Overview
- Robinhood said late Sunday that some customers received a fake “Your recent login to Robinhood” alert sent from noreply@robinhood.com through abuse of its sign-up flow.
- Scammers registered new Robinhood accounts using dot-altered versions of victims’ Gmail addresses. Gmail ignores dots in the local part and delivers all such variants to the same inbox, but Robinhood treated each variant as a distinct account, so the sign-up did not collide with the victim’s existing one.
- During account creation, the device-name field accepted raw HTML and was reflected unescaped into the automated login notice, so the message rendered attacker-supplied markup, including a real-looking “Review Activity Now” button. Because the mail was genuinely sent by Robinhood’s own infrastructure, it still passed SPF, DKIM, and DMARC.
- BleepingComputer confirmed Robinhood removed the Device field from account-creation emails, and the phishing site at robinhood.casevaultreview.com is now offline.
- The company reported no breach and no loss of funds, and told customers to delete the message and not click its links. Researchers warned the campaign may have drawn on old customer email lists, and it arrives amid a broader rise in phishing losses this quarter.
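The two defects the campaign combined, treating Gmail dot-variants as distinct identities and templating a user-supplied field into an email without escaping, are both fixable at the sign-up boundary. The following is an added illustration written for this page, not Robinhood’s code: `canonical_email` collapses a Gmail address to the form the provider actually routes on (dots removed, `+tag` dropped, `googlemail.com` folded into `gmail.com`) so a dot-altered variant is detected as a duplicate of an existing account, and `render_notice_safe` HTML-escapes the device name so markup in it is shown as text rather than rendered. The template text, the function names, and the attacker payload are constructed for the example; the phishing host is the one named in the article.

```python
import html
import re

# Domains where Google ignores dots in the local part and treats "+tag" as a label.
# Other providers generally treat dots as significant, so we only fold these.
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_email(address: str) -> str:
    """Map an address to the identity its mailbox provider routes on.

    For Gmail, j.o.h.n+x@gmail.com and john@gmail.com reach the same inbox.
    Sign-up should compare this value, not the raw string, so a dot-altered
    variant cannot register a second account aimed at an existing customer.
    """
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    local, domain = local.lower(), domain.lower()
    if domain in GMAIL_DOMAINS:
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


def is_duplicate_signup(new_address: str, existing_addresses) -> bool:
    """True if new_address would land in an inbox that already has an account."""
    canon = canonical_email(new_address)
    return any(canonical_email(e) == canon for e in existing_addresses)


# Constructed notification template (hypothetical; not Robinhood's).
LOGIN_NOTICE = "<p>Your recent login to Robinhood was from device: {device}</p>"

# Constructed attacker-controlled device name, modelled on the article's
# description: a styled link to the phishing host labelled as a review button.
ATTACKER_DEVICE_NAME = (
    '<a href="https://robinhood.casevaultreview.com" '
    'style="background:#00c805;color:#fff;padding:12px">Review Activity Now</a>'
)


def render_notice_vulnerable(device_name: str) -> str:
    """Interpolate the field verbatim: the behaviour the article describes."""
    return LOGIN_NOTICE.format(device=device_name)


def render_notice_safe(device_name: str) -> str:
    """Escape the field so '<', '>', '&' and quotes cannot open a tag."""
    return LOGIN_NOTICE.format(device=html.escape(device_name, quote=True))


def renders_foreign_tags(rendered: str) -> bool:
    """Return True if the body contains any tag other than the template's own <p>."""
    tags = re.findall(r"<\s*/?\s*([a-zA-Z][a-zA-Z0-9]*)", rendered)
    return any(t.lower() != "p" for t in tags)


if __name__ == "__main__":
    # Dot-altered sign-up colliding with an existing Gmail customer (constructed data).
    existing = ["janedoe@gmail.com", "someone@example.com"]
    print(is_duplicate_signup("ja.ne.d.oe@gmail.com", existing))   # True
    print(is_duplicate_signup("ja.ne.d.oe@example.com", existing))  # False: dots matter here

    # Same payload through the unescaped and the escaped template.
    print(renders_foreign_tags(render_notice_vulnerable(ATTACKER_DEVICE_NAME)))  # True
    print(renders_foreign_tags(render_notice_safe(ATTACKER_DEVICE_NAME)))        # False
```

Canonicalisation is applied only to the provider known to ignore dots; for any other domain the raw local part is kept, since RFC 5321 treats it as opaque and a generic strip would merge genuinely different mailboxes. Escaping at render time is the minimal fix; a stricter policy would also reject device names containing `<` or `>` at input, and would not send any templated mail to an address until ownership has been verified.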