Skip to main content

The Silent Hijack: New USSD Scam That Bypasses All Digital Defences

 

India's cybersecurity landscape faces a critical new threat a shockingly simple phone scam that requires no technical sophistication from fraudsters yet bypasses nearly all modern digital security measures. The Indian Cyber Crime Coordination Centre (I4C) has issued an urgent nationwide alert about a social engineering attack that uses fundamental telecom features to hijack victims' financial lives. Unlike phishing or malware, this scam exploits the trusted USSD protocol, making every mobile user from smartphone owners to basic feature phone users equally vulnerable.

This is where the technical deception occurs. The provided code isn't a verification string but a USSD command activating unconditional call forwarding. 

Typically formatted as *21*[Scammer's Phone Number] #, this sequence when dialled and pressed call silently reroutes all incoming calls to the fraudster's device. The victim might hear a standard confirmation tone or see a "service activated" message, but receives no persistent alert or SMS notification about this fundamental change to their call settings. The entire exploitation takes less than 30 seconds.

Why This Represents a Paradigm Shift in Cybercrime

This scam's dangerous innovation lies in its exploitation of infrastructure-level trust. USSD codes operate directly between the handset and mobile carrier's servers, requiring no apps, internet connectivity, or user permissions. This creates multiple unprecedented vulnerabilities:

  1. Universal Accessibility: It targets India's 500 million feature phone users with equal effectiveness as smartphone owners, dramatically expanding the potential victim pool.
  2. Security Software Bypass: Antivirus programs, firewalls, and spam filters designed to detect malicious apps or suspicious links are completely irrelevant against legitimate telecom commands.
  3. Psychological Plausibility: The request to "dial a code for verification" sounds technically credible to most users, unlike requests to install unknown apps or share passwords directly.
  4. Delayed Discovery: Victims continue to make outgoing calls normally. The hijacking only reveals itself when expected OTP calls never arrive often hours or days later, after significant financial damage has occurred.

The Aftermath: A Complete Communications Takeover

Once call forwarding activates, the scammer controls the victim's incoming communication lifeline. Every authentication mechanism relying on voice calls becomes compromised:

  • Banking OTPs and transaction alerts
  • UPI/Payment app verification calls
  • WhatsApp/Telegram authentication codes via call
  • Email password reset confirmations
  • Two-factor authentication calls for any service

With this access, fraudsters can systematically drain bank accounts, apply for instant loans in the victim's name, take over social media profiles, and create new financial accounts all while the victim remains unaware their communication channel has been completely compromised.

Code Magic – If You Ever Feel Something Is Wrong, Dial ##002# And Hit Call. This Cancels All Forwarding of Calls. Think Of It as An Emergency "Stop" Button for Your Phone.

Become a Code Sleuth: You Can Find Out Whether Someone Is Forwarding Your Calls. Here's How to Check:

Dial *#21# To See If Any and All of Your Calls Are Being Redirected. Dial *#62# To See If Calls Go to Another Phone When Your Phone Is Off. Dial *#67# To See Where Calls Go When You Are Busy.

Golden Rule: Do Not Ever Dial (A) Code That Starts With (A) *21, *61, *67, *401 Just Because Somebody on The Other End of The Telephone Agrees That You Should!!! It's Like Giving A Stranger Your House Keys.

Change Your Valuable Habits:

Trust Your Intuition Instead of the Person on the Line. If Someone Asks You to Call a Code, Download An App, Or Share A Screen to Fix Something Just Say No. Hang Up. Reputable Companies Do Not Operate This Way.

Use The Hang Up & Call Back Method. This Works Extremely Well! If Your Bank, Package Delivery Service, Etc., Calls, Thank Them for Their Call, Close the Call, Then Re-Dial Their Official Number Listed on Their Website Or Other Documentation.

If compromised, victims must act within the critical first hour: dial ##002#, contact banks via official numbers (not those provided by the scammer), freeze accounts, and immediately file reports at cybercrime.gov.in and with helpline 1930. The speed of response directly correlates to potential recovery.

 

Labels:

Popular posts from this blog

ChatGPT-5 Is Powerful and Fast, But It Can’t Replace Software Engineers!

  As someone who’s been following tech closely for over a decade, I’ve seen countless innovations come and go but few have stirred as much excitement and debate as ChatGPT. ChatGPT has developed, and launch ChatGPT 5, it genuinely seems that the enhancements have significantly slowed down. Previous iterations led to significant advancements in AI capabilities, particularly in assisting with coding. However, the enhancements now seem minor and somewhat gradual. It feels as though we’re experiencing diminishing returns in the extent to which these models improve at truly substituting real coding tasks. The vast majority of people say that AI is going to replace software engineers very soon. Yes, AI can perform simple activities and support routine activities, but where there are intricate things like planning the system, tackling more challenging problems, grasping actual business needs, and collaboration with others, it hasn't been able to catch up yet. T hese require creativity...
Read more

Security Flaw in India's Income Tax Portal Exposes Sensitive Taxpayer Data

A major security vulnerability in India's income tax filing portal has been fixed, TechCrunch reported. The flaw, discovered by security researchers Akshay CS and "Viral" in September, allowed logged-in users to access real-time personal and financial information of other taxpayers. This included sensitive details such as full names, home addresses, email addresses, dates of birth, phone numbers and bank account information. Exposed Aadhaar numbers of individuals The security flaw in the income tax filing portal also exposed Aadhaar numbers, a unique government-issued identification number used for identity verification and accessing government services. TechCrunch verified the data by allowing researchers to search its records on the portal. The researchers confirmed on October 2 that the vulnerability had been patched. Discovery process Researchers found bug while filing tax returns The researchers found the security flaw while filing their recent income tax return on...
Read more

Beware of Fake Starlink Mini Messages: Satellite internet is not free in India.

    A viral message is making the rounds on WhatsApp and social media in India, claiming to offer zero monthly fees and unlimited internet  via a device called   Starlink Mini.While the offer may sound tempting but it is completely misleading and has been flagged by the Indian government as unauthorized and false. Starlink Is Not Yet Operational in India As of June 2025 The satellite internet service by Elon Musk’s SpaceX has not launched its commercial operations in India. Although the company has received a Letter of Intent from the Department of Telecommunications (DoT), it still requires key regulatory approvals including: 1.Spectrum allocation 2.Clearance from IN-SPACE (Indian National Space Promotion and Authorization Centre) Until these approvals are granted, no official Starlink services including Starlink Mini are available in India. Once Starlink gets the green light to operate in India, here’s what consumers can realistically expect: Monthly ...
Read more