Robinhood Users Targeted by Callback Phishing Using Fake Sign-In Alerts
Cybercriminals are impersonating Robinhood in callback phishing attacks, using fake sign-in alerts to trick users into calling fraudulent phone numbers for social engineering.

Financial services users are increasingly becoming targets of sophisticated phishing operations, with a recent campaign specifically impersonating the popular investment platform Robinhood. Attackers are employing a "callback phishing" tactic, which deviates from traditional link-based attacks by urging recipients to call a provided phone number. This method aims to leverage social engineering over the phone, where attackers can exert more direct pressure and extract sensitive information.
The campaign, identified by SpiderLabs, begins with fake sign-in alerts designed to create a sense of urgency. These messages suggest unauthorized access to a user's Robinhood account, prompting immediate action. Instead of directing victims to a malicious website, the lure instructs them to dial a specific phone number controlled by the threat actors. This shift from digital to voice-based interaction can be particularly effective, as users may perceive a phone conversation as more secure or trustworthy than clicking on a suspicious link, especially when dealing with financial accounts.
Once a victim calls the provided number, the attackers, posing as Robinhood support representatives, engage in social engineering. They exploit the user's concern for account security to build trust and gather personal details or persuade them to perform actions that compromise their account. This can include asking for verification information that mimics legitimate security procedures, but is actually intended to steal credentials or bypass existing safeguards.
The effectiveness of callback phishing lies in its ability to manipulate victims in real-time. Unlike static phishing emails, a phone conversation allows attackers to adapt their approach based on the victim's responses, increasing the likelihood of successful deception. They may guide users to install malicious software, approve fraudulent transactions, or disclose one-time passcodes received via SMS, all framed as necessary steps to secure their account.
Security researchers emphasize that users should exercise extreme caution with unsolicited account security notifications. Independent verification is crucial. Instead of calling numbers provided in suspicious alerts, users should always access their accounts through official channels—either by opening the official Robinhood app or by manually typing the known website address into their browser. Contact information should be obtained from these trusted sources, not from the suspicious message itself.
Individuals who have already fallen victim to this scam are advised to immediately end any further communication with the attackers. They should then review their account activity through legitimate channels, change their passwords, enable multi-factor authentication if not already active, and contact Robinhood's official support using independently verified contact details. For security teams, these callback phishing attempts serve as a critical warning sign, and saving original messages and associated phone numbers can aid in incident response and the blocking of future attempts.
The campaign highlights a broader trend where threat actors are evolving their tactics to bypass traditional security measures. By moving the interaction to a phone call, they exploit human psychology and trust, making it a potent method for credential theft and financial fraud. The provided indicators of compromise, including a list of phone numbers used in the campaign, offer valuable intelligence for both users and defenders to identify and mitigate these threats.