In an era where our smartphones serve as digital vaults containing everything from personal conversations to financial information, a simple three-character code—*#21#—has emerged as a critical tool for detecting one of the most insidious forms of mobile compromise: carrier-level call forwarding. This USSD (Unstructured Supplementary Service Data) code allows users to instantly check whether their calls, messages, and data are being secretly redirected to another number without their knowledge, a tactic increasingly employed by sophisticated attackers and even exploited in domestic surveillance scenarios. While this vulnerability affects all mobile operating systems, Windows users who rely on mobile tethering or Microsoft's Phone Link app for cross-device functionality face particular risks, as compromised call forwarding can intercept verification codes and two-factor authentication messages essential for Windows account security.

Understanding Carrier-Level Call Forwarding: The Silent Threat

Carrier-level call forwarding operates at the network level, meaning it's configured directly with your mobile service provider rather than through your phone's settings menu. When activated, this feature silently redirects incoming calls, text messages, and sometimes even mobile data sessions to another number chosen by the attacker. Unlike device-based forwarding that can be easily checked in your phone app settings, network-level forwarding is invisible on the device itself—your phone shows normal signal strength and appears to function normally while your communications are being intercepted elsewhere.

This form of attack has gained prominence in recent years as security researchers have documented its use in targeted surveillance campaigns. According to a 2023 report from the Electronic Frontier Foundation, network-level forwarding has been exploited by both state-sponsored actors and commercial spyware vendors to monitor journalists, activists, and political dissidents. The technique is particularly dangerous because it doesn't require physical access to the target device—attackers can sometimes activate it through social engineering of carrier support staff, SIM swapping attacks, or exploiting vulnerabilities in carrier self-service portals.

How *#21# Works: The Technical Details

The #21#* code is part of a family of USSD codes standardized by the GSM Association for interacting with mobile network services. When you dial #21#* and press the call button, your phone sends a query to your carrier's network asking for the current status of all call forwarding settings. Within seconds, you typically receive an on-screen response showing whether forwarding is active for voice calls, text messages, fax calls (on supported networks), and data connections.

Most carriers worldwide support this code, though the exact response format may vary slightly. Common responses include:
- "Call forwarding is deactivated for all services" (safe status)
- "Call forwarding is active for voice calls to [number]" (compromised)
- "Forwarding active: Voice to XXX-XXX-XXXX, SMS to YYY-YYY-YYYY" (multiple redirections)

It's important to note that #21#* only checks the status—it doesn't change any settings. To deactivate forwarding if found, you would typically use ##21# (though carrier variations exist). For a complete check, security experts recommend also testing related codes: #61# for missed call forwarding, #62# for forwarding when unreachable, and *#67# for forwarding when busy.

The Windows Connection: Why PC Users Should Care

For Windows enthusiasts and professionals, mobile security directly impacts desktop and laptop security through multiple integration points. Microsoft's increasing emphasis on cross-device experiences means your phone's compromise can become your computer's vulnerability:

1. Two-Factor Authentication Interception: Most Microsoft accounts, including those used for Windows login, Office 365, and Azure services, rely on SMS-based two-factor authentication as either a primary or backup verification method. If call forwarding is active, authentication codes sent via text message can be intercepted, allowing attackers to bypass 2FA and gain access to your Microsoft ecosystem.

2. Phone Link App Vulnerabilities: Windows 11's Phone Link app (and its predecessor, Your Phone) creates a direct bridge between your PC and mobile device. While convenient for receiving notifications, making calls, and accessing messages from your desktop, this connection could potentially expose Windows to threats originating from a compromised phone.

3. Mobile Tethering Risks: Many Windows users rely on smartphone tethering for internet access. If carrier-level forwarding includes data sessions (as some implementations do), your PC's internet traffic could theoretically be monitored or redirected when connected through a compromised mobile hotspot.

4. Microsoft Account Recovery: The account recovery process for Microsoft services often involves sending verification codes to your registered mobile number. With call forwarding active, an attacker could trigger account recovery requests and intercept the confirmation codes, effectively hijacking your entire Microsoft identity.

Real-World Attack Scenarios and Detection Challenges

Recent security incidents have demonstrated how carrier-level forwarding enables sophisticated attacks. In 2022, cybersecurity firm CrowdStrike documented a campaign where attackers used a multi-step approach: first obtaining personal information through phishing, then socially engineering carrier support to enable call forwarding, and finally intercepting banking authentication codes to drain victims' accounts. The attackers specifically targeted individuals who used SMS-based 2FA for financial services.

Detection remains challenging because:
- No Device Indicators: Unlike malware that might cause battery drain or unusual behavior, carrier-level forwarding leaves no traces on the device itself
- Carrier Transparency Issues: Some carriers don't notify customers when forwarding settings change, though regulations are improving in many regions
- Technical Knowledge Gap: Most users don't know about USSD codes or how to check for network-level compromises

Windows users face additional detection hurdles because security software on PCs typically doesn't monitor mobile network configurations. While Windows Security provides excellent protection against desktop threats, it has no visibility into whether your linked phone's calls are being forwarded at the carrier level.

Beyond *#21#: Comprehensive Mobile Security for Windows Users

While *#21# provides a crucial check, comprehensive protection requires a layered approach:

1. Regular USSD Code Audits: Make checking #21#*, #61#, #62#, and *#67# a monthly habit, similar to changing passwords. Consider setting calendar reminders for these security checks.

2. Carrier Protections: Enable all available security features with your mobile provider:
- SIM Lock/PIN: Prevents SIM swapping attacks
- Port Freeze: Stops unauthorized number transfers to other carriers
- Account Security PIN: Adds extra verification for account changes
- Carrier Notifications: Opt into alerts for any forwarding or account changes

3. Microsoft Account Hardening: Reduce reliance on SMS authentication:
- Use Microsoft Authenticator app or hardware security keys instead of SMS codes
- Enable Windows Hello biometric authentication where available
- Review account recovery options and remove phone numbers if possible
- Regularly check sign-in activity at account.microsoft.com/security

4. Windows-Specific Protections:
- Keep Phone Link app updated through Microsoft Store
- Consider using a separate phone number for Microsoft account recovery
- Use Windows Sandbox or a virtual machine for sensitive activities when tethering
- Enable Controlled Folder Access in Windows Security to protect against ransomware

5. Alternative Authentication Methods:
- FIDO2 Security Keys: Physical devices that provide phishing-resistant 2FA
- Windows Hello for Business: Enterprise-grade biometric authentication
- Certificate-Based Authentication: For organizations with PKI infrastructure
- Temporary Access Passes: Time-limited codes for secure login

The Future of Mobile-Network Security

The persistence of carrier-level forwarding vulnerabilities highlights broader issues in telecommunications security. As 5G networks expand and integrate more deeply with cloud services (including Microsoft's Azure ecosystem), the potential attack surface grows. Industry responses are emerging:

GSMA's Mobile Security Guidelines: The GSM Association has published enhanced security guidelines for carriers, including recommendations for better customer notification about forwarding changes and stronger authentication for account modifications.

Regulatory Developments: The FCC in the United States and similar bodies worldwide are implementing rules requiring carriers to implement stronger customer authentication and provide free security features like SIM lock.

Technical Solutions: Some carriers are implementing:
- Real-time forwarding alerts via SMS or app notifications
- AI-driven anomaly detection to flag suspicious forwarding patterns
- Blockchain-based SIM management for tamper-proof SIM card records

For Windows users, Microsoft is gradually reducing SMS dependency in authentication systems. The company's passwordless initiative, which includes Windows Hello and security key support, represents the future of account protection. However, until SMS authentication is completely phased out—likely years away for backward compatibility—checking for call forwarding remains essential.

Practical Steps for Immediate Protection

  1. Check Your Status Now: Dial *#21# on your mobile phone and record the results. If forwarding is active to an unknown number, contact your carrier immediately.

  2. Document Your Settings: Take screenshots of the *#21# response and store them securely. This creates a baseline for future comparisons.

  3. Contact Your Carrier: Ask about additional security features available on your account. Many providers offer enhanced protections that aren't enabled by default.

  4. Review Microsoft Authentication: Visit account.microsoft.com/security and replace SMS-based verification with the Microsoft Authenticator app or security keys.

  5. Educate Your Organization: If you manage Windows devices in a business environment, include mobile security awareness in employee training, emphasizing the connection between phone compromise and corporate network access.

  6. Monitor for Updates: Both mobile operating systems and Windows receive security updates that can address integration vulnerabilities. Enable automatic updates where possible.

Conclusion: A Simple Code with Critical Implications

The #21#* USSD code represents one of those rare intersections where extreme simplicity meets critical importance in digital security. For Windows users whose computing experience is increasingly intertwined with mobile devices through Microsoft's ecosystem, understanding and regularly using this code is no longer optional—it's a fundamental component of comprehensive digital hygiene. As attackers continue to evolve their techniques, moving beyond device-centric attacks to exploit network-level vulnerabilities, our defenses must similarly expand beyond traditional antivirus software to include carrier-level protections. The three seconds it takes to dial #21#* could be what stands between you and a catastrophic digital compromise that bridges your mobile and Windows environments. In today's interconnected threat landscape, that's time well spent.