A silent crisis is unfolding at the intersection of global telecommunications infrastructure and digital finance. Cybercriminals are weaponizing a fundamental feature of every mobile network—Unstructured Supplementary Service Data (USSD) call forwarding—to orchestrate large-scale financial theft, bypassing multi-factor authentication (MFA) and other modern security controls with alarming ease. This scam economy exploits a critical trust relationship between users, their mobile devices, and their banks, revealing a systemic vulnerability that the security community is scrambling to address.
The technical mechanics are deceptively simple yet devastatingly effective. Attackers, often posing as bank officials, technical support agents, or telecom representatives, contact potential victims. Through persuasive social engineering, they convince the target to dial a specific USSD code, such as *21*, *61*, or *67*, followed by a phone number controlled by the fraudster. For example, a victim might be told to dial *21*
Once executed, this code silently activates unconditional call forwarding on the victim's line. Every incoming call and, critically, every SMS—including one-time passwords (OTPs), transaction authorization codes, and bank alert messages—is instantly redirected to the criminal's number. The victim's phone shows no ongoing call or obvious indication that forwarding is active. From this moment, the attacker owns the victim's digital identity for any service tied to that phone number.
The fraudster then initiates transactions on the victim's banking or payment apps. When the bank sends an OTP to verify the transaction, the SMS is seamlessly forwarded to the criminal, who completes the authentication. The victim remains entirely unaware until they discover emptied accounts. This attack vector is particularly insidious because it bypasses security measures installed on the victim's device, such as antivirus or secure messaging apps; the compromise occurs at the network level.
This scam highlights a profound architectural flaw: the security of the entire digital banking ecosystem often rests on the integrity of a single, legacy telecom feature—SMS delivery. USSD codes, designed decades ago for basic service management, were never built with modern security threats in mind. They require no secondary authentication, no user confirmation beyond dialing, and provide minimal feedback. This creates a low-barrier, high-reward attack model for criminals.
The impact is global, with significant reports from India, the UK, and other regions. In India, authorities have issued specific warnings about numbers starting with sequences like *21, *61, and *67. In the UK, the broader context of increasingly sophisticated threats, including those potentially linked to state-affiliated groups, adds a layer of geopolitical risk to this technical vulnerability. The scam is not limited to individual savings; business accounts and corporate financial flows are equally susceptible.
For the cybersecurity community, this represents a multi-faceted challenge. First, it's a problem of awareness. End-users, even technically savvy ones, do not understand the power of USSD codes. Second, it's a problem of responsibility. Telecom operators own the USSD infrastructure, while banks own the authentication process that depends on it. This creates a dangerous gap in accountability and remediation. Third, it's a problem of legacy technology. Patching or securing decades-old telecom signaling protocols is a monumental task with global interoperability implications.
Mitigation strategies must be equally layered. On the user education front, a global campaign is needed to establish a simple rule: never dial a code suggested by an unsolicited caller. Telecom operators could implement technical safeguards, such as introducing confirmation prompts for forwarding commands, adding delay timers for activation, or allowing users to block all forwarding requests via their account portal. Regulatory bodies must pressure operators to treat USSD security with the same urgency as network integrity.
For financial institutions, the imperative is clear: reliance on SMS-based OTP for high-value transactions is no longer tenable as a sole factor. Banks must accelerate the adoption of more secure alternatives, such as push notifications to registered authenticator apps, hardware security keys, or biometric verification that is device-bound and cannot be intercepted via network forwarding. A risk-based authentication approach, where unusual transactions trigger a different, more secure verification method, is essential.
Ultimately, dismantling this scam economy requires a coordinated effort across industries. Cybersecurity teams within banks must engage directly with security teams at telecom providers. Information sharing about malicious numbers and attack patterns needs to be real-time and automated. The era of treating telecom infrastructure as a 'trusted black box' is over. Its vulnerabilities are now directly exploitable for financial gain, making its security a core concern for every CISO in the financial sector and beyond. The weaponization of call forwarding is a stark reminder that in our interconnected digital world, the weakest link is often the oldest technology we forgot to protect.
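One operator-side safeguard that fits the mitigation and information-sharing points above is to watch USSD forwarding registrations for the fraud hub pattern: many unrelated subscriber lines registering forwarding to the same destination within a short burst. This is an added example, not code from the original article or any operator; the log format, field names, numbers and thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of operator-side USSD registration records (not real data).
# Three distinct lines register unconditional forwarding (*21*) to the same
# destination within minutes, which is the footprint of one fraudster harvesting lines.
SAMPLE_LOG = """\
2024-05-02T10:15:03Z msisdn=+447700900101 ussd=*21*+447700900999# result=OK
2024-05-02T10:16:40Z msisdn=+447700900102 ussd=*61*+447700900555# result=OK
2024-05-02T10:18:12Z msisdn=+447700900103 ussd=*21*+447700900999# result=OK
2024-05-02T10:21:55Z msisdn=+447700900104 ussd=##21# result=OK
2024-05-02T10:22:30Z msisdn=+447700900105 ussd=*21*+447700900999# result=OK
2024-05-02T14:05:00Z msisdn=+447700900106 ussd=*21*+447700900999# result=OK
"""

# Registration forms: *21*<number># (unconditional) and *61*/*62*/*67*<number># (conditional).
# A deactivation such as ##21# carries no destination and deliberately does not match.
USSD_RE = re.compile(
    r"^(?P<ts>\S+) msisdn=(?P<msisdn>\+\d+) ussd=\*(?P<code>21|61|62|67)\*(?P<dest>\+\d+)# result=OK$"
)

def parse_forwarding_registrations(log):
    """Return (timestamp, subscriber, service code, destination) per successful registration."""
    events = []
    for line in log.splitlines():
        m = USSD_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m["msisdn"], m["code"], m["dest"]))
    return events

def detect_forwarding_hubs(events, window=timedelta(minutes=30), min_subscribers=3):
    """Flag destinations collecting forwarding from >= min_subscribers distinct lines within `window`.

    Legitimate users forward to their own voicemail or second handset, so one number
    receiving many unrelated lines in a short burst is a strong signal worth sharing
    with banks as a suspected attacker-controlled number.
    """
    by_dest = defaultdict(list)
    for ts, msisdn, _code, dest in sorted(events):
        by_dest[dest].append((ts, msisdn))
    hubs = {}
    for dest, regs in by_dest.items():
        for i, (start, _) in enumerate(regs):          # slide the window over each start time
            subs = {m for ts, m in regs[i:] if ts - start <= window}
            if len(subs) >= min_subscribers:
                hubs[dest] = sorted(subs)
                break
    return hubs
```

With the sample above, only +447700900999 is flagged (the 14:05 registration falls outside the 30-minute window and the single *61* line to +447700900555 is below threshold).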