PART 3: Voice Fraud SHAKEN not STIRed

November 8, 2023

In an increasingly connected world, ensuring the security and authenticity of information and interactions has become both more difficult and important. Making systems more consumer-friendly while protecting data integrity and reducing operating costs has created an almost impossible conundrum for contact centers. Amongst a plethora of threats, voice fraud in call centers is an ever-growing menace, compromising the trust and financial well-being of both businesses and consumers.

According to data published in February this year, in 2022, the Canadian Anti-Fraud Centre (CAFC) received 90,377 fraud reports totaling more than $530 million in losses.  Based on CAFC’s assertion that only between five and ten percent of victims file fraud reports, losses in 2022 may well have exceeded two billion.

In a report issued by Seattle-based Hiya last spring, it appears that while Americans received more spam calls than Canadians, Canadians received a much higher proportion of fraud calls. In the U.S. in the first quarter, 25% of unrecognized calls were spam, of which just 0.7% were considered fraud. In Canada, 18.3% of unrecognized numbers were considered spam, of which 6.3% were of a fraudulent nature.

Some of the most common scams in Canada are related to cryptocurrency trading and those targeting newer immigrants who may be less familiar with the way the government works.  The latter included callers impersonating government officials claiming to be from the Canada Border Services Agency or Canada Revenue Agency.

Voice fraud poses significant challenges for businesses and consumers alike. The implications of such fraud are manifold: financially, it can lead to unauthorized transactions that drain bank accounts or rack up unauthorized purchases; emotionally and socially, it corrodes the trust that customers place in businesses, making it difficult to restore once violated.  

The methods employed by fraudsters are evolving and sophisticated. Tactics range from voice phishing, where scammers impersonate trusted figures, to manipulating caller IDs to appear legitimate.  More advanced methods involve using AI to create voice 'deepfakes' or recording a victim's voice to deceive voice authentication systems.

However, despite some of the advances in AI, Caller ID Spoofing is still a favorite tactic among scammers.  Because it exploits the inherent trust we place in familiar names and numbers, the public remains all too susceptible to this type of subterfuge. To combat illegal spoofing, industry technologists from the Internet Engineering Task Force (IETF) and the Alliance for Telecommunications Industry Solutions (ATIS) developed standards for the authentication and verification of caller ID information for calls carried over an IP network.  

The IETF formed the Secure Telephony Identity Revisited (STIR) working group, which has produced several protocols for authenticating caller ID using the Session Initiation Protocol (SIP). Signature-based Handling of Asserted information using toKENs (SHAKEN) specification which standardizes how the protocols produced by STIR are now being implemented across the industry. The STIR/SHAKEN framework consists of two high-level components: (1) the technical process of authenticating and verifying caller ID information; and (2) the certificate governance process that maintains trust in the caller ID authentication information transmitted along with a call.

The Canadian Secure Token Governance Authority (CSTGA) is responsible for the deployment of STIR/SHAKEN in Canada. The CSTGA is tasked with selecting the Policy Administrator (PA) and Certificate Authority (CA), which are necessary for the implementation of STIR/SHAKEN.

The effectiveness of STIR/SHAKEN protocols in reducing illegal spoofing and identifying fake callers has been widely recognized.  In the U.S., the Federal Communications Commission (FCC) has stated that widespread deployment of STIR/SHAKEN will reduce the effectiveness of illegal spoofing, allowing law enforcement to identify fraudsters easily, and help phone companies identify calls with spoofers caller ID’s information, before those calls reach their subscribers.

However, the effectiveness of STIR/SHAKEN protocols in reducing unwanted calls is dependent on the extent of its implementation by telecommunications service providers (TSPs). The Canadian Radio-television and Telecommunications Commission (CRTC) has directed TSPs effective from 30 November 2021 to implement STIR/SHAKEN as a condition of offering and providing telecommunications services.

While STIR/SHAKEN protocols are a significant step forward in combating caller ID spoofing and some types of robocall scams, their effectiveness is magnified when used in conjunction with other methods.

1. Blacklists and Whitelists: Many anti-spam solutions maintain blacklists of known fraudulent numbers and whitelists of verified safe numbers. Calls from blacklisted numbers can be blocked or flagged for users.

2. Behavioral Analytics: Advanced systems analyze call patterns and behaviors to identify suspicious activity. For example, if a number makes an unusually high volume of calls in a short period, it could be flagged as suspicious.

3. Caller ID Reputation Services: These services rate the trustworthiness of different caller IDs based on reports from users and known spam databases.

4. Frequency Analysis: If a particular number is making frequent calls in quick succession, it could be an indicator of robocalls or spam activity.

5. Audio Fingerprinting: Some advanced systems can analyze the audio content of calls to identify known spam or scam messages. For example, if the same recorded message is detected across multiple calls, it can be flagged or blocked.

6. Real-time Analytics: Some solutions provide real-time analytics on incoming calls, flagging those that exhibit signs of being fraudulent or malicious based on various criteria.

7. CAPTCHA for Calls: Like online CAPTCHAs, some systems introduce a challenge-response test for the caller to complete, which can deter automated spam calls.

8. Grey Lists: This is a technique where unknown incoming calls are temporarily blocked. The calling system is then instructed to call back after a short delay. Non-fake or Human callers will usually call back, whereas many automated systems will not.

9. Network-level Filters: Telecom providers themselves can employ filters at the network level to block calls that are likely to be spam or fraud, based on known patterns or reports.

10. Geographic Filtering: If a business rarely gets legitimate calls from specific countries or regions, those can be filtered out to reduce the chance of international call scams.

11. Crowdsourced Feedback: Some apps and services rely on user reports to flag or block unwanted calls.  As users report spam or fraudulent numbers, the service becomes more effective for everyone.

12. Heuristics: This involves using algorithms to analyze call metadata (e.g., origin, destination, frequency) to make educated guesses about the legitimacy of a call.

While these methods in conjunction with the general adoption of STIR/SHAKEN protocols will significantly reduce the number of fraudulent calls, no system will be entirely foolproof. It will always remain essential for organizations and individuals to be cautious and verify the identity of callers, especially when dealing with sensitive or personal information.

Like what you're reading? Stay tuned the final installment to our Cybersecurity series coming soon!

And if you don't want to miss any news from Connex, sign up to our newsletter below.