eToro Phishing Scam Emails

by sircles on Jul 22, 2025 in Online Fraud, SPAM, Phishing
Taking you through to:  

This is definitively a phishing scam.

Here's a breakdown of the red flags in this HTML code, which are very similar to the previous phishing attempt you provided:

Red Flags Indicating Phishing

  • Spoofed Sender Address: The email claims to be from "eToro" but the actual sender's email address is [email protected]. This is the strongest indicator of phishing. A legitimate email from eToro would use a domain directly associated with eToro (e.g., etoro.com or an official subdomain like email.etoro.com). The wdtvmb.com domain is completely unrelated and highly suspicious.
  • Urgency and Request for Personal Information: The subject line "Confirm Your Contact Details for Secure Delivery" creates a sense of urgency. The body explicitly asks you to "confirm your registered address to ensure secure delivery of important communications from eToro." This is a classic tactic to get you to click a malicious link.
  • Generic Greeting: "Dear Client," is used instead of your specific name. While not a definitive sign on its own, it's very common in phishing attempts where the attacker doesn't know your name.
  • Suspicious Link: The link provided to "confirm your registered address" is https://etoro-safety.com?token=qpcJXrWrsDcRoHYOm2gY.
    • Notice the domain: "https://etoro-safety.com". While it includes "etoro," this is not the official eToro website domain. Scammers often use domains that sound legitimate but are slightly off (a technique called typosquatting or domain squatting) to trick users. The real eToro website is likely etoro.com.
    • All other links in the footer, such as "View Online," "Customer Service," "www.finra.org," "www.sipc.org," "Disclosure Library," "Customer Agreement," "Customer Relationship Summary," "Privacy Policy," and "FINRA Brokercheck," also point to this same suspicious domain (etoro-safety.com). This means every single clickable element in this email is designed to redirect you to the attacker's fake website.
  • Misleading Footer Information: While the email attempts to add legitimacy by including an address ("221 River Street, 9th Floor, Hoboken, NJ 07030") and a phone number for eToro USA, along with disclaimers about securities and crypto trading, these are simply copied from eToro's real communications to make the scam more convincing. The critical element is the sender's actual email domain and the destination of the links.

How this Scam Works

The attackers want you to click the link to "confirm your registered address." This link will lead you to a fake website designed to look exactly like the real eToro login page. If you enter your login credentials (username, password) or any other personal information on this fake site, the attackers will steal it, giving them unauthorized access to your eToro account and potentially your funds.

Your Best Defense:

  • Always scrutinize the sender's actual email address. Don't just trust the display name.
  • Never click on suspicious links in emails, especially those asking for personal information or urgent action.
  • Verify directly. If you receive an email like this from a company, open your web browser, type the official website address (e.g., etoro.com) directly into the address bar, and log in securely from there. Check your account for any alerts or notifications.
  • Report phishing emails to your email provider and delete them.

This is a very clear example of a phishing attempt.

Thanks for sharing the HTML source. This email is 100% a phishing scam, and it's a prime example of high-fidelity spoofing. Below is a detailed breakdown for educational or protective use:

Phishing Analysis: Fake "Interactive Brokers - Tax Update" Email

Scam Objective:

The goal is to steal login credentials or personal info by tricking the recipient into clicking a fraudulent link that appears legitimate at a glance.

Top Warning Signs

Signal Description
Fake Sender Domain [email protected] is a completely unrelated domain to Interactive Brokers.
Typosquatting URL The link: https://interiakastliveretsbrokers.com?token=... - this is a typo-domain mimicking interactivebrokers.com.
Generic Greeting Uses "Dear Valued User" - real services would use your actual name.
Urgency + Consequences "Failure to complete this could result in restricted access..." - classic manipulation to create panic and override skepticism.
Spoofed Branding Uses legit-looking logos and fonts but hosted on external servers, which is risky.

Fraudulent Link Analysis:

The email is styled to appear like a routine tax notification. But the call-to-action button links to:

https://interiakastliveretsbrokers.com?token=IruU5tpVeHbq0OwdGmRe

This domain is:

  • Fake (note the awkward typo: interiakastliveretsbrokers.com)
  • Likely newly registered
  • Possibly hosting a login page clone to phish credentials

You can test this domain in a sandboxed browser or use a tool like https://www.virustotal.com to verify without risk.

Real Services Never...

  • Ask you to verify tax or security details via email links
  • Use third-party domains
  • Push you with time pressure to take action within hours/days

Safe Action Checklist

  • Do not click on anything in the email.
  • Report the domain to: [email protected]
  • Forward the email to: [email protected]
  • Delete the message
  • Check your Interactive Brokers account manually by visiting https://interactivebrokers.com in your browser.

Add comment