Employees in dense urban areas can receive phishing SMS messages that appear to originate from trusted senders, with no carrier filter to intercept them. Corporate credentials, MFA codes, and sensitive data can therefore be harvested without any network-side warning. An attacker who captures an SMS-delivered MFA token has a brief window to access email, financial systems, or SaaS platforms, creating direct risk of unauthorized access, data loss, and financial fraud. Organizations relying on SMS-based authentication for compliance with access control requirements under SOC 2, PCI-DSS, or similar frameworks should note that this attack class specifically targets that control, potentially creating an audit exposure if the MFA factor is documented as SMS.
You Are Affected If
You have corporate-managed or BYOD Android devices with 2G radio support enabled that operate in the Greater Toronto Area or other dense urban environments
Your organization uses SMS OTP as an MFA factor for any application, VPN, or identity provider
Employees use personal or corporate mobile numbers registered with Canadian carriers for authentication
Your MDM/UEM does not enforce a policy prohibiting 2G network association on managed Android devices
Your mobile threat defense tooling does not alert on radio access type downgrade events or rogue cell detection
Board Talking Points
Attackers in Toronto used vehicle-mounted radio equipment to send phishing texts directly to employee phones, bypassing all carrier spam filters — this is a confirmed, arrested operation, not a theoretical risk.
We recommend immediately disabling legacy 2G network access on company phones via our device management platform and replacing SMS-based login codes with app-based authentication within 30 days.
Organizations that take no action leave employees vulnerable to credential theft with no carrier-side safety net, increasing the likelihood of unauthorized account access and the regulatory exposure that follows.
PCI-DSS — if SMS OTP is used as an MFA factor for access to cardholder data environments, this attack class directly targets that control and may create a compensating control gap requiring documentation
SOC 2 (CC6.1 / CC6.3) — logical access controls relying on SMS-based MFA are demonstrably bypassable by this technique; auditors may question control effectiveness if SMS MFA is the documented mechanism