Share
BROKERAGE ACCOUNT PHISHING

Questrade email scam: real broker alert or phishing lookalike?

The fake Questrade email copies almost everything about the real thing, right down to Questrade's own "double-check the URL" security tip. Almost.

SafeBrowz Threat Research Security ResearchJuly 10, 20269 min read

Verdict

Verdict: phishing scam. The "renew your form" and "confirm your account" emails in the current Questrade wave are not from Questrade. They rebuild the real login page pixel for pixel, but the button links to an attacker-controlled lookalike domain that harvests your username, password, and 2FA code in real time. Questrade only ever asks you to sign in at questrade.com or inside its app, and it has stopped sending email verification codes altogether. If an email pushes you to a link to verify, treat it as fake.

What the fake Questrade email looks like

Two versions are circulating. The first claims a routine tax form needs renewing, usually the W-8BEN (a genuine Questrade form for US-listed holdings), with a button reading "Renew Your Form W-8BEN." The second is dressed up as a security improvement, telling you to "set up two-factor authentication to protect your account." Both feel like housekeeping rather than an alarm, which is part of why they work.

The wording is calm and on-brand. There is no broken English, no wall of red warning text, no obvious threat. The link text reads "Questrade." The sender name reads "Questrade." Everything you glance at says Questrade. The single thing that does not is where the link actually goes, which is a website the attacker controls rather than one Questrade owns.

Why this one almost got everything right

Security researchers who logged the campaign described the landing page as an excellent replication of the real Questrade site. The layout, the colors, the fonts, the sign-in form, all rebuilt faithfully. The detail that gives the game away is also the detail the attacker copied by accident: the fake page carries the line "Tip: Always double check the URL of log-in pages to keep your account secure." That is Questrade's own advice, cloned wholesale, sitting on the exact page you are being told not to trust.

That is the trap in one sentence. When a phishing page looks perfect, the address bar is the only part the attacker cannot fake. The real Questrade login lives at questrade.com and login.questrade.com. A lookalike has to sit somewhere else, so it leans on shapes that read as "Questrade" at a glance without being it. Illustrative examples of the pattern include questrade-secure[.]com, questrade-verify[.]com, or a "questrade" label buried inside a longer unrelated domain. The brand word is present, the ownership is not.

The trap page: a pixel-perfect Questrade login clone

Click the button and you reach a login form that is indistinguishable from the real one. You type your Questrade username and password, then the page asks for your 6-digit code. This is the moment that matters. Many of these kits run an adversary-in-the-middle proxy: as you type, the attacker forwards your credentials to the real questrade.com in real time, triggers the genuine 2FA prompt on your phone, and captures whatever code you enter next. You believe you finished a verification step. The attacker now holds a live, authenticated session on your brokerage account. This is the same real-time relay pattern explained in our adversary-in-the-middle 2FA bypass breakdown, and it is why an SMS or authenticator code alone no longer guarantees safety.

🛡 LIVE CHECK

Test a suspicious broker link right now

Got an email that claims to be from Questrade, Wealthsimple, Robinhood, or any broker? Paste the link before you click it. Our 3-layer engine (Local + APIs + AI) returns a verdict in about 3 seconds. Free, no signup.

Full scan with deep AI analysis → · No URL is logged to your identity.

The sender can even be genuine: the Robinhood lesson

The most uncomfortable part of broker phishing in 2026 is that a clean-looking sender is no longer proof of anything. In late April 2026, thousands of Robinhood customers received warning emails that arrived from the real robinhood.com address [email protected]. They passed every technical check, landed in the primary inbox, and in Gmail even showed a verified brand badge, because Robinhood's own systems technically sent them. Attackers had abused an unscreened device-name field in the signup flow, stuffing HTML into it that rendered inside the email as an urgent security alert linking to their own site. Robinhood removed the vulnerable field after confirming the abuse.

The takeaway is blunt: passing spam filters, a correct sender address, and a brand checkmark tell you the email was delivered cleanly, not that it is safe. The link is what you judge, never the envelope. The same trust-the-real-inbox trick shows up in clone phishing, where a real email is copied and one link is swapped.

Same script at every broker

The "verify or renew your investment account" template is rented across crews and pointed at whichever brand fits the target. The verification rule below is identical for all of them, and the only reliable tell is always the address bar.

  • Wealthsimple. Fake login pages capture the password and 2FA code. The real app login is my.wealthsimple.com on the wealthsimple.com domain. Wealthsimple has also warned about a voice twist where someone phones "to warn you about a scam," and the call itself is the scam, a tactic we cover in the bank phone-scam (vishing) guide.
  • Robinhood. The email lure above plus "account suspended" texts telling you to call a number. Real sign-in is robinhood.com.
  • Fidelity and Charles Schwab. US brokerages get the same "unusual activity, confirm your identity" template. The official sites are fidelity.com and schwab.com.

Crypto exchanges get an almost identical script, which is why the Coinbase "account suspended" email reads like a copy of the Questrade one with a different logo.

How to verify a broker email is real

Treat any account email as informational only. Confirm the claim through a channel you opened yourself, never through the email's own link.

  1. Do not click the button. Adversary-in-the-middle pages start capturing the moment they load. Curiosity is not worth a live session on your account.
  2. Open the broker's app, or type the official address by hand. Type questrade.com, my.wealthsimple.com, or robinhood.com yourself. Do not search for "Questrade login," because paid ads during phishing waves sometimes point at typosquats.
  3. Read the alert from inside the account. A real security event shows up in your in-app notifications and activity log. If the app is quiet and shows nothing, the email is fake.
  4. Remember what a broker will never do. Questrade, Wealthsimple, and the rest will never ask for your password, your 2FA code, or for you to move money. Questrade has gone further and replaced emailed verification codes with mobile Push Approval, so an email asking you to "verify by email link" runs against its current policy.
  5. When unsure, verify the link itself. Paste it into the checker above or the full SafeBrowz scam checker before it ever opens.

Red flags in a broker phishing email

  • The link domain is not the broker's exact domain. Hover without clicking. The real site is whatever sits immediately before the first single slash after https://. Anything with the brand plus a hyphen and a keyword, or the brand buried mid-string, is a lookalike.
  • A "verify," "confirm," "renew," or "restore" button. Real login emails ask you to sign in normally. The action verb is often the tell.
  • Manufactured urgency or a deadline. "Within 24 hours" or "or your account will be restricted" is pressure, not process.
  • A request for your password or 2FA code on a page or a call. No legitimate broker collects these from you. If a page or caller asks, it is an attack, full stop.
  • A perfect-looking page you reached by clicking. The clone can copy every pixel, including the "check the URL" tip. It cannot copy the real domain in your address bar.
  • A sender that looks fine but a link that does not. As the Robinhood case showed, a genuine-looking address is not clearance. Judge the destination.

If you already logged in on the fake page

When a real-time relay is involved, the gap between entering your code and losing control of the account is short. Move quickly.

  1. Open the broker app or type the real domain and change your password now. Use a long, unique password you do not reuse anywhere else.
  2. Turn on the strongest 2FA available and prefer app-based Push Approval or a hardware key over SMS. A hardware key is the one method a relay cannot forward, because its signature is bound to the real domain.
  3. Sign out of all active sessions from the account's security settings, so any session the attacker opened is killed.
  4. Call the broker using the number on its official site or app, not the email. Flag the account for a compromise review and ask them to watch for withdrawals and new linked bank accounts.
  5. Watch the account for at least two weeks. Unexpected withdrawals, asset sales, or a newly added payout destination are the warning signs.
  6. Report it. Forward the email to Questrade at [email protected] (the current reporting address is listed on its official Report Phishing page) with the subject "Phishing." In Canada, report to the Canadian Anti-Fraud Centre at 1-888-495-8501 or antifraudcentre-centreantifraude.ca. In the US, file at ic3.gov.

The stakes are real. The Globe and Mail has reported on Questrade clients losing tens of thousands of dollars to cyber-fraud incidents, a reminder that a brokerage login is a high-value target, not a low-stakes password.

Block the fake broker login before you can type

Email filters catch the clumsy forgeries, but the strongest campaigns rotate domains daily and, as Robinhood showed, can even ride a legitimate sender. The defense that closes the gap sits at the destination, the instant the lookalike login page tries to load in your browser.

SafeBrowz is a free Chrome, Firefox, and Edge extension, with a Safari build on the way and an Android app, that scans every URL before the page renders. Its brand database includes major brokerages, and its content layer flags a Questrade, Wealthsimple, or Robinhood login form served from anything other than the official domain, even on a domain nobody has reported yet.

How SafeBrowz catches broker phishing pages

SafeBrowz runs a 3-layer detection architecture: Local + APIs + AI.

  • Layer 1 - Local detection: 60+ URL patterns and 550+ brand signatures run inside the extension before the page paints, so the brand-hyphen-keyword and brand-buried-mid-string lookalike shapes that broker phishing relies on are caught client-side, including homograph and Punycode tricks, without a round trip.
  • Layer 2 - API checks: the actual reported attacker domains are matched against Google Safe Browsing, PhishTank, URLhaus, ScamAdviser, and 30+ scam TLDs the moment they are flagged anywhere in the network.
  • Layer 3 - AI deep scan (Premium): content-aware analysis reads the page itself and recognizes a broker sign-in form that is not on the broker's real domain, catching first-seen clones the blocklists have not seen yet, in 100+ languages.

SafeBrowz works at the destination page and blocks the fake login before any field can be focused. It does not read your inbox or open email attachments, so pair it with the habit of signing in only from the app or a hand-typed address. No tool can reverse funds already moved out of an account, which is why blocking the page beforehand is the whole point. Detection signatures come from threat-intelligence research and brand-database analysis, not from user browsing data. Per-user URL history is never stored.

Install SafeBrowz free

Add the browser extension, or the SafeBrowz Android app, that runs every check in this article automatically, on every page, before it renders. Free forever.

Chrome Add to Chrome Firefox Add to Firefox Edge Add to Edge Google Play Get it on Google Play

Frequently asked questions

Does Questrade ever email asking me to verify my account or renew a form?

Questrade does send legitimate account and tax-form emails, including reminders about forms like the W-8BEN, but a real one directs you to sign in at questrade.com or in the app, not to a verify button that leads off-domain. Questrade has also replaced emailed verification codes with mobile Push Approval, so an email asking you to verify by clicking an email link runs against its current policy. If you are unsure, ignore the link and log in the way you normally would.

The email came from a real broker address and passed spam checks. Can it still be a scam?

Yes. In April 2026, phishing emails reached Robinhood customers from the genuine [email protected] address by abusing an unscreened device-name field, and they passed authentication and showed a brand badge in Gmail. A clean sender and a checkmark tell you the email was delivered without being blocked, not that it is safe. Always judge where the link goes, not who the email appears to be from.

How do I tell the fake broker login page from the real one?

The address bar is the only reliable tell, because a good clone copies everything else, including the brand's own "double-check the URL" tip. The real pages are questrade.com and login.questrade.com for Questrade, my.wealthsimple.com for Wealthsimple, and robinhood.com for Robinhood. If the domain is the brand plus a hyphen and a keyword, or the brand buried inside a longer address, it is a lookalike. Type the official address yourself instead of clicking.

I entered my password and 2FA code on the page. What should I do now?

Assume the attacker relayed your code and may hold a live session. Open the broker app or type the real domain and change your password immediately, then turn on the strongest 2FA available and sign out of all sessions from the security settings. Call the broker using the number on its official site, not the email, and ask them to flag the account and watch for withdrawals. Report the email to the broker and to your national fraud centre.

How do I report a Questrade phishing email?

Forward it to Questrade at [email protected] with the subject line "Phishing." In Canada, also report to the Canadian Anti-Fraud Centre at 1-888-495-8501 or through antifraudcentre-centreantifraude.ca. In the United States, file the report at ic3.gov. Reporting the lookalike domain helps get it taken down faster and shortens the campaign for everyone else.

Does this affect Wealthsimple, Fidelity, and Schwab too?

Yes. The "verify or renew your investment account" template is reused across brokers, so Wealthsimple, Fidelity, Charles Schwab, and others see near-identical emails. The defense is identical every time: do not click the email link, open the app or type the official domain yourself, and never enter your password or 2FA code on a page you reached by clicking a link.

Related reading

Bottom line: the fake Questrade email is convincing because it copies the real thing almost perfectly, including the security tip that tells you to check the URL. The one thing it cannot copy is the domain in your address bar. Do not click the button, open the app or type questrade.com by hand, never hand over your password or 2FA code on a page you reached from a link, and add a browser-layer scanner like SafeBrowz so the fake login never gets a chance to load.

Related reading