Robinhood Phishing Scam Uses Gmail Dot Trick to Send Real Emails
Summary
Robinhood users are being targeted by a phishing campaign that combines Gmail's dot-insensitive addressing with a weakness in Robinhood's account creation flow. Gmail ignores dots in the local part of an address, so "[email protected]" and "[email protected]" deliver to the same inbox; Robinhood, however, treats them as two different accounts. A scammer therefore registers a new Robinhood account under a dotted variant of a real user's Gmail address, and every automated notification for that account, such as an "unrecognized device" login warning, lands in the real user's inbox. Because the device name entered during setup is rendered into the notification without being escaped, the scammer can put HTML in that field and inject fake warning text and a phishing link into the email. The message is genuinely sent from Robinhood's "[email protected]" address, so it passes SPF, DKIM and DMARC checks and cannot be told apart from a legitimate alert by authentication results alone. Receiving the email or merely opening the phishing page is not itself harmful; the risk is entering credentials or other sensitive data on the fake login page. Robinhood has confirmed the issue, describing it as abuse of the account creation flow rather than a system breach, and says customer personal information and funds were not affected.
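The two defects the summary describes, duplicate accounts for addresses that Gmail folds into one inbox and an unescaped device-name field in a notification template, each have a simple server-side fix. The following is an added example written for this page, not Robinhood's code: it canonicalises Gmail addresses so a dotted variant of an existing user's address is caught at signup, and renders the device alert with the attacker-controlled field escaped, next to the unescaped variant that lets injected markup through. The function names, the template text and the sample addresses are constructed for illustration; the "+tag" suffix and googlemail.com handling are Gmail behaviours assumed here beyond the dot rule the page mentions.

```python
"""Added example (not Robinhood's code): two defensive checks against the
Gmail dot-alias signup trick and HTML injection via the device-name field."""
import html
import re

# Assumption: both domains route to the same Gmail inbox rules.
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_gmail(address: str) -> str:
    """Return a form in which two addresses that deliver to the same Gmail
    inbox compare equal. Non-Gmail addresses are only lowercased."""
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    local, domain = local.lower(), domain.lower()
    if domain in GMAIL_DOMAINS:
        local = local.split("+", 1)[0]   # drop "+tag" suffix (assumed Gmail rule)
        local = local.replace(".", "")   # Gmail ignores dots in the local part
        domain = "gmail.com"
    return f"{local}@{domain}"


def same_inbox(a: str, b: str) -> bool:
    """True if both addresses collapse to the same canonical mailbox."""
    return canonical_gmail(a) == canonical_gmail(b)


def signup_conflict(new_address: str, existing_addresses) -> bool:
    """True if new_address would deliver to the inbox of an existing account.
    In a real system store the canonical form at signup and compare against
    that column, so the check is a plain equality lookup."""
    canon = canonical_gmail(new_address)
    return any(canonical_gmail(e) == canon for e in existing_addresses)


# Constructed notification template; the {device} slot is user-controlled.
TEMPLATE = (
    "<p>We noticed a login from a new device: <b>{device}</b>.</p>"
    "<p>If this wasn't you, secure your account from the app.</p>"
)


def render_device_alert_unsafe(device_name: str) -> str:
    """Vulnerable variant: the device name is dropped straight into the HTML
    body, so any tags or links the attacker typed into the field are rendered."""
    return TEMPLATE.format(device=device_name)


def render_device_alert(device_name: str, max_len: int = 64) -> str:
    """Hardened variant: collapse whitespace, cap the length, then HTML-escape.
    Escaping makes '<', '>', quotes and '&' inert; the length cap stops the
    field from carrying a paragraph of phishing instructions even as text."""
    cleaned = re.sub(r"\s+", " ", device_name).strip()[:max_len]
    return TEMPLATE.format(device=html.escape(cleaned, quote=True))


if __name__ == "__main__":
    # Constructed sample data, not taken from the incident.
    victim = "jane.doe@gmail.com"
    attacker_variant = "ja.ne.doe@gmail.com"
    print("same inbox:", same_inbox(victim, attacker_variant))
    payload = '<a href="https://example.invalid/login">Verify your account now</a>'
    print("UNSAFE:", render_device_alert_unsafe(payload))
    print("SAFE:  ", render_device_alert(payload))
```

Canonicalisation only prevents the duplicate-account half of the attack; the escaping is still needed, since any field a user can set and the service later emails back to them is an injection point regardless of which address it is sent to.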
(Source: Cointelegraph)