Fake Robinhood / Fidelity / Schwab / E*TRADE / TD Ameritrade / Webull brokerage suspension lure — "account suspended, verify within 24 hours or positions liquidated" targeting US retail investors (23M+ Robinhood, 30M+ Fidelity, 34M+ Schwab); credentials + 2FA + SSN harvest enables ACH pull from linked bank, position sell + withdraw, pump-and-dump coordination
fake-robinhood-brokerage-suspension-lure
What this tier means
High-confidence threat indicator — phishing, impersonation, BEC, or scam pattern. Strong contributor to the trash decision.
How Gorganizer detects this
Fake "your Robinhood / Fidelity / Charles Schwab / E*TRADE / TD Ameritrade / Webull / Public.com / SoFi Invest brokerage account has been suspended pending identity verification — complete within 24 hours or positions will be liquidated" email targeting US retail investors (23M+ Robinhood, 30M+ Fidelity, 34M+ Schwab users as of 2026). Harvests brokerage credentials, 2FA codes, and SSN. Post-compromise attackers: (1) initiate ACH pull from the victim's linked bank account; (2) sell the victim's positions and withdraw proceeds via ACH to attacker-controlled accounts; (3) use the compromised account for pump-and-dump coordination — buying a nanocap stock with the victim's money, then dumping the attacker's pre-held position into the rally; (4) extract SSN / DOB / address from KYC records for identity theft resale. The lure converts because US brokerages genuinely DO suspend accounts for real compliance reasons (unusual-activity flags, FINRA pattern-day-trader rules, failed W-8/W-9 filings). Proofpoint and FINRA Fraud Center documented sustained 2024-2025 campaigns. Fires when body references Robinhood / Charles Schwab / Fidelity / E*TRADE / TD Ameritrade / Thinkorswim / Webull / Public.com / Cash App Investing / SoFi Invest / Interactive Brokers / Vanguard brokerage / brokerage account / trading account / stock portfolio AND contains suspension / position-liquidation / unusual-activity / compliance-verification / verify-identity urgency. Excludes robinhood.com, schwab.com, charlesschwab.com, fidelity.com, fmr.com, etrade.com, tdameritrade.com, thinkorswim.com, webull.com, public.com, cashapp.com, cash.app, squareup.com, sofi.com, interactivebrokers.com, ibkr.com, vanguard.com. Auto-classified as danger via the `-lure` suffix.
False-positive guard
Every signal in Gorganizer feeds a multi-module score — never a sole verdict. This is a threat-tier signal — it adds a strong contribution to the trash score. The full pipeline still requires convergence across multiple modules + a margin over the safety floor before deletion happens, and Gmail's trash (30-day recovery) is always used — never permanent delete.
About the scoring engine
Gorganizer's scoring engine emits over 1,800 signals across six modules — headers, sender, subject, body, attachments, and structural metadata. Every email is scored by every module independently; the final verdict requires multiple modules to agree and the trash score to beat the safety floor by a margin.
Sacred safety guards — never delete starred emails, replies, calendar invites, receipts/invoices, or attachments — apply unconditionally regardless of any signal.
Ready to clean your inbox?
Gorganizer scans your Gmail with this signal and 1,800+ others, then cleans everything in one click. $4.99 one-time, no subscription.
Get started