Verified Origin: How STIR/SHAKEN Fights Phone Fraud in Brazil

Why Origem Verificada matters for your operation

If you run a telephony network, you already know that caller ID spoofing harms the entire chain. Your subscribers receive fraudulent calls, lose confidence in voice services, and start ignoring legitimate calls. For contact centers, the direct consequence is declining answer rates. For ISPs offering STFC or SCM with voice services, the issue goes beyond reputation: Anatel is making origin verification mandatory.

Resolution 777/2025 created the Origem Verificada (Verified Origin) program, Brazil's implementation of the STIR/SHAKEN protocol. By October 2028, all telecommunications service providers must be integrated into the system. This article explains what changes in your network, what investments are required, and how to prepare within the regulatory timeline.

How STIR/SHAKEN works in practice

The STIR/SHAKEN protocol (Secure Telephone Identity Revisited / Signature-based Handling of Asserted information using toKENs) uses digital certificates to validate the identity of each call originator.

When your operator originates a call, the softswitch or SBC digitally signs the SIP Identity header with a certificate issued by a certification authority recognized by ABR Telecom. The destination operator receives this signature and verifies it. If validation succeeds, the call reaches the recipient with the company name, logo, call purpose, and a verification seal.

The protocol defines three attestation levels you need to understand to configure your network correctly. Level A (Full Attestation) indicates your operator knows the customer and confirms they are authorized to use that number. This is the level that generates the full verification seal. Level B (Partial Attestation) confirms you know the customer but cannot attest to their right to that specific number. Level C (Gateway Attestation) indicates the call entered your network via a gateway and you cannot verify the actual origin.

In practice, calls with Level C attestation will be treated with increasing suspicion by smartphones and call-blocking apps. For contact centers that depend on high answer rates, ensuring Level A attestation is a priority.

Mandatory adoption timeline: what to do and when

Resolution 777/2025 establishes a gradual timeline through October 2028. Planning for your operation depends on your provider's size.

For PMS Group operators (Vivo, Claro, TIM, Oi), adapting networks to originate and verify calls with STIR/SHAKEN is the first phase. These operators are already in the implementation process, and their networks serve as the reference for interconnection with smaller providers.

For mid-sized operators, the second phase requires implementing verification support. This means your network must be able to both sign originated calls and verify received calls.

For regional providers and ISPs with STFC authorization, the final phase requires full integration into the system. If you still operate with a legacy softswitch that does not support STIR/SHAKEN headers in SIP, now is the time to plan for migration or upgrade.

What you need to implement in your network

Technical compliance involves three main components that directly affect your softswitch and SBC infrastructure.

The first is the STI-AS (Secure Telephone Identity Authentication Service). This service digitally signs calls originated on your network. It queries your operator's certificate and inserts the cryptographic signature into the SIP Identity header before forwarding the call.

The second is the STI-VS (Secure Telephone Identity Verification Service). This service verifies signatures on received calls. It queries the originating operator's public key and validates whether the signature is legitimate.

The third is integration with ABR Telecom's digital certificate infrastructure. Your operator needs to obtain telephone identity certificates, keep them updated, and ensure the STI-AS and STI-VS systems are connected to the certificate repository.

Additionally, your CDR systems need updating to record the attestation level for each call. This information is required both for regulatory auditing and for service performance reports.

ABR Telecom's role and company registration

ABR Telecom is the coordinating entity for Origem Verificada. It manages the digital certification infrastructure, administers the registry of verified companies, and maintains the database of verified numbers.

For your day-to-day operation, this means you will need to interact with ABR Telecom to obtain certificates, register client companies that want to use the verification seal, and keep information updated in the system.

If you operate a contact center or serve clients who make high-volume calls (banks, insurers, utilities), registering these companies in Origem Verificada is a value-added service you can offer. The system already records 2.2 billion contracted calls per month, demonstrating market demand.

Impact on your business model

Origem Verificada creates two concrete opportunities and one risk you need to manage.

The first opportunity is offering Origem Verificada registration and management as a service for your corporate clients. Companies that make high-volume calls want the verification seal to increase answer rates. You can facilitate this process.

The second opportunity is competitive differentiation. Operators that implement STIR/SHAKEN before the mandatory deadline demonstrate commitment to service quality and fraud prevention, which can be a strong sales argument.

The risk is failing to comply in time. Calls originated without verification will increasingly be blocked or flagged as suspicious by smartphones. If your network does not sign calls, your corporate clients will migrate to operators that offer this capability.

How Origem Verificada integrates with other Anatel rules

Origem Verificada does not operate in isolation. It is part of a regulatory ecosystem that includes the "Do Not Disturb" system, the rules for large callers, and the new RGST (General Regulation of Telecommunications Services).

For operators already dealing with large caller obligations, STIR/SHAKEN adds a verification layer that complements existing controls. Verified calls will receive preferential treatment, while unverified calls will face increasing restrictions.

For contact centers, the combination of these regulations requires extra attention. It is not enough to simply register the number in the "Do Not Disturb" system. You need to ensure calls leave your network with a valid STIR/SHAKEN signature and an appropriate attestation level.

Next steps for your operation

If you have not yet started planning, begin with a network assessment. Check whether your softswitch and SBC support the STIR/SHAKEN SIP Identity headers. Estimate implementation costs for STI-AS and STI-VS services. Contact ABR Telecom to understand the certification process.

The October 2028 deadline may seem distant, but the complexity of implementation and testing cycles require advance planning. Operators that wait until the last moment will face bottlenecks in certification and technical support from ABR Telecom.

References

• Resolution 777/2025 - General Regulation of Telecommunications Services (RGST)