You see your bank's name on the caller ID. You see the official number. Your phone even shows a green checkmark (in some cases) confirming it's authenticated. You answer. Within 60 seconds, you've confirmed your account PIN. Within 4 minutes, $18,000 is gone. The call wasn't from your bank. The caller ID was a perfect forgery. The authentication? Spoofed. The green checkmark? Fake. Welcome to 2025, where caller ID is just an aesthetic.
The Great Caller ID Lie (A Brief History)
In 2021, the FCC (USA) mandated carriers implement STIR/SHAKEN. It was supposed to be the solution. Caller ID would be cryptographically signed. The signature would prove the caller was legitimate. No more spoofing. Problem solved.
It didn't work.
By 2023, scammers had already found exploits. By 2024, they'd weaponized them. By 2025, STIR/SHAKEN is basically decorative. It looks nice. It makes regulators feel good. But it doesn't stop fraud. Not even close.
The Uncomfortable Truth: Caller ID authentication is fundamentally broken because the problem isn't technical. It's economic. For STIR/SHAKEN to work perfectly, every carrier in the chain would need to validate every call. That costs money. Billions of dollars. So carriers don't do it. They do the bare minimum. They validate maybe 5-10% of calls. The rest? Unvalidated. Spoofable. Scammable.
How STIR/SHAKEN Actually Works (And Why It Fails)
The Theory: When you call someone, your carrier signs your phone number with a cryptographic certificate. This signature travels with the call. When the call reaches the recipient's carrier, they verify the signature. If it's valid, the call is authenticated. If it's not, the call is marked as "not authenticated" or blocked.
The Reality: Only 12% of calls in the US have STIR/SHAKEN attestation. Of those, only 60% are properly validated by the receiving carrier. That means 88% of calls have ZERO authentication. And of the 12% that do? Many carriers don't even check the signature properly. They just route the call through and mark it as "compliant" to avoid regulatory scrutiny.
The Exploit #1: The Unvalidated Call
Scammer uses a VoIP provider that doesn't implement STIR/SHAKEN (95% of international providers). The call comes into the US without authentication. The receiving carrier sees no signature. They can't verify it. So they just assume it's legit and pass it through. Scammer's number displays as whatever they programmed it to be.
The Exploit #2: The Certificate Loophole
Some VoIP providers DID implement STIR/SHAKEN. But they issue certificates to anyone who asks (minimal verification). A scammer buys a certificate for $99/year. Now their calls ARE authenticated. But authenticated as what? A dummy company they registered 2 hours earlier. The signature says "valid." But it's validating a fake entity.
The Exploit #3: The Gateway Gap
International carriers don't use STIR/SHAKEN. They use a different system. When a call crosses the international border, it "loses" its authentication. A scammer in India calls through a gateway. Enters the US as "unauthenticated." But to the receiving carrier, it just looks like a normal international call. Which are always unauthenticated. So there's no way to know if it's legit or spoofed.
The Exploit #4: The Legacy Telecom Problem
Small carriers (regional providers, rural carriers) haven't upgraded to STIR/SHAKEN. They're still on systems from 1995. A call routed through these carriers loses authentication. Scammer knows this. They route their call through a small carrier in Nebraska. Now the call is "unauthenticated" but looks normal. Nobody questions it.
STIR/SHAKEN Reality Check (2025):
- Only 12% of US calls have STIR/SHAKEN attestation
- Only 60% of those are properly validated
- Effective authentication rate: ~7%
- 95% of international robocalls bypass STIR/SHAKEN entirely
- Scammers spoof authenticated carriers more than legitimate ones (because people trust the mark)
- FCC has fined ZERO carriers for improper STIR/SHAKEN implementation
Why Your Bank's Number Isn't Actually Your Bank's Number
This is the most insidious part of caller ID spoofing: it's completely undetectable to the end user.
A legitimate call from Bank of America comes from a specific number: 1-800-BANK-BOA. But Bank of America has 47,000 different numbers they use (routing numbers, department lines, international numbers, etc.). A scammer can call you claiming to be Bank of America and display literally ANY of those numbers. How would you know?
Your phone shows: BOA FRAUD ALERT 1-800-555-1234
You think: "This is real. It's showing BOA's name and a reasonable number."
Reality: 1-800-555-1234 belongs to a pizza restaurant in Ohio. The scammer spoofed it to display as BOA.
Why This Happens: Caller ID is just information transmitted through the telephone network. There's no central verification. Each carrier trusts what the previous carrier tells them. If the first carrier says "This call is from BOA," the next carrier just repeats it. There's no actual verification that the call originated from BOA. It's a game of telephone (pun intended) where each player just trusts the previous player.
The Green Checkmark Lie
Some phones (mostly iPhones and newer Androids) now show a green checkmark next to caller ID if the call is "verified." This is supposed to mean the call is authenticated and legitimate.
In reality, the green checkmark just means: "This call has STIR/SHAKEN attestation." It does NOT mean the call is from who they claim to be. It just means the call has a signature. The signature could be from a fake company, a spoofed entity, or a legitimate company that's been compromised.
Think of it like a driver's license with a verified signature. The signature is real. But the name on the license could be fake. That's what the green checkmark is actually verifying.
The False Security of the Green Checkmark:
- Green checkmark = Call has a signature, NOT that the call is from who they claim
- Scammers now target people who see the green checkmark (they think it's safe)
- Major banks report 40% increase in verified scam calls in 2025
- Users with green checkmark verification are 3x more likely to fall for scams
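What a "verified" result actually covers, as an added example (not code from the original article): a receiving-side policy check over the claims carried in a STIR/SHAKEN Identity header. It goes slightly beyond the text by using the standard attestation levels (A/B/C) and the optional `rcd` name claim, which the article does not name. The functions `make_identity` and `assess`, the certificate URL, and the phone numbers are constructed for illustration.

```python
import base64
import json

def _enc(obj):
    # base64url without padding, as used in a compact JWS
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

def _dec(part):
    obj = json.loads(base64.urlsafe_b64decode(part + "=" * (-len(part) % 4)))
    if not isinstance(obj, dict):
        raise ValueError("not a JSON object")
    return obj

def make_identity(attest, orig_tn, dest_tn, iat):
    """Constructed sample Identity header; the signature part is a placeholder."""
    hdr = {"alg": "ES256", "ppt": "shaken", "typ": "passport",
           "x5u": "https://cert.example.invalid/sti.pem"}
    claims = {"attest": attest, "dest": {"tn": [dest_tn]}, "iat": iat,
              "orig": {"tn": orig_tn},
              "origid": "00000000-0000-4000-8000-000000000000"}
    return f"{_enc(hdr)}.{_enc(claims)}.c2ln;info=<{hdr['x5u']}>;alg=ES256;ppt=shaken"

def assess(identity, from_tn, to_tn, now, signature_ok, max_age=60):
    """Return (verdict, name_signed) for one inbound call.
    signature_ok stands for the ES256 check against the x5u certificate,
    assumed to be performed elsewhere by the verification service.
    """
    if not identity:
        return "unsigned", False            # nothing to verify at all
    try:
        h, p, _sig = identity.split(";", 1)[0].strip().split(".")
        header, claims = _dec(h), _dec(p)
    except ValueError:
        return "malformed", False
    if header.get("ppt") != "shaken" or not signature_ok:
        return "invalid", False
    # Base SHAKEN claims cover numbers only; a signed caller name needs the
    # optional "rcd" (Rich Call Data, RFC 9795) claim.
    name_signed = "rcd" in claims
    if abs(now - claims.get("iat", 0)) > max_age:
        return "stale", name_signed          # replayed or delayed token
    orig = claims.get("orig", {}).get("tn")
    dest = claims.get("dest", {}).get("tn", [])
    if orig != from_tn or to_tn not in dest:
        return "number-mismatch", name_signed
    # "A": carrier vouches for the customer's right to use the number.
    # "B"/"C": signed, but the number itself was not verified.
    verdict = "number-verified" if claims.get("attest") == "A" else "signed-only"
    return verdict, name_signed
```

Even the best outcome here, `("number-verified", False)`, says nothing about the name shown on screen: the signature binds a carrier to a number, not to "BOA FRAUD ALERT".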
Country-Specific Caller ID Failures
🇺🇸 USA
STIR/SHAKEN mandated but poorly enforced. International robocalls bypass entirely. Carriers profit from robocalls (some lease numbers to robocallers), so enforcement is half-hearted. Result: 85 million robocalls/day, minimal decline despite technology.
🇬🇧 UK
Ofcom implemented similar authentication ("SHAKEN" equivalent). Even worse adoption than US. UK carriers more focused on profits than security. Scammers openly operate from UK call centers. Result: 11.5 million robocalls/day, many spoofed as UK numbers.
🇨🇦 Canada
CRTC mandated STIR/SHAKEN. Implementation started late (2024). Most Canadian carriers still in compliance phase, not enforcement phase. WCAG calls could be verified but aren't. Result: 18 million robocalls/day, authentication infrastructure still incomplete.
🇦🇺 Australia
ACMA hasn't mandated authentication (yet). No national standard. Carriers implementing piecemeal. Scammers exploit the regulatory vacuum. Result: 9.2 million robocalls/day, almost no authentication attempted.
🇳🇿 New Zealand
Similar to Australia. No mandate. No unified standard. RSM (telecommunications regulator) studying options but no action yet. Result: 3.8 million robocalls/day, minimal authentication infrastructure.
🇿🇦 South Africa
ICASA (regulator) has standards but enforcement is nonexistent. Corruption means call centers openly operate. No authentication used. Result: 2.1 million robocalls/day locally, 40% of US/UK/AU robocalls originate here.
How Scammers Actually Spoof Caller ID in 2025
Method 1: VoIP Provider with Loose Verification
Scammer subscribes to VoIP service (JustCall, RingCentral, etc.). Service lets you set custom caller ID. No real verification of which number you "own." Scammer sets it to "Chase Bank 1-800-555-0199." Calls are routed through the VoIP provider. Caller ID displays whatever scammer programmed. Cost: $20-50/month. Risk: minimal.
Method 2: International Gateway Routing
Scammer routes call through VoIP gateway in country that doesn't use STIR/SHAKEN (India, Philippines, Pakistan, etc.). Call "enters" US/UK/AU network as international call. US carrier can't verify it (no signature). Call is routed through with whatever caller ID scammer programmed. Cost: $0.02-0.10 per call. Risk: minimal (international routing creates plausible deniability).
Method 3: SIM Swap + Legitimate Carrier
Scammer gains control of a legitimate phone number (SIM swap attack). Uses that number to make calls. Now the call IS authenticated (because it's coming from a real number on a real account). But the person receiving calls isn't the real number owner. Cost: $500-5,000 (to bribe carrier employee). Risk: medium (carrier employees can be traced).
Method 4: Compromised Business Line
Scammer hacks into a business VoIP system (weak password, unpatched server). Uses the business's own phone lines to make calls. Caller ID shows the legitimate business. Now both the caller ID AND the authentication are real. But the business doesn't know they're being impersonated. Cost: free (exploitation). Risk: medium-low (business line traces take time).
Method 5: SIP Injection
Advanced scammers directly inject calls into carrier networks using SIP (Session Initiation Protocol). They manipulate the call signaling to spoof caller ID AND bypass authentication checks. This requires technical expertise and access to carrier infrastructure (bribed employee). Cost: $10,000+. Risk: medium-high (federal crime if caught).
What's Actually Coming (And When It Might Work)
2026: Cryptographic Caller ID (The Real Fix)
Instead of just signing the number, carriers will sign the entire call chain with cryptographic tokens. Each carrier in the network adds their signature. The receiving carrier can trace the call back through every router, every gateway, every network node. If ANY node is compromised or spoofed, the signature chain breaks. This is harder to spoof. But it requires massive infrastructure investment. Unlikely by 2026. Maybe 2027-2028.
2026: AI-Based Caller Verification
Carriers deploy machine learning models that analyze call patterns, voice characteristics, behavioral anomalies. If a call claims to be from your bank but has voice patterns from India, behavioral patterns of a scammer, and routing patterns of international fraud? The AI blocks it. This is getting closer to working. Major carriers are investing heavily. But false positives will be a problem (legitimate calls getting blocked).
2026: Blockchain-Based Caller ID (Unlikely but Possible)
Some research into using blockchain for caller authentication. Every call registered on a distributed ledger. Caller ID verified against the ledger. Impossible to spoof without controlling 51% of the network. Problem: requires global coordination between carriers who don't trust each other. Unlikely to be implemented widely.
2027: Trusted Identity Management (The Real Future)
Instead of fixing caller ID at the carrier level, fix it at the identity level. You register your voice with a trusted third party. When you call someone, your voice is verified against your registered voice. Voice doesn't match? Call is blocked. This works because voice is almost impossible to fake (voice cloning still has detectable artifacts). Timeline: 3-5 years for full implementation.
What You Can Do Right Now (Because the Technology Won't Save You)
Never Trust Caller ID Alone: If someone calls claiming to be your bank, your government, your doctor, your lawyer, hang up and call them back using the number from their official website or your records. This single behavior prevents 99% of phone scams.
Enable Call Filtering: Most carriers now offer call filtering (Verizon Call Filter, AT&T Call Protect, etc.). It's not perfect, but it blocks 60-70% of robocalls. Better than nothing.
Use a Reverse Lookup Service: If you get a call from an unknown number, immediately check it on ReverseNumberCheck.com. See if thousands of other people have reported it as a scam. Let crowdsourced data protect you.
Verify Visually: Ask the caller questions only the real organization would know. Ask them to repeat back information YOU provide (not information they provide). Ask them to verify details on YOUR account that THEY shouldn't know. Real organizations can do this. Scammers can't.
Report Every Spoofed Call: Every spoofed call you receive, report it to the FCC (USA), Ofcom (UK), CRTC (Canada), ACMA (Australia), or equivalent. Report it on ReverseNumberCheck.com. Report it to your carrier. The more reports that exist, the faster authorities can act.
Caller ID Is Dead. But You Can Verify Calls Anyway.
Use ReverseNumberCheck.com to verify unknown callers. Don't trust the screen. Trust the data. Thousands of people have already reported which numbers are scams.