How a simple delivery call can hijack your phone using USSD codes

With just one dialled code, users can unknowingly lose control over their device. In this edition of The Safe Side, we take you through how this scam works, why it is dangerous, and how you can protect yourself.

Cybercriminals are impersonating delivery agents and tricking users into dialling USSD codes that silently forward calls including bank OTPs to fraudsters. (Image: FreePik)

Imagine you are waiting for a delivery; maybe a new phone cover, a book, or something that you ordered online. Coincidentally, your phone rings. The person on the other end introduces himself as a delivery agent and says he is nearby but cannot verify your number in the system. The tone is respectful, the conversation sounds routine, and nothing feels suspicious.

To ‘fix the issue’, he asks you to dial a short code on your phone: a combination of numbers, asterisks, and hashes. It sounds technical, official, and harmless. You dial it, believing it is just a simple verification step like the one you did earlier.

A small notification flashes on your phone screen. It disappears too quickly to process. The caller reassures you that the process is complete and hangs up. You wait for the delivery, but the person doesn’t show up. You let it go, thinking the product will be delivered tomorrow.

Then, slowly, things begin to feel strange.

Your phone stops ringing. Important calls never reach you. Friends say your number seems unreachable. In the background, without you realising it, every call meant for you is silently being forwarded to someone else. Bank verification calls, OTP confirmations, account recovery calls—everything is diverted.

What felt like a normal delivery verification was actually the moment a cybercriminal took control of your calls using a ‘USSD code’. All it took was one phone conversation, one dialled code, and a few seconds of trust.

The National Cybercrime Threat Analytics Unit of the Indian Cybercrime Coordination Centre (I4C) has recently observed a trend in cybercrime in which USSD (Unstructured Supplementary Service Data) codes are used to enable call forwarding by impersonating a delivery agent.

USSD is a session-based text messaging service without a store-and-forward mechanism (unlike SMS) that is practical for interactive communication, such as banking or education. It runs on the network and doesn’t need to be installed on the user’s phone. A USSD code is a special sequence of numbers, asterisks, and hashes used to interact with a telecom service provider or access telecom services without an internet connection.


How does this scam technically work?

“Technically, the scam abuses legitimate ‘GSM call-forwarding USSD commands’ such as *21*# or *401*#. When a user dials these codes, the telecom network treats it as an authorised subscriber action and updates the call-forwarding configuration at the network level (MSC/HLR),” said Abhishek Mathew, cyber threat intelligence researcher, CloudSEK.

“Once enabled, all incoming calls, including bank OTP calls, IVR verification calls, and app verification calls, are silently forwarded to the attacker’s number. The victim’s phone often shows no incoming call at all, or only a missed-call indicator,” he added.

Manish Agrawal, senior executive vice president, Credit Intelligence and Control Dept, HDFC Bank, opined that USSD-based call forwarding fraud is a growing threat that exploits unsuspecting citizens by tricking them into dialling special codes. These codes silently divert incoming calls, bank verification, and OTPs to numbers controlled by fraudsters. With a few simple secure banking habits, citizens can protect themselves from such scams.

“Social engineering plays a major role in such a scam,” said Utsav Kumar, cybercrime investigator. “They create a scenario where either the person gets scared or puts their trust in the caller. This can either be done on a mass level, where scammers call randomly, or another way is where the victim is thoroughly studied.”


Why users don’t realise they have been scammed

“Users don’t really realise that they have been scammed because dialling a USSD code looks like a normal phone action, with no strong warning or confirmation naming the destination number. Call-forwarding is stored on the network, not locally on the device, so day-to-day phone usage appears normal. Many banks and apps still rely on voice-call OTPs, which now go directly to attackers. This makes the compromise invisible until account takeovers or fraudulent transactions occur,” said Mathew.

Who is the prime target?

“Frequent users of online delivery and courier services are prime targets because the scam relies heavily on credible social engineering, not malware or technical exploits. People are accustomed to receiving calls from delivery agents regarding address confirmation, OTPs, or rescheduling, so such interactions have very low suspicion thresholds,” Mathew said.

He added that once trust is established, scammers exploit the fact that standard call-forwarding USSD codes work uniformly across major Indian operators like Jio, Airtel, and Vi. Codes such as *21*# or *401*# behave as legitimate subscriber commands on these networks, making the attack scalable regardless of the victim’s operator.

Mathew also said that there is no confirmed evidence of a single fresh large-scale data breach driving this campaign. “Instead, the targeting aligns with previously leaked or scraped phone-number datasets, routine exposure of contact details through e-commerce and courier workflows and timing-based attacks where scammers simply call users who are statistically likely to be expecting deliveries. In short, attackers are exploiting user behaviour and telecom feature uniformity across operators, rather than a specific vulnerability or new data leak,” he added.


Which common USSD codes are used?

Commonly misused codes include:
📌 *21*# – unconditional call forwarding
📌 *401*# – call forwarding on some Indian networks
📌 *61*#, *67*# – conditional forwarding (no answer / busy)
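
One way a dialer or device-management agent could recognise these codes before they reach the network and show a confirmation that names the destination number. This is an added example, not code from the article or any operator; the function names, the prompt wording and the sample numbers (all zeros) are constructed, and service codes 62 and 004 come from the standard GSM code set rather than from the article.

```python
import re

# Service codes: 21, 61, 67, 401 and 002 appear in the article;
# 62 and 004 are further standard GSM call-forwarding codes (added here).
FORWARDING_SERVICES = {
    "21": "unconditional call forwarding",
    "61": "forwarding when unanswered",
    "62": "forwarding when unreachable",
    "67": "forwarding when busy",
    "002": "all call forwarding",
    "004": "all conditional call forwarding",
    "401": "call forwarding (operator-specific, per the article)",
}
# Prefix of a supplementary-service string -> requested operation.
OPERATIONS = {"*": "activate", "**": "register", "#": "deactivate",
              "##": "erase", "*#": "query"}
MMI = re.compile(r"^(\*\*|\*#|##|\*|#)(\d{2,3})((?:\*[^*#]*)*)#$")


def classify_dial_string(dialled):
    """Return a dict describing a call-forwarding code, or None if it is not one."""
    compact = re.sub(r"[\s\-()]", "", dialled)  # codes are often dictated with pauses
    m = MMI.match(compact)
    if not m or m.group(2) not in FORWARDING_SERVICES:
        return None
    params = m.group(3).split("*")[1:]          # "*A*B" -> ["A", "B"]
    destination = params[0] if params and params[0] else None
    operation = OPERATIONS[m.group(1)]
    return {
        "service": FORWARDING_SERVICES[m.group(2)],
        "operation": operation,
        "destination": destination,
        # Diverting calls to a number is the security-sensitive case.
        "needs_confirmation": operation in ("activate", "register")
                              and destination is not None,
    }


def warning_text(dialled):
    """Build the confirmation prompt a dialer could show before sending the code."""
    info = classify_dial_string(dialled)
    if not info or not info["needs_confirmation"]:
        return None
    return (f"This code turns on {info['service']}: your incoming calls "
            f"will be sent to {info['destination']}. Continue?")
```
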

Early warning signs to detect the scam:

Key warning signs include:
🎯 Sudden drop in incoming calls, or contacts reporting that the phone is ‘unreachable’
🎯 Not receiving OTP or verification calls from banks, UPI apps, or messaging platforms
🎯 Unexpected “call forwarding active” indicators on the phone
🎯 Discovering unknown numbers listed under call-forwarding settings

Immediate action users should take:
🎯 Dial ##002# to cancel all call forwarding
🎯 Check call-forwarding settings for each SIM
🎯 Change passwords and PINs for banking, UPI, email, and messaging apps if exposure is suspected

What should citizens do?

Manish Agrawal said, “It is crucial for citizens to remain vigilant. Fraudsters rely on urgency and deception, often impersonating a courier or support staff to trigger call forwarding.”


Citizens are advised to follow the ‘LBW Rule’
📍 Law Enforcement: File a complaint at https://cybercrime.gov.in or call 1930.
📍 Bank: Contact your bank immediately if you notice any unauthorised transactions via Credit/Debit cards, Net Banking, or UPI.
📍 Wipe: Completely wipe your devices and change passwords to ensure security.
📍 Use official apps, websites, or customer care numbers for any change requests instead of codes dictated over calls.

Dos

📍 Verify the caller: Disconnect and call back using official customer care numbers or apps.
📍 Check call forwarding status periodically.
📍 Use official channels—handset settings, operator apps, or authenticated portals—for managing call forwarding.
📍 Enable strong security on banking apps: device lock (PIN/biometric), in-app PINs, and transaction alerts via SMS and email.

Don’ts

📍 Do not dial, save, or share codes like 21, 61, 67 when asked by unknown callers—even if they mention “delivery,” “KYC,” or “SIM blocking.”
📍 Do not click suspicious courier or delivery tracking links that instruct you to dial a code or call a non-official number.
📍 Do not share OTPs, PINs, CVV, passwords, or card details with anyone—even if the caller ID appears trusted.
📍 Do not ignore unusual network messages or sudden changes in call behaviour, such as repeated “call forwarded” tones.
📍 Do not assume USSD call forwarding is impossible—scammers may exploit residual or alternative mechanisms.

“I4C and its National Cybercrime Threat Analytics Unit (NCTAU) have issued multiple advisories warning users against USSD-based call forwarding scams, particularly those involving delivery-agent impersonation. The Department of Telecommunications (DoT) has also publicly cautioned users against dialling codes such as *401#, while CyberDost and PIB channels continue to run awareness campaigns,” Mathew said.


“Importantly, the DoT formally directed telecom operators to suspend USSD-based call forwarding from April 15, 2024, requiring a shift to app-based or customer-care–driven alternatives. However, the continued occurrence of this scam into late 2025 suggests incomplete enforcement at the operator level or technical gaps in legacy network infrastructure,” he added.

“Possible reasons include non-uniform implementation across operators, continued support for feature-phone users, and older switching systems that still honour legacy USSD commands. The persistence of the scam despite regulatory action indicates that awareness alone is insufficient. This highlights the need for stronger technical safeguards, such as mandatory on-screen confirmations naming the destination number, SMS alerts whenever unconditional call forwarding is enabled, and treating call forwarding as a security-sensitive action comparable to SIM swap or eSIM activation, rather than a frictionless legacy feature,” Mathew said.

The safe side

As the world evolves, the digital landscape evolves as well, bringing new opportunities—and new risks. Scammers are becoming more sophisticated, exploiting vulnerabilities to their advantage. In our special feature series, we delve into the latest cybercrime trends and provide practical tips to help you stay informed, secure, and vigilant online.

Ankita Deshkar is a Deputy Copy Editor and a dedicated fact-checker at The Indian Express. Based in Maharashtra, she specializes in bridging the gap between technical complexity and public understanding. With a deep focus on Cyber Law, Information Technology, and Public Safety, she leads "The Safe Side" series, where she deconstructs emerging digital threats and financial scams.

 
