We’re sure you’ve received at least one robocall in the last month.
Right?
They are everywhere, interrupting family dinners, and your silent Sunday morning routine. Even your company phone number gets them. Or, worst of all, your customers get suspicious robocalls using your company’s name that compromises your public image.
They look like legit phone calls, so you’re never sure if a real person is trying to reach you, if it’s a scam, another robot offering something you have no interest in or luring your customers into a scam.
So what to do?
VoIP providers, traditional telecom companies and the government teamed up to help by creating a system that authenticates telephone numbers before a call is received.
Phone number authentication is a big deal because it validates the ID of the original caller. This technology is called STIR/SHAKEN, and complying to it is mandatory in the United States.
Let’s learn more about how this regulatory technology work and how it combats ID spoofing and robocalls, and, also, how it affects your business communications.
What is STIR/SHAKEN?
First things first. STIR/SHAKEN is a combination of two acronyms:
- STIR = Secure Telephone Identity Revisited
- SHAKEN = Signature-based Handling of Asserted Information Using ToKENs
STIR/SHAKEN is a set of industry protocols that helps verify a caller’s identity by confirming they’re authorized to use the phone number they’re calling from.
When a call is placed, the provider attaches a digital signature to confirm the level of confidence they have in that particular call. This information travels with the call so the receiving provider can check its authenticity, helping to filter out calls like scams or robocalls before they reach the recipient.
This process assists call recipients in protecting themselves against caller ID spoofing, maintaining their trust in the phone service.
When we talk about Voice over Internet Protocol, STIR/SHAKEN uses the Session Initiation Protocol (SIP) header to validate VoIP calls and transmit the authentication certificate.
How does STIR/SHAKEN work?
STIR/SHAKEN employs digital certificates and public key cryptography to confirm that the displayed calling party matches the actual source of the call.
To better understand how this works, let’s look at each protocol separately:
H4: STIR: Secure Telephone Identity Revisited
STIR operates within VoIP networks. When a call is initiated, the originating service provider assesses the call’s source and assigns an attestation level:
- Full Attestation (A): The provider has authenticated the caller and can confirm they are authorized to use the calling number.
- Partial Attestation (B): The provider has authenticated the caller but cannot verify their authority to use the calling number.
- Gateway Attestation (C): The provider has authenticated the source of the call, but has no relationship with the originator.
This information is encapsulated in a digital signature, known as a PASSporT (Personal Assertion Token), which is attached to the call’s SIP identity header.
SHAKEN: Signature-based Handling of Asserted Information Using toKENs
SHAKEN provides guidelines for how service providers should handle and verify these digital signatures across their networks. When a call reaches the terminating provider, they use the originating provider’s public key to decrypt the PASSporT and verify the call’s authenticity.
Depending on the verification result, the call can be:
- Delivered with a verification indicator.
- Marked as potential spam or spoofed.
By verifying the caller’s identity, terminating providers can label or block calls accordingly, therefore offering end users more transparency and helping prevent suspicious activity.
Is STIR/SHAKEN compliance mandatory?
Yes, if you are a reseller or business owner that owns and uses U.S. phone numbers. If you are a U.S. telephony provider or use U.S. phone numbers for outbound calls (which can be quite common for call centers and VoIP resellers), it is mandatory that you comply with STIR/SHAKEN.
Regulation was made mandatory in 2021 for large carriers and in 2022 for small and rural carriers as a response to the rise in robocalls all over the U.S. In December 2023, for example, Americans received over 3 billion robocalls—almost 17 spam calls per person.
That’s a lot, right?
It also explains why the FCC, the U.S.’ Federal Communications Commission, releases updates regarding STIR/SHAKEN regulations frequently, to keep up with increased call spoofing and robocalls.
Let’s take a look at what’s new for 2025.
STIR/SHAKEN 2025: What’s new
As mentioned before, the FCC has announced new requirements under its Eighth Report and Order. These updated rules impact voice service providers that resell VoIP services in the U.S. and are set to go into effect on June 20, 2025.
The biggest takeaway is that providers with a STIR/SHAKEN implementation requirement should no longer rely on its upstream, as per June 20th, 2025, to sign calls on their behalf.
Providers will also need to update their Robocall Mitigation Plan in FCC’s Robocall Mitigation Database to explain what are their actions related to robocalls, even if they don’t have an obligation for STIR/SHAKEN implementation.
The FCC emphasizes that all providers, regardless of their STIR/SHAKEN implementation status, must properly certify their position:
“Currently, all voice service providers, all gateway providers, and certain non-gateway intermediate providers are required to implement STIR/SHAKEN in the IP portions of their networks unless subject to an implementation extension.”
What does this mean for you?
If you are a VoIP reseller subject to STIR/SHAKEN requirements, you will need to take the following steps:
- Update your Robocall Mitigation Plan in the FCC’s database by the June 20, 2025 deadline, clearly stating whether you’ve fully, partially, or not implemented STIR/SHAKEN, and why.
Even if you are not currently obligated to implement STIR/SHAKEN, updating your mitigation plan is still highly recommended to remain compliant and transparent with FCC expectations.
| NOTE: Remember that, as a reseller, you will need to assign attestations for your customers’ outgoing calls, meaning you need to be sure of your customer’s information before signing their call with a certificate. If you cannot validate that the caller ID is owned by your customer, you have to assign it a lower attestation. Non-compliance to STIR/SHAKEN can result in legal and financial penalties, from fines to cease-and-desist orders from the FCC. |
Type of calls STIR/SHAKEN mitigates
Ok, let’s get into the specifics of what STIR/SHAKEN protocols can do. As we mentioned before, this is a framework designed to combat caller ID spoofing by verifying the authenticity of phone calls.
It helps remediate and reduce various types of suspicious calls by ensuring that the displayed caller ID matches the actual source of the call.
Here are some common types of calls STIR/SHAKEN aims to address:
- Phishing
- Robocalls
- Vishing
- Tech support scams
Phishing
Phishing calls involve scammers impersonating legitimate organizations (like banks or government agencies) to trick individuals into revealing sensitive information, such as passwords or credit card numbers.
By authenticating caller ID information, STIR/SHAKEN makes it more difficult for attackers to spoof trusted numbers, thereby reducing the effectiveness of phishing attempts.
Robocalls
Robocalls are automated calls that deliver pre-recorded messages, often used for telemarketing or scams.
STIR/SHAKEN helps reduce robocalls by allowing service providers to certify whether they can confirm a call is truly coming from the number it claims to use.
When a call is passed with a lower certification, terminating providers may choose to flag it as spam or block it entirely, depending on their policies. This extra layer of validation improves the chances of keeping robocalls out of consumer inboxes.
Vishing
Vishing, short for “voice phishing”, is a type of scam where attackers use phone calls to deceive individuals into providing personal or financial information.
These calls often appear to come from trusted sources due to caller ID spoofing. STIR/SHAKEN combats vishing by ensuring that the caller has the right to pass caller ID information, otherwise the call will be signed with a lower certification, making it easier for individuals to identify and avoid fraudulent calls.
Tech support scams
In tech support scams, fraudsters pose as technical support agents from reputable companies, claiming that the victim’s computer has issues that need immediate attention. They may request an update on software, remote access or payment for unnecessary services.
STIR/SHAKEN helps prevent these scams by providing the correct certification for the caller’s number, making it harder for scammers to impersonate trusted organizations.
Want to stop receiving spam calls on your VoIP.ms phone number? Take a look at this tutorial:
Benefits of STIR/SHAKEN
You might feel like you know this already, but let’s remember the benefits of STIR/SHAKEN not only for the final consumer, but also for your business.
- Reduces spam and robocalls: By flagging or blocking this type of call, STIR/SHAKEN make communications system more reliable and secure. Voice service providers monitor traffic patterns and identify suspicious robocalling, allowing you to take appropriate actions.
- Caller IDs become trustworthy: Thanks to these regulations, you now know the calls you’re getting are from legitimate callers, and can prioritize them over spam.
- Makes fraud more difficult: Many times, fraudulent calls leads to financial losses. With STIR/SHAKEN, fraudsters have to spend additional effort trying to source verified caller ID.
- Business calls are more successful: Because of the call authentication process, chances of potential clients and customers picking up calls increase.
Why use authenticated numbers for outbound calling?
Implementing authenticated numbers in your outbound calling strategy is crucial for
- Ensuring compliance,
- Enhancing your company’s reputation,
- And increasing call answer rates.
Here’s how:
Compliance with regulations
As a business owner or VoIP reseller, The FCC mandates the implementation of STIR/SHAKEN protocols to combat caller ID spoofing and reduce suspicious calls.
By authenticating your outbound calls, you adhere to these regulations, demonstrating your commitment to lawful communication practices and protecting your business from potential legal and financial repercussions.
Improved company reputation
Authenticated calls display verified caller ID information, which helps build trust with your customers since you now have certificate authority.
When recipients see that a call is from a confirmed source, they are more likely to engage positively— a.k.a., they’re prone to picking up.
This transparency not only fosters trust but also enhances your brand’s credibility and reputation in the market.
Increased call answer rates
Calls from authenticated numbers are less likely to be marked as spam or fraudulent by carriers and call-blocking apps. This increases the likelihood that your calls will reach the intended recipients and be answered.
And, as you can imagine, higher answer rates lead to more successful customer interactions and can significantly improve your outreach efforts.
Stay compliant with VoIP.ms
VoIP.ms is fully compliant with the new STIR/SHAKEN stipulations and continues to sign outbound calls from U.S. phone numbers using its own certificate.
As a business, you still need to ensure you are compliant with the FCC, but you can be ahead of the curve by opting for a reliable VoIP provider that’s served over 100,000 customers worldwide with their telecommunications needs.
STIR/SHAKEN FAQ
Don’t see a question you need answered? Ask it directly to our Sales Team!
1. What is robocalling and number spoofing?
Robocalling refers to the use of automated dialing systems to deliver pre-recorded messages. While some robocalls are legal (like those from schools or healthcare providers), many are used for scams or unauthorized telemarketing regardless of your phone company.
Number spoofing occurs when a caller deliberately falsifies the information transmitted to your caller ID to disguise their identity, often impersonating a local or trusted number to increase the chance of the call being answered.
2. What does an attestation rating of a call mean?
Under the STIR/SHAKEN solution, each call receives an “attestation level” that indicates how confidently the originating provider can verify the caller’s identity and their right to use the number:
- Full Attestation (A): The provider knows the caller and confirms they are authorized to use the calling number.
- Partial Attestation (B): The provider knows the caller but cannot verify the number’s ownership.
- Gateway Attestation (C): The provider is simply passing the call through and cannot verify the source.
These ratings help downstream providers and call-blocking tools assess whether a call is trustworthy.
3. How does STIR/SHAKEN help reduce robocalls?
STIR/SHAKEN works by cryptographically assigning incoming calls with a certificate that says they are from the number it claims to originate from. When calls are authenticated and receive a high attestation level, recipients and carriers can trust that the caller ID is confirmed.
When calls can’t be verified or receive lower attestation ratings, they may be flagged, blocked, or sent to voicemail. This system significantly reduces the success rate of suspicious robocalls and helps rebuild consumer trust in answering phone calls.