Hackers Impersonate Robinhood With Fake Sign-In Alerts in Callback Phishing Attacks

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

Spread the love

Robinhood users are being targeted with fake sign-in alerts that urge them to call a phone number. The messages are designed to create urgency around an unfamiliar account login, turning a routine security warning into a route for a phone-based scam.

The activity is a callback phishing campaign, meaning the attacker tries to move the conversation away from email and onto a call. Instead of directing a target to a website, the lure presents a support-style number controlled by the criminals.

SpiderLabs identified an increase in this activity and said the campaign impersonates Robinhood. The researchers noted that the fake alerts attempt to lure recipients into calling attacker-controlled numbers, where social engineering can take over.

The campaign shows why a familiar logo or urgent account notice should not be treated as proof of authenticity.

A call can feel more trustworthy than a link, but it also gives an operator the chance to pressure a person in real time and seek information or actions that benefit the fraud.

SpiderLabs said in a report shared with Cyber Security News (CSN) that the callback phishing can be especially effective because it changes the setting of the deception.

A target who ignores unknown links may still believe a phone conversation is safer, particularly when the message appears to concern a financial account.

That assumption lets criminals use confidence, urgency, and repeated instructions to weaken normal caution.

Hackers Impersonate Robinhood With Fake Sign-In Alerts

The lure centers on an alleged sign-in event. By suggesting that someone has accessed a Robinhood account, the message seeks to trigger a fast reaction before the recipient has time to verify whether the alert is genuine.

This approach does not depend on a victim clicking a suspicious link. Its key instruction is to dial the displayed number, allowing the attackers to control the next step and present themselves as a helpful support representative.

Once a target calls, the risk comes from the conversation rather than from the initial message alone. An impersonator may exploit concern about account safety, ask questions that appear to be part of verification, or steer the caller toward a harmful action.

For this reason, recipients should avoid calling a number included in an unexpected account-security message. They should instead open the official app or type the known website address themselves, then use contact details found through that trusted channel.

Verify Before You Call

A real-looking warning deserves independent checking, not an immediate response.

Users who receive a claimed sign-in notification can review their account from a trusted device, look for security notices there, and change credentials only through the service’s established login path if they suspect a problem.

The danger may continue after the call. Attackers can tell a victim to install software, approve a transaction, or disclose a code received by text.

Each request can be framed as a protective measure, even though it could give the criminal access or help them bypass safeguards.

That is why independent verification must come before any account recovery or transfer step. Do not provide passwords, one-time codes, recovery details, or financial information to an unsolicited caller.

Those details can be used to take over an account, and a convincing caller may try to make a request sound urgent or routine.

People who have already called one of the listed numbers should end any further contact and review their account activity through official channels.

They should change affected passwords, enable available multi-factor authentication, and contact legitimate support using details obtained independently.

Teams that handle user reports should treat unexpected sign-in messages containing callback numbers as a phishing warning sign.

Saving the original message and the number can help incident responders compare reports, block repeat attempts, and warn other potential targets.

The published indicators list the phone numbers used in the campaign, giving defenders and users a concrete set of values to watch for.

Indicators of compromise (IoCs):-

Type Indicator Description
Phone number 1 877 228 4295 Callback phishing number associated with the campaign
Phone number 1 877 300 7084 Callback phishing number associated with the campaign
Phone number 1 877 306 1853 Callback phishing number associated with the campaign
Phone number 1 877 848 7740 Callback phishing number associated with the campaign
Phone number 1 877 867 1838 Callback phishing number associated with the campaign
Phone number 1 888 202 5301 Callback phishing number associated with the campaign
Phone number 1 888 237 3125 Callback phishing number associated with the campaign
Phone number 1 888 247 5688 Callback phishing number associated with the campaign
Phone number 1 888 291 6324 Callback phishing number associated with the campaign
Phone number 1 888 417 0225 Callback phishing number associated with the campaign
Phone number 1 888 635 2148 Callback phishing number associated with the campaign
Phone number 1 888 718 5529 Callback phishing number associated with the campaign
Phone number 1 888 910 1062 Callback phishing number associated with the campaign
Phone number 1 888 959 4423 Callback phishing number associated with the campaign

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Prevent critical incidents and financial loss with stronger proactive defense. Integrate a live threat feed from 15K SOC Teams.