Robinhood users are being warned of a new phishing attack that exploits Gmail’s native “plus alias” feature and a vulnerability in Robinhood’s account creation process to send malicious emails.
On Sunday, Robinhood users began reporting on social media that they received emails from the platform's mail server warning of logins from unrecognized devices, with a call-to-action button linking to a phishing website.
Source: David Gobaud
Alex Eckelberry, a cybersecurity researcher and CEO of a tech company, said this phishing campaign was not the result of a hack, but rather exploited a native feature of Gmail that ignores dots in email addresses, along with “several serious vulnerabilities” in Robinhood account settings.
Separately, blockchain security company Hacken reported earlier this month that phishing and social engineering attacks dominated cryptocurrency attacks in the first quarter of 2026, resulting in $306 million in losses.
Source: Alex Eckelberry
Hackers created fake Robinhood accounts
Eckelberry said the scam relied on fraudsters creating accounts on Robinhood using email addresses that closely resembled the target's email address.
For example, a Robinhood user’s email address might be “[email protected]”. A scammer instead creates a new Robinhood account with the same address minus the dot, such as “[email protected]”.
Robinhood treats the two as completely different accounts, but Gmail ignores dots in the username portion of an address and delivers mail for both to the same inbox. As a result, attackers can get Robinhood to send the automated emails meant for the fake account straight into the target user’s inbox.
To plant phishing links in the automated emails Robinhood sends during new account creation, scammers enter HTML markup in Robinhood’s optional “Device Name” field; because the field is inserted into the email without being neutralised, Gmail renders that markup as formatting instead of displaying it as plain text.
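The two defensive controls implied by the description above, as an added Python example that is not Robinhood's code and does not describe how its systems actually work: a registration check that compares addresses in a canonical form (dots and "+tags" in the local part stripped for Gmail-hosted domains, so a look-alike address collides with the real mailbox owner) and a login-alert template that allow-lists and HTML-escapes the user-supplied device name before it is placed in the message body. The domain list, field limit and template text are assumptions chosen for the example.

```python
import html
import re

# Domains whose mailbox routing ignores dots in the local part. Gmail is the
# provider the article names; the list itself is an assumption for this example.
DOT_INSENSITIVE_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_email(address: str) -> str:
    """Return a comparison key for an address; mail is still sent to the original.

    Lower-cases the address, drops a '+tag' sub-address, and, for domains that
    ignore dots, removes dots from the local part so that 'john.doe@gmail.com'
    and 'johndoe@gmail.com' map to the same key.
    """
    address = address.strip().lower()
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    local = local.split("+", 1)[0]          # '+tag' never changes the mailbox
    if domain in DOT_INSENSITIVE_DOMAINS:
        local = local.replace(".", "")      # dots never change the mailbox
    return f"{local}@{domain}"


class Registry:
    """Minimal in-memory account store keyed by canonical email (constructed for the example)."""

    def __init__(self) -> None:
        self._accounts: dict[str, str] = {}

    def register(self, address: str) -> bool:
        """Create an account unless another account already owns the same mailbox."""
        key = canonical_email(address)
        if key in self._accounts:
            return False                    # look-alike address: refuse (or send to existing owner)
        self._accounts[key] = address
        return True


# Device names are free text typed by whoever creates the account, so they are
# treated as untrusted input: allow-list the characters, cap the length, and
# still HTML-escape the result when rendering (defence in depth).
DEVICE_NAME_MAX = 64
_DISALLOWED = re.compile(r"[^A-Za-z0-9 ._-]")


def sanitize_device_name(raw: str) -> str:
    cleaned = _DISALLOWED.sub("", raw)[:DEVICE_NAME_MAX].strip()
    return cleaned or "Unknown device"


def render_login_alert(device_name: str) -> str:
    """Build the HTML body of a new-device login alert with the name neutralised."""
    safe = html.escape(sanitize_device_name(device_name), quote=True)
    return (
        "<p>We noticed a login to your account from a new device: "
        f"<b>{safe}</b>.</p>"
    )


if __name__ == "__main__":
    reg = Registry()
    print(reg.register("john.doe@gmail.com"))   # True: first owner of this mailbox
    print(reg.register("johndoe@gmail.com"))    # False: same Gmail inbox, refused
    # A device name containing markup (constructed input) is rendered inert.
    print(render_login_alert('<a href="https://example.invalid">Verify now</a>'))
```

Comparing on the canonical key is what stops the second account from being created at all; the template change means that even an account which does get created cannot turn the alert email into a styled lure, because angle brackets and quotes never reach the message as markup.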
Source: Abdel
“The end result is a legitimate email from ‘[email protected]’ that passes SPF, DKIM, and DMARC verification. It appears completely authentic but now includes injected fraudulent warning text and a functional phishing button. Clicking the button redirects to a fake login site,” said Eckelberry.
The email is only dangerous if information is entered
Eckelberry said that merely visiting the fake login website is not enough for the attackers to gain account access; it is only when sensitive information such as a password is entered there that they can succeed.
Robinhood's support account on X posted a statement on Monday confirming that some users received fraudulent emails from "[email protected]" with the subject line "Your recent login to Robinhood," attributing the issue to exploitation of the "account creation process."
They stated, "This phishing attempt succeeded because the account creation process was abused. It was not due to a breach of our system or customer accounts, and personal information and funds were not affected."
If you received this email, please delete it and do not click any suspicious links. If you have already clicked a suspicious link or have any concerns about your account, please contact us directly through the Robinhood app or website.
