The man hung up.

The SMS read:

She remembered her sister’s golden rule: No real agent ever asks for the code.

She reported the number to the FIA Cyber Crime Wing. Three days later, they called back: her quick refusal had helped them trace a small ring operating out of a guesthouse in Gulshan-e-Iqbal. They’d been collecting verified numbers to drain digital wallets.

“Madam, if you didn’t request it, please ignore,” the agent said. “But change your ATM PIN as a precaution.”

Then Fatima’s phone rang. A man with a polished Karachi accent claimed to be from “PakNet Fraud Department.”

Fatima’s story became a quiet cautionary tale in her family WhatsApp group. And every time an unknown code arrives on a screen in Lahore, someone whispers: 56789. Don’t share. Think twice.

Fatima stared at the screen. She hadn’t requested any code. Her fingers hovered over the delete button, but something made her pause. A month ago, her cousin had lost 85,000 rupees to a SIM swap scam. The police had said it started with an “unexpected code.”

She called PakNet’s official helpline directly—not the number in the SMS, but the one printed on her old bank statement.

The next morning, a local news alert flashed: “Widespread SMS spoofing reported in Punjab. Do not reply to any verification codes.”

The ringleader, a 22-year-old who had learned spoofing from YouTube tutorials, had chosen “56789” simply because it was easy to remember.

That night, she did more. She called her sister in Islamabad, who worked in cybersecurity.

“Madam, we detected suspicious activity. Please confirm the 56789 code sent to you so we can block the transaction.”

It was a humid Tuesday evening in Lahore when Fatima’s phone buzzed with a message that would tilt her world sideways.

“56789? That’s too clean,” her sister said. “Scammers use random numbers, but this… this looks like a test. Someone might be mapping active numbers for a bigger attack.”