Perhaps you’ve received a phone call warning you that IRS agents are on the way to your door. You can still avoid six months in the slammer by making a prompt payment of $5,000 in bitcoin or gift cards from the local mall. The fake IRS call is only one of myriad annoying, if not frightening, robocall scams operating today.
“Where did this evil come from?” asks Katherine Bindley in The Wall Street Journal. Today’s robocall with a spoofed caller ID, she writes, traces its roots back to legitimate businesses operating multiple phone lines with a single caller ID. No matter which employee called you over which of multiple lines, caller ID would tell you your bank or pharmacy, for example, was calling. Unfortunately, now, any crook with access to the Internet can set up a mini call center that auto-dials numbers and spoofs caller IDs—perhaps indicating a call is coming from a friend, or at least a local exchange.
Of course, knowing where the evil is coming from isn’t sufficient to stop it. “There is no silver bullet,” Bindley writes.
However, she adds, “With caller ID basically broken, developers have proposed a call-certifying protocol (known as STIR) and guidelines for implementing it (known as SHAKEN).” STIR (Secure Telephony Identity Revisited) is an IETF standard, while SHAKEN (Signature-based Handling of Asserted information using toKENs) is an ATIS and SIP Forum specification developed in an effort to efficiently implement STIR. “The SHAKEN framework provides guidance for service providers to implement STIR,” according to ATIS. “Together, STIR/SHAKEN will offer a practical mechanism to provide verified information about the calling party as well as the origin of the call—what is known as “attestation”—for the first time in the network.”
Bindley writes that with STIR/SHAKEN, “…an originating phone carrier could check that a caller has the right to use a number and create a digital fingerprint for the call. The carrier on the receiving end could verify that nothing was messed with in transit.” She quotes Jim McEachern, a principal technologist with ATIS, as saying the technologies don’t say that a call is coming from a specific number—only that the caller is entitled to use that number, harking back to the days when a legitimate business would use a single caller ID across multiple wirelines.
Calles with spoofed IDs would still get through, although carriers could flag them as unverified. The carrier I use, T-Mobile, already appends a “Scam Likely” tag to the IDs of many incoming calls.
Bindley quotes McEachern as saying serious robocall relief through STIR/SHAKEN may be two to five years off. She also quotes Matthew Berry, chief of staff at the FCC, as saying, “We are optimistic it will have an impact but again, this alone is not going to solve the problem.”
In another initiative, put in place last November, the FCC adopted rules allowing carriers to block calls from area codes that don’t exist, numbers that aren’t assigned to anyone, and entries on a “Do Not Originate” list. Bindley quotes Berry as saying these rules had been effective is stopping IRS scammers, although Bindley suggests that the scammers have been adapting.
Meanwhile, advises Bindley, “When you get a robocall, hang up.” In addition, add yourself to the FTC’s Do Not Call Registry and file robocall complaints. You can also take advantage of any robocall-avoidance services your carrier might offer, or try third-party call-blocking apps like Nomorobo or Hiya.
