Is STIR/SHAKEN a Failure?
You’ve probably seen the takes. “STIR/SHAKEN was supposed to stop robocalls.” “I still get spam calls every day.” “Billions spent on compliance and nothing changed.” And look — if the measure of success is “did robocalls disappear overnight,” then sure, it failed. But that was never a realistic expectation, and framing it that way misses what’s actually happening.
The silver bullet problem
Let’s get this out of the way: STIR/SHAKEN was oversold in some quarters. The promise — or at least the public perception — was that once carriers started signing calls, the robocall problem would be solved. That was never true. STIR/SHAKEN is a necessary tool, but it was never sufficient on its own. It’s one layer in what has to be a multi-layered defense.
Expecting STIR/SHAKEN to stop robocalls is a bit like expecting a lock on your front door to eliminate burglary. It raises the bar. It doesn’t make the problem disappear.
So what IS it doing?
Quite a lot, actually, if you know where to look.
Providers are getting shut down. The FCC has been using STIR/SHAKEN data and the Robocall Mitigation Database to identify bad actors and take action. Carriers that can’t or won’t comply are getting their traffic blocked by downstream providers. That wasn’t happening before. The enforcement pipeline is real, and it’s getting moose-re aggressive.
The unsigned traffic pool is shrinking. As more carriers implement STIR/SHAKEN, the volume of calls with no attestation at all keeps getting smaller. That matters because unsigned calls increasingly stand out. They’re easier to flag, easier to filter, and harder to hide behind.
Attack vectors are narrowing. Robocallers used to be able to spoof any number from anywhere with no accountability. Now they need to find carriers willing to originate their traffic and sign it — or find gaps in the system. Those gaps still exist, but there are fewer of them, and they’re getting smaller.
The best proof it’s working? The fraud.
Here’s what really tells the story: bad actors are now committing fraud to obtain STIR/SHAKEN certificates. They’re creating fake companies, filing bogus paperwork, and trying to game the certificate issuance process — all because they need a valid certificate to keep their operations running.
Think about what that means. For maybe the first time in the history of telecom, there’s a real gatekeeping mechanism that’s forcing the bad guys to adapt. They can’t just plug in and start blasting calls anymore. They have to work to get through the gate. And when they do, they leave a trail that makes them easier to catch.
If STIR/SHAKEN were a failure, nobody would bother trying to fraud their way into it.
Whack-a-moose
Is it still a game of whack-a-mole? Absolutely. Bad actors adapt. They find new carriers, new vectors, new ways to slip through. But the moles are running out of holes. The combination of STIR/SHAKEN attestation, the Robocall Mitigation Database, traceback efforts, and FCC enforcement actions is slowly — maybe frustratingly slowly — tightening the noose.
Are we where anyone hoped we’d be by now? Probably not. But the trajectory is right. The tools are getting better, the enforcement is getting sharper, and the cost of being a bad actor keeps going up.
The bottom line
STIR/SHAKEN isn’t a failure. It’s a foundation. It gave the industry something it never had before: a way to verify who’s making a call and hold someone accountable when the answer is “nobody legitimate.” What we do with that foundation — how aggressively we enforce, how quickly we close gaps, how well we coordinate across the ecosystem — determines whether it ultimately succeeds.
Necessary, but not sufficient. And that’s okay. Most important things are.
If you’re a carrier working through your own STIR/SHAKEN obligations, we can help with the compliance side. And if you want the basics, check out our STIR/SHAKEN explainer.