Fighting Spam With STIR/SHAKEN
Implementing STIR/SHAKEN and call attestation was essential to help fight phone scammers. However, many in the telecom community remain concerned that scammers can still exploit call technology for their financial benefit. Rich call data (RCD) may answer some of the current system's weaknesses, but RCD has some limitations.
Those in the industry are now discussing the need for a third party to audit rich call data at the termination provider to prevent brand spoofing. Protecting your caller ID is a work in progress.
What is Brand Spoofing?
Brand spoofing occurs when a scammer targets your brand via email, SMS, or phone calls to perform malicious acts. These communications seem authentic, so they are often very effective in gathering sensitive personal and financial information. They may use your logo, reference current employees, or offer other personal information about your brand to fool consumers.
Sadly, brand spoofing has been on the rise. One prime example of this fraud is a robocall that spoofs a legitimate caller ID. This method gives scammers more power by bestowing an air of legitimacy on their calls. Other scams are also widespread. For instance:
- 58% of consumers have reached a spoofed website using search engines.
- 56% of consumers have reached a spoofed website using social media.
- 55% of consumers have been directed to a fake website from a phishing email.
These fraudsters can easily trick even careful consumers.
What is Rich Call Data?
Rich call data (RCD) relays a calling party's information through SIP headers in the STIR/SHAKEN framework. This system has the potential to enhance the displays of caller IDs by including:
- Authenticated name and number of the incoming caller.
- Incoming caller's business logo.
- Organization type such as hospitals, non-profits, etc.
- Originating location of the call.
- Reason for the call such as a healthcare update or customer service.
RCD data is part of the SHAKEN identity token. It has a digital signature created by the oversight infrastructure, which helps ensure that the information is accurate.
The implementation of rich call data may make enhanced caller ID services obsolete. RCD can be a powerful branding tool for your business when contacting customers since it can display your logo, company name, department, and intent of the call.
How Can Scammers Exploit Rich Call Data?
Industry analysis shows that attestation ratings are not always accurate, and call spoofing is still occurring at a frightening rate. These findings demonstrate inconsistencies in how STIR/SHAKEN information is being analyzed and that the system still needs improvement.
This analysis leads to the question, "If RCD replaces the CNAM way of relaying caller ID information, what's to stop a scammer from exploiting RCD as well?" Bad actors could spoof your phone number, logo, and other branded information on a scam call with RCD caller ID. This fraud could lead to devastating consumer losses and a tarnished business reputation.
What Solutions Exist?
RCD is a promising development, but its use is not widespread. Currently, RCD has been tested but isn't being used publicly. When RCD is operational, the originating service provider verifies its caller and transmits this information to the consumer. Many experts want to strengthen RCD by including an additional audit by a third party when the terminating service provider receives the data.
Third Party Audits
In theory, the SIP header should contain accurate caller ID information if the origination is verified. However, can the terminating service provider trust the vetting services of the originating service provider? In some cases, the answer is no. This is why some have proposed a third-party audit at the terminating service provider.
Adding this additional check makes the process more secure for consumers. However, it also means the third-party auditor will need to query the RCD data, making it similar to how CNAM data is currently displayed.
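The audit described above can be pictured as a check run at the terminating side, shown here as an added Python example that is not from the original article. It assumes the token's signature and certificate chain were already verified, uses the `rcd`/`nam` and `crn` claim names from the IETF PASSporT rich call data extension, and the registry, brand name, numbers and placeholder signature are all constructed.

```python
import base64
import json

# Hypothetical auditor registry (constructed): vetted brand name -> numbers it may call from.
VETTED_BRANDS = {"Example Health Clinic": {"12025550101", "12025550102"}}

def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_identity(claims: dict) -> str:
    """Build a constructed Identity header value; the signature is a placeholder."""
    header = {"alg": "ES256", "ppt": "shaken", "typ": "passport",
              "x5u": "https://cert.example.org/sp.pem"}
    token = ".".join([_b64url_encode(header), _b64url_encode(claims), "c2ln"])
    return f"{token};info=<{header['x5u']}>;alg=ES256;ppt=shaken"

def parse_identity(value: str) -> dict:
    """Return the identity token claims carried in a SIP Identity header value."""
    token = value.partition(";")[0].strip()
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("Identity header does not carry a three-part token")
    return json.loads(_b64url_decode(parts[1]))

def audit_rcd(claims: dict, registry: dict) -> list:
    """Compare the asserted brand name with the numbers vetted for that brand."""
    rcd = claims.get("rcd")
    if not isinstance(rcd, dict) or not rcd.get("nam"):
        return ["no rich call data name to audit"]
    findings = []
    if claims.get("attest") != "A":
        findings.append("rich call data sent without full attestation")
    allowed = registry.get(rcd["nam"])
    orig_tn = claims.get("orig", {}).get("tn")
    if allowed is None:
        findings.append("brand name is not in the vetted registry")
    elif orig_tn not in allowed:
        findings.append("calling number is not registered to this brand")
    return findings

def sample(tn: str) -> str:
    """Constructed header: full attestation, fixed brand name, caller number tn."""
    return make_identity({"attest": "A", "dest": {"tn": ["12025550199"]}, "iat": 1700000000,
                          "orig": {"tn": tn}, "origid": "00000000-0000-4000-8000-000000000000",
                          "rcd": {"nam": "Example Health Clinic"}, "crn": "Appointment reminder"})

if __name__ == "__main__":
    for tn in ("12025550101", "12025550177"):
        print(tn, audit_rcd(parse_identity(sample(tn)), VETTED_BRANDS))
```

The second sample carries full attestation and the vetted brand name, yet the audit still flags it because the calling number is not one registered to that brand.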
Monitor Your Call Data
Until RCD is widely implemented, businesses should adopt practices to better monitor their phone numbers and call data. You should check your outgoing calling numbers frequently for flags. You must carefully purchase and manage your lead lists to ensure they don't contain outdated information. By doing so, you can detect spoofing attempts, and any other issues resulting in flagged or blocked calls, early. When you spot these problems, you can quickly take action to mitigate the negative effect on your sales and your company's reputation.