Scammers are running phishing attacks against Robinhood users through a Gmail loophole. They exploit Gmail's dot alias feature, which treats emails with periods as identical to the original address. A hacker can register support.robinhood@gmail.com and support.robinhood.security@gmail.com as the same account, then use the dotted version to spoof official communications. Users receive convincing fake login pages that look legitimate because the sender address passes basic checks.
Simply visiting the fake site won't compromise accounts. But users who enter passwords or two-factor codes hand attackers the keys directly. The tactic works because most people don't scrutinize email addresses closely, and Gmail's dot convention remains poorly understood outside tech circles.
This hits traders hard. Robinhood users already hold sensitive assets on the platform. One phishing success means stolen passwords, drained accounts, and potential crypto liquidations. The attack requires no special hacking skills. Just basic Gmail knowledge and basic HTML. It's the kind of low-effort scam that works at scale because human attention is scarce.
Crypto users should treat any login email with extreme skepticism. Never click links in unsolicited emails. Go directly to Robinhood through your browser bookmark or app instead.