MailGuard Blog — Breaking alerts, news and updates on cybersecurity topics

Scam Targets Brokerage Clients with “W-8BEN renewal” for Non-U.S. Citizens

Written by MailGuard | 16 October 2025 06:11:00 Z

Cybercriminals targeting non-U.S. investors by sending well-designed emails impersonating U.S. brokerage firm, Interactive Brokers, urging recipients to “renew” their W-8BEN tax status. The message links to a counterfeit login page that harvests usernames and passwords, and is being intercepted in real time by MailGuard's AI-powered email security filter network.

How it works

The email presents as a “Mandatory Renewal: Certification of Non-U.S. Tax Status (W-8BEN).”

A single call-to-action link takes the victim to a phishing site that imitates the Interactive Brokers login.

Unique tracking token: each link includes a per-recipient URL parameter. The phishing site uses this token to filter and validate attempts.
Credential capture:

  • If you enter a random address and password, the site returns a generic “username or password error,” which looks plausible.
  • If you enter the recipient’s actual email address with a random password, the site redirects to a genuine Interactive Brokers help-centre article on tax forms, creating a false sense of legitimacy after the theft.

What to watch for 

  • Sender naming: “Interactive Brokers” display name with many mailbox variations such as `notification`, `info`, `login`, `onlinebank`, `it-support`, `system`, `noreply`, `support`, `verify`, `alerts`, `welcome`, `payment`, `helpdesk`, `finance`, `auth`, `billing`, `order`, `notify`, `customer-service`, `banking`, `invoice`, `service`, `no-reply`, `security`, `update`, `admin`, `account`, `transaction`, `reset`.

    Suspicious domains used: `@tnssp.com`, `@nlcfd.com`, `@rwsry.com`, `@rwplj.com`, `@sxnrd.com`, `@jdsshw.com`, `@rwdkgc.com`, `@aenxz.com`, `@qhxioq.com`, `@xhbggw.com`, `@ygtps.com`, `@emwwvg.com`, `@bsxdt.com`, `@xbvdsi.com`, `@ezuci.com`.

    Sample “From” lines observed:

    • Interactive Brokers `<alerts(at)bsxdt.com>`
    • Interactive Brokers `<login(at)rwdkgc.com>`
    • Interactive Brokers `<customer-service(at)sxnrd.com>`
    • Interactive Brokers `<no-reply(at)qhxioq.com>`
    • Interactive Brokers `<security(at)xhbggw.com>`
    • Interactive Brokers `<order(at)rwsry.com>`

    Language cues: compliance urgency, references to W-8BEN renewal, and a single “Renew Certification Now” link.

    URL cues: a non-IBKR domain with a tokenised parameter. The genuine domain is interactivebrokers.com, not look-alike hostnames.

Technical advice for your team

The message is HTML with one link to the phishing site.

Each link carries a unique token used by the attacker to validate the session and throttle credential testing, which can reduce detection and increase believability.

Behavioural cloaking: the site returns a realistic error to junk credentials and may redirect to legitimate IBKR content** after receiving the target’s real email identifier.

Risk to organisations

  • Compromised brokerage credentials can expose linked emails, personal data, and potentially downstream financial systems.
  • Reused passwords or shared SSO patterns increase the blast radius across corporate accounts.
  • The campaign’s tokenisation and credible redirect tactics make standard “hover and inspect” checks less effective for end users.

Red flags checklist for your team

  • Compliance or tax renewal requests that arrive unexpectedly.
  • “From” addresses at non-brand domains, even if the display name looks correct.
  • A single button or link where all paths funnel to a login demand.
  • Landing pages that are light on navigation, support links, or account-switch options.
  • Any page that asks for credentials before showing account context.

Stay Safe, Know the Signs

MailGuard advises all recipients of these emails to delete them immediately without clicking on any links. Responding or providing personal details can lead to identity theft, data breaches, and financial losses.

Avoid emails that:

  • Aren’t addressed to you personally.
  • Are unexpected and urge immediate action.
  • Contain poor grammar or miss crucial identifying details.
  • Direct you to a suspicious URL that isn’t associated with the genuine company.

Many businesses turn to MailGuard after a near miss or incident. Don't wait until it's too late. Reach out to our team for a confidential discussion by emailing expert@mailguard.com.au or calling 1300 30 44 30.

One Email Is All That It Takes   

All that it takes to devastate your business is a cleverly worded email message that can steal sensitive user credentials or disrupt your business operations. If scammers can trick one person in your company into clicking on a malicious link or attachment, they can gain access to your data or inflict damage on your business.     

For a few dollars per staff member per month, you can protect your business with MailGuard's specialist, 'zero zero-day' email security. Special Ops for when speed matters!  Our real-time 'zero zero-day', email threat detection amplifies our client’s intelligence, knowledge, security and defence. Talk to a solution consultant at MailGuard today about securing your company's inboxes.  

Stay up-to-date with MailGuard's latest blog posts by subscribing to free updates. Subscribe to weekly updates by clicking on the button below.  

 
View full post