Call forwarding scam & WhatsApp's privacy risk

Today's newsletter covers the USSD code call forwarding scam and WhatsApp's hidden privacy risk.

In this issue:

  • USSD code call forwarding scam

  • WhatsApp's hidden privacy risk

  • Data breaches this week (including social security numbers!)

USSD code call forwarding scam

A dangerous phone scam is making the rounds again, and it is one that too many people still have not heard about. It is known as the USSD code call forwarding scam, and it is particularly effective because it does not involve hacking your phone, stealing your password, or swapping your SIM card.

The scam usually starts with a convincing message or phone call. You might get a text claiming to be from a delivery company like FedEx or UPS, saying there was a problem delivering a package. Other versions pretend to be from your mobile carrier and warn about a security issue with your line. The message creates urgency and then offers a simple fix.

That fix is the trap.

The scammer tells you to open your phone’s dialer and enter a short code that looks harmless, something like 21 followed by a phone number and ending with a pound sign. They may call it a verification code or a tracking code. The cellular call forwarding functions may look like this:

  • Verizon: *72 + [Phone Number]

  • T-Mobile: **21* + [Phone Number] + #

  • AT&T does not clearly document how to forward, so here are several possible formats:

    • **21* + [Phone Number] + #

    • *21* + [Phone Number] + #

    • 21 + [Phone Number] + #

In reality, it is a USSD command. USSD stands for Unstructured Supplementary Service Data, and these codes talk directly to your mobile carrier. (Some of us may remember call forwarding back when we had landlines.)

When you dial that code, you are not checking a package. You are turning on call forwarding.

Once call forwarding is active, all your incoming calls are silently sent to the scammer’s phone. Your phone still has signal. You can still text and browse the internet. The only thing you might notice is that calls stop coming in, which many people do not realize right away.

This is where the real damage happens. Many banks, email providers, and apps like WhatsApp offer a “call me with a code” option for account recovery. When the scammer tries to log in as you, that verification call goes straight to them. They hear the code, enter it, and take over your account.

Never dial a code that starts with an asterisk and ends with a pound sign if it came from a text, email, or phone call you did not initiate. Legitimate companies will never ask you to type a code into your dialer to fix a delivery or secure your account.
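
As an added example (not part of the original newsletter), here is a small Python filter that flags the call forwarding formats listed above when they show up in an incoming text. The function names are hypothetical, and the sample messages and phone numbers are constructed.

```python
import re

SEP = r"[\s\-.()]*"                       # separators people type inside numbers
NUM = r"(\+?\d(?:[\s\-.()]*\d){6,14})"    # 7 to 15 digits, separators allowed

# Call forwarding formats listed in this newsletter.
FORWARD_PATTERNS = [
    ("*72 + number", re.compile(r"(?<![\d*#])\*72" + SEP + NUM)),
    ("*21* or **21* + number + #",
     re.compile(r"(?<![\d*#])\*{1,2}21\*" + SEP + NUM + SEP + "#")),
    ("21 + number + #",
     re.compile(r"(?<![\d*#+])21" + SEP + NUM + SEP + "#")),
]


def find_forwarding_codes(message):
    """Return one dict per call forwarding code found in the message text."""
    hits = []
    for label, pattern in FORWARD_PATTERNS:
        for match in pattern.finditer(message):
            hits.append({
                "format": label,
                # Keep only digits and a leading plus from the captured number.
                "forward_to": re.sub(r"[^\d+]", "", match.group(1)),
                "text": match.group(0),
            })
    return hits


# Constructed sample messages (fictional 555-01xx numbers).
SAMPLES = [
    "FedEx: delivery problem. To confirm your tracking code dial **21*2025550143# now.",
    "Carrier security alert: dial *72 202-555-0143 to verify your line.",
    "Your package arrives on 21 March. Track it in the app.",
    "Verify now: 21 2025550143 #",
]

if __name__ == "__main__":
    for text in SAMPLES:
        hits = find_forwarding_codes(text)
        print(("FLAG " if hits else "ok   ") + text)
        for hit in hits:
            print(f"     would forward calls to {hit['forward_to']} ({hit['format']})")
```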

WhatsApp's hidden privacy risk

I use WhatsApp every single day. It is how I talk to my colleagues, coordinate schedules, share photos, and keep up with people across time zones. For most of us, it feels like a safe and familiar application. That is why this new activity tracking threat caught my attention.

This is not about reading your messages. Your chats are still end-to-end encrypted, which means nobody but you and the other person can read your messages.

The real issue is something called "metadata". This is higher-level information that describes things about you or your messages.

Researchers recently demonstrated a technique that lets someone track when you are actively using your phone, when you go to sleep, when you wake up, and even when you leave the house. All they need is your phone number.

The tracking works by sending invisible probes that never appear in your chat history. You do not see a message. You do not get a notification. But your phone quietly responds with a delivery signal. By measuring how fast that response comes back, an attacker can tell if your phone is in your hand, sitting idle, or offline. Over time, that builds a very accurate picture of your daily routine.

That kind of information is dangerous. It can be used for stalking. It can help criminals time burglaries. It can also make phishing attacks far more convincing because scammers know exactly when you are likely to respond.

What worries me most is how easy this is to abuse. There is no hacking required. No malware. Just a phone number and freely available tools.

The good news is that there is something you can do right now. In WhatsApp, go to Settings, then Privacy, then Advanced, and turn on “Block unknown account messages.” This limits silent probes from people who are not in your contacts. You may already have this setting turned off (I did).

I still use WhatsApp every day. But this is a reminder that privacy risks are not always obvious. Sometimes the most dangerous data is not what you say, but what your applications know about you.

Data breaches this week

Most of the time these will be companies that you don’t have any personal data with, but scan the names to make sure you aren’t affected. This week a lot of data was stolen including some social security numbers.

Do you have an idea for a future newsletter? Please reply to this email and let me know.

Thank you so much!

Sincerely,
Cassie Crossley
Founder, Cyber Safe Center
https://www.cybersafecenter.com