1 hour ago
5
The Hyderabad police on Wednesday issued an alert for a device-neutral cyber fraud. This fraud targets even iPhone users who had remained unaffected by .apk frauds. The new scam exploits the call-forwarding features to hijack WhatsApp accounts and dupe contacts for money.
The caller, speaking with calm urgency, claims to be from a courier company. “Our delivery agent is waiting right outside your door. Please type this code to verify your parcel,” the voice insists. The victim, unsuspecting and perhaps in a hurry, obediently keys in the digits: *21number#, unaware they’ve just handed over control of their phone. Within minutes, the conmen gain control of the WhatsApp account.
Using the trick, fraudsters redirect the victim’s calls to their device. The fraudster installs WhatsApp on another device using the victim’s number, opting for a call-based verification instead of an SMS. Since the call now forwards to them, the process goes through seamlessly. Before the victim even realises what’s happening, the scammer activates two-factor authentication, locking the real owner out for good.
Moments later, the victim’s contacts begin receiving messages from their number: “I’m in an emergency. My number isn’t working, please transfer some money to this number/account.” When they try to call, the number is unreachable. Several end up sending money, convinced their friend is in trouble.
What makes this scam particularly alarming is that it targets iPhone users, once believed to be relatively immune to such fraud. “Fraudsters are now exploiting telecom-based call-forwarding features that work across all devices,” said an official from the Telangana State Cyber Security Bureau (TGCSB).
“Fraudsters are aware of what telecom operator the victim is using and so the call forwarding code changes accordingly. When a victim enters this code followed by a phone number, they’re unknowingly rerouting their incoming calls and verification calls to the scammer. Once that happens, the fraudster can take full control of your WhatsApp and contacts and misuse it in any.”
The TGCSB has warned that such cases are rising across Hyderabad and Telangana, urging users not to share or enter codes provided by unknown callers, regardless of how convincing they sound. Multiple people in Hyderabad have reported receiving fake messages from courier companies, randomly claiming “Blue Dart courier dispatched” or saying a parcel has “reached the nearest hub.” These deceptive messages often create a sense of urgency and familiarity, making recipients more likely to follow instructions without pausing.
Officials advise users who suspect a breach to immediately disable call forwarding from settings, uninstall unfamiliar apps, back up important files, and reinstall WhatsApp only after securing their number.
In the case of Android phones, fraudsters send an APK file; if you click and install it, the app requests intrusive permissions and gains the ability to read your SMS and OTPs. The attacker then uses the intercepted OTP to re-register your WhatsApp on their device, which logs you out and places your account under their control. They proceed to message your contacts pretending to be you and ask for money.
English (US) ·