This week, Toronto police made a first-in-Canada arrest that most people didn’t know was even possible: criminals were driving vehicles through city streets with homemade fake cell towers that hijacked passing phones and sent fraudulent bank texts. We have a Canadian telecom giant confirming that nearly a petabyte of its data was stolen, and a reminder from Northern Ontario that even trusted business emails can be weaponized to drain bank accounts. Let’s get into it.

STORY OF THE WEEK

Criminals Were Driving Fake Cell Towers Through Toronto Streets. And It Was Working.
In November 2025, a cybersecurity partner of Telus noticed something unusual: a mobile device was mimicking a legitimate cell tower in downtown Toronto. By the time Toronto Police finished their investigation, the numbers were staggering. Tens of thousands of phones had unknowingly connected to the fake tower. More than 13 million network disruptions were recorded, some of them cutting affected phones off from emergency services, including 911, for minutes at a time.

The device, known as an SMS blaster, works by broadcasting a signal that forces nearby phones to disconnect from their real carrier and connect to the criminal's device instead. Once connected, the phones receive fraudulent text messages that appear to come from trusted organizations, such as a major bank or Canada Post, asking recipients to click a link and enter their login credentials. Victims had no way of knowing their phone had been temporarily hijacked.

Toronto Police dubbed the investigation Project Lighthouse. On March 31, officers executed search warrants in Markham and Hamilton, arresting two men and seizing several SMS blaster devices along with a significant quantity of electronic evidence. On April 21, a third suspect turned himself in. All three now face a combined total of 44 charges. This is the first SMS blaster case ever prosecuted in Canada.

The significance goes beyond the arrests. SMS blasters are not exotic, state-sponsored tools. They are assembled from commercially available hardware and software. Security researchers have been warning for years that this technology would eventually appear on Canadian streets. It already has, and the tools to build one are not expensive or hard to find.

WHY IT MATTERS TO YOU
Your employees carry their work email, banking apps, and business communication tools on their phones. When they walk through a city centre or a mall parking lot, they may have no idea their phone has been briefly swapped onto a rogue network. The fraudulent texts they receive look exactly like real bank alerts. Ask yourself: would your team know to pause before clicking a link in an urgent-looking text message?

WHAT CAN YOU DO RIGHT NOW
Remind your team this week: treat any text message asking you to click a link, enter a password, or confirm account details as suspicious, even if it appears to come from your bank or Canada Post. Forward any suspicious text to 7726 (spells SPAM on most phones), which is free in Canada and sends it directly to your carrier for investigation. This single habit would have protected most victims of the Toronto SMS blaster scheme.

THE RIPPLE EFFECT
Three stories, and what they actually mean for your business

A Third-Party Chatbot Gave Criminals the Keys to Telus’ Entire Data Vault

In March 2026, Canadian telecommunications outsourcer Telus Digital confirmed that the criminal group ShinyHunters had stolen close to one petabyte of data (roughly one thousand terabytes) from its systems, including customer records, voice call recordings, and source code. The entry point was not a flaw in Telus's own systems. Attackers had compromised a third-party vendor's software integration in 2025, found credentials inside it that belonged to Telus, and used those to quietly move through Telus's environment for months. ShinyHunters has since demanded $65 million to withhold the stolen data. Telus is refusing to pay.

What it means for you:
The breach didn't start at Telus. It started at a chatbot vendor neither you nor most Telus customers would have ever heard of. Every software tool you connect to your business accounts creates a chain of access. Ask your IT provider or each software vendor: what data of ours do you hold, and how do you protect your access to it?

Two Indigenous Organizations in Northern Ontario Lost $350,000 to Fake Email Fraud
The Anishinabek Police Service is investigating two business email compromise scams that cost Indigenous organizations in Northern Ontario a combined $350,000 this spring. In both cases, criminals impersonated trusted suppliers and contractors through spoofed email addresses, then requested updated banking information for an upcoming payment. The organizations updated the payment details in good faith. The money went to the fraudsters. Spear phishing attacks of this kind have already caused more than $30 million in reported losses across Canada in just the first three months of 2026, according to the Canadian Anti-Fraud Centre.

What it means for you:
This fraud works because the emails look legitimate and arrive in the context of a real, ongoing business relationship. The only reliable protection is a rule your whole team knows: any request to change banking information or payment details must be confirmed by phone before acting on it. Not by replying to the email. A phone call to a number you already have on file.

Data Stolen in 2009 Is Still Being Used to Steal Identities in 2026
A data breach at BC's Interior Health Authority in 2009 exposed the social insurance numbers and personal information of more than 28,000 healthcare workers. That stolen data never disappeared. It was put up for sale on the dark web in 2017, has since been purchased thousands of times, and investigators have now linked it to a wave of tax fraud in which criminals used the stolen identities to access CRA accounts, file fraudulent tax returns, and collect bogus refunds. The CRA paid out more than $6 million in fraudulent refunds in 2024 alone from fraud connected to this single seventeen-year-old breach.

What it means for you:
Breached data does not expire. If your business, or an organization you or your employees once worked for, has ever had a data breach, that data may still be circulating and could be used against you years later. Encourage your team to monitor their credit reports and check their CRA My Account regularly. If something looks unfamiliar, investigate immediately.

STAT OF THE WEEK

80%
That's how much cyberattacks targeting Canadian organizations jumped year over year, the highest annual increase ever recorded in the study.

Source: CDW Canada 2026 Cybersecurity Study, published April 1, 2026. Research conducted independently by IDC Canada. Survey of over 700 IT security, risk, and compliance professionals across Canadian organizations.

ONE THING YOU CAN DO THIS WEEK
Do a Five-Minute Audit of Who Has Access to Your Business Accounts
The Telus breach did not begin at Telus. It began at a third-party vendor that had been given credentials to Telus systems. That is the same lesson embedded in the Canada Life breach from last week, the VIQ Solutions breach, and dozens of other major incidents this year: unauthorized access usually starts with authorized access that was never reviewed or removed.

This week, pick one of your main business platforms, such as your email, accounting software, or customer database, and look at its settings for a section called "Connected Apps," "Authorized Applications," "Third-Party Integrations," or "Manage Access." Most modern software platforms have one. You will see a list of every external tool, service, or user account that has been given permission to connect to that platform.

Go through the list and ask yourself three questions: Do I recognize this? Does it still need access? When did we add it? Anything you don't recognize or no longer use should be disconnected. Old integrations, abandoned free trials, and forgotten browser extensions all create access points that attackers can exploit. Removing them costs nothing and closes a door you probably didn't know was open.

"Most business account takeovers don't involve a sophisticated hack. They use access that was already there and never cleaned up."

If you have a small team, make this a five-minute exercise at your next staff meeting. Each person checks their own accounts. You may be surprised at what shows up.

QUICK BITES

Canada’s new cyber security legislation for critical infrastructure is moving through Parliament.
Bill C-8, which would require organizations in Canada's telecommunications, finance, energy, and transportation sectors to meet defined cybersecurity standards and report incidents to the government, is advancing through the House of Commons. If your business serves clients in any of these regulated sectors, their compliance requirements are likely to flow to you as vendor requirements before long. It is worth knowing these rules are coming.

Canada’s cyber agency issued a formal smishing advisory this week.
Working alongside the RCMP, the Canadian Centre for Cyber Security issued a public warning about the rise of sophisticated text message fraud campaigns targeting Canadians. Their guidance: never click links in unexpected texts, regardless of who the message claims to be from. Report suspicious texts by forwarding them to 7726 (SPAM). The advisory follows directly from the Project Lighthouse investigation and confirms that SMS fraud is now being treated as a national-level threat.

Spear phishing already cost Canadian businesses more than $30 million in the first quarter of 2026.
The Canadian Anti-Fraud Centre reports that targeted email fraud campaigns, where criminals research their victims before crafting a convincing message, accounted for over $30 million in reported losses between January and March 2026 alone. Actual losses are estimated to be significantly higher, as most fraud incidents go unreported. If your business has not spoken to your team about how to spot a spoofed email, this week is a good time to start.

The CCCS has flagged a critical vulnerability in web hosting software used by thousands of Canadian websites.
The Canadian Centre for Cyber Security issued an advisory about a serious flaw in cPanel and WebHost Manager, the control panels used by many web hosting providers to manage websites and email. If your business website or email is managed through a hosting company, contact your provider and confirm they have applied the recent security patch. If you manage your own hosting, this is the update to apply this week.

PARTING THOUGHT
There is something almost cinematic about the Project Lighthouse story. A car crawls through downtown Toronto. Inside, a device no bigger than a laptop quietly impersonates a cell tower, persuades tens of thousands of phones to briefly abandon their real carrier, and sends fraudulent bank texts to anyone within range. None of the victims knew it was happening.

What makes the story worth sitting with is not the technology, which is genuinely clever, but the scale. Thirteen million disruptions from one device, in one city, over several months, before it was stopped. And this is the first time Canada has seen it. Security researchers say it will not be the last.

The week's other stories carry a similar thread. A vendor's forgotten credential connecting to Telus's data. A spoofed email reaching an Indigenous community organization. A list of stolen names and SINs, purchased in 2017, being used to file fraudulent tax returns in 2024. The attacks are different in method, but identical in logic: find something that was left open, trusted, or forgotten, and walk through it.

The businesses and individuals who came through these incidents largely unscathed are not the ones who had the most sophisticated technology. They are the ones who made a habit of checking: who has access? Is that email legitimate? Has anything unusual happened recently? Small habits, asked consistently, are more valuable than any single security tool.

See you next Friday, and stay TryberResilient.
