XTB rolled out a new in-app caller verification feature today (Tuesday), the latest attempt by the Warsaw-listed broker to push back against a wave of voice-phishing scams targeting retail trading clients.
Customers using the XTB app can now request a real-time push notification to verify whether an inbound call is actually being placed by an XTB representative.
Singapore Summit: Meet the largest APAC brokers you know (and those you still don't!)
XTB Rolls Out Push-Based Caller Verification
The tool also lets clients skip standard security questions during support calls by approving a single push notification. The launch lands as the Polish broker juggles aggressive client acquisition with a steady drumbeat of impersonation attempts.
The UK's Financial Conduct Authority has issued repeated warnings in recent years about firms trading under names like "XTB Trading World," "XTB Online" and a near-identical clone site at xtbtrading.org, all of which used XTB branding to solicit UK residents.
XTB cited CrowdStrike's 2025 Global Threat Report, which found that vishing attacks rose 442% between the first and second halves of 2024.
"The safety of our clients' accounts is our top priority," XTB Chief Executive Omar Arnaout said in a statement.
- XTB Signs Two-Year Global Trading Partnership With SSC Napoli
- XTB Becomes FIBA Global Partner, Sponsors 2026 and 2027 Basketball World Cups
- Investors Wave Off Record KNF Fine, Push XTB to New All-Time High
He added that financial institutions should "lead with innovation and responsibility" as cyber threats evolve, and that he wants every client to feel "fully confident" during every interaction with the team.
This is another security update following the addition of a kill switch to the investment app in March, and a response to an alleged hack that cost a Polish client $38,000 and forced the company to overhaul its security policies.
Clone Sites and Cold Calls Hit Brokers Beyond XTB
The pattern is industry-wide. Tallinn-based broker Admirals had its branding lifted by a fake crypto-trading site called AdmiralsFX last year, while Cyprus-headquartered Exante was cloned in a US scam that involved fraudsters opening a real JPMorgan Chase account in 2025 to collect victim deposits, according to the firm's compliance team.
Push-based authentication has spread quickly through retail banking, with PNC, U.S. Bank and a long list of European lenders running similar approval flows for logins and card transactions.
Adoption among CFD brokers has lagged. Hong Kong's Securities and Futures Commission has spent the last year pressuring brokers there to adopt SMS verification and has banned broker text links following a string of phishing attacks targeting retail traders.
A Nasdaq Verafin report published in March pegged 2025 cyber-enabled fraud losses at $14.3 billion globally, with investment scams topping the list of authorized push payment fraud categories for the first time.
The XTB feature, which sits inside the existing app rather than as a standalone authentication product, slots into a market segment that retail banks have been building out for several years and that brokers are only now starting to address.
Security Push Lands Mid-Expansion
The verification tool arrives during one of the most expansive periods in XTB's 22-year history. The broker added 864,286 new clients in 2025, a 73% increase that took its total client base past 2.16 million, and management has guided for at least one million new accounts in 2026.
That growth has come at a cost. Marketing spend climbed close to 70% last year to PLN 584.9 million, pushing full-year net profit down 25% to PLN 644.2 million despite record revenue.
The caller verification tool sits alongside a broader product roadmap that includes margin trading, 24/5 trading hours, options and cryptocurrency, as XTB positions itself to compete with Robinhood, Interactive Brokers and Trade Republic for European retail accounts.
