The Indian Cybercrime Coordination Centre (I4C) has issued a critical warning about a sophisticated new wave of cybercrime targeting mobile phone users across the country. The scam involves fraudsters impersonating delivery agents to trick individuals into dialing Unstructured Supplementary Service Data (USSD) codes, which silently hijack their incoming calls, including crucial One-Time Passwords (OTPs) from banks.
How the Delivery Call Scam Unfolds
Imagine receiving a call while you are expecting an online delivery. The caller, posing as a courteous delivery executive, claims they are nearby but are unable to verify your contact number in their system. To resolve this supposed issue, they instruct you to dial a short, technical-looking code—a combination of numbers, asterisks (*), and hashes (#)—on your keypad.
Believing this to be a standard verification step, many users comply. A brief notification may flash on the screen and vanish. The caller confirms the "process is complete" and disconnects. The delivery, of course, never arrives. The victim may dismiss it as a delay, but the real damage is already done at the network level.
Without the user's knowledge, all incoming calls are now being forwarded to a number controlled by the scammer. This includes voice calls from banks for transaction verification, OTP confirmations, and account recovery calls. The victim's phone may stop ringing normally, with friends and family reporting it as unreachable, while financial accounts are quietly compromised.
The Technical Mechanics of the Fraud
According to cyber threat intelligence researcher Abhishek Mathew from CloudSEK, this scam exploits legitimate GSM call-forwarding USSD commands. "When a user dials codes like *21*# or *401*#, the telecom network treats it as an authorised subscriber action and updates the call-forwarding configuration at the network level," Mathew explained.
Once activated, this setting diverts all incoming calls to the attacker's number. The victim's device often shows no sign of an incoming call, or at most a missed call notification. Since the forwarding is managed by the network (MSC/HLR) and not the device itself, daily phone use appears normal, making the hack incredibly stealthy.
Utsav Kumar, a cybercrime investigator, emphasized the role of social engineering. "They create a scenario where either the person gets scared or puts their trust in the caller. This can be done through random mass calling or by thoroughly studying a specific target," he said.
Who is at Risk and How to Protect Yourself
Frequent users of online shopping and courier services are prime targets, as they are accustomed to verification calls from delivery personnel, which lowers their suspicion. The scam works uniformly across major Indian telecom operators like Jio, Airtel, and Vi, using codes such as *21*# for unconditional forwarding or *401*# on some networks.
Manish Agrawal, Senior Executive Vice President at HDFC Bank, advised citizens to cultivate secure banking habits and remain vigilant. "Fraudsters rely on urgency and deception, often impersonating courier or support staff," he noted.
The I4C and its National Cybercrime Threat Analytics Unit (NCTAU) have issued multiple advisories on this threat. The Department of Telecommunications (DoT) had formally directed telecom operators to suspend USSD-based call forwarding from April 15, 2024, pushing for app-based or customer-care alternatives. However, the persistence of these scams into late 2025 suggests gaps in enforcement or legacy network issues.
Immediate Actions if You Suspect a Scam
If you experience a sudden drop in calls or miss important OTPs, take these steps immediately:
- Dial ##002# to deactivate all call forwarding settings.
- Manually check the call-forwarding settings for each SIM card in your phone.
- If you suspect your financial data was exposed, change passwords and PINs for banking, UPI, email, and messaging apps without delay.
Experts recommend following the 'LBW Rule' for a comprehensive response: Lodge a complaint with law enforcement at cybercrime.gov.in or call 1930; inform your Bank about any unauthorized transactions; and Wipe your device's security by changing all passwords.
Dos and Don'ts to Stay Safe
Dos:
- Verify unknown callers by disconnecting and calling back on official customer care numbers.
- Periodically check your call forwarding status through your phone settings or operator app.
- Use only official channels (handset settings, operator apps) to manage call forwarding.
- Enable strong security on banking apps, including device locks and transaction alerts.
Don'ts:
- Never dial, save, or share codes like *21*, *61*, or *67* when instructed by an unknown caller, even if they mention "delivery," "KYC," or "SIM blocking."
- Do not click on suspicious delivery tracking links that ask you to dial a code.
- Never share OTPs, PINs, CVV, or passwords with anyone, regardless of how trustworthy the caller ID appears.
- Do not ignore unusual network behavior like repeated "call forwarded" tones or a sudden lack of incoming calls.
As digital interactions increase, so do the methods of exploitation. This USSD scam underscores the critical need for public awareness combined with stronger technical safeguards from telecom providers, such as mandatory on-screen confirmations and SMS alerts for any call-forwarding activation.
