The victim has just unknowingly redirected all their calls to the criminal.
Criminals impersonate bank officials using deepfake audio technology to create false urgency about account breaches, then redirect calls to intercept verification codes. The *21 code trick enables remote call forwarding to attackers' devices, allowing them to intercept bank verification calls and authorize fraudulent transfers.
- Criminals use deepfake audio to clone voices of bank officials, family members, and trusted contacts
- The *21 code activates call forwarding, redirecting all incoming calls to the attacker's device
- Once call diversion is active, attackers intercept bank verification codes and authorize fraudulent transfers
- Financial institutions warn customers never to dial codes like *21 or share credentials over phone calls
Financial institutions alert customers to vishing scams where criminals use AI-generated voice deepfakes and call diversion tactics to steal banking credentials and drain accounts.
Your phone rings. The number is unfamiliar, but the voice on the other end sounds official—calm, authoritative, the way a bank executive should sound. There's a problem with your account, the caller explains. Suspicious activity. Your cards are being blocked. You need to act now.
This is vishing, and it has evolved into something far more dangerous than the simple phone scams of years past. Financial institutions across the country are now warning customers about a sophisticated fraud operation that combines artificial intelligence, social engineering, and a technical trick that turns your own phone against you. The criminals aren't just impersonating bank officials anymore. They're cloning voices—using deepfake audio technology to sound exactly like people you trust, asking for money in moments of manufactured crisis.
The attack unfolds in stages. It begins with a call from an unknown or blocked number. The person on the line claims to be a bank representative or security officer and describes an urgent problem: fraudulent transactions, a compromised account, immediate action required. To make the lie credible, the attacker often recites personal details about the victim—information gathered from data breaches or public sources. The pressure mounts. The victim feels cornered, afraid of losing access to their money.
Then comes the technical maneuver that makes the whole scheme work. The attacker tells the victim to dial a code on their phone: *21, followed by a phone number the attacker provides. Most people don't know what this code does. It activates call forwarding—a standard phone feature that redirects incoming calls to another device. But in this case, the victim has just unknowingly redirected all their calls to the criminal's phone. Every call meant for them now goes to the attacker instead.
Once the call diversion is active, the attacker instructs the victim to attempt a transaction or contact their bank to "resolve" the problem. The victim dials their bank's number, but the call doesn't reach the bank. It reaches the criminal, who answers as if they were a bank representative. The victim, already frightened and trusting the voice they hear, follows instructions. They provide account credentials, card numbers, personal identification details. When the bank sends a verification code by voice call—a security measure designed to prevent exactly this kind of theft—the attacker receives it instead. With that code, they authorize transfers and drain the account.
What makes this attack particularly insidious is the emerging use of voice cloning technology. Criminals are no longer limited to impersonating generic bank officials. They can now clone the voices of family members, close friends, or trusted contacts. A victim receives a call that sounds exactly like their mother, their brother, their best friend—someone in desperate need of money for an emergency. The emotional manipulation combines with technological deception. The victim's defenses crumble.
The banks have begun issuing alerts, urging customers to remember a simple rule: legitimate financial institutions will never ask you to dial codes like *21, will never ask you to redirect your calls, and will never pressure you into immediate action based on a phone call alone. If you receive such a call, hang up and call your bank directly using the number on your card or statement. Verify the emergency yourself. Do not use any phone number the caller provides. Do not activate call forwarding for anyone. Do not share credentials, card numbers, or verification codes over the phone, no matter how real the voice sounds or how urgent the situation feels.
As voice cloning technology becomes cheaper and more accessible, security experts expect these attacks to multiply. The criminals are betting that the human instinct to trust a familiar voice, combined with fear and urgency, will override caution. The banks are betting that awareness and a few simple rules will not.
Notable Quotes
Legitimate financial institutions will never ask you to dial codes like *21, will never ask you to redirect your calls, and will never pressure you into immediate action based on a phone call alone.— Banking security guidance
The Hearth Conversation Another angle on the story
Why does the *21 code work so well? Couldn't the phone company prevent this?
The code itself is legitimate—it's a standard feature for people who want to forward calls while they're away. The phone company has no way to know the user didn't authorize it. The attacker makes the victim do it themselves.
So the victim is technically the one who activates the trap?
Exactly. They're tricked into doing it, but yes. The attacker never needs access to the victim's phone. The victim hands over the keys.
What about the voice cloning part? How realistic is it actually?
Realistic enough to fool someone who's already frightened and expecting a call from that person. If your mother calls saying she needs money for a medical emergency, you're not analyzing the acoustic properties of her voice. You're panicking.
Can banks detect when a call has been diverted like this?
Not in real time, not from the customer's perspective. By the time the bank realizes something is wrong, the money is usually gone. That's why prevention—not falling for it in the first place—is the only real defense.
What's the hardest part of this scam to pull off?
Getting the victim to dial that code. Everything else follows naturally once they do. The attacker has to create enough fear and urgency that the victim stops thinking and just obeys.
And if someone realizes mid-call what's happening?
They should hang up immediately and call their bank from a different phone, using a number they know is real. But most people don't realize until it's too late.