Apr 28, 2026
Your phone got a text from your bank. The sender ID looked right. The message warned of suspicious activity and asked you to verify your account. You clicked.
The problem? The text didn't come from your bank. It came from a device in the back seat of a car.
Advertisement
That's not a hypothetical. It's what Toronto police allege happened during a months-long operation involving a portable fake cell tower — called an SMS blaster — that silently pulled tens of thousands of Greater Toronto Area phones off legitimate networks and flooded them with fraudulent texts. These texts appeared to be from legitimate financial institutions or government agencies — they weren't (1).
On March 31, 2026, the Toronto Police Service (TPS) executed search warrants in Markham and Hamilton, ON, arresting three men as part of Project Lighthouse. Police laid 44 combined charges — and more than 13 million network disruptions were recorded in connection with the operation (2).
Police have not confirmed a total dollar figure in losses at this time, and no specific financial institutions were named in the press release. The arrests and charges are believed to be the first of their kind in Canada.
Are you protected against the latest digital threats? Find a bank that offers real-time fraud alerts and multi-factor authentication — and keep your money safe.
What is an SMS blaster — and why is it so dangerous?
An SMS blaster — also called an IMSI catcher or "stingray" — is a portable device that impersonates a legitimate cellular base station. Nearby smartphones automatically connect to it because it broadcasts a stronger signal than real towers in the area. Once a phone connects, the operator can send text messages that appear to originate from a trusted sender — a bank, Canada Post or a government agency — rather than a phone number.
The devices are advertised for sale online for as much as $50,000 and are reportedly capable of reaching phones within a 500-metre to 2-kilometre radius. A blaster driven through a busy urban corridor can sweep up hundreds of devices in minutes — all without the phone owner ever knowing their handset briefly left the real network.
That combination — apparent legitimacy plus invisible interception — is what makes smishing (SMS phishing) attacks launched from a blaster so effective. A text that appears to come from your bank's actual short code is far harder to dismiss than one arriving from an unknown number.
Must Read
- Stop the leak: 5 costs Canadians (still) overpay for every single month. How many are sabotaging your 2026 budget?
- What's your worth? Here are the 3 net worth milestones that change everything for Canadians (and what they say about you)
- Dave Ramsey says this 7-step plan ‘works every single time’ to kill debt, get rich — and that ‘anyone’ can do it
Join 19,000+ readers and get Money.ca’s best stories and exclusive interviews first — clear insights curated and delivered weekly. Subscribe now.
How to tell if your bank text is real — or a trap
The core problem with SMS blaster fraud is that it defeats one of the mental shortcuts most Canadians rely on: If a text looks like it came from my bank, it probably did.
Advertisement
This recent arrest should be a wake-up call for all Canadians who use cellphones: Those text messages may not be legitimate. Here's what to watch for:
Need to click? Pass on it
Your bank will never ask you to click a link and enter login credentials or a one-time passcode in response to an unsolicited text.
If a message creates urgency — "your account has been locked," "verify now to avoid suspension" — that pressure is a signal to stop, not comply.
Validate the sender
Look at what the link actually says before tapping — not the display text, but the raw URL.
Legitimate bank communications route to domains you recognize. A convincing impersonation text often routes to a subtly misspelled or unrelated domain.
When in doubt, pick up the phone
If you are unsure whether a message is real, call the number on the back of your bank card. Do not call the number provided in the text.
What to do if you clicked
If you received a suspicious text and tapped a link — or worse, entered credentials — act quickly:
- Contact your bank immediately to flag potential unauthorized access and change your online banking password.
- Ask about placing a temporary hold or alert on your account.
- Check your Canada Revenue Agency (CRA) My Account for any unauthorized changes to direct deposit information.
- Report the text to the Canadian Anti-Fraud Centre (CAFC) at antifraudcentre.ca or 1-888-495-8501
- Forward the suspicious message to 7726 (SPAM) — a shortcode that works with all major Canadian carriers and feeds into carrier-level fraud detection.
- If you entered personal information, consider placing a fraud alert with Equifax Canada or TransUnion Canada.
The broader warning from Project Lighthouse is that SMS blaster technology is commercially available and cheap enough, relative to potential fraud proceeds, that copycat operations are a real risk.
Article sources
We rely only on vetted sources and credible third-party reporting. For details, see our editorial ethics and guidelines.
Toronto Police Service (1); CBC News (2)
You May Also Like
- Here are 6 simple ways to avoid the stress of living paycheque to paycheque, according to Suze Orman
- If you’re still feeling the pinch this month — don’t panic. Here are 5 easy ways to fix your finances without a total overhaul
- How Warren Buffett’s simple buy-and-hold real estate approach offers a lesson for Canadian homeowners and long-term investors
- Approaching retirement with no savings? Don’t panic, you're not alone. Here are easy ways you can catch up (and fast)
Romana King is the Senior Editor at Money.ca. She writes for various publications, and her book -- House Poor No More: 9 Steps That Grow the Value of Your Home and Net Worth -- continues to be an Amazon bestseller. Since its publication in November 2021, this book has won five awards, including the New York CPA Society's Excellence in Financial Journalism (EFJ) Book Award in 2022.
