Toronto Police uncover a fake base station SMS scam.

In November 2025, a cybersecurity partner quietly alerted Toronto police to an unusual occurrence on the streets of Canada’s largest city: a suspected rogue device operating in downtown Toronto, mimicking a legitimate cell tower and pushing fraudulent text messages to anyone nearby.
By the time search warrants were executed in Markham and Hamilton last month, investigators had documented tens of thousands of mobile devices connecting to an SMS blaster, along with more than 13 million network disruptions.
On April 23, Toronto police announced the arrests of three men, aged 21 to 27, on 44 combined charges, including fraud and mischief. They called it Project Lighthouse, the first investigation of its kind in Canada.
What’s an SMS Blaster?
An SMS blaster, also called a “portable rogue base station,” is similar to an IMSI catcher, or “Stingray.” It is a device small enough to fit in a backpack or a car trunk that impersonates a legitimate cell tower. When switched on, nearby mobile phones detect it as a strong network signal and connect to it automatically, much like how a laptop connects to the nearest Wi-Fi access point.
The typical cellphone user has no idea it is happening.
Once the phones are connected, the device sends fraudulent text messages directly to them that can appear to come from a bank, a government agency, a service like Canada Post, or a toll highway like the 407 ETR. Because the messages bypass normal carrier SMS routing, many standard spam filters never see them.
The message arrives looking legitimate, with no warning flags from your phone or service.
The mechanism that makes this possible is a forced downgrade to legacy 2G connections. In modern 4G or 5G cellular networks, authentication and encryption are strong and robust. However, when a phone falls back to a 2G connection, its protections become much weaker. SMS blasters take advantage of this vulnerability by signalling to nearby phones that 2G is the best available connection. Once the phone is downgraded, its security protections are largely lost.
Security researchers have documented cases where the connection offers what is called a null cipher—effectively no encryption at all.
These devices are not exotic. The underlying technology was originally developed for law enforcement, used to track suspects by harvesting their mobile subscriber identities. In recent years, a rebranded consumer version has emerged, sold openly online, with prices reported under US$5,000.
Why Normal Filters Don’t Stop Them
Carrier-level fraud filters are designed to screen messages travelling through the cell network. But a blaster-injected message doesn’t use that network. It arrives through a fake tower signal that the phone thinks is real.
From the phone’s perspective, the message appears local and authoritative, which can make it seem as though it’s coming from a trusted source. Because the message is injected before it ever reaches the carrier’s network, it can be made to display virtually any sender name—your bank, the Canada Revenue Agency, a courier service, or other familiar organizations—making it especially convincing.
In addition, the phone has no way to verify it.
A challenge in preventing the criminal use of SMS blasters is how compact and portable they are, easily concealed in backpacks in shopping malls, stashed in car trunks moving through residential neighbourhoods, or carried through busy city centres to maximize their reach.
Canada Not the First
Rogue SMS blasters were rarely reported outside mainland China before 2022. Since then, the spread has been rapid. Arrests linked to SMS blaster operations have been made in the United Kingdom, France, the Philippines, Malaysia, Thailand, Brazil, and Japan.
Recent research into online banking fraud in the Philippines indicates that phishing incidents have surged by an alarming 423 percent, with “smishing” (SMS-based phishing) now identified as the dominant threat.
Europe has seen a wave of smishing cases in recent years. In the UK, police arrested two people in 2024 over a homemade device used to send fake bank texts. Greek police reported a similar case in Athens in 2026, and broader industry data suggests a large share of global smishing attacks now target EU users.
The Toronto incident, according to Project Lighthouse, followed the same pattern. Police said the device was mobile, operated from a vehicle, and moved throughout the Greater Toronto Area over several months before detection. They also said they recorded more than 13 million network disruptions, and that those disruptions could at times affect access to legitimate cellular networks, including emergency services such as 911.
What You Can Do
There’s a little-known setting that can significantly reduce exposure: disabling 2G connectivity.
On iPhone (iOS 16 and later), go to Settings > Cellular > Cellular Data Options > Voice & Data, then select LTE or 5G to prevent most fallbacks to 2G.
On Android, navigate to Settings > Network & Internet (or Connections) > SIMs or Mobile networks > Preferred network type, and choose an option that excludes 2G—if your device supports it.
Note that disabling 2G may affect connectivity in rural areas where older networks still operate. For most urban Canadians, the trade-off is probably well worth it.
Beyond these setting changes, there are some standard behavioural rules to follow:
- Never click links in unexpected text messages, regardless of how familiar the sender’s name looks.
- Any SMS containing a URL delivered over a 2G connection should be treated as highly suspicious.
- Legitimate organizations such as banks, the CRA, Canada Post and toll authorities won’t request payment or login credentials through an SMS link.
- Access your online banking through the official app or by typing the address directly into your browser; never follow a link from a text.
- If you clicked a link: change your passwords right away, contact your bank, and report the incident to the Canadian Anti-Fraud Centre.
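For defenders who have radio telemetry from managed devices, the 2G downgrade and null-cipher behaviour described earlier and the rule above about URLs arriving over 2G can be combined into one detection heuristic. The following is an added example, not code from the article or from Toronto police; the event format (time, kind, detail) and all sample records are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample events, not real captures. Assumed layout:
# (seconds, kind, detail) with kind in {"rat", "cipher", "sms"}.
SAMPLE_EVENTS = [
    (0,   "rat",    "LTE"),
    (40,  "sms",    "Your code is 123456"),
    (100, "rat",    "GSM"),    # phone falls back to 2G
    (101, "cipher", "A5/0"),   # A5/0 is the GSM null cipher (no encryption)
    (105, "sms",    "407 ETR: unpaid toll, pay at http://toll-pay.example/x"),
    (160, "rat",    "LTE"),
    (170, "sms",    "Parcel update: https://carrier.example/track"),
]

URL_RE = re.compile(r"https?://\S+|\bwww\.\S+", re.IGNORECASE)
MODERN = {"LTE", "NR"}  # 4G and 5G radio access technologies


@dataclass
class Alert:
    time: int
    severity: str
    reason: str


def score_events(events):
    """Walk events in time order and flag the downgrade / null cipher / URL pattern."""
    alerts = []
    rat = None      # current radio access technology
    cipher = None   # cipher negotiated on the current attachment
    for t, kind, detail in events:
        if kind == "rat":
            if rat in MODERN and detail == "GSM":
                alerts.append(Alert(t, "medium", f"downgrade {rat}->GSM"))
            # Assumption of this model: cipher is unknown after any RAT change.
            rat, cipher = detail, None
        elif kind == "cipher":
            cipher = detail
            if rat == "GSM" and detail == "A5/0":
                alerts.append(Alert(t, "high", "null cipher on 2G"))
        elif kind == "sms" and rat == "GSM" and URL_RE.search(detail):
            # A link delivered over 2G is suspicious; with no encryption, more so.
            sev = "critical" if cipher == "A5/0" else "high"
            alerts.append(Alert(t, sev, "SMS with URL received on 2G"))
    return alerts
```

On the sample data, the link-bearing message that arrives after the downgrade is escalated, while the link received over LTE is not flagged by this heuristic.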
Where Canada Stands
Phishing and smishing scams tend to work better when people are less aware of the tactics and warning signs.
Toronto police have got the ball rolling in terms of bringing this scam to the public’s attention—they’ve held a press conference, created a dedicated project to tackle the problem (Lighthouse), and published public warnings about the scam.
As of publication, no federal government or Canadian Radio-television and Telecommunications Commission statement specifically addressing fake base station fraud could be found, nor any public announcement outlining import controls targeting SMS blasters.
That matters because the threat is still not well-known in this country.
France and Norway have already seen high-profile cases, and the Philippines has said it is working with telecom partners to stop imports. The latest case in Toronto suggests Canada is now confronting the same pattern of crimes.
Scams of this type tend to spread faster than public awareness. The device is portable, cheap enough to be attractive to criminals, and effective enough to create a trail of victims before authorities or the public fully understand what is happening.