Robinhood Warns Customers of Tax-Season Phishing Scams

Attackers are impersonating the stock-trading broker using fake websites to steal credentials as well as sending emails with malicious tax files.

Attackers have targeted customers of stock-trading broker Robinhood with a phishing campaign aimed at stealing their credentials and spreading malware using fake tax documents, the company has warned.

Robinhood, which aims to make it easy for people to trade stocks online but has faced a number of regulatory and legal challenges along the way, sent an email to customers Thursday warning of a phishing scam “that may have reached some of our customers.”

Attackers targeted customers in two ways, according to the email. One attack vector used phishing emails with links to fake Robinhood websites prompting visitors to enter their login credentials, including authentication codes the company uses to help ensure the security of people’s accounts.

Other emails saw attackers taking advantage of tax season, asking potential victims to download fake tax files—such as Form 1099—that included malware, according to the email.

“There tends to be an increase in these types of emails around tax season, so we ask that you be extra careful about how you access your Robinhood account,” according to the email.

Robinhood Phishing Email

Indeed, tax season is often an active time for online scammers, with cybercriminals taking advantage of the flurry of online activity as people scramble to file their IRS declarations in a process that has gone largely digital.

For any current Robinhood customers who want to avoid falling victim to the phishing scams, the email recommended that people only download the company’s mobile app from Google Play or the Apple App Store, and use only the app or Robinhood.com to access their accounts or access tax forms.

Robinhood also suggested people check the strength of the app's security features on their devices, manually remove any devices they don’t recognize so those devices can no longer access it, and reset passwords if they feel they may be at risk. The company also encouraged customers to reach out to its support team directly from the Robinhood app or its website.

That last option has been a difficult proposition in the past, one of a number of ways Robinhood has recently run afoul of customers and regulators alike, according to a detailed report in Bloomberg, which broke the story last August. Robinhood customers made 473 complaints to the Federal Trade Commission in the first half of 2020—about four times more than competing online trading platforms—which drew regulatory scrutiny and prompted an investigation.

One of the chief complaints among Robinhood customers was that they couldn’t reach the company for support, causing regulators like the Securities and Exchange Commission (SEC) to become de facto customer support for the platform’s customers.

Other missteps by the company and its CEO, Vlad Tenev, included a platform outage around the time of the coronavirus outbreak last March, causing customers who wanted to move their stocks during a time of market volatility to lose the opportunity to do so, and thus potentially thousands of dollars.

Robinhood also was a part of a massive trading debacle that involved GameStop in January, spurring a regulatory investigation and a customer class-action suit against the company earlier this year.
