New Delhi: India’s cybercrime apparatus has flagged a new and highly deceptive fraud technique in which criminals are misusing USSD (Unstructured Supplementary Service Data) codes to secretly activate call forwarding on victims’ mobile phones. The alert has been issued by the National Cybercrime Threat Analytics Unit (TAU) under the Indian Cyber Crime Coordination Centre (I4C), functioning under the Ministry of Home Affairs.
The advisory, numbered TAU/ADV/007 and dated December 4, 2025, highlights a sharp rise in courier-impersonation scams where fraudsters redirect incoming calls — including banking OTP calls — without installing malware, sharing links, or seeking direct OTP consent.
Officials say this method is particularly dangerous because it exploits legitimate telecom features, leaving victims unaware of the compromise until financial losses or account takeovers occur.
What Is USSD — And Why It Is Being Weaponised
USSD is a telecom protocol that enables users to interact with their mobile network using short numeric codes combined with symbols such as * and #. These codes are commonly used for:
- Call forwarding
- Balance checks
- Network settings
USSD commands function without internet access and execute instantly. Cybercriminals are now manipulating unsuspecting users into dialing these commands, thereby gaining indirect control over their incoming calls.
Modus Operandi: How the Scam Works
According to the I4C advisory, the fraud unfolds in the following stages:
-
Courier Impersonation Call
The victim receives a call from someone posing as a courier or e-commerce delivery agent, claiming an address issue, delayed parcel, or verification requirement.
-
USSD Code Message
The victim is sent an SMS containing a USSD code starting with *21*, followed by a mobile number controlled by the fraudster.
-
False Pretext
The caller instructs the victim to dial the code, falsely claiming it is needed for delivery confirmation or rescheduling.
-
Call Forwarding Activated
Once dialed, all incoming calls to the victim’s phone are automatically forwarded to the fraudster’s number — often without a visible alert.
How Victims Lose Money and Digital Identity
With call forwarding enabled, fraudsters intercept:
- Bank OTP verification calls
- Automated transaction confirmation calls
- WhatsApp and Telegram account verification calls
This enables criminals to:
- Conduct unauthorised bank transactions
- Drain accounts without OTPs reaching the victim
- Hijack WhatsApp and Telegram accounts
- Impersonate victims to scam their contacts
Cyber officials warn that victims often discover the fraud only after money is withdrawn or accounts are locked out.
USSD Codes the Public Must Never Dial
The I4C advisory explicitly warns against dialing any USSD codes shared by unknown callers, especially:
- *21* (All call forwarding)
- *61* (Forward when unanswered)
- *67* (Forward when busy)
While these are legitimate telecom commands, authorities stress they are now being systematically exploited for financial fraud.
What to Do If Call Forwarding Is Activated
If users suspect call forwarding has been enabled without consent, they should immediately dial:
##002#
This universal command disables all forms of call forwarding and restores normal call routing.
Key Safety Advisory from I4C
The Indian Cyber Crime Coordination Centre has urged citizens to follow these precautions:
-
Do not dial phone-setting or verification codes sent by unknown callers
-
Treat urgent courier calls demanding immediate action as suspicious
-
Verify delivery issues only through official courier websites or helplines
-
Avoid clicking delivery-related links received via SMS or WhatsApp
Where to Report Cybercrime
Victims and citizens are advised to report incidents immediately through official channels:
- Cyber Crime Helpline: 1930
- National Cyber Crime Reporting Portal: https://www.cybercrime.gov.in
Authorities emphasise that early reporting significantly improves chances of fund recovery and helps dismantle organised cybercrime networks.
Why This Scam Is Especially Dangerous
Cyber experts note that unlike phishing links or fake apps, this method leaves no visible malware trail. A single USSD command, dialed in seconds, can silently compromise banking security and digital identity.
As digital payments expand, officials warn that fraud tactics are becoming less visible but more technically sophisticated, making public awareness the strongest line of defence.
