Inside a trusted call: Architecture and call path visibility
- Where inbound and outbound threats slip into the call path
- How to verify calls via SIP REC before they hit your agents, slash Average Handle Time (AHT) and evolve beyond legacy Knowledge Based Authentication (KBA) processes
- Why branded calling falls short without true network‑level verification
- How to proactively monitor and remediate improper ‘Spam Likely’ flags across the 3 major U.S. carriers from a single dashboard
- How AI-driven visibility surfaces fraud and outages before they escalate
For Infrastructure and CX leadership, traditional voice defenses are buckling under the pressure of evolving fraud. Defending the enterprise now requires a simultaneous response to two escalating threats: the sophisticated infiltration of inbound call flows by bad actors and the systematic silencing of outbound reach by carrier-level ‘Spam’ labeling and spoofing.
Legacy strategies, defined by siloed solutions and Band-Aid fixes that sit over existing infrastructure instead of in the call path, have reached a breaking point. Most security frameworks operate at the enterprise perimeter and fail to treat the carrier network as a layer of defense. Leaving this piece out introduces CX friction and leaves critical visibility gaps between the carrier and the agent desktop.
Your carrier is the first line of defense. To secure the enterprise perimeter and restore consumer confidence, the strategy must shift from reactive firefighting to a network-integrated defense. This breakdown highlights the highest‑risk points in today’s call flow and explains the carrier‑level architecture needed to mitigate these threats before they ever reach the enterprise or the customer.
Outbound architecture: The three layers of trust
For outgoing calls, CX and IT leaders are facing a growing engagement crisis. With 85% of consumers ignoring unrecognized IDs and 66% refusing to answer even when a name is present, the ‘default-to-ignore’ setting has broken enterprise workflows.[2] This results in losses like depleted lead conversion, missed appointment revenue, and agents wasting high-cost minutes dialing into the void.
While IP-based standards like STIR/SHAKEN are foundational for verifying call origin across networks, fraud schemes continue to evolve, and downstream mislabeling has become a systemic failure point. Many enterprises attempt to solve this by purchasing branded calling solutions.
However, if your underlying network layer isn’t secure, bad actors can hijack branded displays to defraud customers with higher efficiency. Additionally, if a carrier’s analytics engine mistakenly flags high-volume traffic (such as legitimate healthcare reminders or bank fraud alerts) as ‘Spam Risk’, the network-level warning will override the expensive branded display.
To restore outbound trust, enterprises need a tiered architecture: Reputation management, Network authentication, and Identity presentation.
Layer 1: Number Reputation Management (NRM)
The first step in outbound architecture is opening up the black box of number reputation within the carrier ecosystem. Events such as a sudden spike in legitimate enterprise call volume can trigger analytics engines, resulting in improper ‘Spam Risk’ labels that decimate answer rates.
Bandwidth’s Number Reputation Management (NRM) solves the critical visibility gap. Instead of guessing why calls aren’t connecting, NRM provides a centralized dashboard to track how your outbound calls are being labeled across AT&T, T-Mobile, Verizon, and major consumer blocking apps.
How call labels are determined:
Crucially, NRM goes beyond monitoring. It facilitates remediation. Bandwidth registers your numbers with the analytics ecosystem to prove legitimacy. If NRM detects a ‘Spam’ or ‘Scam’ label, Bandwidth intercepts the issue and works directly with carrier analytics engines to request the removal of the improper label on your behalf.
Layer 2: Identity Authentication
Even with a clean reputation, spoofers can still weaponize your phone numbers and branded display. This can be solved with pre-call authentication working alongside Analytics Engines to ensure that only your legitimate calls have your correct branded display. But traditional pre-call authentication solutions force IT teams to deploy integrations at the SBC level, anchoring them to on-premise hardware and stalling cloud modernization.
Bandwidth’s Identity Authentication API shifts this security check entirely to the cloud-native network layer. It validates the calling party, the recipient, and the timestamp in real time with the partner analytics engine, right in the call path before the call reaches the mobile phone.
How calls are verified for spoof:
- Sending token: When an enterprise initiates an outbound call, Bandwidth automatically sends an API signal to the partnered analytics engine to request a unique security ‘token’. This token contains the exact call details and is generated with a short Time to Live (TTL).
- Querying for token: The terminating Mobile Network Operator (MNO) queries its analytics engine for this token.
- Authentication: If the token is found, the call is cryptographically verified as legitimate, allowing the branded display to pass through. If there is no token, the analytics engine recognizes it as a spoofed call from a bad actor, leaving the call label vacant or applying a ‘Spam Likely’ label.
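The three steps above, modelled as an added example (not Bandwidth's or any analytics engine's code). The `TokenRegistry` class, the 15-second TTL, single-use consumption of a token and the phone numbers are assumptions made for illustration; the page specifies only that the token carries the call details and has a short TTL.

```python
# Assumed value: the page says only that the token has a short TTL.
TOKEN_TTL_SECONDS = 15


def normalize(number: str) -> str:
    """Keep digits only so differently formatted copies of a number match."""
    return "".join(ch for ch in number if ch.isdigit())


class TokenRegistry:
    """Hypothetical stand-in for the analytics engine's token store."""

    def __init__(self):
        self._expiry = {}  # (caller, callee) -> time the token stops being valid

    def register_call(self, caller: str, callee: str, now: float) -> None:
        """Originating side: announce a call just before it is placed."""
        self._expiry[(normalize(caller), normalize(callee))] = now + TOKEN_TTL_SECONDS

    def verify_call(self, caller: str, callee: str, now: float) -> str:
        """Terminating side: look up and consume the token for an arriving call."""
        expiry = self._expiry.pop((normalize(caller), normalize(callee)), None)
        if expiry is None:
            return "no-token"   # never announced: handled as a spoofed call
        if now > expiry:
            return "expired"    # announced too long ago to match this call
        return "verified"       # branded display may pass through


def demo():
    """Run four constructed calls through the registry."""
    reg = TokenRegistry()
    t0 = 1_700_000_000.0  # constructed timestamp
    brand, alice, bob = "+1 (919) 555-0100", "+1 202 555 0147", "+1 202 555 0199"
    reg.register_call(brand, alice, now=t0)
    results = [
        reg.verify_call("19195550100", "12025550147", now=t0 + 3),  # genuine call
        reg.verify_call("19195550100", "12025550147", now=t0 + 4),  # token reused
        reg.verify_call(brand, bob, now=t0 + 4),                    # never announced
    ]
    reg.register_call(brand, bob, now=t0)
    results.append(reg.verify_call(brand, bob, now=t0 + 60))        # arrives late
    return results
```

Because the token binds caller, recipient and time together, a call that presents the enterprise's number to any other recipient, or outside the TTL window, finds no matching token.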
Layer 3: Branded ID presentation
With the foundation secured, the final architectural layer is visual branding. When paired with network-level authentication, your customers receive visual reassurance that cannot be hijacked by spoofers. Branded calling solutions are evolving with the market, but current identity display solutions lack consistency across carriers and devices and do not always reinforce trust in the caller.
Inbound architecture: Automating authentication and reducing friction
For years, the standard line of defense against inbound contact center fraud has been Knowledge-Based Authentication (KBA). This is a reactive defense to an active problem. 46% of customers feel answering KBA questions is frustrating or completely unnecessary. [1] Relying on human agents to play detective not only makes the enterprise vulnerable to social engineering but drastically inflates Average Handle Time (AHT) and operational costs.
To build a trusted inbound architecture, IT leaders must shift authentication to the carrier network: applying verification and bioauthentication before the call ever reaches an agent or IVR.
Real-time call verification
By analyzing metadata in milliseconds, enterprises can separate authentic customers from spoofers. Bandwidth’s Call Verification product operates natively in the inbound toll-free call flow to provide spoof and fraud scoring, using ANI validation and querying a real-time national fraud database.
How Call Verification works:
- The SIP INVITE: When an inbound call hits the Bandwidth network, a globally unique Call-ID is generated and passed via an X-User-to-User header within the SIP INVITE.
- API query: The contact center’s application initiates a rapid HTTP GET request to the BAND REST API endpoint to retrieve the fraud and spoof scores.
- Risk scoring: Within 60 milliseconds, the API checks the industry’s largest national fraud database and returns a JSON payload containing a spoofingRisk score (validating the Automatic Number Identification/ANI) and a fraudRisk score.
Risk scoring:
With these scores injected directly into the IVR business logic, CX leaders can dynamically route calls. Known, low-risk customers receive a ‘green’ score, allowing the IVR to step down authentication by 1-2 steps, saving an estimated 30 seconds (or $0.50) per call. Conversely, high-risk callers are forced into stringent step-up authentication or dropped before reaching an agent. Customers see an increase in IVR call containment with a 2%+ increase in IVR self-service rate.
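An added sketch (not Bandwidth's code) of the IVR-side logic described above: read the identifier from the X-User-to-User header, fetch the scores, and choose a route, falling back to normal authentication whenever the lookup fails. The `lookup` callable standing in for the HTTP GET, the 0-100 score scale, the thresholds and the route names are assumptions; the page names only the header and the spoofingRisk and fraudRisk fields.

```python
import json

# Assumed 0-100 scale and thresholds; the page names only the two fields.
LOW, HIGH = 20, 80

SAMPLE_INVITE = (  # constructed message
    "INVITE sip:+18005550100@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bKconstructed\r\n"
    "From: <sip:+12025550147@example.net>;tag=1\r\n"
    "To: <sip:+18005550100@example.com>\r\n"
    "Call-ID: leg-a@192.0.2.10\r\n"
    "CSeq: 1 INVITE\r\n"
    "X-User-to-User: 7f3c9a12-constructed\r\n"
    "Content-Length: 0\r\n\r\n"
)


def call_id_from_invite(invite):
    """Return the X-User-to-User value from a raw SIP INVITE, or None."""
    head = invite.replace("\r\n", "\n").split("\n\n", 1)[0]  # headers only, no body
    for line in head.split("\n")[1:]:                        # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "x-user-to-user":
            # Drop header parameters such as ";encoding=..." if present.
            return value.split(";", 1)[0].strip() or None
    return None


def route(invite, lookup):
    """Pick an IVR path; `lookup` is a hypothetical wrapper around the HTTP GET."""
    call_id = call_id_from_invite(invite)
    if call_id is None:
        return "standard-auth"          # nothing to look up: never step down
    try:
        scores = json.loads(lookup(call_id))
        spoof, fraud = int(scores["spoofingRisk"]), int(scores["fraudRisk"])
    except (TimeoutError, KeyError, TypeError, ValueError):
        return "standard-auth"          # timeout or malformed payload: fail closed
    worst = max(spoof, fraud)           # either score alone can block a step-down
    if worst >= HIGH:
        return "step-up-auth"
    if worst <= LOW:
        return "step-down-auth"
    return "standard-auth"
```

The point to carry into a real IVR flow is the failure path: a missing header, a slow API or an unexpected payload should never be read as a ‘green’ score.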
Voice bioauthentication via Pindrop Integration
For highly regulated industries, the ultimate zero-friction security layer is passive voice bioauthentication. However, bringing a tool like Pindrop to a cloud contact center (CCaaS) can present an integration headache. Historically, enterprises had to maintain legacy, on-premise Session Border Controllers (SBCs) simply to manage call control and fork the media stream to third party apps like the authentication engines.
Bandwidth solves this by integrating Pindrop at the carrier level using SIP REC (Session Recording Protocol), allowing enterprises to fully migrate to the cloud and deprecate their edge SBCs.
How Bandwidth-Pindrop integration works:
- Call routing: A customer places an inbound call to your toll-free number. Bandwidth manages the SOMOS routing via advanced template management.
- Redundancies activated: Bandwidth distributes your traffic across upstream carriers so you’re never single-threaded for voice.
- Media forking & authentication: Bandwidth delivers calls to Pindrop and your CCaaS simultaneously via SIP and media forking. During this interaction, callers are authenticated or flagged as fraudulent in real time, and that analysis is fed back to the Pindrop UI.
By forking the Real-Time Transport Protocol (RTP) media directly from the carrier core, Pindrop passively analyzes the caller’s voice audio and background metadata. It boasts a 99% customer authentication rate and completes authentication in ~10 seconds, giving agents real-time biometric trust indicators while providing a frictionless experience for the consumer.
Visibility and insights: Bringing it all together
Securing the call path is ineffective without continuous, holistic monitoring. Enterprises managing complex communications tech stacks require granular visibility into the health of their voice traffic to prevent issues before they degrade the customer experience.
To elevate this visibility, IT leaders can deploy Anomaly Detection for Voice (ADV). Rather than relying on manual monitoring or static thresholds, ADV leverages proprietary AI and machine learning models to analyze your organization’s unique inbound and outbound voice traffic patterns. The algorithm learns your baseline patterns, even accounting for holiday hours and seasonality. If the AI detects an unusual trend, such as a sudden drop in outbound call volume or an unexpected spike indicative of a toll fraud attack, it fires off customizable alerts via webhook or email. This transitions the enterprise from a reactive posture (i.e. learning about service outages or active fraud attacks from angry customers) to a proactive stance, minimizing downtime and mitigating revenue loss. Take a tour to see the anomaly detection dashboard.
The Number Reputation Management (NRM) dashboard serves as the source of truth for outbound call labels across major carriers and consumer apps. With this tool, you can monitor all your number cohorts within a single window with automatic facilitation of call mislabel remediation. Take a tour to see the NRM dashboard.
Case closed: Transitioning to secure communications
A fraud prevention stack is incomplete if it doesn’t start at the carrier layer. The carrier layer is the only point where spoofing can be detected in real time, where STIR/SHAKEN attestation is verified, and where the raw call metadata is generated. Starting anywhere else means defending the house while leaving the gate wide open.
By replacing whac‑a‑mole fixes in the stack with a network‑integrated defense, Infrastructure and CX leaders can achieve three key goals:
- Architectural modernization: Retire legacy SBCs and other on‑prem middlemen by using cloud‑native SIP REC media forking and API‑based call authentication.
- Systematic reputation recovery: Overcome inconsistent branding and adopt a tokenized, network‑layer identity that can ensure that your branding is consistently displayed for your outgoing calls and not hijacked by spoofers.
- Proactive operational command: Shift from reactive firefighting to real‑time visibility with AI‑driven anomaly detection and a call labels dashboard that spots threats before they reach agents or affect performance.
A strengthened voice network keeps scammers out, protects brand equity, and ensures legitimate customer interactions stay smooth and friction‑free.
Next step: Review the full call flow specifications to determine how Bandwidth’s contact center security and trust services can integrate with your existing CCaaS and UCaaS environment.