CBIA thanks Antoni Shkraba Studio for the photo

Cybercriminals Exploit Call Forwarding Feature in Growing Financial Fraud Scheme

by CBIA Team

A sophisticated cyber fraud operation is targeting mobile phone users by manipulating call forwarding functions to intercept one-time passwords (OTPs) and gain unauthorized access to bank accounts. The Indian Cyber Crime Coordination Centre (I4C), operating under the Ministry of Home Affairs, has issued urgent warnings about this escalating threat, which exploits legitimate telecom features through deceptive social engineering tactics.

The scheme represents a concerning evolution in financial cybercrime, transforming everyday mobile functions into weapons for account takeover. By the time victims recognize suspicious activity, fraudsters may have already drained accounts or compromised sensitive personal information, highlighting critical vulnerabilities in mobile security awareness.

Background and Context

The exploitation of call forwarding features marks a significant development in cybercriminal methodology, building upon established techniques of social engineering and telecommunications manipulation. According to the National Cybercrime Threat Analytics Unit, this particular scam has gained momentum as digital payment systems become more widespread and consumers increasingly rely on mobile banking services.

USSD (Unstructured Supplementary Service Data) codes—those sequences beginning with asterisks and hash symbols that allow users to access telecom services without internet connectivity—have become the unlikely weapon of choice for fraudsters. These codes, designed for legitimate network operations, now facilitate a stealthy method of redirecting communications without triggering immediate victim suspicion.

Key Figures and Entities

The Indian Cyber Crime Coordination Centre (I4C) has taken the lead in documenting and responding to this threat. As the central agency coordinating cybercrime response across India, their advisory provides detailed intelligence about how these scams operate and technical guidance for potential victims.

According to I4C's official advisory, fraudsters typically impersonate delivery or courier service representatives, leveraging the increased reliance on e-commerce in recent years. By posing as legitimate businesses attempting to confirm or reschedule deliveries, they establish credibility before asking victims to dial specific USSD codes that activate call forwarding to numbers controlled by the criminals.

The technical mechanism behind this fraud relies on call diversion codes that reroute incoming voice calls and SMS messages. The most commonly exploited USSD code begins with *21, which, when followed by a phone number, activates unconditional call forwarding. Other prefixes identified by authorities include *61 and *67, which trigger different forms of call diversion.

Once activated, these forwarding settings capture verification codes sent by banks, payment platforms, and authentication services. This enables fraudsters to complete unauthorized transactions, reset passwords, and gain control of messaging applications like WhatsApp and Telegram. The financial impact can be devastating, with victims sometimes discovering the fraud only after significant funds have been transferred.

The technical simplicity of these attacks belies their effectiveness. The Telecom Regulatory Authority of India has acknowledged that while call forwarding serves legitimate purposes, safeguards against misuse remain limited, particularly when authorization is given through social engineering rather than direct user initiation.

International Implications and Policy Response

While the current advisory focuses on reported cases in India, security experts warn that similar schemes likely operate globally wherever call forwarding features exist. The method's technical universality makes it easily adaptable across telecommunications networks worldwide, presenting a challenge for international regulatory cooperation.

The I4C recommends immediate deactivation of all forwarding services by dialling ##002# if users suspect they may have been compromised. They also emphasize the importance of verification through official channels rather than responding to unsolicited communications, regardless of how convincing they may appear.
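The forwarding codes described earlier and the ##002# reset code follow the standard supplementary-service dial-string layout, so a message filter or help-desk tool can recognise them in text a user has been asked to dial. The following is an added example, not part of the I4C advisory: the function name, the sample phone number and the codes 62 and 004 (taken from 3GPP TS 22.030) are assumptions beyond what the article lists.

```python
import re

# Call-forwarding service codes. 21, 61, 67 and 002 appear in the article;
# 62 and 004 are added from 3GPP TS 22.030 (assumption beyond the article).
FORWARDING_SERVICES = {
    "21": "unconditional",
    "67": "when busy",
    "61": "when unanswered",
    "62": "when unreachable",
    "002": "all forwarding",
    "004": "all conditional forwarding",
}
# Prefix symbols select the operation applied to the service code.
OPERATIONS = {"**": "register", "*#": "query", "##": "erase",
              "*": "activate", "#": "deactivate"}
TURNS_FORWARDING_ON = {"register", "activate"}

# Prefix, 2-3 digit service code, optional '*'-separated fields, closing '#'.
DIAL_RE = re.compile(r"([*#]{1,2})(\d{2,3})((?:\*[+\d]*)*)#")


def find_forwarding_codes(text):
    """Return one dict per call-forwarding dial string found in text."""
    # Codes are often padded with spaces or dashes; remove those separators.
    compact = re.sub(r"(?<=[\d*#+])[ \-](?=[\d*#+])", "", text)
    hits = []
    for m in DIAL_RE.finditer(compact):
        prefix, service, fields = m.groups()
        op = OPERATIONS.get(prefix)  # None for invalid prefixes such as '#*'
        if op is None or service not in FORWARDING_SERVICES:
            continue  # not a forwarding code, e.g. a balance check like *123#
        parts = fields.split("*")[1:]
        hits.append({
            "code": m.group(0),
            "operation": op,
            "service": FORWARDING_SERVICES[service],
            "target": parts[0] if parts and parts[0] else None,
            "risky": op in TURNS_FORWARDING_ON,
        })
    return hits


if __name__ == "__main__":
    # Constructed sample message; the phone number is a placeholder.
    sample = "Parcel on hold. Dial *21*9876543210# to reschedule delivery."
    for hit in find_forwarding_codes(sample):
        print(hit)
```

Only dial strings that switch forwarding on are marked risky; the ##002# erase code and status queries are reported but not flagged.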

Victims of such scams are advised to report incidents immediately through the national cybercrime helpline at 1930 or by filing a complaint on the official cybercrime reporting portal. The agency stresses that prompt reporting significantly increases the chances of recovery and prevents further exploitation.

Sources

This report draws on the official advisory issued by the Indian Cyber Crime Coordination Centre (I4C) under the Ministry of Home Affairs, documentation from the National Cybercrime Threat Analytics Unit, and reporting from Asianet Newsable published in October 2024. Additional context includes information from the Telecom Regulatory Authority of India and the national cybercrime reporting framework.
