Caller-ID spoofing has become one of the most prevalent forms of telecommunications fraud, enabling scammers, robocallers, and malicious actors to disguise their identity and trick users into answering unwanted or dangerous calls. In 2025, billions of spoofed calls are still placed globally each year, costing consumers and businesses billions in losses and eroding trust in the phone system.
Caller-ID spoofing occurs when the originating caller manipulates the “From” or “Caller-ID” field in SIP (Session Initiation Protocol) signaling or SS7 signaling to display a false number—often a trusted local number, a bank, or a government agency. This exploits the trust users place in familiar numbers, leading to phishing (vishing), IRS scams, bank fraud, and one-ring scams. Traditional defenses like CNAM (Caller Name) databases and call-blocking apps are reactive and easily bypassed, making a cryptographic, network-level solution essential.
Background
Modern U.S. mobile operators use a combination of their LTE core network and IMS (IP Multimedia Subsystem) infrastructure to implement real-time call screening. In the LTE Evolved Packet Core (EPC), components like the Mobility Management Entity (MME) and Home Subscriber Server (HSS) provide the foundation for connectivity and subscriber data. The MME is the primary control-plane node in the EPC, managing user attachment, mobility, and session setup. The HSS is a centralized database of subscriber profiles (including service subscriptions and settings) and also handles subscriber authentication and authorization. These core elements ensure that a user’s device is reachable for incoming calls (for example, the MME coordinates device paging and bearer setup when a call arrives) and that the device is registered to the IMS for voice service.
The IMS/VoLTE architecture sits on top of the EPC and handles call signaling and media over IP. Key IMS components include the Call Session Control Functions (CSCF) – notably the Serving-CSCF (S-CSCF), which knows a user’s subscription and determines what application services apply to their calls. When a VoLTE call is incoming for a subscriber, the S-CSCF (in conjunction with the HSS) routes the call to that user’s device and can invoke application servers based on the user’s profile. This is critical for call tagging: the operator can configure an IMS Telephony Application Server (TAS) to perform spam screening as part of the call setup. In short, the LTE/EPC core (MME, HSS, etc.) provides the plumbing (connectivity, location, and subscriber info) that allows the IMS voice network to deliver calls and apply services like scam labeling in real time.
Fortunately, the industry has responded with STIR/SHAKEN, a robust framework designed to authenticate caller identity and combat spoofing in real time. This blog explains how STIR/SHAKEN works technically, how calls are tagged during transit, and which network elements in a mobile network operator’s (MNO) core infrastructure manage this process.
STIR/SHAKEN Caller ID Authentication
To assess the validity of an incoming call’s Caller ID, U.S. carriers leverage the STIR/SHAKEN framework alongside their IMS call processing. STIR/SHAKEN is an industry-standard system designed to combat caller ID spoofing by requiring carriers to cryptographically sign and verify calling numbers. In practice, when a call originates, the originating service provider attaches a digitally signed token to the call’s SIP signaling that attests to the caller’s identity. The terminating carrier (e.g. the mobile operator receiving the call) runs this through a verification service to ensure the signature is valid and the number hasn’t been spoofed. Essentially, this acts like a digital passport for the call, with the originating carrier assigning an attestation level that indicates how confident it is in the caller’s identity.
For example, Full Attestation (A) means the originating carrier knows the customer and that they’re authorized to use that number (high trust), whereas Gateway Attestation (C) means the call came from an unfamiliar or external source and cannot be verified. STIR/SHAKEN has been mandated by the FCC for U.S. carriers (since June 30, 2021) as a foundational layer to validate caller legitimacy in real time. A call that passes STIR/SHAKEN validation with full attestation is less likely to be fraudulent, while a call with no valid signature or a low attestation (e.g. “C” level from an unknown source) raises suspicion. This verification result is fed into the carrier’s spam detection logic. In summary, STIR/SHAKEN is handled within the carrier’s network (often at IMS border gateways or SIP session controllers) and provides a real-time check on caller ID authenticity, which is one input to determining whether a call should be labeled “Scam Likely.”
- STIR (Secure Telephone Identity Revisited) is an IETF standard (RFC 8224, RFC 8588, etc.) that defines a mechanism to cryptographically sign and verify the identity of the calling party.
- SHAKEN (Secure Handling of Asserted information using toKENs) is the ATIS (Alliance for Telecommunications Industry Solutions) implementation of STIR, specifically tailored for U.S. carriers and mandated by the FCC since 2020 (with full enforcement by 2023). SHAKEN extends STIR by defining operational rules, certificate authorities, and trust frameworks for inter-carrier deployment.
Together, STIR/SHAKEN provide end-to-end caller authentication by attaching a digitally signed token to SIP calls, allowing the terminating network to verify the call’s authenticity and assign an attestation level (A, B, or C) that indicates how much confidence the originating network has in the caller’s identity.
How STIR/SHAKEN Tags Calls in Real Time
The process happens during call setup in the SIP signaling path, with minimal added latency (typically <50 ms). Here’s the technical flow:
- Originating Network Signing (Caller Authentication)
  - The call originates from a customer or enterprise trunk.
  - The originating service provider (OSP) authenticates the caller:
    - For verified customers (e.g., registered business lines): Full attestation (A-level).
    - For known gateways or unauthenticated trunks: Partial (B-level) or gateway (C-level) attestation.
  - The OSP’s Signing Service (often a dedicated STIR/SHAKEN server or integrated into the SBC) generates an Identity header containing:
    - A JSON Web Token (JWT) signed with the provider’s private key.
    - The caller’s number (TN), called number, timestamp, and a unique call identifier.
    - An attestation level (A/B/C) and origination identifier.
  - The signed token is inserted into the SIP INVITE message as an Identity header (per RFC 8224).
- Inter-Carrier Transport
  - The call traverses IP interconnects (SIP trunks) or PSTN gateways.
  - Intermediate carriers can add PASSporT headers (additional Identity headers) if they perform their own verification/signing, creating a chain of trust.
- Terminating Network Verification
  - The terminating service provider (TSP) receives the SIP INVITE with Identity header(s).
  - The Verification Service (usually integrated into the terminating SBC or a dedicated policy server) validates the token:
    - Checks the signature using the public key from the Secure Telephone Identity Policy (STI-P) repository.
    - Verifies the certificate chain (issued by a trusted Certificate Authority like ComsignTrust or Iconectiv).
    - Confirms the timestamp is fresh and the caller ID matches the asserted identity.
  - If valid, the call is assigned a verified status (e.g., “A” for full trust).
  - If invalid or missing, the call may be flagged, blocked, or marked as “spoofed” (displayed to the end user as “Spam Risk” or similar).
- End-User Display
  - On compatible handsets (Android 9+, iOS 14+ with carrier support), the terminating app or OS displays indicators like a green checkmark, “Verified Caller,” or warning icons based on the attestation level.
This signing and verification happen in real time during call setup (within the 3–5 second ring time), making it seamless for users.
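The signing and verification steps described above, as an added example that is not part of the original post and not any vendor's implementation. It uses Node.js's built-in crypto module; the function names, the sample numbers, the x5u URL and the 60-second freshness window are assumptions, and fetching the signer's certificate and validating its chain are assumed to have happened before `verifyPassport` is called.

```javascript
// Added example (not from the original post): SHAKEN PASSporT sign/verify with Node's crypto.
const crypto = typeof require === 'function'
  ? require('node:crypto') : process.getBuiltinModule('node:crypto'); // CommonJS or ESM
const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
const dec = (s) => JSON.parse(Buffer.from(s, 'base64url').toString());
const digits = (s) => String(s ?? '').replace(/\D/g, ''); // compare numbers by digits only
const fail = (reason) => ({ ok: false, reason });

// Originating side: build the token that rides in the SIP Identity header.
function signPassport(privateKey, { attest, orig, dest, origid, x5u, iat }) {
  const header = { alg: 'ES256', ppt: 'shaken', typ: 'passport', x5u };
  const payload = { attest, dest: { tn: [dest] }, iat, orig: { tn: orig }, origid };
  const input = `${enc(header)}.${enc(payload)}`;
  // JWS ES256 carries the raw r||s signature (IEEE P1363), not DER.
  const sig = crypto.sign('sha256', Buffer.from(input), { key: privateKey, dsaEncoding: 'ieee-p1363' });
  return `${input}.${sig.toString('base64url')}`;
}

// Terminating side. publicKey is assumed to come from an already chain-validated certificate.
function verifyPassport(token, publicKey, { from, to, now, maxAge = 60 }) {
  const [h, p, s, ...rest] = String(token).split('.');
  if (!h || !p || !s || rest.length) return fail('malformed');
  let header, payload;
  try { header = dec(h); payload = dec(p); } catch { return fail('malformed'); }
  if (!header || !payload) return fail('malformed');
  // Pin the algorithm and extension; the token must not choose how it is verified.
  if (header.alg !== 'ES256' || header.ppt !== 'shaken') return fail('bad-header');
  const sig = Buffer.from(s, 'base64url');
  if (sig.length !== 64 || !crypto.verify('sha256', Buffer.from(`${h}.${p}`),
    { key: publicKey, dsaEncoding: 'ieee-p1363' }, sig)) return fail('bad-signature');
  // Claims are trusted only after the signature has been checked.
  if (!Number.isInteger(payload.iat) || Math.abs(now - payload.iat) > maxAge) return fail('stale');
  const orig = digits(payload.orig?.tn);
  if (!orig || orig !== digits(from)) return fail('orig-mismatch');
  if (![].concat(payload.dest?.tn ?? []).map(digits).includes(digits(to))) return fail('dest-mismatch');
  if (!['A', 'B', 'C'].includes(payload.attest)) return fail('bad-attest');
  return { ok: true, attest: payload.attest };
}

// Constructed sample data: throwaway key pair, fictional 555 numbers, placeholder x5u URL.
const { privateKey, publicKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
const token = signPassport(privateKey, { attest: 'A', orig: '12025550100', dest: '12025550199',
  origid: crypto.randomUUID(), x5u: 'https://sti-cr.example.invalid/cert.pem', iat: 1700000000 });
const call = { from: '+1 (202) 555-0100', to: '+12025550199', now: 1700000005 };
console.log(verifyPassport(token, publicKey, call));                              // { ok: true, attest: 'A' }
console.log(verifyPassport(token, publicKey, { ...call, from: '+12025550123' })); // reason: 'orig-mismatch'
console.log(verifyPassport(token, publicKey, { ...call, now: 1700000600 }));      // reason: 'stale'
```

The header check runs before the signature check so that a token cannot select a weaker algorithm, and the claims are compared with the SIP From and To numbers only after the signature has verified.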
Network Platforms in the MNO Core that Manage STIR/SHAKEN
STIR/SHAKEN is integrated into the IMS (IP Multimedia Subsystem) core of modern MNOs. Key elements include:
- Session Border Controller (SBC): The primary point for signing (originating) and verification (terminating). SBCs like Oracle, Ribbon, or Cisco integrate STIR/SHAKEN modules.
- Application Server (AS) / Telephony Application Server (TAS): Handles policy decisions, attestation assignment, and call routing based on verification results.
- STI-PA (Secure Telephone Identity Policy Administrator): Manages certificate lifecycle and trust anchors (often outsourced to vendors like TransNexus or Neustar).
- HSS/UDM (Home Subscriber Server / Unified Data Management): Stores subscriber data that helps determine attestation level (e.g., enterprise vs. residential).
- PCRF/PCF (Policy and Charging Rules Function): Enforces policies like blocking unverified calls or applying spam labels.
- Interconnect SBCs / IPX Providers: Handle inter-carrier signing/verification when calls cross networks.
In 5G networks, the IMS Core (with 5G-IMS) natively supports STIR/SHAKEN, and the Network Exposure Function (NEF) can expose verification status to third-party apps.
Current Status and Future Outlook
As of early 2026:
- The U.S. has near-universal adoption (FCC mandates 100% coverage for major carriers).
- Canada, UK, France, Germany, and others have rolled out or mandated similar frameworks (often called STIR or SHAKEN-like).
- Challenges remain: International calls, legacy TDM networks, and bad actors spoofing within trusted trunks.
- Future: Deeper integration with 5G core, AI-based anomaly detection, and global trust frameworks (e.g., GSMA’s IPX-based STIR).
Conclusion
STIR/SHAKEN represents a significant step forward in restoring trust to the phone network by cryptographically tagging calls in real time. While full global adoption is ongoing, the technical foundation, rooted in IMS core elements like SBCs, AS, and policy functions, provides a scalable, standards-based defense against one of the most damaging forms of telecom fraud.
If you’re working on solutions to combat caller-ID spoofing, whether through STIR/SHAKEN deployment, network hardening, fraud prevention tools, or innovative anti-spoofing strategies, we warmly invite you to consider Hacom Technologies as your trusted partner. With deep expertise in telecommunications security and a genuine commitment to protecting users and operators alike, we’re ready to support you every step of the way. Reach out today and let’s build a safer calling experience together!




