Corporate Score 35 Bearish

Robinhood Users Targeted by Sophisticated Gmail Alias Phishing Campaign

Apr 28, 2026 05:22 UTC
HOOD
Short term

A new phishing campaign abuses Gmail's dot-alias handling and Robinhood's account creation flow to deliver authentic-looking malicious emails. Because the messages originate from Robinhood's own mail servers, they pass the authentication checks that standard security filters rely on.

  • Attackers use Gmail's dot-insensitivity to route Robinhood's official notification emails to targets
  • HTML injection in the optional 'device name' field adds fake warning text and call-to-action buttons
  • Emails pass all standard authentication checks (SPF/DKIM/DMARC)
  • Robinhood denies any breach of core systems or customer data
  • Incident aligns with a broader rise in social engineering losses

Robinhood has confirmed a phishing campaign targeting its users through an abuse of the platform's account creation flow combined with Gmail's address handling. The attack relies on Gmail's 'dot alias' behaviour: Gmail ignores periods in the local part of an address, so attackers can register accounts under address variants that cause Robinhood's automated system emails to land in a target's inbox.

According to cybersecurity researchers, scammers create a Robinhood account using a variation of the target's email address, for example by removing a dot from the username. Robinhood treats the variant as a distinct account, while Gmail delivers mail for both addresses to the same mailbox, so the platform's official 'noreply@robinhood.com' sender delivers genuine notifications to the victim.

To weaponize these emails, attackers place HTML markup in the optional 'device name' field during account setup. The field is interpolated into the notification without being escaped, which lets them insert fake warning text and phishing buttons into an otherwise legitimate system message. Because the emails really are sent by the platform, they pass SPF, DKIM and DMARC; those checks only attest that the message came from Robinhood's authorized servers, not that its content is safe, so the messages appear entirely legitimate to the recipient and to filters. Visiting the fake login pages does not by itself grant access to an account, but users who enter their credentials there risk full account takeover.

This incident highlights a growing trend in social engineering: blockchain security firm Hacken reported that phishing and social engineering attacks accounted for $306 million in losses during the first quarter of 2026. Robinhood stated that the incident was an abuse of the account creation flow rather than a breach of its internal systems or customer databases, and emphasized that personal information and funds remained secure and that no internal systems were compromised.
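The two building blocks described above (Gmail delivering several address spellings to one inbox, and an unescaped 'device name' field rendered into a notification) can be shown side by side with the corresponding defences. The following is an added example and is not Robinhood's code: the notification template, the device-name policy, the sample addresses and the injected payload are all constructed for illustration. It goes slightly beyond the article in that the address canonicalization also drops Gmail '+tag' suffixes and folds googlemail.com into gmail.com, both of which deliver to the same mailbox.

```python
import html
import re

# Domains where Google ignores dots in the local part and where
# googlemail.com is an alias of gmail.com (documented Gmail behaviour).
GOOGLE_DOMAINS = {"gmail.com", "googlemail.com"}

# Allowlist for the optional 'device name' field: letters, digits, spaces
# and a little punctuation, 1 to 64 characters. The exact policy is an
# assumption made for this example.
DEVICE_NAME_RE = re.compile(r"[A-Za-z0-9 ._'\-]{1,64}")


def canonical_email(addr: str) -> str:
    """Collapse an address to the mailbox that will actually receive it.

    For Google domains, dots in the local part are removed, a '+tag' suffix
    is dropped and googlemail.com is folded into gmail.com. Case is folded
    for every domain: RFC 5321 leaves local-part case to the receiver, so
    treating case variants as one mailbox is the conservative choice when
    the goal is to detect a collision with an existing account.
    """
    local, sep, domain = addr.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {addr!r}")
    local, domain = local.lower(), domain.lower()
    if domain in GOOGLE_DOMAINS:
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


def registration_collides(new_addr: str, existing: list[str]) -> bool:
    """True if new_addr delivers to a mailbox that already owns an account.

    A sign-up flow can use this to refuse the registration, or at least to
    withhold automated notifications until the address is verified.
    """
    known = {canonical_email(e) for e in existing}
    return canonical_email(new_addr) in known


# A minimal new-device notification. The real template is not public;
# this stands in for any template that interpolates user-supplied text.
TEMPLATE = (
    "<p>A new device was added to your account.</p>"
    "<p>Device: {device}</p>"
)


def render_vulnerable(device_name: str) -> str:
    """Interpolates the field verbatim, so markup in device_name is live."""
    return TEMPLATE.format(device=device_name)


def render_hardened(device_name: str) -> str:
    """Escapes the field, so markup in device_name is shown as inert text."""
    return TEMPLATE.format(device=html.escape(device_name, quote=True))


def valid_device_name(device_name: str) -> bool:
    """Input-side check: reject anything outside the allowlist before storing it."""
    return DEVICE_NAME_RE.fullmatch(device_name) is not None


def contains_live_anchor(rendered: str) -> bool:
    """Crude indicator used below: does the body contain an unescaped <a> tag?"""
    return "<a " in rendered


if __name__ == "__main__":
    # Constructed sample data for this example.
    victim = "jane.doe@gmail.com"
    attacker_variant = "janedoe@gmail.com"  # dot removed; same Gmail inbox
    print(registration_collides(attacker_variant, [victim]))  # True

    payload = (
        'My Phone</p><p style="color:red">Suspicious sign-in detected. '
        '<a href="https://example.invalid/login">Secure your account</a>'
    )
    print(contains_live_anchor(render_vulnerable(payload)))  # True
    print(contains_live_anchor(render_hardened(payload)))    # False
    print(valid_device_name(payload), valid_device_name("Jane's iPhone"))
```

Escaping at render time and validating at input time are independent layers: the allowlist keeps junk out of the database, and the escape guarantees that whatever does get stored cannot change the structure of the email. Canonicalizing addresses before the uniqueness check closes the delivery-side half of the trick for Google-hosted mailboxes; other providers that offer sub-addressing would need their own rules.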
