Throughout 2024, Fortra identified a steady increase in attacks targeting brokerage accounts. Year over year, attacks targeting these accounts grew more than fivefold in the second quarter of 2025 compared with the same quarter of 2024. With content patterns resembling those of the Chinese Phishing-as-a-Service (PhaaS) groups known as the 'Smishing Triad,' these attacks are primarily executed using malicious text message campaigns and false branding to trick victims into providing access to their brokerage accounts.
Once compromised, attackers manipulate stock market prices using 'ramp and dump' tactics. These methods leave almost no paper trail, further heightening the financial risks that arise from this threat. Fortra has been tracking the increase in brokerage attacks, observing the landscape grow by over three-and-a-half times between Quarter 1 and Quarter 2 of 2025.
[Figure: Brokerage Threat Landscape, Q1 2024-Q2 2025]
Tactics, Techniques, and Procedures
The threat actors targeting brokerage providers in this attack are utilizing phish kits that not only obtain banking credentials, but also intercept one-time passcodes (OTPs). These phishing kits primarily rely on text messages, also known as smishing, to convince the victim to click on a malicious link that impersonates a brokerage firm and to trick them into entering their account credentials.
Smishing Triad
The kits being utilized in this phishing scheme heavily correlate with content patterns associated with Chinese Phishing-as-a-Service (PhaaS) groups referred to as the ‘Smishing Triad.’ Historically, these groups create phish kits that mimic well-known brands within the toll road operating and courier industries, such as USPS. Fortra has observed this group shifting to target global financial institutions, commonly utilizing the hosting providers Tencent Building, Cheapy, and Alibaba.
After the victim’s account has been compromised, a tactic commonly referred to as “ramp-and-dump” is put into play. In these scenarios, the threat actor will liquidate any existing investments made by the victim and reallocate the funds to low-liquidity stocks, often penny stocks or initial public offerings (IPOs). Then, they will artificially inflate the stock price by purchasing large amounts and, once at a profitable level, sell off the holdings to gain a financial profit before withdrawing any earnings using mobile wallets.
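A monitoring heuristic for the pattern described above, as an added example that is not Fortra's code: it flags accounts that sell holdings and move most of the proceeds into one low-liquidity symbol within a short window, then groups flagged accounts by target symbol. The order records, liquidity figures, symbol names and all thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data: (timestamp, account, side, symbol, notional USD).
ORDERS = [
    ("2025-06-02T14:01", "acct-A", "SELL", "BIGCO", 42_000),
    ("2025-06-02T14:03", "acct-A", "SELL", "INDEXETF", 18_000),
    ("2025-06-02T14:09", "acct-A", "BUY", "TINYCO", 58_500),
    ("2025-06-02T14:05", "acct-B", "SELL", "BIGCO", 9_000),
    ("2025-06-02T14:12", "acct-B", "BUY", "TINYCO", 8_800),
    ("2025-06-02T15:30", "acct-C", "SELL", "BIGCO", 5_000),
    ("2025-06-02T15:40", "acct-C", "BUY", "INDEXETF", 5_000),
    ("2025-06-03T10:00", "acct-D", "BUY", "TINYCO", 300),
]
# Constructed average daily traded value (USD) per symbol.
AVG_DAILY_VALUE = {"BIGCO": 9e9, "INDEXETF": 2e10, "TINYCO": 4e5}

LOW_LIQUIDITY_USD = 1_000_000   # assumed cutoff for "low-liquidity"
WINDOW = timedelta(minutes=30)  # assumed sell-then-buy window
MIN_REALLOCATED = 0.8           # assumed share of sale proceeds moved

def flag_accounts(orders, adv):
    """Return {account: symbol} where sale proceeds went into a low-liquidity symbol."""
    by_acct = defaultdict(list)
    for ts, acct, side, sym, usd in orders:
        by_acct[acct].append((datetime.fromisoformat(ts), side, sym, usd))
    flagged = {}
    for acct, rows in by_acct.items():
        rows.sort()
        sells = [(t, usd) for t, side, _, usd in rows if side == "SELL"]
        for t_buy, side, sym, usd in rows:
            if side != "BUY" or adv.get(sym, float("inf")) >= LOW_LIQUIDITY_USD:
                continue  # only buys of low-liquidity symbols are of interest
            proceeds = sum(u for t, u in sells if timedelta(0) <= t_buy - t <= WINDOW)
            if proceeds and usd / proceeds >= MIN_REALLOCATED:
                flagged[acct] = sym
    return flagged

def ramp_clusters(flagged, min_accounts=2):
    """Group flagged accounts by symbol; several on one symbol suggests a coordinated ramp."""
    clusters = defaultdict(set)
    for acct, sym in flagged.items():
        clusters[sym].add(acct)
    return {s: sorted(a) for s, a in clusters.items() if len(a) >= min_accounts}
```

On the constructed data, acct-A and acct-B are flagged and clustered on the same symbol, while the ordinary rebalance in acct-C and the small standalone purchase in acct-D are not.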
Conclusion
The threat landscape targeting brokerage firms is not slowing down. Support from international law enforcement and vigilant monitoring from security teams are crucial to deterring threat actors from targeting brokerage accounts and platforms. Additionally, Fortra recommends the implementation of physical security keys. Options such as Universal 2nd Factor (U2F) keys, which use a physical device as part of multi-factor authentication, will also negate the risk of smishing attacks.