Your phone rings, and the caller ID shows your bank's number. You pick up, and someone on the other end asks you to "verify" your account by reading back a code on your card. Except your bank never called. A scammer faked the number on your screen to make you trust the call.
In April 2026, Americans received roughly 4.2 billion robocalls, averaging about 13 per person (Congressional Research Service, 2026). The FTC logged over 2.6 million Do Not Call complaints in fiscal year 2025, with most violations coming from automated robocalls (FTC, 2026). Behind many of those calls is one common trick: phone number spoofing.
STIR/SHAKEN is a set of protocols the FCC now requires carriers to use, and the whole point is to verify that the originating carrier actually authorized the number showing on your caller ID. Here's how spoofing works, what STIR/SHAKEN does about it, where it falls short, and what you can do right now to protect yourself.
Key takeaways
- Phone number spoofing lets scammers display any number they want on your caller ID
- STIR/SHAKEN adds a digital signature to calls so carriers can check whether the caller's number was authorized by the originating provider before the call reaches you
- The FCC mandated STIR/SHAKEN for large U.S. carriers starting June 30, 2021, with smaller carriers following on later deadlines, but gaps remain
- Keeping your real phone number off broker sites and using masked numbers limits what spoofed callers can do, even when they get through
What is phone number spoofing?
Phone number spoofing is when a caller deliberately changes the number that shows up on your screen. A scammer sitting in another country can make your phone display a local number, your bank's number, or even a number from a government agency. The real call might come from a cheap internet phone service anywhere in the world, but you'd never know it from looking at your screen.
How scammers pull it off
Spoofing itself is surprisingly simple. Cheap VoIP services let callers pick whatever number they want to display, and some of these services charge as little as a few cents per call. The scammer enters a target number, chooses the fake caller ID they want to show, and dials. That's it.
Common spoofing tactics include:
- Neighbor spoofing: Your phone shows a call from your own area code and prefix, making it look local. You're far more likely to pick up a local number than a random out-of-state one.
- Organization impersonation: The display shows a number matching your bank, the IRS, or a delivery service. Because the number looks official, you're more likely to share sensitive information when asked.
- Your own number: Some scammers even spoof your exact number back to you, hoping curiosity gets you to answer.
Why caller ID spoofing works so well
Caller ID was designed in the 1990s as a convenience feature, not a security tool. The system trusts whatever number the calling carrier passes along. No built-in check ever existed to confirm that the number was real, and scammers have exploited that blind trust for years.
The FCC notes that spoofing isn't always illegal. A doctor's office displaying its main callback number instead of an individual line is a legitimate use. Spoofing crosses the line when it's used to defraud, cause harm, or wrongfully obtain something of value (FCC, Caller ID Spoofing).
How STIR/SHAKEN verifies calls
STIR/SHAKEN is a caller ID authentication framework that uses digital certificates to verify whether an originating carrier authorized the phone number displayed on an incoming call. The FCC requires U.S. voice service providers to implement the framework on IP-based networks. Calls that pass verification may display a "Verified" label, while unverified calls may be flagged or blocked.
The FCC made STIR/SHAKEN mandatory for large U.S. carriers starting June 30, 2021, under the TRACED Act, with smaller carriers following on extended deadlines. Canada set its own deadline in November 2021. The reasoning behind the mandate is straightforward. Scam phone number spoofing had grown so widespread that carriers needed a standardized way to flag suspicious calls at the network level, and if a call's origin can be verified by the carrier, spoofed numbers are more likely to get caught before they reach you.
What the acronyms mean
STIR stands for Secure Telephony Identity Revisited. SHAKEN stands for Signature-based Handling of Asserted Information Using Tokens. Together, they form a framework that attaches a digital certificate to each call as it travels through IP-based phone networks.
How the process works
When you place a call, your carrier checks whether you're authorized to use that number. The carrier attaches a digital signature to the call, like a stamp of approval. As the call moves through the network, the receiving carrier checks that signature against a trusted certificate authority. If everything lines up, the call may show a "Verified" label on your screen.
Here's how the full process breaks down:
- Your carrier confirms your identity and your right to use the number
- A trusted certificate authority issues a digital certificate
- Your carrier signs the call with that certificate
- The receiving carrier validates the signature and assigns a trust rating
What attestation levels mean
Not all verified calls carry the same level of trust. STIR/SHAKEN assigns one of three grades, and the grade directly affects whether the call gets through cleanly or gets flagged as spam.
- Full Attestation (A): The carrier knows the customer and confirms they're authorized to use that number. Highest trust.
- Partial Attestation (B): The carrier knows the customer but can't confirm they own the specific number. Moderate trust.
- Gateway Attestation (C): The call entered the network from an outside source, and the carrier can't verify the caller or the number. Lowest trust.
Calls with Full Attestation are least likely to get flagged. Calls with Gateway Attestation may be blocked or labeled "Potential Spam" before they ever reach your phone.
Where STIR/SHAKEN falls short
STIR/SHAKEN has reduced certain categories of spoofed calls, but it doesn't stop spoofing entirely. Here's why you still need more than just carrier-level verification.
Not every carrier has fully implemented it
As of late 2025, only about 4,084 out of 9,242 phone companies filing with the FCC had completely installed STIR/SHAKEN (U.S. PIRG, 2025). Smaller carriers and international providers may not support the framework at all. Calls coming from overseas, where many scam operations run, often bypass the system completely.
Verification doesn't mean safe
A call that passes STIR/SHAKEN verification confirms the carrier authorized it, not that the caller has good intentions. A scammer could register a legitimate phone number and still use it for fraud. The framework verifies identity at the carrier level, not the content or intent of the call.
Older networks remain vulnerable
STIR/SHAKEN works on IP-based networks. Many rural carriers and smaller providers still run older technology where the framework can't operate. The FCC requires these providers to implement alternative robocall mitigation programs, but coverage isn't seamless.
Not sure how exposed your number already is? Run a free safety scan to find out.
How to stop phone spoofing from reaching you
STIR/SHAKEN raises the bar for scammers, but you shouldn't rely on it alone. A layered approach works best, and most of these steps take just a few minutes.
Use your carrier's call-blocking tools
All major U.S. carriers offer free or paid call-filtering tools: Verizon has Call Filter, T-Mobile has Scam Shield, and AT&T has ActiveArmor. These tools use STIR/SHAKEN data plus their own analytics to flag or block suspicious calls. Check with your provider to make sure these features are turned on.
Screen unknown callers
Letting unknown numbers go to voicemail is one of the simplest ways to dodge spoofed calls. Legitimate callers typically leave a message, while many scammers just hang up. Some scammers do leave threatening or urgent voicemails designed to get you to call back, so treat any voicemail demanding immediate action with the same skepticism you'd give the call itself. A call screening tool can filter unknown callers before they even ring your phone.
Keep your real number off data broker sites
Scammers don't pick targets at random. Your phone number sits on dozens of data broker sites right now, bundled with your name, home address, and email. Removing your information from these databases cuts off the supply chain that feeds spoofing and vishing attacks.
Use a separate number for signups and public-facing accounts
Say you sign up for a food delivery app with your real phone number. A few months later, that app gets breached. Now your number is circulating on broker sites and dark web forums, and spoofed calls start rolling in. A masked phone number keeps your real line hidden from the start. If the alias gets compromised, you disable it and generate a new one, and your real number stays untouched.
Register with the Do Not Call Registry
Adding your number at donotcall.gov won't stop criminal callers, but it reduces legitimate telemarketing calls and gives you a basis to report violators. Over 258 million numbers are already registered, which shows how widely used this tool is (FTC, 2026).
Report spoofed calls
If you receive a spoofed call, reporting it won't get your money back directly, but it does create a record that regulators use to track patterns and shut down bad actors. The more reports the FCC and FTC receive about a specific number or campaign, the faster they can take enforcement action. Here's where to file:
- FCC: File at fcc.gov/consumers/guides/spoofing
- FTC: Report at reportfraud.ftc.gov
- FBI IC3: File at ic3.gov if money or personal data was lost
How Cloaked helps you stay ahead of spoofed calls
Spoofing works because your real phone number is already out there, tied to your name, address, and accounts, and Cloaked tackles that root problem. You can generate unique phone aliases for every account so your real number never gets exposed. Cloaked also removes your personal data from 300+ people-search sites, cutting off the pipeline scammers rely on. Pair that with dark web and SSN monitoring and $1M identity theft insurance, and you've got a real defense against the calls STIR/SHAKEN can't catch.
Take a safety scan and see how exposed your number already is, or contact us to learn more.
FAQs
What is phone spoofing in simple terms?
Phone spoofing is when someone changes the number that appears on your caller ID so the call looks like it comes from a trusted source. Scammers use spoofing to impersonate banks, government agencies, or local numbers. The call actually originates from somewhere else entirely.
Can STIR/SHAKEN completely stop spoofed calls?
No. STIR/SHAKEN makes spoofing harder by verifying the caller's number at the carrier level, but it can't stop all spoofed calls. Calls from international carriers, smaller providers that haven't fully implemented the framework, or scammers using legitimately registered numbers can still get through.
What is neighbor spoofing?
Neighbor spoofing is when a scammer displays a phone number with the same area code and prefix as yours. The goal is to make the call look local so you're more likely to answer. Most carrier filtering tools now flag many of these calls, but some still slip through.
How do I know if a call has been verified by STIR/SHAKEN?
On most Android phones, a verified call shows a green checkmark. On iPhones, a gray checkmark may appear in the call log. The exact display varies by carrier and device. A verified label means the carrier confirmed the number, but it doesn't guarantee the caller's intent is legitimate.
What should I do if my number is being spoofed by scammers?
You can't directly stop someone from spoofing your number. The FCC says spoofing episodes typically last only a few hours before scammers move to another number. In the meantime, set up a voicemail message explaining the situation, silence unknown callers, and report the spoofing to the FCC at consumercomplaints.fcc.gov.
Does registering on the Do Not Call list stop spoofed calls?
Registering at donotcall.gov reduces calls from legitimate telemarketers who follow the law, but criminal robocallers and spoofers ignore the list. The registry is still worth joining because it gives you a formal basis to report violators and helps the FTC track patterns for enforcement.


