The problem: anyone can spoof a caller ID
For decades, the caller ID on your phone was just a label the originating carrier could set to anything they wanted. There was no cryptographic verification: if a robocaller wanted to display your neighbor’s area code, your bank’s number, or even your own number, the carrier on the other end had no way to tell it was fake.
That’s why “neighbor spoofing” works. It’s why scam calls show up looking like they’re from your local police, your bank, or the CRA. The phone network was built on trust, and that trust got abused at scale.
STIR/SHAKEN: cryptographic caller-ID verification
STIR/SHAKEN is two protocols working together:
- STIR (Secure Telephone Identity Revisited): the IETF standard for cryptographically signing caller-ID information at the originating carrier.
- SHAKEN (Signature-based Handling of Asserted information using toKENs): the framework carriers use to actually deploy STIR across the public phone network.
When a call originates, the originating carrier signs a token attesting to how confident they are that the caller is allowed to use the number being displayed. That signed token rides along with the call through the network. When the call reaches the terminating carrier (the one ringing your phone), they verify the signature and attach a verification level to the call.
You see this verification level reflected in the verdict for each call.
The three attestation levels
Every STIR/SHAKEN-verified call carries one of three attestations:
- A (Full attestation). The originating carrier knows the customer and verified they’re authorized to use the number being displayed. This is the strongest signal of authenticity.
- B (Partial attestation). The originating carrier knows the customer but can’t verify the number being displayed actually belongs to them. Common for businesses using carrier-side dialers.
- C (Gateway attestation). The originating carrier received the call from somewhere else (often international) and can’t verify the caller or the number. Most spoofed and spam calls fall in this bucket.
A call without any STIR/SHAKEN attestation is sometimes worse than C: it means the call traversed networks that don’t support the standard at all.
What STIR/SHAKEN catches, and what it doesn’t
It catches: outright spoofing within the part of the network that’s deployed STIR/SHAKEN. If a robocaller in another country tries to display a Toronto number through a non-compliant gateway, that call arrives with a C attestation (or none at all), and your carrier can flag it.
It doesn’t catch: legitimate businesses sending unwanted calls from their own real numbers. STIR/SHAKEN only verifies that the number is real and the caller is authorized to use it. It doesn’t say anything about whether the call is wanted. A telemarketer using their own validly-registered number can still get an A attestation. STIR/SHAKEN is one signal, not the whole answer.
STIR/SHAKEN in Canada
The CRTC mandated STIR/SHAKEN for Canadian carriers in 2021. As of 2024, all Canadian voice providers using IP-based interconnect must implement it. Calls from outside Canada, calls over legacy TDM circuits, and calls between carriers that haven’t fully migrated still arrive without verification, which is why “no STIR/SHAKEN” is a meaningful signal in itself.
How WIGGWIGG uses it
The STIR/SHAKEN attestation is one of five layers in our inbound spam filter. It’s free, always on, and always logged: every call you receive shows the attestation level it arrived with in your filter log. You can also opt into “strict mode,” in which calls your carrier could not verify (C or no attestation) get blocked instead of being let through.
We don’t run any extra cryptographic checks ourselves; STIR/SHAKEN is verified by your terminating carrier before the call ever reaches us. We just read what’s there and surface it.
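The strict-mode rule above can be sketched as follows. This is an added example, not WIGGWIGG's code: it assumes the carrier passes the SIP Identity header (RFC 8224) through and has already verified its signature, and it reads the `attest` claim from the SHAKEN PASSporT (RFC 8588) without verifying anything itself. The function names, phone numbers, certificate URL, and signature bytes are constructed for illustration.

```python
import base64
import json

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_identity(attest):
    """Build a constructed Identity header value (sample numbers, placeholder signature)."""
    header = {"alg": "ES256", "ppt": "shaken", "typ": "passport",
              "x5u": "https://cert.example.org/passport.cer"}
    claims = {"attest": attest, "dest": {"tn": ["14165550123"]}, "iat": 1700000000,
              "orig": {"tn": "14165550100"},
              "origid": "123e4567-e89b-12d3-a456-426655440000"}
    token = ".".join(_b64url(json.dumps(p).encode()) for p in (header, claims))
    sig = _b64url(b"constructed-not-a-real-signature")
    return f"{token}.{sig};info=<{header['x5u']}>;alg=ES256;ppt=shaken"

def attestation(identity):
    """Return 'A', 'B' or 'C'; None if the header is absent, malformed or not SHAKEN."""
    if not identity:
        return None
    # The token precedes the ;info=...;alg=...;ppt=... header parameters.
    parts = identity.split(";", 1)[0].strip().split(".")
    if len(parts) != 3:
        return None
    try:
        header = json.loads(_unb64url(parts[0]))
        claims = json.loads(_unb64url(parts[1]))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    if header.get("ppt") != "shaken":
        return None
    level = claims.get("attest")
    return level if level in ("A", "B", "C") else None

def verdict(identity, strict=False):
    """Always report the level for logging; strict mode blocks C and unattested calls."""
    level = attestation(identity)
    # Assumption: the signature was verified upstream. An unverified token's
    # attest claim proves nothing and must not be trusted on its own.
    if strict and level not in ("A", "B"):
        return ("block", level)
    return ("allow", level)
```

A malformed or unrecognized token is treated the same as no attestation, so a parsing failure can never upgrade a call's standing.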
The takeaway
STIR/SHAKEN is the closest thing the phone network has to TLS for caller ID. It’s not a complete solution to spam (it can’t stop legitimate businesses from making unwanted calls), but it’s a meaningful first layer, especially for catching the obvious spoofing that fueled the worst of the robocall era. When your phone rings and the verification is missing or flagged C, that’s a real signal that something is off.