Fake Robinhood / Schwab / E*TRADE brokerage investment account phishing — impersonates Robinhood, Charles Schwab, E*TRADE, Webull, or Fidelity claiming suspicious trading activity, unauthorized access, or account restriction — driving to a credential-harvest page enabling full account takeover; IC3 2024: investment account takeover fraud grew 64%, average loss $73,000; Proofpoint 2024: brokerage impersonation surged as retail investing went mainstream with 100M+ new accounts

Phishing emails impersonating Robinhood, Charles Schwab, E*TRADE, Webull, or Fidelity claiming that the recipient's investment or brokerage account has been restricted, suspended, or accessed without authorization — driving to a credential-harvest page that enables full account takeover, position liquidation, and fund withdrawal. Key facts: (1) IC3 2024: investment account takeover fraud grew 64% year-over-year with average losses of $73,000 per victim — the highest average loss of any account-takeover fraud category; as retail investing went mainstream with 100M+ new brokerage accounts opened since 2020, attackers followed with targeted impersonation campaigns against Robinhood, Schwab, and E*TRADE users who may be less security-conscious than traditional institutional investors; (2) The financial damage is uniquely severe: a successful brokerage account takeover allows the attacker to immediately sell all held positions (stocks, ETFs, options, crypto), withdraw the proceeds to an external bank account, and establish margin positions that leave the victim with debt even after the account is emptied — losses of $50,000–$200,000 are common for retail investors; (3) The "suspicious trading activity" pretextual hook is highly effective because retail investors genuinely fear unauthorized trades — the anxiety of potentially losing a retirement account or long-term investment portfolio overrides careful verification of the sender domain; the urgency framing ("your account has been restricted to protect your investments — verify immediately") mimics the exact language used in legitimate brokerage security alerts; (4) Legitimate Robinhood, Schwab, and E*TRADE security notifications arrive only from their verified domains and link directly to the platform's official login page — they never redirect to third-party verification portals or ask users to re-authenticate outside the official app. Warning signs: sender domain not robinhood.com, schwab.com, etrade.com, webull.com, or fidelity.com; urgency about account deactivation or portfolio loss; link to non-official domain; no reference to specific holdings, positions, or recent transaction details.