Call Forwarding Scam Alert: New USSD Code Threat at Transit Hubs

The modern commuter, caught in the bustle of daily transit, often relies on the convenience of their smartphone to navigate the world. However, this same reliance has birthed a sinister, high-stakes threat now actively targeting unsuspecting individuals at bus stands and railway stations. Security agencies have issued urgent, high-priority warnings regarding a sophisticated physical social engineering campaign involving the call forwarding scam. This is not a digital hack requiring complex malware; it is a manipulation of human trust, exploiting the very tools designed to connect us.

The Mechanics of the Deception: Why It Works

The call forwarding scam succeeds precisely because it lacks the traditional indicators of a cyberattack. There are no suspicious email links to click, no pop-up malware warnings, and no obvious breaches of a device’s operating system. Instead, the attack leverages a legitimate, built-in feature of cellular networks: the Unstructured Supplementary Service Data (USSD) interface.

What is a USSD Code?

USSD (Unstructured Supplementary Service Data) is a protocol used by GSM cellular telephones to communicate with the service provider’s computers. It is the language behind those quick, text-based menus you interact with when checking your prepaid balance or purchasing data. Unlike SMS, which is a store-and-forward system, USSD establishes a real-time, bidirectional session. Because these codes operate directly between the handset and the mobile network’s Home Location Register (HLR) or Mobile Switching Center (MSC), the changes they trigger are stored on the network side—not just on the phone itself.

The Anatomy of the Attack

The social engineering aspect is a masterclass in psychological manipulation. The attacker—often physically situated near transit hubs—approaches a target, feigning an “urgent emergency,” such as a dead battery or a forgotten phone, and asks to make a brief call. Once the unlocked device is in their possession, the fraudster quickly executes a USSD command, typically something similar to *21*[attacker_number]#.

When this code is dialed, the network is instructed to implement “unconditional call forwarding.” This command is insidious for three primary reasons:

• Invisibility: The phone’s standard UI often provides no persistent warning that call forwarding is active.
• Network-Level Persistence: Because the rule resides in the carrier’s core network, the victim’s phone can still make outgoing calls and browse the web, making the breach appear non-existent.
• Intercepting MFA: Crucially, this redirection includes SMS messages and voice calls used for Two-Factor Authentication (2FA) and One-Time Passwords (OTPs).

The Aftermath: From “Emergency Call” to Financial Ruin

Once the call forwarding is active, the victim’s phone becomes a ghost. When a bank, social media platform, or payment gateway sends an authentication code to the victim’s number, that communication is immediately routed to the attacker’s device. The attacker, usually possessing already-stolen credentials for the victim’s financial accounts, then triggers password resets or unauthorized transactions. They receive the OTP, bypass the security barrier in real-time, and drain accounts before the victim even realizes their communication line has been severed.

This is a high-efficiency attack. The transition from physical interaction at a bus stop to a total account takeover can take mere minutes. By the time the victim reaches their destination and realizes they haven’t received expected alerts or calls, the financial damage is often already irreversible.

Why Public Transit Hubs?

Transit hubs are ideal venues for this specific breed of social engineering due to the environmental factors that lower our natural defenses:

1. The “High-Stress/High-Urgency” Environment: Commuters are often rushed, distracted by schedules, or worried about missing a connection. This is the optimal environment for an attacker to create a fake, time-sensitive emergency.
2. Social Compliance: Humans are inherently wired to assist others in perceived distress. An appeal for help during a travel crisis triggers a reflex to be helpful, which the scammer weaponizes to gain physical access to the device.
3. Anonymity: High foot traffic allows the fraudster to vanish into a crowd immediately after the code is dialed, leaving the victim with no way to identify them.

Defensive Strategies: Reclaiming Your Security

Authorities emphasize that the best defense against the call forwarding scam is rigorous adherence to a “zero-trust” approach when dealing with strangers. However, if you suspect your device may have been compromised, or if you simply wish to perform a routine security audit, follow these technical steps immediately.

1. Immediate Deactivation

If you have any reason to believe your call forwarding has been altered, dial ##002#. This is the universal USSD command for most major carriers to cancel all call, SMS, and data forwarding services. It is a “reset” button that clears any conditional or unconditional diversion rules stored on the network.

2. The “Hard” Verification Method

Do not rely solely on your phone’s notification bar to check your status. To manually verify if call forwarding is active, you can query your network using codes like *#21#. This will return a “setting interrogation report” from your carrier, showing the status of your call and data forwarding. If you see any number listed that you do not recognize, it is a definitive indicator of an active diversion.

3. Implementing Physical Security

Never hand over an unlocked phone to a stranger, regardless of the perceived emergency. If someone claims they have a life-threatening crisis, offer to dial the number for them while holding the phone firmly in your hand, or suggest they find an official transit employee or security guard. A locked, encrypted smartphone should remain under your physical control at all times.

4. Hardening Account Security

Relying exclusively on SMS-based 2FA is becoming increasingly risky given the prevalence of SIM-swapping and call-forwarding scams. Transition to more secure alternatives:

• Authenticator Apps: Use apps like Google Authenticator, Authy, or Microsoft Authenticator, which generate codes locally on your device rather than relying on vulnerable cellular network signals.
• Hardware Security Keys: For high-value accounts (banking, primary email), use physical FIDO2/U2F keys. These are immune to remote interception, as they require physical possession of the key to authorize a login.
• Carrier PIN/Password: Contact your mobile service provider and add an additional PIN or password to your account. This prevents unauthorized personnel from making changes to your line, including call forwarding settings, via customer support fraud.

The Changing Landscape of Social Engineering

The rise of the call forwarding scam signals a disturbing trend: as digital security software becomes more robust, criminals are shifting their focus back to the “wetware”—the human element. In an age where we are constantly tethered to our devices, the psychological manipulation required to bypass modern security is becoming more targeted and effective.

We must cultivate a healthy skepticism. When a “delivery agent,” a “stranded traveler,” or a “bank representative” asks you to perform a technical action on your phone, stop. Verify the request through official channels. The few seconds you take to validate a request are the only barrier between your personal security and a total digital takeover. The call forwarding scam is not just a warning about a specific code; it is a fundamental reminder that in the digital age, your phone is the master key to your life—and you must guard it with absolute vigilance.