The Next Steps in Robocall Mitigation

How to fight the security risks that robocalls bring.

January 18, 2023

The FCC’s STIR/SHAKEN framework represents significant progress, but billions of robocalls continue to create risk. The industry must now implement further measures, such as reputation scoring, to reduce the incidence of fraudulent calls, says Jamie Gibson, VP of technology and sales engineering at Ribbon.

Despite the best efforts of the Federal Communications Commission, robocalls continue to be a bane—and a risk—of everyday life for millions of people. YouMail tracked more than 3.8 billion robocalls to Americans in July 2022 alone, bringing the U.S. yearly total at that point comfortably over 30 billion.

For many people, the calls may be a nuisance, but they are also a cheap, persistent way for fraudsters to get a foot in the door. Fraudulent robocalls are projected to cost consumers $40 billion globally this year, up from $31 billion in 2021. Calls can, for example, spoof voice messaging to gain access to a victim’s voice messages or spoof credit card validation services in search of financial information. They can pose as banks, the IRS or other legitimate enterprises to steal information or cash. Robocall operators also frequently target hospitals, where calls can flood networks with denial-of-service attacks or deliver targeted phishing and vishing schemes that can disrupt patient care and put lives at risk.

The wireless industry and the Federal Communications Commission have taken steps in recent years to combat robocalls, with some success. The FCC, for example, has instituted several programs, such as helping medical facilities to adopt the Hospital Robocall Protection Group’s (HRPG) best practices as part of implementing the Telephone Robocall Abuse Criminal Enforcement and Deterrence (TRACED) Act.

But the most significant effort is the STIR/SHAKEN framework, which requires carriers and other voice service providers to digitally authenticate phone numbers to prevent illegal spoofing. Major carriers and other providers implemented STIR/SHAKEN mandates last year, taking steps to ensure that robocalls didn’t originate in their networks. AT&T, for example, said it was blocking 1 billion robocalls a month, and carriers such as T-Mobile, Verizon, Comcast and AT&T are sharing information about the calls.

But as the recent numbers show, it’s not enough. It’s time for robocall mitigation efforts to take the next step.

The Limits of STIR/SHAKEN

The STIR/SHAKEN framework really took hold in 2021, as major carriers and most others implemented the protocols and procedures to meet a June 30 deadline set by the FCC. Gateway providers, which offer the entry point for foreign calls, and facilities-based small service providers have until June 30, 2023.

The framework’s 007-esque acronym combines the technical protocol Secure Telephone Identity Revisited (STIR) and the governance framework Signature-based Handling of Asserted Information Using toKENs (SHAKEN), the latter covering the United States and Canada. Its standards and protocols allow for calls carried over IP networks to be authenticated and verified. Caller IDs are signed by the originating carrier and verified by other carriers as they move through interconnected networks, so the provider of the consumer who receives a call can verify that the number displayed on the customer’s phone is legitimate.

By making it very likely that calls are coming from a valid source, STIR/SHAKEN thwarts the ability of robocallers to spoof calls for fraudulent purposes. Caller ID authentication, when effectively implemented, gives subscribers a high level of confidence that the caller is who they present themselves to be while also allowing law enforcement and consumers to more easily identify illegal calls.

But putting an end to illegal robocalls altogether isn’t that simple. For starters, not all robocalls are illegal. Political calls, appointment reminders from healthcare providers and calls from charities are among the automated calls featuring a prerecorded voice (often a telltale sign of fraud) that are allowed. Allowing one type of call while prohibiting the other can be complex.

Beyond caller ID, providers need to take defenses to the next level, incorporating factors such as the caller’s reputation and the trust context surrounding the call.

Consider the Source and Its Reputation

A next-generation solution would take an analytics-based approach to creating “reputations” for callers and establish a trust context, which examines information on a call’s origins and how it enters the service provider’s network in order to measure how well they match.

Reputation scoring uses machine learning models to analyze calls, assigning each call a score along with guidance on how to validate it, as part of a process that adapts to the type of call. It’s a way to assess a caller’s likely intent, somewhat similar to how FICO scores measure credit risk.

In a simple scenario, a spoofed number that is unallocated, unused, invalid or appears on a Do-Not-Originate list will be easily identified as illegal and blocked at the originating switch.

However, when a robocall operator spoofs a valid number, the scoring solution analyzes the call against standard calling patterns. If the analysis detects signs that the call is likely to be malicious, it will tell the originating switch to block the call. Some calls are less clear cut, such as those from a known subscriber via a peering partner or unknown subscribers from an international carrier. The analysis has to be thorough to avoid the possibility of blocking a call from a valid source or letting a malicious call proceed.

Analytics and reputation scoring support putting calls into a trust context, which is built on knowing the location of the call’s origin (and any other information about the originator), where the call enters the network, and how it gets to the network of the provider delivering the call.

For example, a call from a known subscriber on a local network is very likely to be trustworthy and should always be verified. If a call from that same phone number enters via another carrier, however, it is most likely spoofed and should be blocked.
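
The decision flow described in the preceding paragraphs, sketched as an added example (not code from the article or from Ribbon). The number lists, trunk names, feature weights and the 0.7 threshold are constructed assumptions, and `pattern_risk` is a hand-written stand-in for the machine learning model, which the article does not specify.

```python
from dataclasses import dataclass
from typing import Tuple

# Constructed sample data (illustrative assumptions, not real lists).
DO_NOT_ORIGINATE = {"+18005550100"}               # inbound-only numbers
ALLOCATED_PREFIXES = ("+1919555", "+1800555", "+1202555")  # ranges treated as assigned
HOME_SUBSCRIBERS = {"+19195550123"}               # numbers served on our own network
LOCAL_INGRESS = "local-access"                    # hypothetical name of the local trunk

@dataclass
class Call:
    caller: str            # asserted caller ID (E.164)
    ingress: str           # trunk on which the call entered the network
    calls_last_hour: int   # recent attempts seen with this caller ID
    avg_duration_s: float  # mean duration of those attempts, in seconds

def pattern_risk(call: Call) -> float:
    """Toy calling-pattern score: 0.0 (ordinary) to 1.0 (robocall-like)."""
    volume = min(call.calls_last_hour / 500.0, 1.0)   # unusually high volume
    short = 1.0 if call.avg_duration_s < 10 else 0.0  # hang-ups within seconds
    return 0.6 * volume + 0.4 * short

def decide(call: Call, block_at: float = 0.7) -> Tuple[str, str]:
    """Return (verdict, reason) for one call attempt."""
    # 1. Simple scenario: the number can never legitimately originate a call.
    if call.caller in DO_NOT_ORIGINATE:
        return "block", "do-not-originate"
    if not call.caller.startswith(ALLOCATED_PREFIXES):
        return "block", "unallocated-or-invalid"
    # 2. Trust context: does the claimed origin match the path into the network?
    if call.caller in HOME_SUBSCRIBERS:
        if call.ingress == LOCAL_INGRESS:
            return "allow", "home-subscriber-local-ingress"
        return "block", "home-number-foreign-ingress"
    # 3. Valid number, unknown subscriber: fall back to the calling-pattern score.
    risk = pattern_risk(call)
    verdict = "block" if risk >= block_at else "allow"
    return verdict, f"pattern-risk={risk:.2f}"
```

Returning the reason alongside the verdict lets an operator audit which rule fired when tuning the threshold against false blocks.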

An approach that can deliver refined robocall mitigation would be highly scalable, with a range of identity assurance services, and include features such as configurable and dynamic machine learning models, open APIs to handle real-time queries and open data integration, to name a few.

Building on STIR/SHAKEN

STIR/SHAKEN is a significant advance in the ongoing battle against illegal robocalls, but it is not the final step, as the billions of robocalls continue to prove. Caller ID authentication and the protocols and procedures of the framework have made progress and laid the groundwork for further efforts.

But it is now up to the telecommunications industry, working together, to further improve how calls are identified, analyzed and either validated or blocked. Call analytics, reputation scoring and trust context add precision to authenticating calls. Implementing these measures can help considerably in restoring trust. And the industry must continue to work together and share ideas on decreasing fraudulent calls, which remain one of the market’s biggest challenges.

Jamie Gibson

VP of Technology and Sales Engineering, Ribbon

Jamie Gibson is Vice President of Technology and Sales Engineering for Ribbon Communications. He is currently responsible for leading technical customer engagements and managing a team of sales engineers in support of Ribbon’s customers across the United States. Jamie has more than 25 years of experience in the telecommunications industry, including wireline, wireless, optical and enterprise. He has previously served in various senior leadership roles in R&D, systems engineering and product sales at BNR, Nortel and GENBAND. He holds a Bachelor of Science in Electrical Engineering from Virginia Tech and an MBA from North Carolina State University.