Sophisticated Callback Phishing Campaign Targets Robinhood Users
A surge in callback phishing attacks is impersonating Robinhood, tricking victims into calling attacker-controlled phone numbers under the guise of urgent security alerts. The campaign, identified by LevelBlue SpiderLabs, leverages fear of account compromise to manipulate users into divulging credentials, two-factor authentication (2FA) codes, or even transferring crypto assets to fraudulent wallets.
The scam begins with unsolicited emails or SMS messages mimicking Robinhood security notifications, warning of "unusual sign-in activity" or "potential theft." Messages include fabricated details such as device names and timestamps to appear legitimate. Instead of directing victims to a phishing site, the attackers instruct them to call a provided support number, shifting the attack to a voice channel where real-time social engineering can extract sensitive information.
Once contacted, scammers pose as Robinhood support agents, often using VoIP spoofing to display a convincing caller ID. They guide victims through a fake "security review," requesting passwords, 2FA codes, or even coercing them into moving funds to attacker-controlled crypto wallets. Some variants inject malicious links into Robinhood’s legitimate automated emails, bypassing SPF and DKIM checks by abusing the account creation flow.
The campaign employs multiple tactics to evade detection, including:
- Fake domains (e.g., www-robinhood.cweegpsnko[.]net, robinhood-securelogin[.]com) that replicate Robinhood’s branding.
- Foreign phone numbers (e.g., +243, Democratic Republic of the Congo) presented as U.S. support lines.
- Urgency-driven language (e.g., "Immediate Action Required") and grammatical inconsistencies common in phishing attempts.
Callback phishing bypasses traditional email security controls by moving the attack to telephony, where voice interactions are more likely to be trusted. Security teams are advised to monitor for anomalous outbound calls to high-risk international numbers and correlate them with phishing telemetry.
The campaign has been active since at least 2025, with recent activity flagged by SpiderLabs on July 8, 2026. Victims who engaged with the scam are urged to rotate credentials, review connected devices, and contact Robinhood through official channels to secure their accounts.
Source: https://gbhackers.com/fake-robinhood-sign-in-alerts/
Robinhood TPRM report: https://www.rankiteo.com/company/robinhood
"id": "rob1783672001",
"linkid": "robinhood",
"type": "Cyber Attack",
"date": "7/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'industry': 'Fintech, Cryptocurrency, Stock Trading',
'location': 'United States',
'name': 'Robinhood',
'type': 'Financial Services'}],
'attack_vector': 'Callback Phishing (Vishing)',
'customer_advisories': 'Victims urged to rotate credentials, review connected '
'devices, and contact Robinhood through official '
'channels.',
'data_breach': {'personally_identifiable_information': 'Yes',
'sensitivity_of_data': 'High',
'type_of_data_compromised': 'Credentials, 2FA Codes, Crypto '
'Wallet Information'},
'date_detected': '2025',
'date_publicly_disclosed': '2026-07-08',
'description': 'A surge in callback phishing attacks is impersonating '
'Robinhood, tricking victims into calling attacker-controlled '
'phone numbers under the guise of urgent security alerts. The '
'campaign leverages fear of account compromise to manipulate '
'users into divulging credentials, two-factor authentication '
'(2FA) codes, or even transferring crypto assets to fraudulent '
'wallets.',
'impact': {'brand_reputation_impact': 'Likely Negative Impact',
'data_compromised': 'Credentials, Two-Factor Authentication (2FA) '
'Codes, Crypto Assets',
'identity_theft_risk': 'High',
'payment_information_risk': 'High (Crypto Assets)'},
'initial_access_broker': {'entry_point': 'Unsolicited emails/SMS with fake '
'security alerts'},
'investigation_status': 'Ongoing',
'lessons_learned': 'Callback phishing bypasses traditional email security '
'controls by moving attacks to telephony, where voice '
'interactions are more trusted. Urgency-driven language '
'and fake domains increase effectiveness.',
'motivation': 'Financial Gain',
'post_incident_analysis': {'corrective_actions': 'Enhanced monitoring for '
'anomalous calls, user '
'education, and improved '
'detection of fake domains',
'root_causes': 'Social engineering, abuse of '
'legitimate email flows, VoIP '
'spoofing, and fake domains'},
'recommendations': 'Monitor for anomalous outbound calls to high-risk '
'international numbers, correlate phishing telemetry, and '
'educate users on callback phishing tactics.',
'references': [{'source': 'LevelBlue SpiderLabs'}],
'response': {'enhanced_monitoring': 'Monitor for anomalous outbound calls to '
'high-risk international numbers and '
'correlate with phishing telemetry',
'remediation_measures': 'Victims advised to rotate credentials, '
'review connected devices, and contact '
'Robinhood through official channels',
'third_party_assistance': 'LevelBlue SpiderLabs'},
'title': 'Sophisticated Callback Phishing Campaign Targets Robinhood Users',
'type': 'Phishing',
'vulnerability_exploited': 'Social Engineering, VoIP Spoofing, Abuse of '
'Legitimate Email Flows (SPF/DKIM Bypass)'}