Thousands of Robinhood users received a convincing security alert this weekend from what appeared to be Robinhood's official email address. Here's what actually happened, what to do if you got it, and why it was so hard to spot.
What to Do If You Got the Robinhood Phishing Email
Before anything else - do not click any links in the email, even now.
If you didn't click anything: delete the email. Your account was not compromised.
If you clicked the link but didn't enter any information:
Change your Robinhood password immediately by going directly to robinhood.com - not through any link in the email.
Run a malware scan on your device as a precaution.
If you entered your email, password, or two-factor code on the page that appeared:
Change your Robinhood password immediately at robinhood.com.
Change the same password anywhere else you use it.
Enable two-factor authentication on your account if you haven't already.
Monitor your account activity closely over the next several weeks.
If you transferred any assets or funds:
Contact Robinhood support directly through their app or website.
File a report with the FBI's Internet Crime Complaint Center at ic3.gov.
To report the email to Robinhood directly: forward it to reportphishing@robinhood.com.
If you're unsure whether a link in the email is safe, you can check it using Haven's free link checker before clicking.
The Robinhood Hack: What Actually Happened
On the evening of April 26, thousands of Robinhood users received an email with the subject line "Your recent login to Robinhood." The email appeared to come from noreply@robinhood.com — Robinhood's actual domain. It had real Robinhood branding. It passed Gmail's spam filters. It passed standard email authentication checks. Many recipients had no reason to doubt it.
The emails varied in their details — different login locations, different device descriptions — but most included a button or link prompting users to review the suspicious activity on their account. Clicking that link led to a fake page asking for login credentials and sometimes two-factor codes.
Robinhood confirmed the attack on April 27, stating that some customers received a falsified email from noreply@robinhood.com and that the phishing attempt was made possible by an abuse of their account creation flow. The company confirmed it was not a breach of their systems or customer accounts.
How Scammers Used Robinhood's Own Email System
This wasn't a standard phishing email with a spoofed domain. It was more sophisticated than that.
According to security researchers and reporting from Help Net Security, attackers manipulated the device and browser information submitted when creating a new Robinhood account, injecting malicious HTML and a phishing link into fields where normal metadata would appear. Robinhood's system stored that data without filtering it, and when it automatically sent a login notification email, it pulled the poisoned content directly into a genuine Robinhood email template.
To reach victims' inboxes, attackers exploited a well-known Gmail behavior: Gmail treats email addresses with and without dots in the username as identical. So mail sent to jo.hn.doe@gmail.com is delivered to johndoe@gmail.com. Attackers used dot variations of real users' Gmail addresses to create new Robinhood accounts, triggering real login notification emails that landed in real inboxes.
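Two defensive checks that follow from the two paragraphs above, as an added illustration rather than Robinhood's own code (which is not public): a login-notification template that drops the signup's device string in raw, beside a hardened version that allowlists and HTML-escapes it, plus a Gmail canonicalization step that makes dot and plus variants of one mailbox count as the same address at signup. The template, the device strings and the sample addresses are constructed for the example.

```python
import html
import re

# Constructed samples: the device/browser description a signup request might carry.
# A normal client sends plain text; the attack described above put markup and a link here.
SAFE_DEVICE = "Chrome 124 on Windows 11"
TAMPERED_DEVICE = 'Chrome 124 <a href="https://attacker.invalid/x">Review activity</a>'

# Only letters, digits, spaces and a few punctuation marks belong in a device description.
_DEVICE_RE = re.compile(r"^[A-Za-z0-9 ._/()-]{1,80}$")

# Constructed stand-in for the HTML notification template.
TEMPLATE = "<p>New login from {device}.</p>"


def render_vulnerable(device: str) -> str:
    """Before: user-controlled metadata is interpolated straight into the HTML email."""
    return TEMPLATE.format(device=device)


def render_hardened(device: str) -> str:
    """After: reject anything outside the allowlist, then escape what remains.

    Escaping alone would already neutralise tags; the allowlist additionally keeps
    URLs and other free text out of a field that should only describe a device."""
    if not _DEVICE_RE.fullmatch(device):
        device = "an unrecognized device"
    return TEMPLATE.format(device=html.escape(device, quote=True))


def canonical_gmail(address: str) -> str:
    """Collapse Gmail dot variants and +tags so jo.hn.doe@gmail.com and
    johndoe@gmail.com resolve to one mailbox for signup checks and rate limits."""
    local, _, domain = address.strip().lower().rpartition("@")
    if domain in ("gmail.com", "googlemail.com"):
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


def flag_duplicate_signups(addresses):
    """Return canonical mailboxes that appear more than once in a batch of signups."""
    counts = {}
    for address in addresses:
        key = canonical_gmail(address)
        counts[key] = counts.get(key, 0) + 1
    return sorted(key for key, n in counts.items() if n > 1)
```

A signup flow would call canonical_gmail before looking up existing accounts, so a new registration on a dot variant of an existing user's address is treated as that user's mailbox rather than as a fresh account that earns a notification email.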
The result was an email that came from Robinhood's own servers, passed every standard authentication check, displayed Robinhood's real branding, and was functionally indistinguishable from a legitimate security alert — except for the link it asked you to click.
Why the Robinhood Scam Email Bypassed Every Filter
The standard advice for spotting phishing — check the sender's domain, look for bad grammar, watch for suspicious links — did not apply here. The domain was real. The grammar was fine. Most links in the email pointed to legitimate Robinhood pages. The only malicious element was the "review activity" button itself, and by the time many people thought to check the URL behind it, they had already clicked.
This is the structural problem with security tools built on databases of known threats. A phishing page that launched Sunday morning has no threat history, so it passes every filter.
That is why Google's filters have a structural limitation against brand-new attacks, and why antivirus has the same gap.
For a full guide on spotting fake emails, see How to Tell if an Email is Real.
Haven now covers Robinhood
We added Robinhood to Haven's coverage this week. Haven works at the browser level — the exact moment between clicking a link and entering your information. It flags suspicious pages and alerts you before you hand anything over to a site that isn't what it claims to be, including newly launched pages with no threat history.
If you use Robinhood, download Haven free from the Chrome Web Store. It takes about 90 seconds to install.
