Robocalls and “spoof” calls are much more than just annoyances. They are also a lucrative underworld business that poses significant security and privacy threats to businesses and consumers. Between March 2017 and March 2018, nearly 25 million Americans lost almost $9 billion to scam phone calls.

If any doubt remains about how insidious the business is, just enter “spoof calls” into a search engine and marvel at all the slick websites offering to “fake your caller ID.” Businesses that offer these services can place as many as 5,000 robocalls per second.

Although the Truth in Caller ID Act of 2009 criminalized spoofing with intent to defraud or harm, the number of robocalls around the world grew by more than 325% last year. First Orion expects that nearly 50% of all U.S. mobile calls this year will be scam calls.
Nobody is immune from spoof attempts

Even AT&T’s CEO couldn’t avoid getting robocalled as he was interviewed on C-SPAN in March. Randall Stephenson was in the middle of making a point when the call came in, but the fact remains: most mobile phone users are so wary of these calls that they answer barely more than half of them.

The good news is that relief is coming. The bad news? In any battle of cybercriminals vs. cybersecurity professionals, it will probably always be a cat-and-mouse game, with the rodents continually figuring out new ways to foil the felines.

The scourge of robocalling is comparable to the ubiquitous fakery in email, text messaging and social media accounts. Dozens of thoughtful, consumer-focused articles offer advice on how to block or reduce robocalls and spam texts, but most of the solutions treat the symptoms and not the disease. The root problem is that these platforms lack robust identity models that can verify that a message (or a call) really comes from whom it appears to come from. Caller ID, like the From address in email, is just a field the sender fills in; nothing in the underlying protocol checks it.

Public policy matters – and works

There is an answer to the robocalling problem: an
aggressive, viable, standards-based solution. And it has arrived on the scene with public policy support: STIR/SHAKEN (Secure Telephone Identity Revisited, an IETF standard, and Signature-based Handling of Asserted information using toKENs, the deployment framework developed by the Alliance for Telecommunications Industry Solutions and the SIP Forum) was recently endorsed by the Federal Communications Commission (FCC).

STIR/SHAKEN uses digital certificates issued under a trusted certificate authority to verify that the calling number on an incoming call has not been spoofed. The carrier that originates a call signs the calling number (together with the called number and a timestamp) with its certificate and attaches the signature to the call; the carrier that terminates the call fetches the signer’s certificate, checks the signature, and can then flag or block the call when the number does not match or no valid signature is present. The FCC’s endorsement quickly led to adoption by the nation’s leading phone-service providers, including AT&T, CenturyLink, Charter, Comcast, Cox, Google, Sprint, TDS, T-Mobile, US Cellular, Verizon and Vonage.

In many ways, this development mirrors the DHS’s October 2017 Binding Operational Directive (BOD) 18-01, which mandated that U.S. federal agencies adopt email authentication standards. It also emphasizes a key point: policy matters, and policy works.

DMARC: The STIR/SHAKEN of email

The DHS edict required all executive branch agencies to
deploy the Domain-based Message Authentication, Reporting and Conformance (DMARC) standard and set it to a policy that rejects unauthenticated mail (p=reject), effectively preventing bad actors from spoofing government officials’ email addresses. DMARC does this by checking that mail claiming to come from a domain passes SPF or DKIM for that same domain (or one aligned with it), and by telling receiving mail systems what to do with mail that fails.

Within one year, 57% of all agencies were protected by a DMARC record with a strict enforcement policy, and today over 70% of agencies are protected. In fact, federal agencies demonstrated the highest rates of DMARC implementation and enforcement of any group of organizations, public or private, in America or abroad.

Sad but true: It’s a never-ending battle

The FCC’s adoption of STIR/SHAKEN represents a major,
positive step forward in the fight against robocalling. But it’s a never-ending battle, as these stories illustrate:

While the Federal Trade Commission (FTC) jumped into the fray by forcing four robocall companies out of business, there are many more that will take advantage of loopholes, find new ways to produce millions of unsolicited robocalls and stay under the radar.

As The New York Times editorial board wrote in late April, “Telecommunications companies are adopting new technology to kill phone spam — but the spammers may stay a step ahead.”
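Since the whole fight hinges on what that “new technology” actually checks, here is the core of a STIR/SHAKEN exchange in Go, written as an added example for this page (it is not code from the original article, the FCC, ATIS or any carrier). The originating carrier signs a PASSporT (the JSON token defined in RFC 8225, extended with the SHAKEN attest and origid claims) with an ES256 key; the terminating carrier verifies the signature and checks that the signed calling number matches the caller ID the call presents. The key pair, the x5u URL https://sti-cp.example.net/cert.pem, the phone numbers and the UUID are all constructed for the example; fetching the certificate from x5u and chaining it to an STI-CA, and the freshness check on iat, are real steps of the protocol that are left out here.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
)
type tnList struct{ TN []string `json:"tn"` }
type tnOne struct{ TN string `json:"tn"` }

// SHAKEN PASSporT claims (RFC 8225 + ATIS-1000074), in lexicographic order as RFC 8225 requires.
type passport struct {
	Attest string `json:"attest"` // attestation: A (full), B (partial) or C (gateway)
	Dest   tnList `json:"dest"`   // called number(s)
	Iat    int64  `json:"iat"`    // signing time, Unix seconds
	Orig   tnOne  `json:"orig"`   // calling number the originating carrier vouches for
	OrigID string `json:"origid"` // opaque UUID used for traceback
}
var enc = base64.RawURLEncoding

// signPassport is the originating carrier's side: the compact JWS it places in the SIP Identity header.
// x5u is the URL of the carrier's STI certificate, which the terminating carrier fetches.
func signPassport(priv *ecdsa.PrivateKey, x5u string, p passport) (string, error) {
	h, _ := json.Marshal(map[string]string{"alg": "ES256", "ppt": "shaken", "typ": "passport", "x5u": x5u})
	c, _ := json.Marshal(p) // plain data: Marshal cannot fail here; map keys serialize sorted
	input := enc.EncodeToString(h) + "." + enc.EncodeToString(c)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64) // JWS ES256 is raw r||s, 32 bytes each, not DER
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return input + "." + enc.EncodeToString(sig), nil
}

// verifyCall is the terminating carrier's side. pub is assumed to be the key from the x5u certificate
// after chaining it to a trusted STI-CA (fetch and chain check not shown). It returns the attestation
// level only if the signature is valid and the signed orig.tn equals the caller ID the call presents.
func verifyCall(pub *ecdsa.PublicKey, token, presentedCallerID string) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", errors.New("malformed PASSporT")
	}
	hb, e1 := enc.DecodeString(parts[0])
	cb, e2 := enc.DecodeString(parts[1])
	sig, e3 := enc.DecodeString(parts[2])
	if e1 != nil || e2 != nil || e3 != nil || len(sig) != 64 {
		return "", errors.New("bad base64url or signature length")
	}
	var h map[string]string // pin the algorithm rather than trusting whatever alg the token claims
	if json.Unmarshal(hb, &h) != nil || h["alg"] != "ES256" || h["ppt"] != "shaken" {
		return "", errors.New("unexpected PASSporT header")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	r, s := new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])
	if !ecdsa.Verify(pub, digest[:], r, s) {
		return "", errors.New("signature does not verify: claims were altered after signing")
	}
	var p passport
	if err := json.Unmarshal(cb, &p); err != nil {
		return "", err
	}
	if p.Orig.TN != presentedCallerID { // the signed number must be the one the called party sees
		return "", fmt.Errorf("caller ID %s does not match signed origin %s", presentedCallerID, p.Orig.TN)
	}
	return p.Attest, nil
}

// spoofOrig models a spoofer rewriting the calling number inside an already-signed token.
func spoofOrig(token, oldTN, newTN string) string {
	parts := strings.Split(token, ".")
	cb, _ := enc.DecodeString(parts[1])
	cb = []byte(strings.Replace(string(cb), `"tn":"`+oldTN+`"`, `"tn":"`+newTN+`"`, 1))
	return parts[0] + "." + enc.EncodeToString(cb) + "." + parts[2]
}

// demoKey stands in for the carrier's STI certificate key pair (generated only for this example).
func demoKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

func main() {
	key := demoKey()
	call := passport{Attest: "A", Dest: tnList{TN: []string{"12155551213"}}, Iat: 1443208345,
		Orig: tnOne{TN: "12155551212"}, OrigID: "123e4567-e89b-12d3-a456-426655440000"} // constructed sample
	tok, _ := signPassport(key, "https://sti-cp.example.net/cert.pem", call)
	fmt.Println(verifyCall(&key.PublicKey, tok, "12155551212"))
	fmt.Println(verifyCall(&key.PublicKey, spoofOrig(tok, "12155551212", "12155559999"), "12155559999"))
}
```

Run with go run: the first line prints the attestation level A with no error; the second shows the spoofed token being rejected, because the signature no longer covers the altered orig.tn. Note what this does and does not prove. A valid signature means a carrier holding an STI certificate vouched for the number at the stated attestation level; it says nothing about the caller’s intent, which is why the spammers can stay a step ahead by originating calls through carriers that will sign them, typically with attestation C.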
While there is no panacea that will completely eliminate spoofing, whether in phone calls, email or on social media sites, it’s evident that authentication standards such as DMARC and STIR/SHAKEN can stamp out a huge portion of these impersonators, particularly if public policy helps drive widespread adoption. Both standards share the same limit: they prove that a message or call was signed by the domain or carrier it claims to come from, not that the sender is honest, so a scammer who controls their own domain or finds a carrier willing to sign their calls still gets through.

Organizations that deploy authentication standards will continue to be in a better position to halt the spread of unwanted messages from sinister sources. But only commitment and vigilance will keep the epidemic contained.

Committed public policy that requires the implementation of authentication standards, supported by all organizations that send and receive communications, will always stand as the foundation of the fight against spoofing.
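To show what “set it to a policy that rejects” means mechanically, the following is an added example in Go (not code from the original article or from DHS) of how a receiving mail server evaluates a DMARC record: it parses the TXT record published at _dmarc.<domain>, checks whether a passing SPF or DKIM result is aligned with the visible From domain under the record’s adkim/aspf modes, and returns either pass or the p= action. The record, the domains agency.example and bulk-sender.example, and the authentication results are constructed; the organizational-domain lookup is simplified to the last two labels where a real implementation uses the Public Suffix List, and the sp= and pct= tags are ignored.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// dmarcPolicy holds the tags of a DMARC TXT record (RFC 7489) that decide a message's fate.
type dmarcPolicy struct {
	Policy string // p=     : none, quarantine or reject
	ADKIM  string // adkim= : r (relaxed, the default) or s (strict)
	ASPF   string // aspf=  : r or s
}

// parseDMARC parses the record published at _dmarc.<domain>. Tags beyond p, adkim and aspf
// (rua, ruf, pct, sp, ...) are accepted and ignored in this simplified version.
func parseDMARC(record string) (dmarcPolicy, error) {
	pol := dmarcPolicy{ADKIM: "r", ASPF: "r"}
	tags := strings.Split(record, ";")
	if strings.TrimSpace(tags[0]) != "v=DMARC1" {
		return pol, errors.New("not a DMARC1 record")
	}
	for _, tag := range tags[1:] {
		kv := strings.SplitN(strings.TrimSpace(tag), "=", 2)
		if len(kv) != 2 {
			continue
		}
		val := strings.ToLower(strings.TrimSpace(kv[1]))
		switch strings.ToLower(strings.TrimSpace(kv[0])) {
		case "p":
			pol.Policy = val
		case "adkim":
			pol.ADKIM = val
		case "aspf":
			pol.ASPF = val
		}
	}
	switch pol.Policy {
	case "none", "quarantine", "reject":
		return pol, nil
	}
	return pol, fmt.Errorf("missing or invalid p= tag %q", pol.Policy)
}

// orgDomain approximates the organizational domain as the last two labels. A real
// implementation consults the Public Suffix List (think "co.uk"); this is a simplification.
func orgDomain(d string) string {
	labels := strings.Split(strings.ToLower(strings.TrimSuffix(d, ".")), ".")
	if len(labels) > 2 {
		labels = labels[len(labels)-2:]
	}
	return strings.Join(labels, ".")
}

// aligned reports whether an SPF/DKIM-authenticated domain lines up with the visible From domain.
func aligned(fromDomain, authDomain, mode string) bool {
	if mode == "s" {
		return strings.EqualFold(strings.TrimSuffix(fromDomain, "."), strings.TrimSuffix(authDomain, "."))
	}
	return orgDomain(fromDomain) == orgDomain(authDomain)
}

// authResult is what SPF and DKIM evaluation produced for one message.
type authResult struct {
	FromDomain string // RFC5322.From domain, the one the recipient sees
	SPFPass    bool
	SPFDomain  string // RFC5321.MailFrom domain that SPF authenticated
	DKIMPass   bool
	DKIMDomain string // d= of a passing DKIM signature
}

// disposition returns "pass" when at least one aligned authentication passed, otherwise the
// action the domain owner requested in p=. Spoofed mail normally fails both checks.
func disposition(record string, r authResult) (string, error) {
	pol, err := parseDMARC(record)
	if err != nil {
		return "", err
	}
	if (r.SPFPass && aligned(r.FromDomain, r.SPFDomain, pol.ASPF)) ||
		(r.DKIMPass && aligned(r.FromDomain, r.DKIMDomain, pol.ADKIM)) {
		return "pass", nil
	}
	return pol.Policy, nil
}

// exampleRecord is a constructed enforcing record of the kind BOD 18-01 asked agencies to publish.
const exampleRecord = "v=DMARC1; p=reject; adkim=r; aspf=s; rua=mailto:dmarc-reports@agency.example"

func main() {
	legit := authResult{FromDomain: "agency.example", DKIMPass: true, DKIMDomain: "mail.agency.example"}
	spoof := authResult{FromDomain: "agency.example", SPFPass: true, SPFDomain: "bulk-sender.example"}
	fmt.Println(disposition(exampleRecord, legit))       // pass <nil>
	fmt.Println(disposition(exampleRecord, spoof))       // reject <nil>
	fmt.Println(disposition("v=DMARC1; p=none", spoof)) // none <nil>: monitoring only, the spoof is delivered
}
```

The third case is the gap BOD 18-01 was written to close: a domain sitting at p=none may learn about spoofing from aggregate reports, but the spoofed message is still delivered, because none is exactly what the receiver has been asked to do.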