Your phone just got more protection against spam calls. But it’s not safe yet

A phone screen shows received spam risk calls

The FCC approved a rule Thursday that should help block spam calls from outside the U.S. But the agency has yet to take action on the intensifying plague of spam text messages.

If you haven’t been warned recently that your car warranty has expired, that something has gone badly wrong with your Social Security account or that you are in big trouble with the Internal Revenue Service, then you must not have a phone.

Those are just a few of the most popular messages delivered by robocallers, who often hide behind spoofed numbers to fool you into answering. RoboKiller, a company that makes technology to identify bogus calls, estimated that Americans were deluged with more than 72 billion spam calls in 2021 — a 32% increase over 2020. Spammers rang Californians’ phones more than 7 billion times, RoboKiller estimated.

On Thursday, the Federal Communications Commission took another step to identify and potentially block spam calls, closing one of the big loopholes in its enforcement efforts. The commission voted unanimously to extend its crackdown on caller ID spoofing — that is, callers who disguise the phone number they’re using — to the gateways handling calls coming into the U.S. from other countries.

It’s good news for people tired of getting calls from “Spam Likely.” But that doesn’t mean it’s safe to pick up the phone every time it rings — at least not yet.

The international gateways targeted by Thursday’s rule have seen a growing number of spam calls since the FCC started to attack spoofing in 2019 through technical standards known as STIR/SHAKEN. The standards, which major phone companies have been required to implement, verify caller ID information as it is transmitted from carrier to carrier along the call’s route.

STIR/SHAKEN doesn’t block spam calls by itself. Instead, it helps carriers identify calls with spoofed IDs, which they can use other technology to block. And in some cases, it can help identify calls that an international gateway must block or face having all of its traffic rejected by the U.S. carriers it connects to, a spokesman for the commission said in an email.

Adding the international gateways to STIR/SHAKEN is “the right move,” said Chief Executive Jim Dalton of TransNexus, a company that helps carriers implement the standards. “Unless you have STIR and SHAKEN everywhere,” Dalton explained, “it’s worthless. It’s like a bucket with a hole.”

And to date, there have been a lot of holes. Unlike the days of the Ma Bell monopoly, when there were relatively few companies involved in the transmission of a phone call, the current system is like a brigade that passes a call from carrier to carrier to carrier, said Giulia Porter, vice president at RoboKiller. And not every company in that chain has been required to pass along the verified caller ID information.

So far, Dalton said, only about 25% of all calls reach their destinations with accurate caller ID info. Another gap in the STIR/SHAKEN chain is due to close at the end of June, when smaller carriers that have seen a large volume of spoofed calls will be required to implement the standards. But that will still leave a wide lane for spoofed calls, Dalton said, because STIR/SHAKEN applies only to networks that transmit calls via internet protocol, such as the ones operated by cable TV and wireless providers. “Legacy” networks that transmit calls the way they did before the internet revolutionized telephony aren’t covered.

The FCC told the industry to figure out a way to stop spoofing on legacy networks, Dalton said, and it has done so. “The technology is here, and it works,” he said. “But nobody’s going to deploy it until there’s a mandate.”

By the way, the gaps in STIR/SHAKEN and the frequent use of spoofing by spammers explains why it doesn’t seem to do anything when you tell your phone to block a spammer’s number, Porter said. The number you’re blocking probably isn’t the one being used to call you.

Ending spoofed calls is just part of the solution. By the commission’s estimate, more than half of spam calls come from numbers that aren’t spoofed.

One way to address that issue, Porter said, is to assign a reputational rating to numbers that reflects how often they’re used for spam. That rating could then be used by carriers to identify and block likely sources of unsolicited calls.

That sort of analysis is used by internet service providers to shunt unsolicited mass emails into spam folders. Phone companies also use it to mark calls “Spam Likely,” a less-than-foolproof designation that leaves it up to consumers to decide whether to take the call. The more calls that have verified caller ID information, the more effective the analysis will be.

Bear in mind that not all unsolicited calls are scams, nor are they all illegal. The Supreme Court ruled last year that robocalls violate federal law only if the numbers are dialed randomly or sequentially. If the caller dials your number on purpose because it’s on a list being targeted, you are fair game.

There are a number of ways to try to defend yourself, such as signing up for the Federal Trade Commission’s Do Not Call Registry to deter unsolicited sales calls or using an app to block potentially spurious calls. Spammers and scammers have been so good at circumventing those barriers, though, that some people have resorted to answering calls only from people they know. When the caller leaves no voicemail, that’s a pretty good sign it was spam.

But those defenses won’t stop spam texts, which are a growing scourge. RoboKiller estimates that Americans received nearly 88 billion spam texts last year, a 58% jump from the year before. Many of them are phishing scams that try to lure you into clicking on a link that will install malware or extract sensitive personal information from you. STIR/SHAKEN doesn’t have any effect on them. And the FCC hasn’t yet acted on Chairwoman Jessica Rosenworcel’s proposal to block them.

This story originally appeared in Los Angeles Times.