USSD Trap: The New Face of Cyber Fraud

- Mar 23, 2026
- Updated Mar 23, 2026, 1:43 PM IST
A few days ago, I received a frantic call from a friend. For obvious reasons, I am not mentioning her name. She told me that several of her acquaintances had started receiving messages from her number, claiming that she urgently needed money for a medical emergency, etc. Soon after, she began getting calls from concerned friends asking about her condition and enquiring what exactly was happening with her.
Confused and alarmed, she tried to understand what had gone wrong. She recalled that earlier she had received a call from someone posing as a courier service executive. The caller claimed that the delivery person was unable to locate her address and asked her to contact a number provided in a message. Trusting the information, she followed the instructions, contacted the number, and even received the courier.
However, something did not feel right. When she called the same number again, the person on the other end changed his tone and claimed that he was untraceable and that even the police would not be able to apprehend him. Feeling helpless, my friend reached out to me.
I asked her to share the screenshot of the message she had received. The content confirmed my suspicion. It was a classic case of a USSD-based social engineering fraud.
In such crimes, victims typically receive a message asking them to dial a number such as *21*(Fraudster’s Number)# under some pretext. It may be presented as a step to track a courier, claim an offer, or resolve a delivery issue. In reality, it is a carefully crafted scam. The perpetrators use social engineering techniques to psychologically manipulate the victim, creating urgency or curiosity so that the individual acts without proper verification. In the process, the victim unknowingly compromises basic cyber security practices.
A USSD, or “Unstructured Supplementary Service Data” code, is a real-time communication protocol used by GSM mobile phones to interact directly with a telecom service provider’s system. These codes, usually beginning with * and ending with #, enable quick actions such as checking balances or accessing network services without requiring an internet connection. Because USSD operates instantly over the cellular network, it is faster than SMS and does not depend on data connectivity.
Fraudsters exploit this feature by tricking users into dialing specific USSD codes that activate call forwarding. For instance, dialing *21*(Fraudster’s Number)# can forward all incoming calls from the victim’s phone to another number controlled by the fraudster. Once this is enabled, calls, including those that deliver OTPs and two-factor authentication codes, are redirected. This allows criminals to bypass security layers, gain access to bank accounts, and even take control of social media profiles.
In most cases, the success of such fraud depends on human behaviour rather than technology. The criminals design their messages around triggers such as courier deliveries, gifts, or urgent notifications. These stimuli often push individuals to act quickly, without allowing the rational part of the brain to assess the situation. The victim, almost in a trance-like state, follows instructions and inadvertently opens the door to exploitation.
The precaution, therefore, is simple but crucial. Never dial unknown codes received through SMS, WhatsApp, email, or unsolicited calls. Always verify courier or service-related messages through official applications, websites, or verified customer care numbers. Under no circumstances should one act on instructions from unknown sources without proper verification.
If such a code is dialed inadvertently, immediate corrective action is essential. Call forwarding should be deactivated by dialing ##21#, and its status can be verified by dialing *#21#. The victim should report the incident without delay to the nearest police station, or lodge a complaint on the National Cyber Crime Reporting Portal at https://cybercrime.gov.in, or by calling the Cyber Crime Helpline on 1930. Prompt reporting enables a lawful investigation, increases the chances of apprehending the perpetrator, and helps build records that contribute to wider public awareness.
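A defender-side check for the pattern described above, as an added example that is not part of the original article: it scans message text for call-forwarding codes and separates requests that divert calls from the harmless ##21# and *#21# forms. The service codes other than 21 are the standard GSM forwarding codes (a generalization beyond the article), and the function names, phone numbers and sample messages are constructed.

```python
import re
import unicodedata

# Call-forwarding service codes from the GSM standard (3GPP TS 22.030).
# The article names only 21; the rest are added here as a generalization.
FORWARDING = {"21": "unconditional", "67": "when busy", "61": "on no reply",
              "62": "when unreachable", "002": "all forwarding",
              "004": "all conditional forwarding"}
ACTIONS = {"*": "activate", "**": "register", "#": "deactivate",
           "##": "erase", "*#": "interrogate"}

# prefix, service code, optional *destination, closing '#'.
# Spaces and hyphens inside the code are tolerated so a spaced-out code is caught.
MMI = re.compile(r"(?<![*#\d])(\*\*|\*#|##|\*|#)\s*(\d{2,3})\s*"
                 r"(?:\*\s*(\+?[\d\s\-]{4,20}?))?\s*#")

def find_forwarding_codes(message):
    """Return one finding per call-forwarding code found in a message."""
    text = unicodedata.normalize("NFKC", message)  # fold full-width * # digits
    findings = []
    for match in MMI.finditer(text):
        prefix, code, dest = match.groups()
        if code not in FORWARDING:
            continue  # ordinary USSD, e.g. a balance check
        number = re.sub(r"[^\d+]", "", dest or "")
        action = ACTIONS[prefix]
        findings.append({
            "action": action,
            "condition": FORWARDING[code],
            "forward_to": number or None,
            # Only a request that sets a destination diverts the victim's calls.
            "risky": action in ("activate", "register") and bool(number),
        })
    return findings

def message_is_risky(message):
    return any(f["risky"] for f in find_forwarding_codes(message))

# Constructed sample messages; the phone numbers are placeholders.
SAMPLES = [
    "Courier on hold. To confirm address dial *21*9876543210# now.",
    "Delivery failed, dial *21* 98765 43210 # to reschedule",
    "To cancel forwarding dial ##21# and check with *#21#",
    "Dial *123# to check your balance",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(message_is_risky(sample), find_forwarding_codes(sample))
```
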
It is worth noting the awareness efforts of Chandigarh Police, who have displayed prominent public messages carrying the helpline number 1930 at Sukhna Lake, along with the cautionary words “Stop, Think and Act.” Such initiatives serve as a vital reminder that in the digital age, awareness remains the first line of defence. I witnessed this myself while strolling around Sukhna Lake with my family.
Cyber fraud today is less about hacking systems and more about manipulating people. Staying alert, verifying information, and acting with caution can prevent such incidents and protect both personal and financial security.
Cybercriminals don’t hack devices, they manipulate minds. Stay aware, stay safe.