Brokerage Accounts Under Attack: New ‘Ramp and Dump’ Phishing Scheme Emerges
A new wave of cybercrime is targeting customers of brokerage services, with criminals employing increasingly sophisticated phishing techniques to manipulate stock prices in a scheme known as “ramp and dump.” This evolving threat, detailed in recent research, represents a significant shift from previous tactics focused on stealing credit card data and converting it into mobile wallets.
The ‘Ramp and Dump’ Scheme Explained
The “ramp and dump” scheme borrows its name from the classic “pump and dump” scams. However, instead of relying on social media hype to inflate stock prices, fraudsters are leveraging compromised brokerage accounts to artificially increase demand for specific stocks, especially those traded on foreign exchanges. Once the price reaches a predetermined level, they quickly sell their shares, leaving other investors with substantial losses. The Financial Industry Regulatory Authority (FINRA) warns that the outcome for investors is a “catastrophic collapse in share price” (FINRA, 2024).
In February 2025, the FBI announced it was seeking data from victims of these schemes (FBI, 2025), highlighting the growing concern surrounding this type of financial fraud.
The Role of Mobile Phishing Kits
Security researcher Ford Merrill of SecAlliance, a CSIS Security Group company, has traced the activity to a thriving Chinese-language community that sells advanced mobile phishing kits on Telegram. These kits are becoming increasingly sophisticated, allowing criminals to easily create convincing fake login pages for brokerage platforms.
“They will often coordinate with other actors and will wait until a certain time to buy a particular Chinese IPO stock or penny stock,” Merrill explained, noting the rapid growth of this China-based phishing community over the past three years.
The process involves using compromised accounts to purchase large volumes of the targeted stock, then selling it off once the price is inflated. Victims are left with devalued shares, and brokerages face potential disruptions.
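The pattern described above (several taken-over accounts buying the same thinly traded symbol at roughly the same time) can be turned into a monitoring rule on the brokerage side. The sketch below is an added example, not code from the article or from any brokerage; the event fields, the sample records and the thresholds are all assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real data).
LOGINS = [  # (account, time, device_seen_before)
    ("acct-101", "2025-03-03T14:01:00", False),
    ("acct-102", "2025-03-03T14:03:00", False),
    ("acct-103", "2025-03-03T14:04:00", False),
    ("acct-200", "2025-03-03T09:00:00", True),
]
ORDERS = [  # (account, time, side, symbol, quantity)
    ("acct-101", "2025-03-03T14:05:00", "BUY", "XYZ1", 40000),
    ("acct-102", "2025-03-03T14:06:00", "BUY", "XYZ1", 55000),
    ("acct-103", "2025-03-03T14:08:00", "BUY", "XYZ1", 38000),
    ("acct-200", "2025-03-03T14:07:00", "BUY", "XYZ1", 100),
    ("acct-200", "2025-03-03T14:09:00", "BUY", "BIGCO", 10),
]

def ts(s):
    return datetime.fromisoformat(s)

def coordinated_buys(logins, orders, login_gap=timedelta(minutes=30),
                     window=timedelta(minutes=15), min_accounts=3):
    """Return {symbol: sorted accounts} for symbols bought by at least
    min_accounts distinct accounts within `window`, counting only buys that
    follow a new-device login on the same account by at most `login_gap`."""
    new_device = defaultdict(list)
    for acct, t, seen_before in logins:
        if not seen_before:
            new_device[acct].append(ts(t))
    risky = defaultdict(list)  # symbol -> [(time, account)]
    for acct, t, side, symbol, _qty in orders:
        when = ts(t)
        if side == "BUY" and any(timedelta(0) <= when - login <= login_gap
                                 for login in new_device[acct]):
            risky[symbol].append((when, acct))
    alerts = {}
    for symbol, hits in risky.items():
        hits.sort()
        # Slide a window forward from each buy, in time order.
        for i, (start, _) in enumerate(hits):
            accounts = {a for t, a in hits[i:] if t - start <= window}
            if len(accounts) >= min_accounts:
                alerts[symbol] = sorted(accounts)
                break
    return alerts

if __name__ == "__main__":
    print(coordinated_buys(LOGINS, ORDERS))
```

The established-device account buying the same symbol is ignored, so ordinary retail interest in a stock does not raise the alert on its own.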
Did You Know?
The earliest iterations of these phishing kits, between 2022 and 2024, often spoofed the U.S. Postal Service or toll road operators to steal payment information.
From Postal Spoofs to Brokerage Takeovers
Previously, these phishing groups focused on tricking individuals into providing payment information by spoofing legitimate organizations like the U.S. Postal Service. Victims were lured into entering their card details on fake websites, then prompted to share one-time codes sent via text message. This allowed the fraudsters to enroll the stolen card details into mobile wallets on Apple or Google devices, which were then sold to other scammers for fraudulent transactions.
The evolution to targeting brokerage accounts represents a strategic shift, driven by vulnerabilities in multi-factor authentication protocols. Many financial institutions rely on SMS-based one-time codes, which are easily intercepted through phishing attacks.
| Phase | Target | Phishing Method | Goal |
|---|---|---|---|
| Early (2022-2024) | General Public | Spoofing USPS, Toll Roads | Steal Payment Card Data |
| Current (2025) | Brokerage Customers | Phishing Brokerage Login Pages | Manipulate Stock Prices |
Outsider: A Key Player in the Phishing Ecosystem
A prominent figure in this criminal landscape is “Outsider,” a Mandarin-speaking phishing kit vendor operating on Telegram. Previously known as “Chenlun,” Outsider was profiled by KrebsOnSecurity in October 2023 for her role in a global phishing campaign targeting postal services (KrebsOnSecurity, 2023). Her latest kits include templates specifically designed to phish brokerage account credentials and one-time codes.
Outsider’s kits are easily adaptable to target various brokerage platforms, exploiting weaknesses in their multi-factor authentication systems. For example, Schwab offers clients the option to receive one-time codes via text message, a method easily compromised through phishing.
Schwab has acknowledged the threat and has been communicating with clients about the risks, actively monitoring for suspicious activity and implementing measures to mitigate the attacks. Fidelity and Vanguard also offer similar authentication options, all of which are potentially vulnerable to phishing.
Pro Tip:
Consider enabling hardware security keys for your brokerage account, as these offer a more robust form of multi-factor authentication that is resistant to phishing.
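Why a security key resists phishing while a texted code does not comes down to origin binding: the browser records which site asked for the login, the key signs that record, and the server rejects anything not produced on its own origin. The following is an added illustration, not code from the article or any brokerage; the origins, key and challenge are constructed, and an HMAC stands in for the public-key signature a real security key produces.

```python
import hashlib
import hmac
import json

# Hypothetical origins and key, constructed for this illustration.
REAL_ORIGIN = "https://login.broker.example"
LOOKALIKE_ORIGIN = "https://login.broker-secure.example"
DEVICE_KEY = b"constructed-demo-key"

def verify_sms_code(issued, submitted):
    # The code says nothing about which site the user typed it into,
    # so a code collected on a look-alike page verifies like any other.
    return hmac.compare_digest(issued, submitted)

def authenticator_sign(challenge, page_origin):
    """Browser plus security key: the browser (not the page) writes the
    origin into the client data, and the key signs it with the challenge.
    HMAC stands in here for the key's public-key signature."""
    client_data = json.dumps({"challenge": challenge, "origin": page_origin})
    sig = hmac.new(DEVICE_KEY, client_data.encode(), hashlib.sha256).hexdigest()
    return client_data, sig

def verify_assertion(challenge, client_data, sig):
    """Server side: check the signature, then the challenge and origin."""
    expected = hmac.new(DEVICE_KEY, client_data.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return False
    data = json.loads(client_data)
    return data["challenge"] == challenge and data["origin"] == REAL_ORIGIN

def sms_login(page_origin, issued="492817"):
    # Whatever page the user is on, the same six digits reach the server.
    return verify_sms_code(issued, issued)

def key_login(page_origin, challenge="c2FtcGxlLWNoYWxsZW5nZQ"):
    client_data, sig = authenticator_sign(challenge, page_origin)
    return verify_assertion(challenge, client_data, sig)

if __name__ == "__main__":
    for origin in (REAL_ORIGIN, LOOKALIKE_ORIGIN):
        print(origin, "sms:", sms_login(origin), "key:", key_login(origin))
```

Real WebAuthn goes one step further: credentials are scoped to the site's relying-party ID, so the key has no credential to offer on a look-alike domain in the first place.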
Why Is This Happening Now?
Merrill believes the success of this scheme lies in its ability to decouple the fraudulent activity from the perpetrators. They can purchase shares on Chinese exchanges, inflate the price, and profit without leaving a clear trail back to themselves. The use of artificial intelligence and large language models is also accelerating the development and deployment of these phishing kits.
“These guys are vibe coding stuff together and using LLMs to translate things or help put the user interface together,” Merrill said. “It’s only a matter of time before they start to integrate the LLMs into their development cycle to make it more rapid. The technologies they are building definitely have helped lower the barrier of entry for everyone.”
What steps can investors take to protect themselves from these evolving threats? How can brokerage firms strengthen their security measures to prevent these attacks?
Evergreen Context: The Evolving Landscape of Cybercrime
The shift in focus from credit card fraud to brokerage account manipulation highlights a broader trend in cybercrime: criminals are constantly adapting their tactics to exploit new vulnerabilities and maximize profits. The increasing sophistication of phishing kits, coupled with the widespread availability of tools like large language models, is lowering the barrier to entry for cybercriminals and making it more challenging to detect and prevent attacks. This underscores the importance of ongoing vigilance and proactive security measures for both individuals and financial institutions.
Frequently Asked Questions
- What is a ‘ramp and dump’ scheme? A fraudulent investment practice where criminals artificially inflate the price of a stock and then sell their shares for a profit, leaving other investors with losses.
- How are brokerage accounts being targeted? Through sophisticated phishing kits that steal login credentials and one-time authentication codes.
- Is my brokerage account safe? Brokerage firms are working to improve security, but vulnerabilities exist, particularly with SMS-based two-factor authentication.
- What is multi-factor authentication (MFA)? An extra layer of security that requires more than just a password to log in, such as a code sent to your phone.
- How can I protect myself from phishing? Be wary of unsolicited messages, verify the legitimacy of websites before entering your credentials, and consider using a hardware security key.
- What should I do if I suspect my account has been compromised? Promptly contact your brokerage firm and change your password.
We hope this article has provided valuable insight into the emerging threat of ‘ramp and dump’ schemes targeting brokerage accounts. Stay informed, stay vigilant, and protect your investments.