most pronounced for calls between large carriers where both originating and terminating carriers have full STIR/SHAKEN implementation.
Total robocall volume has not declined proportionally to the reduction in spoofed calls. The 2025 total of approximately 47 billion calls represents only a modest decline from the 2019 peak of 58.5 billion, and a significant portion of that decline predates STIR/SHAKEN and is attributable to increased carrier-level filtering using behavioral call analytics. The most aggressive estimate of STIR/SHAKEN's contribution to total call reduction is 15-20%; most analysts attribute 70-80% of any reduction to complementary filtering technologies that use behavioral patterns (call rate, number age, destination patterns) rather than attestation. STIR/SHAKEN is most effective at identifying specific types of calls (spoofed numbers) and least effective against the adaptive response of scammers who legitimately register numbers.
Industry consensus is that STIR/SHAKEN is necessary but not sufficient. The FCC's 2024 and 2025 enforcement actions against "gateway providers" — wholesale VoIP carriers that knowingly pass scam traffic — represent the complementary enforcement strategy. By targeting the infrastructure through which scam calls enter the US network, rather than individual scammers (who are difficult to prosecute when located overseas), the FCC addresses the supply chain of scam calling. Transaction Network Services (TNS) and Neustar (now TransUnion) provide carrier-level call analytics that identify scam call patterns independent of STIR/SHAKEN attestation — these behavioral analytics tools are driving the most significant reductions in spam calls reaching consumers as of 2026.
RELATED GUIDES
LOOKUP BY AREA CODE