Robinhood users are being warned about a phishing campaign that combines Gmail’s “dot alias” handling with weaknesses in Robinhood’s account creation system. The result is emails that appear legitimate but are designed to trick users into visiting fake login pages.

Users reported on social media that they had received messages that looked like routine security alerts from Robinhood. The emails claimed that a login had occurred from an unrecognized device. They also included a button urging users to review the activity.

Phishing Uses Gmail Dot Alias Abuse

Cybersecurity expert Alex Eckelberry analyzed the scheme. He said there is no evidence of a breach of Robinhood’s systems. Instead, he pointed to abuse of Gmail’s handling of email addresses with dots and weaknesses in Robinhood’s account registration flow.

The attack starts with the creation of a fake Robinhood account. The attacker uses an email address that closely resembles the victim’s but removes dots. For example, john.doe@gmail.com is entered as johndoe@gmail.com. Robinhood treats these as different accounts. Gmail treats them as the same inbox.

As a result, system emails sent by Robinhood for the fake account are delivered to the real user’s inbox. These messages can include login alerts or account notifications and appear authentic because they originate from Robinhood’s infrastructure.

Eckelberry said attackers then exploit optional fields during account creation, such as the “device name” field. HTML code is inserted into these fields. Gmail processes this as formatting rather than plain text. This allows attackers to embed fake warning text and a malicious button inside a legitimate Robinhood email.

Emails Pass Checks, Content Manipulated Only

The emails pass standard authentication checks, including SPF, DKIM, and DMARC, because they are sent through Robinhood’s servers. Only the injected content is manipulated.

Clicking the button redirects users to a look-alike website designed to collect login credentials. Security experts say the site itself is harmless if only visited. The risk arises when users enter personal information.

Robinhood said its core systems and customer accounts were not breached. It also said no personal data or funds were affected. The company advised users to delete the emails and avoid clicking any links. It added that customers who interacted with the messages should contact support only through the official app or website.

This article was written by Tareq Sikder at www.financemagnates.com.
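The two weaknesses the article describes, shown from the defender's side as an added example that is not part of the original article or of Robinhood's code: canonicalising Gmail addresses at registration so a dot-variant of an existing account is detected, and HTML-escaping user-supplied fields such as "device name" before they enter a notification template. The account set and field values are constructed sample data.

```python
import html
import re

# Constructed sample of already-registered accounts (not real data).
EXISTING_ACCOUNTS = {"john.doe@gmail.com", "alice@example.com"}

# Domains whose mailboxes ignore dots in the local part;
# googlemail.com is an alias of gmail.com.
DOT_INSENSITIVE_DOMAINS = {"gmail.com", "googlemail.com"}

HTML_TAG = re.compile(r"<[^>]+>")


def canonical_email(addr: str) -> str:
    """Return the mailbox an address actually delivers to.

    For Gmail, dots in the local part and any '+tag' suffix are ignored,
    so john.doe@gmail.com and johndoe@gmail.com are the same inbox.  For
    other domains dots are significant and only case is normalised.
    """
    local, _, domain = addr.strip().lower().rpartition("@")
    if domain in DOT_INSENSITIVE_DOMAINS:
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


def registration_collides(new_addr: str, existing: set[str]) -> bool:
    """True if new_addr delivers to an inbox that already owns an account.

    This is the signal the article describes: a dot-variant of a victim's
    address registered so the victim receives the new account's emails.
    """
    canon = canonical_email(new_addr)
    return any(canonical_email(e) == canon for e in existing)


def render_device_line(device_name: str) -> str:
    """Build the notification fragment with the user-supplied field escaped.

    html.escape turns '<' into '&lt;', so markup placed in a 'device name'
    field is displayed as text rather than rendered by the mail client.
    """
    safe = html.escape(device_name, quote=True)
    return f"<p>New login from device: {safe}</p>"


def device_name_has_markup(device_name: str) -> bool:
    """Flag free-text fields containing tags, for review or rejection."""
    return HTML_TAG.search(device_name) is not None
```

Canonicalising only for domains known to ignore dots matters: for most mail providers john.doe and johndoe are distinct users, so a blanket dot-stripping rule would wrongly block legitimate registrations.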