Security Research · July 2025

Neighbor Spoofing & STIR/SHAKEN Explained: Why Scammers Use Local Numbers (And How to Defeat Them)

In 2025, a massive portion of all robocalls detected by tracking systems used a fake local area code. A huge segment of spam calls look like they come from your neighborhood — and that number is rising. Here is exactly how that trick works at the protocol level, what STIR/SHAKEN can and cannot stop, and why on-device intelligence is the only reliable defense.

The Psychology Behind the Local Number

You see a missed call. The area code matches yours. Your first instinct is not scammer — it is doctor, neighbor, school, landlord. That split-second assumption is precisely what scammers are engineering.

Research consistently shows that people are significantly more likely to answer calls from a local number compared to toll-free or out-of-state numbers. Scammers know this. Their automated VoIP dialers are explicitly programmed to rotate through numbers matching the target's area code and NXX prefix — the first six digits — to maximize answer rates. The "what if I miss something important" anxiety does the rest.

The tactic surged massively in 2025 compared to the prior year. According to Callro's 2026 Robocall Statistics report, Americans received approximately 52.5 billion robocalls throughout 2025 — and a massive portion of the scam-heavy segment of those calls wore a local disguise. Across the past five years, tracking systems have flagged hundreds of millions of unique area code-spoofed numbers. The scale is industrial.

How Caller ID Spoofing Works at the SIP Layer

Every VoIP call begins with a SIP INVITE — a Session Initiation Protocol handshake that negotiates the call before a single millisecond of audio is transmitted. Buried inside that INVITE is a From: header.

The From: header was designed to carry the caller's display name and SIP URI — e.g., From: "John" <sip:2125550142@provider.com>. In most SIP implementations, the originating software can write anything into this field. No ownership verification occurs at the SIP layer itself.

Once that manipulated SIP message travels through VoIP-to-PSTN gateways — the handoff points between the internet and the traditional phone network — the falsified caller ID is simply propagated downstream. The receiving carrier trusts the incoming data and displays it on your screen. The entire fraud chain runs on assumed trust, a relic of a phone network designed decades before internet-scale fraud existed.

Modern AI-driven autodialers can cycle through thousands of spoofed local numbers per minute, generating entirely fresh numbers on each batch. This means every single call can come from a number that has never appeared in any database — ever.

STIR/SHAKEN: The FCC's Cryptographic Answer

The FCC mandated STIR/SHAKEN deployment for major carriers starting June 2021, with subsequent expansions covering gateway and intermediate providers. The framework uses public-key cryptography to digitally sign each call at the originating carrier. Think of it as a notarized stamp that travels with every call.

STIR (Secure Telephony Identity Revisited) defines the cryptographic token format — a JSON Web Token signed with the carrier's certificate. SHAKEN (Signature-based Handling of Asserted information using toKENs) defines the industry governance and policy framework around who gets to issue those certificates and what their attestation claims mean.

When your phone receives a STIR/SHAKEN-signed call, the framework embeds an attestation level in the token — a single letter that summarizes how much the originating carrier actually verified about the caller. That letter is the single most important signal for evaluating call legitimacy.

STIR/SHAKEN Attestation Levels — What the Letter Means
LevelNameWhat It MeansFraud Risk
AFull AttestationCarrier verified the caller's identity AND confirmed they are authorized to use the exact number displayed. Direct, verified business relationship.Low
BPartial AttestationCarrier knows who the customer is but cannot verify they own or are authorized to use the specific number being displayed. Common with PBX systems.Medium
CGateway AttestationCall arrived from an external network (often international). Carrier has no relationship with the actual caller and cannot vouch for anything.High
No AttestationCall was not signed at all. Originating provider is either not STIR/SHAKEN compliant or deliberately bypassed the framework.Critical

Sources: FCC STIR/SHAKEN framework documentation; TransUnion Caller Intelligence; Sangoma Technologies. Callro reads all four attestation states natively via Android's ROLE_CALL_SCREENING API.

The STIR/SHAKEN Gap: Why the Problem Isn't Solved

STIR/SHAKEN is a meaningful step forward. It is not a solution. Three structural gaps keep spoofed calls flowing despite its existence.

Partial Adoption

As of 2025, fewer than half of registered voice service providers had fully deployed proper caller-ID authentication. Calls originating from non-compliant carriers travel unsigned — triggering the "No Attestation" state — and the FCC's own Robocall Mitigation Database enforcement removed 1,203 non-compliant providers in a single August 2025 action. Gaps in the chain are gaps for scammers.

Attestation C Is Signed, Not Safe

Gateway attestation (level C) means a call has been signed — it has a valid cryptographic token — but the signer is explicitly declaring they have no idea who the caller actually is. The signature is real; the identity is unknown. Many fraud calls arrive with a technically valid C-level attestation, fooling systems that treat "signed" as synonymous with "safe."

No Behavioral History in the Token

STIR/SHAKEN verifies identity at the carrier level. It says nothing about what that number has done historically — whether it called 10,000 people today, whether it plays a spoofed local prefix, or whether it has been associated with fraud patterns. A fresh spoofed number with a valid attestation is completely invisible to the framework.

Why Cloud Blockers Can't Stop First-Call Spoofed Numbers

Cloud-based spam blockers — those that ping a remote server to look up a number before deciding — operate on a simple principle: if a number has been reported as spam by enough users, it gets added to a blocklist. This works well for repeat offenders.

It fails completely for first-call spoofed numbers. A modern robocall campaign generates fresh numbers on every batch run. Each number has never called anyone before. It does not exist in any database. No prior complaints. No history. Cloud lookup returns clean — call goes through.

There is also a structural privacy cost: cloud blockers require your device to transmit inbound call metadata — often including the calling number — to a remote server on every call, before you even answer. You are sharing data on every call, including legitimate ones.

The first-call problem is unsolvable with cloud data alone. Callro was built around the constraint that first-call spoofed numbers are the hardest problem — and cloud lookup is not the answer. Its 26-layer Gauntlet Engine runs entirely on your device using Android's ROLE_CALL_SCREENING API — the same OS-level hook that Google's own Phone app uses — and delivers a verdict in approximately 18 milliseconds. For a deeper look at how Android's ROLE_CALL_SCREENING works, see our dedicated explainer.

How Callro's Gauntlet Engine Defeats Neighbor Spoofing

Callro was built around the constraint that first-call spoofed numbers are the hardest problem — and cloud lookup is not the answer. Its 26-layer Gauntlet Engine runs entirely on your device using Android's ROLE_CALL_SCREENING API — the same OS-level hook that Google's own Phone app uses — and delivers a verdict in approximately 18 milliseconds.

STIR/SHAKEN Attestation

Reads A/B/C/missing natively. Attestation C and unsigned calls are treated as elevated-risk signals from the first millisecond.

Neighbor Spoof Detection

Identifies calls where the displayed number's area code and NXX prefix match the user's own number — a hallmark pattern of automated local spoofing.

Call Pacing Analysis

Legitimate callers do not dial at machine speed. Gauntlet detects inhuman call timing patterns characteristic of autodialer campaigns.

SIT Tone Signaling

Blocked calls receive a 913.8 → 1370.6 → 1776.7 Hz tone sequence that autodialer software interprets as a disconnected line, removing your number from future campaign lists.

Zero Data Exfiltration

Zero READ_CONTACTS. Zero READ_CALL_LOG. No call metadata ever leaves your device. Every decision is local, private, and instant.

26 Concurrent Signal Layers

STIR/SHAKEN attestation is one of 26 independent signals evaluated simultaneously. A clean attestation alone does not pass a spoofed call.

Because every layer runs locally, Callro can flag a spoofed call that has never appeared in any database — something cloud-dependent blockers are structurally incapable of doing. It requires no phone number lookup, no remote server round-trip, and no exposure of your call metadata to a third party.

FCC Enforcement: What's Happening at the Regulatory Level

The FCC has significantly intensified enforcement through 2025. In February 2025 it proposed a $4.5 million fine against Telnyx LLC for its alleged role in a government impersonator robocall scheme. In August 2025 it removed 1,203 voice service providers from the Robocall Mitigation Database in a single enforcement sweep for failing certification requirements — effectively cutting those providers off from the U.S. phone network.

New penalty structures formalized toward the end of 2025 set $10,000 fines for false or inaccurate RMD filings, with $1,000 per entry not updated within 10 business days. A December 15, 2025 effective date was set for mandatory blocking requirements using Do Not Originate (DNO) lists.

In May 2026, the FCC adopted further expanded Know-Your-Upstream-Provider (KYUP) obligations — requiring providers to perform deeper due diligence on upstream partners and close remaining loopholes including "undue hardship" extensions. State-level mandates are layering on top as individual states introduce their own caller-ID authentication rules.

All of this enforcement is necessary and correct. It is also slow. Regulatory timelines operate in quarters and years; spoofed calls operate in milliseconds. Until full universal STIR/SHAKEN adoption closes every gap, consumer-side protection remains essential.

Frequently Asked Questions

What is neighbor spoofing?

Neighbor spoofing is when a scammer configures their VoIP dialer to display a caller ID that matches your area code — and often your exact 6-digit NXX prefix — even though the call originates from a completely different location or country. The goal is purely psychological: a familiar-looking number dramatically increases the chance you'll answer.

What does STIR/SHAKEN actually do?

STIR (Secure Telephony Identity Revisited) and SHAKEN (Signature-based Handling of Asserted information using toKENs) are FCC-mandated standards that use public-key cryptography to digitally sign calls at the originating carrier. The receiving carrier (or your phone) can then verify whether the calling number was legitimately authorized, reducing the ease of spoofing at scale.

What is the difference between STIR/SHAKEN attestation A, B, and C?

Attestation A (Full) means the carrier verified the caller's identity AND their right to use that exact number — highest trust. Attestation B (Partial) means the carrier knows who the customer is but cannot confirm they own the displayed number. Attestation C (Gateway) means the call transited in from an external network the carrier cannot vouch for — lowest trust, highest scam probability.

If STIR/SHAKEN exists, why am I still getting spoofed calls?

Three reasons: (1) Fewer than half of registered voice service providers had fully deployed proper caller-ID authentication as of 2025. (2) Attestation C calls are signed but carry zero meaningful identity guarantee — they still pass through. (3) STIR/SHAKEN says nothing about a number's behavioral history. A brand-new spoofed number with a valid-looking attestation is invisible to cloud blocklists that rely on prior complaint data.

Why can't cloud-based spam blockers catch first-call spoofed numbers?

Cloud blockers work by comparing inbound numbers against databases built from user reports and carrier data. A freshly spoofed number — one that has never called anyone before — doesn't exist in any database yet. It has zero complaint history. The first victim is always unprotected. On-device behavioral detection (call pacing, SIT tone analysis, STIR/SHAKEN attestation reading, pattern matching across 26 signal layers) can flag these zero-history calls without needing prior data.

Does Callro read my contacts or call log?

No. Callro requests zero READ_CONTACTS and zero READ_CALL_LOG permissions. All 26 Gauntlet Engine layers run entirely on your device using Android's ROLE_CALL_SCREENING API. No call audio, no metadata, and no personal data ever leaves your phone.

What is the SIT tone Callro uses to signal a blocked call?

Callro plays a three-frequency Special Information Tone sequence: 913.8 Hz → 1370.6 Hz → 1776.7 Hz. This is the same tonal pattern traditionally used by the telephone network to indicate a disconnected or non-working number. Automated robocall dialers are programmed to interpret this tone as a dead line and remove the number from their calling list, providing additional long-term protection beyond a single block.

Stop Spoofed Calls Before They Ring

Callro's 26-layer Gauntlet Engine reads STIR/SHAKEN attestation natively, detects neighbor spoofing patterns in real time, and decides in ~18 ms — entirely on your device, with zero data leaving your phone.

Get Callro Free — 7-Day TrialSee How It Works →

$9.99/month after trial · Android only · USA · No contracts

Ready for silence?

7 days free. No card needed.