<p>You might have seen <a href="https://www.gartner.com/en/newsroom/press-releases/2023-03-28-gartner-unveils-top-8-cybersecurity-predictions-for-2023-2024">this shocking prediction from Gartner</a>: <em>by 2027, 75% of employees will acquire, modify or create technology outside IT's visibility &ndash; up
from 41% in 2022.</em></p>
<p>Last year, LastPass launched the beginning of our evolution beyond password management to a secure access solution. Now, we've sharpened our focus to deliver
what lean teams truly need to operate securely.</p>
<p>We know that these teams only want the essentials when it comes to protecting their teams and their business. While other security tools present expensive,
cumbersome solutions built for orgs with dedicated security teams and large budgets, LastPass Secure Access Essentials is built for you.</p>
<p>It's <em>the</em> solution for resource-strapped IT organizations and businesses who don't have the budget, time, or technical resources to deploy those complex
tools.</p>
<div class="button-container"><a href="https://www.lastpass.com/solutions/secure-access"><button class="lp-button lp-button--primary">Try for free</button></a></div>
<h2>The Modern Access Challenge</h2>
<p>Your employees rely on more SaaS tools than ever, and not all of them are on your radar.<br />
From cloud apps and browser extensions to AI tools, today's workplaces move fast. And when anyone can implement a new app with little more than a credit card and
a dream, you can be sure that very few of them are thinking about secure access or credential management. Consider this:</p>
<ul>
    <li><strong>Risk is rising</strong>: <a href="https://cloudsecurityalliance.org/artifacts/state-of-saas-security-report-2025">CSA reports</a> 55% of organizations say employees adopt SaaS tools without Security's involvement, and 56% report sensitive data being
    uploaded to unauthorized apps &mdash; blind spots that lead to real security incidents.</li>
    <li><strong>Productivity is slipping</strong>: <a href="https://deepstrike.io/blog/password-statistics-2025?utm_source=chatgpt.com">Up to 50%</a> of IT help desk tickets are for password resets, and employees spend roughly 11 hours per year dealing with access
    issues instead of doing their jobs.</li>
    <li><strong>Costs are compounding</strong>: The average company now uses <a href="https://deepstrike.io/blog/password-statistics-2025">~106 SaaS applications</a>, each adding overhead &mdash; and every password reset can cost around $70 in support
    time.</li>
</ul>
<p>Single sign-on (SSO) can help with your core apps &mdash; the ones that you know about &mdash; but it doesn't cover everything, especially those smaller, hidden apps. And
for small and mid-sized businesses, controlling those can get expensive and time-consuming, fast.</p>
<p>That's where the security gaps start. Without a simple, customizable way to manage access, secure credentials, and monitor app usage, it's easy to lose
control. And that opens the door to risk from old accounts that still have access to sensitive info, to apps no one remembers signing up for.</p>
<p>It's no longer enough to secure passwords alone. Businesses need an approach to secure access management that's as flexible, efficient, and user-friendly as
the tools their employees actually use.</p>
<h2>What is Secure Access Essentials?</h2>
<p>Secure Access Essentials is the LastPass answer to the growing access management crisis, delivering core capabilities that work together to secure your
organization. These capabilities scale across the LastPass product, so you can start where you are and expand as your security needs grow.</p>
<p>With Secure Access Essentials, you can:</p>
<ul>
    <li><strong>Discover SaaS and AI tools</strong>: Gain visibility into which apps and AI tools your team is using, including unseen or unapproved apps. Spot risks early and
    maintain control across your SaaS landscape.</li>
    <li><strong>Control Access for Everyone</strong>: Ensure the right people have access to the right apps, systems, and data based on your policies. Easy to configure and adjust
    as your business evolves.</li>
    <li><strong>Simplify Secure Access</strong>: Securely manage how your team stores and uses passwords, with support for passkeys for faster and safer authentication.</li>
</ul>
<h2>Why does Secure Access Essentials matter?</h2>
<p>Enterprise solutions require dedicated IT teams, months of deployment, and ongoing maintenance that lean teams simply can't sustain. The cost and complexity
put security out of reach when you need it most.</p>
<p>And the stakes are high. <a href="https://deepstrike.io/blog/data-breach-statistics-2025">The average cost of a data breach</a> is $4.4 million, which can devastate small businesses. Unapproved tools lead to wasted spend and
duplicate or unused applications, while compliance violations can result in fines that put a serious dent in already constrained budgets.</p>
<p>LastPass brings together the essentials that cut complexity, strengthen protection, and make secure access effortless. Our capabilities are:</p>
<ul>
    <li><strong>Easy to manage, easier on your budget</strong>: Manage all access from a single place and skip the cost and chaos of multiple systems.</li>
    <li><strong>Designed for stronger protection with fewer roadblocks</strong>: Get strong, straightforward security that keeps your business safe and makes compliance
    easier.</li>
    <li><strong>Simple for your team + build stronger habits</strong>: When security fits naturally into the day, people actually follow it &mdash; reducing risk and boosting
    productivity.</li>
</ul>
<h2>Building on a Strong Foundation</h2>
<p>Password management is the foundation of LastPass, and it remains essential to secure access. But as security challenges mount, those challenges demand more.
That's why we've evolved beyond credentials to deliver the visibility and control modern businesses need.</p>
<p>Now organizations can also use LastPass to uncover risky SaaS and AI tools and enforce safe‑usage policies with SaaS Monitoring and SaaS Protect. And this is
just the beginning.</p>
<p>As secure access challenges expand, so will we, delivering the essentials you need to protect your business at every stage of your journey. Thanks for coming
along with us so far, and we're excited to build the future together.</p>
<p><a href="https://www.lastpass.com/solutions/secure-access"><button class="lp-button lp-button--primary">Try for free</button></a></p>

Beyond Password Management: Secure Access Essentials from LastPass

LastPass Secure Access Essentials gives resource-strapped IT teams the tools to discover SaaS apps, control access, and simplify security without the complexity.

Introducing Secure Access Essentials: Beyond Passwords to the New Reality of Work

Get LastPass Free

Create and store secure passwords for yourself, your team or business.

Why LastPass?

Remember fewer passwords and log in faster with our browser extension.

How LastPass works

LastPass zero-knowledge security model keeps your data private even from us.

Security Architecture

Compare LastPass competitors, plans, and features in one place

Compare LastPass

Overview

Password management

Save and autofill

Password generator

Password sharing

Passkeys

Dark web monitoring

Security dashboard

Key Features

Free LastPass Premium trial, no credit card required.

Free LastPass Business trial, no credit card required.

Let our experts help you find the right plan and successfully deploy LastPass.

Sync passwords across all devices, monitor password health, data breaches and much more.

Personal

Premium password management for family or group of 6 people.

Families

Personal Plans

Password vault

Save & autofill

Automatic device sync

Emergency access

Personal password sharing

FOR INDIVIDUALS

30-day free LastPass Premium trial, no credit card required.

30-day free LastPass Families trial, no credit card required.

Limited to 1 device type and basic password management features.

Designed for businesses of all sizes, from small startups to enterprises.

Business

Simplify secure access straight from the browser with more admin control.

Business Max

For single teams just getting started with password management.

Teams

Designed to keep your clients' credentials protected and private.

Business Plans

User management

SaaS Monitoring

SaaS Protect

Business sharing

Multifactor Authentication

Integrations

Single Sign-on

Identity management

For admins

Marketing teams

Legal teams

HR teams

Business leaders

IT admins

Solutions by role

Case studies

Webinars

Product demos

Events

Trust Center

Compliance Center

Security architecture

LastPass University

Resource Center

Pricing

Join the LastPass Partner Program to provide even more value to your customers.

Partner program overview

Managed Service Providers

Resellers

Cloud marketplaces

Technology Alliance Partners

LastPass Partner Program

Grow new revenue streams by meeting customer's security needs.

Looking for help or interested in becoming a LastPass partner? Get in touch with our partner team.

Connect with trusted LastPass Partners to support your security needs.

Partners

Self-service library of resources and guides for all LastPass products.

Support Center

Community forum

System status

Help

Personal support for all LastPass’ subscribed customers.

Support

Get LastPass free

Submit sales inquiry

Chat with sales

Request a demo

Find a partner

Contact sales

Log in

<p>LastPass continues to set the standard in secure access, earning 63 badges across 186 categories in <a href="https://research.g2.com/market-reports">G2's Spring2026 Grid Reports</a>. This latest achievement reinforces our position as a leading provider of the essential tools any
business needs to protect itself from the risks associated with credential misuse and unapproved apps and AI.</p>
<div class="button-container"><a href="https://www.lastpass.com/trial/business?max=true"><button class="lp-button lp-button--primary">Try Business Max</button></a></div>
<p>G2 releases quarterly reports that spotlight industry-leading software based on verified customer feedback. These
accolades reflect authentic experiences from real LastPass users who share their insights through detailed G2 reviews,
making this recognition a true testament to our product's value.</p>
<div id="calloutcontent1">&nbsp;</div>
<p>Our users consistently praise <a href="https://www.lastpass.com/">LastPass</a> for its ease of use, seamless browser integration, reliable support, and
access management features. </p>
<h2>Here's what customers are saying about their LastPass experience:</h2>
<p><em>I really like how LastPass allows us to easily add team members on the fly ... This makes it simple to allocate
resources and perform quick audits on who has access to which resource. I also found the initial setup very easy,
since we were able to bulk upload passwords once our accounts were created</em>. - <a href="https://www.g2.com/products/lastpass/reviews/lastpass-review-12394089">Graham M.</a></p>
<p><em>I like the continuous updates that are provided to keep the application always at the top. I think LastPass already
works particularly well. Once you understand the management of folders and more, it is very easy to use.</em> - <a href="https://www.g2.com/products/lastpass/reviews/lastpass-review-12307569">Gian LucaF.</a></p>
<p><em>I really like LastPass for the convenience it offers. Specifically, I love being able to launch a website directly
from the app and access all logins for a website when I'm on the login page. It's great to just navigate to the item
from the search bar, click 'Launch,' and be taken to the website where I'm logged in automatically. In our company,
it's super convenient because each person has their own login, and we can easily see all logins for a specific
website. I also appreciate the 'Help' feature, which has resolved my problems whenever I've used it.</em> - <a href="https://www.g2.com/products/lastpass/reviews/lastpass-review-12395435">Shirley D.</a></p>
<h2>Ready to see why thousands of users trust LastPass?</h2>
<p><a href="https://www.g2.com/products/lastpass/reviews">Visit our G2 profile</a> to read more reviews and share your own experience with the LastPass community, and read about
why LastPass was recently named in <a href="https://www.lastpass.com/company/newsroom/24500a8e-1421-42bf-9e9f-33b62ea7369c">G2's list of top security software in 2026</a>.</p>
<p><strong>About G2:</strong> G2 is the world's largest and most trusted software marketplace. More than 80 million
people annually &mdash; including employees at all of the Fortune 500 &mdash; use G2 to make smarter software decisions based on
authentic peer reviews.</p>
<p><a href="https://www.lastpass.com/trial/business?max=true"><button class="lp-button lp-button--primary">Try Business Max</button></a></p>

LastPass Leads G2's Spring 2026 Grid Reports with 63 Badges

<ul class="ul1" style="color: #000000;">
    <li class="li1" style="margin: 0px;">Grid Leader: Overall&nbsp;</li>
    <li class="li1" style="margin: 0px;">Best Est. ROI: SMB&nbsp;</li>
    <li class="li1" style="margin: 0px;">Momentum Leader: Overall&nbsp;</li>
    <li class="li1" style="margin: 0px;">Best&nbsp;Usability: Overall&nbsp;</li>
    <li class="li1" style="margin: 0px;">Easiest to do Business With: Mid-Market</li>
</ul>

Key achievements from G2’s Spring 2026 Grid Reports

LastPass earned 63 badges across 186 categories in G2's Spring 2026 Grid Reports, including Grid Leader Overall and   Best Usability. See what real users are saying.

LastPass Dominates G2’s Spring 2026 Grid Reports as the #1 Password Manager

<p>Social engineering attacks don't rely on complex code or sophisticated hacking tools. Instead, they target the most vulnerable part of any security
system: human psychology. Attackers manipulate people into handing over sensitive information, clicking malicious links, or granting unauthorized
access.</p>
<p>These attacks work because they exploit trust, urgency, and authority. A well-crafted phishing email can fool even the most cautious employee, while a
convincing phone call can bypass layers of technical security. That's why training your team to recognize these tactics is your first line of defense.</p>
<p>In this article, we'll walk through 8 of the most common social engineering tactics and show you how to protect your organization from each one.
Combined with a password manager like <a href="https://www.lastpass.com/">LastPass</a>, your business can enforce stronger security practices company-wide.</p>
<div id="calloutcontent1">&nbsp;</div>
<p id="calloutcontent1"><a href="https://www.lastpass.com/trial/business"><button class="lp-button lp-button--primary">Try Business</button></a>&nbsp;</p>
<h2>8 social engineering attack types and how to protect your business</h2>
<h3>1. Phishing emails disguised as trusted sources</h3>
<p><a href="https://blog.lastpass.com/posts/phishing">Phishing</a> is one of the most common forms of social engineering. Attackers send emails that appear to come from trusted organizations like banks,
software vendors, or internal departments. These messages often include urgent language designed to pressure employees into acting quickly.</p>
<p>Common phishing examples include fake password reset requests, fraudulent invoice notifications, and alerts about suspicious account activity. The
emails typically contain links to counterfeit login pages that capture employee credentials.</p>
<h4>How to prevent it:</h4>
<p>Train employees to verify sender email addresses carefully. They should hover over links before clicking to see the actual destination URL. If
something feels off, employees should contact the organization directly through the official website rather than using any links in the email.</p>
<p>A password manager like LastPass adds another layer of protection. Its <a href="https://www.lastpass.com/features/autofill">autofill</a> feature only works on legitimate websites, so if an employee lands on a
fake login page, LastPass won't offer to fill in their credentials. That pause can be the warning sign that something's wrong.</p>
<h3>2. Pretexting with fake scenarios to extract information</h3>
<p>Pretexting involves creating a fabricated scenario to trick employees into revealing sensitive information. An attacker might pose as a bank
representative, IT technician, or auditor who needs specific details to "verify an account" or "resolve an issue."</p>
<p>These attacks succeed because they establish a believable context. The attacker does research beforehand, learning names, job titles, and company
details to make their story convincing. They might reference real projects or recent company events.</p>
<h4>How to prevent it:</h4>
<p>Establish verification procedures across your organization. Train employees to ask for callback numbers and verify them independently. Be wary of
anyone requesting sensitive information, even if they seem to know details about the company or specific employees.</p>
<p>Using <a href="https://www.lastpass.com/features/password-generator">unique passwords</a> for every account limits the damage if an attacker does extract credentials. With LastPass, employees can generate strong,
unique passwords without having to remember them all.</p>
<h3>3. Baiting with infected USB drives or free downloads</h3>
<p>Baiting exploits curiosity and the appeal of getting something for free. Attackers leave infected USB drives in public places like parking lots,
lobbies, or coffee shops. When someone plugs the drive into their computer, malware installs automatically.</p>
<p>Digital baiting works similarly. Attackers offer free software downloads, movie files, or game cheats that contain hidden malware. Once installed,
these programs can <a href="yhttps://blog.lastpass.com/posts/credential-theft-prevention">steal credentials</a>, log keystrokes, or give attackers remote access to company systems.</p>
<h4>How to prevent it:</h4>
<p>Establish clear policies: employees should never plug unknown USB drives into work computers. Software downloads should only come from approved
sources. If an employee finds a random USB drive, they should turn it in to the IT department rather than investigating what's on it.</p>
<h3>4. Tailgating to gain physical access to secure areas</h3>
<p>Tailgating, also called piggybacking, targets physical security rather than digital systems. An attacker waits near a secured entrance and follows an
authorized person through the door. They might pretend to be carrying heavy boxes or fumbling for their badge.</p>
<p>Once inside, attackers can access computers, plant devices, or steal physical documents. They often dress professionally and act like they belong,
making them difficult to spot.</p>
<p>It's worth noting that although many use these two terms interchangeably, there is a slight difference, according to <a href="https://www.linkedin.com/posts/hemantsajwan_cissp-aspirants-heres-a-tiny-difference-activity-7425212275613052929-ssKi">ISC2</a>.</p>
<ul>
    <li>Tailgating = unauthorized person follows authorized person in without the latter knowing</li>
    <li>Piggybacking = unauthorized person enters with authorized person's knowledge</li>
</ul>
<h4>How to prevent it:</h4>
<p>Train employees to always badge in themselves, even when holding the door would seem polite. Staff should politely ask unfamiliar faces to use their
own credentials. Encourage reporting of anyone who seems to be wandering or asking unusual questions about building layout or security systems.</p>
<h3>5. Vishing phone calls impersonating IT or executives</h3>
<p>Vishing, or <a href="https://blog.lastpass.com/posts/vishing">voice phishing</a>, uses phone calls instead of emails. Attackers pose as IT support, bank representatives, or company executives. They create
urgency by claiming there's a security problem, a payment issue, or an executive request that needs immediate action.</p>
<p>These calls often come from spoofed numbers that appear legitimate on caller ID. The caller may already know names, departments, and other details that
make them seem authentic.</p>
<h4>How to prevent it:</h4>
<p>Train employees to verify caller identity before sharing any information. They should call back using the official number from the company directory or
the organization's website. Remind staff that legitimate IT departments won't ask for passwords over the phone.</p>
<p>Even if an employee does share a password, enabling <a href="https://www.lastpass.com/products/multifactor-authentication">multifactor authentication</a> through LastPass adds a second barrier. Attackers can't access protected
accounts with the password alone.</p>
<p><a href="https://www.lastpass.com/trial/business"><button class="lp-button lp-button--primary">Try Business</button></a></p>
<h3>6. Spear phishing targeting specific employees by name</h3>
<p><a href="https://blog.lastpass.com/posts/spear-phishing">Spear phishing</a> takes standard phishing to a more personal level. Instead of sending generic messages to thousands of people, attackers research
specific individuals and craft tailored emails. These messages reference real colleagues, projects, or events.</p>
<p>An attacker might impersonate an employee's manager and reference a specific meeting from last week. They could pose as a vendor the company has worked
with before. The personalization makes these attacks far more convincing.</p>
<h4>How to prevent it:</h4>
<p>Train employees to be cautious of unexpected requests, even from familiar names. Staff should verify unusual requests through a separate communication
channel. If a "manager" emails asking for sensitive information, the employee should walk over to their desk or call them directly.</p>
<p>LastPass autofill adds a technical safeguard here too. Even if a spear phishing email links to a convincing fake login page, LastPass won't recognize
the fraudulent URL and won't offer to fill credentials.</p>
<h3>7. Business email compromise from spoofed executive accounts</h3>
<p>Business email compromise, or BEC, involves attackers impersonating executives or senior leaders to request wire transfers, gift card purchases, or
sensitive employee data. These emails often create extreme urgency and stress confidentiality.</p>
<p>Attackers may register domains that look nearly identical to your company's domain, changing just one letter. They study executive communication
patterns and send requests during times when verification is less likely, like late Friday afternoons.</p>
<h4>How to prevent it:</h4>
<p>Implement dual-approval processes for financial transactions. Train employees to verify any unusual executive requests through a phone call or
in-person confirmation. Establish a culture where no one rushes a transaction, regardless of how urgent the email sounds.</p>
<p>LastPass supports this defense by enabling <a href="https://www.lastpass.com/products/multifactor-authentication">multifactor authentication</a> on critical accounts. Even if attackers compromise an executive's email password,
MFA can block unauthorized access to the account.</p>
<h3>8. Quid pro quo offers of help in exchange for credentials</h3>
<p>Quid pro quo attacks offer something valuable in exchange for access or information. An attacker might call claiming to be tech support, offering to
fix a computer problem if the employee just shares their login credentials or installs a "diagnostic tool."</p>
<p>These attacks work because they position the attacker as helpful rather than threatening. The victim feels like they're receiving a service, not being
exploited.</p>
<h4>How to prevent it:</h4>
<p>Educate employees to never share credentials with anyone claiming to offer unsolicited help. Staff should verify tech support calls by contacting the
IT department directly. Remind your team that legitimate support personnel can resolve issues without needing passwords.</p>
<h2>How LastPass helps your business defend against social engineering</h2>
<p>Strong, unique passwords are your safety net when social engineering attacks succeed. If an attacker tricks an employee into entering credentials on a
fake site, using a different password for every account limits the damage to that single account. LastPass generates complex passwords and stores them in
an encrypted vault protected by AES-256 encryption with <a href="https://www.lastpass.com/security/zero-knowledge-security">zero-knowledge architecture</a>, meaning only your employees can access their own data.</p>
<p>The <a href="https://www.lastpass.com/features/security-dashboard">Security Dashboard</a> monitors password health across your organization and alerts admins to weak, reused, or compromised credentials. <a href="https://www.lastpass.com/features/dark-web-monitoring">Dark webmonitoring</a> notifies you when company information appears in data breaches, so you can take action fast.</p>
<p><a href="https://www.lastpass.com/products/business">LastPass Business</a> offers over 120 customizable security policies and integrates with major identity providers like Microsoft Entra, Okta, and Google
Workspace. Admins can manage user access, enforce strong password requirements, and automate provisioning when employees join or leave.</p>
<p>Multifactor authentication adds another layer of defense. Even if attackers obtain a password through social engineering, they can't access accounts
protected by MFA through options like the LastPass Authenticator, YubiKey, or FIDO2 biometrics.</p>
<p>Start your free LastPass Business trial and strengthen your organization's password security.</p>
<div class="button-container"><a href="https://www.lastpass.com/trial/business"><button class="lp-button lp-button--primary">Try Business</button></a></div>

8 common social engineering attacks (and how to avoid them)

<ul class="ul1" style="color: #000000;">
    <li class="li1" style="margin: 0px;">Social engineering attacks manipulate human psychology rather than exploiting technical vulnerabilities in your systems.&nbsp;</li>
    <li class="li1" style="margin: 0px;">Phishing examples include fake login pages, spoofed sender addresses, and urgent requests for sensitive company information.&nbsp;</li>
    <li class="li1" style="margin: 0px;">Attackers often impersonate trusted figures like IT staff, executives, or vendors to manipulate employees quickly.&nbsp;</li>
    <li class="li1" style="margin: 0px;">Training employees to recognize red flags is one of the most effective defenses against social engineering attempts. </li>
    <li class="li1" style="margin: 0px;">LastPass helps employees use unique passwords for every account, reducing the damage if any single credential is compromised.&nbsp;</li>
</ul>

Key Takeaways: 8 common social engineering attacks

FAQs about social engineering attacks

Learn how to recognize social engineering attacks like phishing, pretexting, and vishing. Protect your business with these prevention tips.

8 Common Social Engineering Attacks (and How to Avoid Them) 

<div id="calloutcontent1">&nbsp;</div>
<p>Queensland (QLD) recently released its <a href="https://www.forgov.qld.gov.au/__data/assets/pdf_file/0024/642651/queensland-cyber-security-strategy.pdf">2025&ndash;2027 Cyber Security Strategy</a>, its first-ever dedicated cyber security strategy, signalling that the state is responding to a problem that has outgrown
existing governance.</p>
<ul>
    <li>Queensland accounts for 28% of all cybercrime reports made nationally, the highest of any Australian state or territory, and disproportionate to its population.</li>
    <li>For small businesses, the average self-reported cost of cybercrime hit $56,600 in 2025, up 14% from the year before.</li>
    <li>For medium businesses, it jumped to $97,200, a 55% increase in a single year.</li>
</ul>
<p>This strategy applies to any organisation that stores data, relies on third-party systems, or employs people who log into things. At LastPass, we<strong><em> </em></strong>pay close attention to these strategies
because the problems they name are the problems we help address: Credential theft, unmanaged access, shadow IT, and supply chain exposure.</p>
<div class="button-container"><a href="https://www.lastpass.com/trial/business?max=true"><button class="lp-button lp-button--primary">Try Business Max</button></a></div>
<h2>The threat is basic</h2>
<p>The QLD strategy does not describe a sophisticated, hard-to-defend threat environment. It describes one where "basic attack techniques continue to be effective." Tactics like phishing,
credential theft, misconfigured systems, and unpatched software are some of the most common ones in the region and reflect global attacker trends. The organisations losing ground to cybercriminals
are not failing because their defences are too simple. They're failing because the basics are not consistently in place.</p>
<p>One new cybercrime report was made to ReportCyber approximately every 6 minutes in Australia last year. In Queensland, one in eight of those reports affected state or local government. The
access layer is where most of these incidents began. It is also where they are easiest to stop.</p>
<h2>Priority 1: Resilience</h2>
<p>The strategy defines resilience as the ability to "absorb, adapt, and respond to the changing threat landscape." It calls on organisations to embed cyber security into the foundations of service
delivery, adopt zero trust approaches, and develop supply chain resilience across procurement and vendor relationships.</p>
<h3>Zero trust starts at the credential, not the network</h3>
<p><a href="https://blog.lastpass.com/posts/what-is-zero-trust">Zero trust</a> is often treated as an infrastructure transformation project when it is, at its core, an access management discipline. Most breaches don't start with a sophisticated network
intrusion. They start with a credential. For instance, a phishing campaign that harvested a login, a shared account that was never rotated, or an employee who reused a password across a personal
and work account. Zero trust does not replace your password manager. It depends on one.</p>
<p>LastPass addresses this at the layer that matters: a password vault with enforced MFA covers the authentication baseline. <a href="https://www.lastpass.com/features/saas-monitoring">SaaS Monitoring</a> and <a href="https://www.lastpass.com/features/saas-protect">Protect</a> add visibility into credential-based access
outside your SSO, including the shadow IT and AI tools employees adopt without IT approval. You can operate with zero trust principles without rebuilding your identity infrastructure. You need to
control how people actually log in.</p>
<h3>Supply chain resilience is a credential problem</h3>
<p>47% percent of organisations suffered a supply chain cyber attack in 2024. Supply chain attacks increased 200% between 2022 and 2023. The Queensland strategy responds to this directly, with
explicit objectives to "grow risk and governance capability, including in complex supply chains" and to "promote supply chain cyber resilience for government."</p>
<p>The reason supply chain attacks work is straightforward: organisations grant access to trusted third-parties (i.e., vendors, contractors, and partners), and that access is often under-managed.
Shared logins. Credentials that persist after a project ends and access is no longer required. Third parties who have more access than they need.</p>
<p>The QLD government depends heavily on industry partners to deliver services to citizens. Its strategy acknowledges that those partners are part of the state's attack surface. The same is true
for any organisation with an extended vendor ecosystem.</p>
<p>LastPass addresses this at the credential layer:</p>
<ul>
    <li>Shared credential vaults let contractors access systems without ever seeing the underlying password</li>
    <li>Role-based access control limits what each person can reach</li>
    <li>Access can be revoked instantly, without waiting for manual password changes across multiple systems</li>
    <li>Every access event is logged, so you know who touched what and when</li>
</ul>
<p>If a vendor relationship ends today, can you revoke their access across every system before the working day is over? If the answer is "probably not," then the supply chain risk is already
live.</p>
<h2>Priority 2: Workforce</h2>
<p>Australia needs 30,000 more cyber security workers within the next four years. 74% of organisations already report significant skills gaps. Queensland's response is to embed security awareness
across all levels of the public sector &mdash; not just within dedicated security teams &mdash; on the premise that everyone who logs into a system is part of the security posture.</p>
<p>That only works if the tools support it. If a security control requires specialist expertise to operate, it will not reach the people who need it most. LastPass is built for stretched IT teams
and non-technical staff. The secure behaviour has to be easier than the insecure alternative, or it will not happen consistently.</p>
<p>For government and public sector organisations, the<strong> <a href="https://www.lastpass.com/lp/lastpass-impact"></a></strong><a href="https://www.lastpass.com/lp/lastpass-impact">IMPACT program</a> addresses both constraints the strategy names: limited IT capacity and constrained budgets. Site-wide licensing, included
onboarding, and Essential Eight-aligned security uplift without requiring a dedicated security team to run it.</p>
<p><a href="https://www.lastpass.com/trial/business?max=true"><button class="lp-button lp-button--primary">Try Business Max</button></a></p>
<h2>Priority 3: Governance</h2>
<p>Queensland's IS18 policy sets mandatory information security requirements for state agencies, and the strategy signals it will expand to a broader range of entities. The Essential Eight
dashboard pilot moves compliance measurement from annual reporting to a live view of posture. The direction is clear: the gap between policy on paper and controls in place is where incidents
happen, and government intends to close it.</p>
<p>Essential Eight Maturity Level 1 covers MFA, admin privilege control, and secure credential management as the ground floor, not a stretch target. LastPass addresses all three: password policies
enforced automatically, MFA applied consistently across every vaulted app, and reporting that surfaces access logs, password health scores, and policy adherence in a format auditors can use. When
IS18 requires demonstrated credential hygiene, the evidence is already there.</p>
<h2>AI is changing the credential threat</h2>
<p>The QLD strategy names AI as both opportunity and threat. 47% percent of respondents in the World Economic Forum's 2025 survey said AI-driven adversarial capabilities are their main concern.</p>
<p>The specific risk to the access layer is infostealers: AI-powered malware that silently harvests credentials from compromised devices, browsers, and unsecured password stores. These tools are
getting faster, cheaper, and more accessible to criminal groups. And they are finding their way in through the same channels the QLD strategy describes: shadow SaaS, unapproved AI tools,
browser-based work that IT can't see.</p>
<p>The problem is not just the infostealer. It is the blind spot that makes infostealers effective: employees logging into AI tools and SaaS apps that IT has never approved, using unmanaged
credentials. Shadow IT is not a new risk, but AI has accelerated it dramatically. Every new AI tool an employee signs up for is another credential outside your control, another login IT cannot
monitor, another potential entry point.</p>
<p>SaaS Monitoring and Protect surface exactly this: the approved (and unapproved) apps your team is using, how they're authenticating, and where weak or reused passwords are creating exposure.
<a href="https://www.lastpass.com/solutions/secure-access">Secure Access Essentials</a> closes the gap: credentials managed centrally, access visible across the environment, and risky logins flagged before they become incidents. You can't protect access you
can't see.</p>
<p>The credential layer is where AI attacks land first. It is also where they are most straightforward to stop.</p>
<h2>What this means for you</h2>
<p>The three priorities: Resilience, Governance, Workforce, map to three practical questions:</p>
<ul>
    <li><strong>Resilience: </strong>If a contractor's credentials were compromised today, could you revoke their access across every connected system before it escalates?</li>
    <li><strong>Governance: </strong>Can you demonstrate your Essential Eight or IS18 compliance posture right now, with evidence, not a policy document?</li>
    <li><strong>Workforce:</strong> Are the security controls you have in place something your whole team can actually use, or do they depend on expertise you do not have?</li>
</ul>
<p>If any of those answers are uncertain, the gap is real. But it is fixable, and it does not require starting from scratch.</p>
<h3>Want to learn more?</h3>
<ul>
    <li>Download our eBook, <a href="https://www.lastpass.com/resources/ebook/complete-guide-to-ai-access-governance">The Complete Guide to AI Access Governance: Enable Innovation, Ensure Security</a>.</li>
    <li><a href="https://www.lastpass.com/resources/business-demo">Book a demo</a> to see how LastPass centralises credentials, surfaces shadow SaaS, and enables rapid breach response.</li>
    <li><a href="https://www.lastpass.com/trial/business?max=true">Start a free trial</a> and see the difference in days, not months.</li>
</ul>
<p><a href="https://www.lastpass.com/trial/business?max=true"><button class="lp-button lp-button--primary">Try Business Max</button></a></p>

QLD Cyber Strategy 2026: Why Credential Security Matters | LastPass

<ul>
    <li>Queensland reports the highest cybercrime rate of any Australian state (28% of all national reports) and its new Cyber Security Strategy is a direct response to documented, compounding
    risk that is getting more expensive every year.</li>
    <li>Zero trust is now state policy, but zero trust starts at the access layer: credentials, MFA, and SaaS visibility come before infrastructure transformation.</li>
    <li>Supply chain resilience is a governance mandate, your contractors, vendors, and partners are your extended attack surface, and credential-level control is how you manage it.</li>
    <li>IS18 and the Essential Eight dashboard pilot signal that continuous compliance is the new baseline expectation, not an annual checkbox exercise.</li>
</ul>

Key takeaways

 Australia's highest cybercrime rate drives Queensland's new strategy focused on access control, MFA, and Essential Eight compliance. Discover practical solutions from LastPass.

Queensland Has Australia's Highest Cybercrime Rate — Its New Strategy Points Straight at the Access Layer

<p>Every employee at your company has dozens of logins to manage. Support tickets pile up when people forget credentials, and shared accounts create
security gaps that keep IT teams up at night. The right <a href="https://www.lastpass.com/">password manager for business</a> can solve these problems, but with so many options on the market,
how do you choose?</p>
<p>This guide walks you through the entire process, from assessing your company's needs to planning a successful rollout. You'll learn how to compare
security features, evaluate admin controls, and get your team on board.&nbsp;</p>
<div id="calloutcontent1">&nbsp;</div>
<p><a href="https://www.lastpass.com/trial/business"><button class="lp-button lp-button--primary">Try Business</button></a></p>
<h2>How to select the right password manager for your business</h2>
<h3>1. Assess your business's password management needs and pain points</h3>
<p>Start by understanding where your current setup falls short. Talk to your IT team about how many password reset requests they handle each week. Ask
department heads how their teams currently share login credentials for tools and platforms.</p>
<p>Look at your current security risks too. Are employees storing passwords in spreadsheets or browser autofill? Do shared accounts have passwords that
never get rotated? Understanding these gaps will help you build the case for a password manager and set benchmarks for measuring success.</p>
<p>Consider your company's size and growth plans. A business with 20 employees has different needs than one with 500. Think about how many apps and
systems your team accesses daily, and whether you need features like single sign-on integration or SaaS monitoring to spot unapproved apps and gain
complete control over your SaaS footprint.</p>
<h3>2. Determine your must-have security features</h3>
<p>Most business password managers offer similar core functionality: encrypted storage, <a href="https://www.lastpass.com/features/password-generator">password generation</a>, and autofill. Where they differ is in the
extras, and your job is to figure out which extras actually matter for your company.</p>
<p>Start by listing security concerns specific to your situation. If your team travels frequently or works from personal devices, you might prioritize
features like device trust policies or location-based access controls. If you've dealt with credential leaks before, <a href="https://www.lastpass.com/features/dark-web-monitoring">dark web monitoring</a> becomes more
valuable since it alerts you when employee logins appear in breach databases.</p>
<p>Compliance requirements can narrow your list quickly. Healthcare companies often need audit logs and access reporting for HIPAA. Financial services may
require specific encryption standards. Check with your compliance or legal team early so you don't waste time evaluating tools that can't meet your
regulatory needs.</p>
<p>Recovery options are worth considering too. What happens when an employee forgets their master password? Some password managers offer multiple recovery
paths like admin-assisted resets, one-time recovery codes, or SMS verification. Others leave you with fewer options, which can create headaches down the
line.</p>
<h3>3. Evaluate admin controls and policy enforcement options</h3>
<p>A good business password manager gives IT admins real control over security settings. Look for <a href="https://www.lastpass.com/features/user-management">role-based access</a> that lets you assign different
permission levels to users, helpdesk staff, and administrators.</p>
<p>You'll also want the ability to set rules around password strength, require <a href="https://www.lastpass.com/products/multifactor-authentication">two-factor authentication</a>, and control how employees can share credentials.
LastPass offers over 100 customizable policies, while other password managers have more limited options.</p>
<p>Reporting features help you see who's using the tool and spot potential issues. The best Admin Consoles show you which employees haven't turned on key
security features and keep logs you can use for audits.</p>
<h3>4. Check for integrations with your existing tools</h3>
<p>A password manager that doesn't connect to your other tools makes life harder for IT and employees alike. Look for native integrations with your
identity provider, whether that's Microsoft Entra ID, Okta, Google Workspace, or OneLogin.</p>
<p><a href="https://www.lastpass.com/features/directory-integration">Directory integration</a> is especially helpful because it saves you from manually creating and deleting accounts. When you add someone to your company
directory, they automatically get a password manager account. When they leave, their access gets revoked immediately.</p>
<p>If your company uses <a href="https://www.lastpass.com/products/sso">single sign-on</a>, check whether the password manager lets employees log into their vault with those same credentials. This means one
less password for your team to remember.</p>
<h3>5. Compare pricing models and per-user costs</h3>
<p>Pricing structures vary more than you might expect. Some password managers charge flat monthly fees per user, while others use tiered pricing based on
features. Calculate your total cost by multiplying the per-user price by your employee count.</p>
<p>Watch out for hidden costs. Some password managers charge extra for features like advanced reporting, SSO integration, or priority support. Others
include these in the base price. When comparing two options, make sure you're looking at the same set of features so you get an accurate picture.</p>
<p>Think about value beyond the sticker price. A slightly more expensive option with better admin controls might save your IT team hours each week. A tool
that's easier to use means fewer employees will find workarounds to avoid it.</p>
<p><a href="https://www.lastpass.com/trial/business"><button class="lp-button lp-button--primary">Try Business</button></a></p>
<h3>6. Test the user experience with a pilot group</h3>
<p>A pilot helps you catch usability issues before rolling out company wide. Pick a small group with a mix of roles and technical backgrounds so you get a
realistic sense of how the tool performs for different people.</p>
<p>Pay attention to onboarding time. How long does it take someone to install the browser extension, import existing passwords, and start using <a href="https://www.lastpass.com/features/autofill">autofill</a>?
Tools with a lower learning curve tend to get used more consistently.</p>
<p>Gather feedback on everyday use. Does the autofill work reliably across websites and apps? Is the password generator easy to access? Can people <a href="https://www.lastpass.com/features/password-sharing/business-password-sharing">sharecredentials</a> with teammates easily? Real-world testing reveals issues that demos don't show.</p>
<h3>7. Plan your rollout and employee training</h3>
<p>Getting a single employee set up with a password manager takes just a few minutes, but it's worth planning a phased rollout so you can gather feedback
and adjust as you go. Start with one department, work out any kinks, then expand from there.</p>
<p>Training helps employees get comfortable quickly. Look for password managers that offer documentation, video tutorials, and live support. You might
also host brief sessions for each department and pick a few power users who can help their colleagues.</p>
<p>Be clear about why you're making this change. When people understand how a password manager makes their day-to-day easier, they're much more likely to
use it.</p>
<h2>What security certifications matter when choosing a password manager?</h2>
<p>Third-party certifications show that independent auditors have checked the password manager's security practices. Here are the main ones to look
for:</p>
<ul>
    <li><strong>SOC 2 Type II:</strong> Auditors evaluate security controls over several months, not just at a single point in time. This is one of the most
    important certifications.</li>
    <li><strong>ISO 27001:</strong> Covers information security management and is recognized internationally.</li>
    <li><strong>FIDO2:</strong> Relevant if you want to use hardware security keys or biometric login.</li>
    <li><strong>BSI C5:</strong> A government-backed cloud security standard in Germany, worth looking for if you work with German companies.</li>
</ul>
<h2>How do you get employees to adopt a new password manager?</h2>
<p>Make it easy to get started. If onboarding feels like a chore, people will put it off indefinitely. Look for a password manager that lets employees
install the browser extension, import their existing passwords, and see autofill working in just a few minutes.</p>
<p>Some employees worry about putting all their passwords in one place. Take time to explain how <a href="https://www.lastpass.com/security/zero-knowledge-security">encryption</a> protects their data and why a password manager
is safer than what they're doing now. A quick FAQ document or short video can head off a lot of resistance before it starts.</p>
<p>Give people a reason to open the tool regularly. Letting employees store personal passwords in a separate vault means they'll use the password manager
outside of work too, which builds the habit. The more familiar it feels, the less likely they are to fall back on old workarounds.</p>
<h2>How LastPass helps you secure your business</h2>
<p><a href="https://www.lastpass.com/">LastPass</a> is built for businesses that want strong security and easy admin tools. The Admin Console gives you over 100 customizable policies, so you can
set rules around password strength, mandate two-factor authentication, and control how teams share credentials.</p>
<p>You can also assign role-based permissions to users, helpdesk admins, and super admins depending on what they need access to. If you use <a href="https://www.lastpass.com/features/federated-login/microsoft-entra">MicrosoftEntra ID</a>, Okta, Google Workspace, or OneLogin, LastPass connects directly to your directory. That means new employees get their accounts automatically,
and departing employees lose access right away.</p>
<p>For your team, LastPass keeps things simple. The folder-based layout makes it easy to organize logins, and autofill handles the rest. Employees can
generate strong passwords for new accounts, and dark web monitoring sends alerts if any of their credentials show up in a breach.</p>
<p>On the security side, LastPass is independently audited and holds SOC 2 Type II, SOC 3 Type II, ISO 27001, ISO 27701, BSI C5, and FIDO2 Server
certifications. And if you ever run into issues, business customers get 24/7 live support through phone, email, and chat. <a href="https://www.lastpass.com/products/business">Start a free trial</a> to see how it
works for your team.</p>
<div class="button-container"><a href="https://www.lastpass.com/trial/business"><button class="lp-button lp-button--primary">Try Business</button></a></div>

How to choose a password manager for your business in 2026

<ol class="ol1" style="color: #000000;">
    <li class="li1" style="margin: 0px;">Assess your business's password management needs and&nbsp;identify&nbsp;current pain points.</li>
    <li class="li1" style="margin: 0px;">Determine&nbsp;your must-have security features like encryption and dark web monitoring.</li>
    <li class="li1" style="margin: 0px;">Evaluate admin controls such as policy enforcement and role-based permissions.</li>
    <li class="li1" style="margin: 0px;">Check for integrations with your existing tools like Microsoft Entra or Okta.</li>
    <li class="li1" style="margin: 0px;">Compare pricing models and calculate the total per-user cost for your team.&nbsp;</li>
    <li class="li1" style="margin: 0px;">Test the user experience by running a pilot with&nbsp;<a href="https://www.lastpass.com/"><span class="s1">LastPass</span></a>&nbsp;or another option.</li>
    <li class="li1" style="margin: 0px;">Plan your rollout timeline and employee training program.</li>
</ol>

Quick guide: How to choose a password manager for your business in 7 easy steps

A step-by-step guide to selecting a business password manager, from assessing your needs to planning employee rollout. See why teams choose LastPass.

How to Choose a Password Manager for Your Business 

<div id="calloutcontent1">&nbsp;</div>
<p>Cybersecurity requirements can feel like a moving target. Between customer expectations, industry regulations, and the very real threat of data breaches, it's hard to know
where to start.</p>
<p>That's where cybersecurity frameworks come in. Think of them as blueprints that help you build a solid security foundation without reinventing the wheel. They give you a
clear path forward, whether you're protecting customer data, meeting compliance requirements, or just trying to sleep better at night. Password managers like <a href="https://www.lastpass.com/">LastPass</a> play a key role in many of these frameworks by securing credentials and enforcing strong access controls.</p>
<p><a href="https://www.lastpass.com/trial/business"><button class="lp-button lp-button--primary">Try Business</button></a></p>
<p>In this guide, we'll break down the top 10 cybersecurity frameworks you should know about and explain what each one does in plain terms.&nbsp;</p>
<h2><strong>10 cybersecurity frameworks your business should understand</strong></h2>
<h3><strong>1. NIST Cybersecurity Framework</strong></h3>
<p>The National Institute of Standards and Technology (NIST) created this cybersecurity framework to help organizations of all sizes improve their security posture. It's
voluntary, flexible, and widely respected across industries.</p>
<p>NIST CSF 2.0, the newest version of NIST CSF, offers 6 core functions Identify, Protect, Detect, Respond, Recover, and govern, which includes a discussion of <a href="https://blog.lastpass.com/posts/supply-chain-attacks">supply   chain risks</a>.<strong><em> </em></strong>This structure makes it easier to understand where your security program stands and where it needs improvement. It's also worth taking a look at:</p>
<ul>
    <li><a href="https://csrc.nist.gov/pubs/sp/1300/final">NIST SP 1300</a>: Small Business Quick Start Guide</li>
    <li><a href="https://csrc.nist.gov/pubs/ir/8596/iprd">NIST IR 8596</a>: Cybersecurity Framework Profile for Artificial Intelligence. Note that this is a companion resource, not a finalized update. It's useful for early
    risk prioritization, but not useful unless your small business is deploying SaaS, AI agents, chatbots, etc.</li>
</ul>
<p>What makes NIST particularly useful is its tiered approach. You don't have to implement everything at once. Instead, you assess your current maturity level and work toward
higher tiers as your program develops. Many businesses start with NIST because it offers a common language for discussing security risks with leadership, partners, and
vendors.</p>
<h3><strong>2. ISO 27001</strong></h3>
<p><a href="https://blog.lastpass.com/posts/iso-27001-compliance">ISO 27001</a> is an international standard for information security management systems (ISMS). Unlike NIST, which is a framework, ISO 27001 is a certifiable
standard. This means you can get officially audited and certified, which can be valuable when customers or partners ask about your security practices.</p>
<p>The standard covers everything from risk assessment to access control to incident response. It requires you to document your security policies, implement controls, and
continually improve your program.</p>
<p>Certification involves an external audit and annual surveillance audits to maintain your status. The ISO 27001 Plan-Do-Check-Act (PDCA) cycle to demonstrate continuous
improvement is useful for small businesses.</p>
<p>While the process requires time and resources, ISO 27001 certification signals to customers that you take security seriously. It's particularly common among companies
doing business internationally or in regulated industries.</p>
<h3><strong>3. SOC 2</strong></h3>
<p>SOC 2 (Service Organization Control 2) is an auditing standard developed by the American Institute of CPAs. It's designed specifically for service providers that store
customer data in the cloud. Compared to ISO 27001, SOC 2 is typically more beneficial for small businesses due to:</p>
<ul>
    <li>A requirement for less documentation, which is typically easier for smaller teams.</li>
    <li>The ability to design your own controls.</li>
    <li>A typically easier road to achievement. ISO 27001 applies to an entire ISMS (information security management system), but SOC 2 can focus on a single product or system.
    Also, SOC 2 doesn't require full ISMS.</li>
    <li>Closer alignment to with US SaaS customer preferences, while ISO 27001 is for more mature enterprises needing global compliance</li>
</ul>
<p>The audit evaluates your controls against 5 "Trust Services Criteria": security, availability, processing integrity, confidentiality, and privacy. Most companies start
with security (the only required category) and add others based on their business needs.</p>
<p>There are 2 types of SOC 2 reports. Type I evaluates whether your controls are properly designed at a specific point in time. Type II goes further by testing whether those
controls actually worked effectively over a period (usually 6-12 months). If you're a SaaS company or handle customer data in any capacity, expect your enterprise customers
to ask for your SOC 2 Type II report.</p>
<h3><strong>4. CIS Controls</strong></h3>
<p>The Center for Internet Security (CIS) Controls are a prioritized set of actions that defend against the most common cyber attacks. Originally developed by security
experts analyzing real attack data, these controls focus on what works in the real world.</p>
<p>The current version includes 18 controls organized into 3 Implementation Groups (IGs). IG1 covers the basics that every organization should implement, like inventory
management and access control. IG1 is highly relevant for small businesses, while IG2 and IG3 add more sophisticated controls for organizations with greater resources or
higher risk profiles.</p>
<p>What sets CIS Controls apart is their practicality. Each control includes specific, actionable steps you can take. If you're a smaller business without a dedicated
security team, starting with IG1 gives you the biggest security bang for your buck.</p>
<h3><strong>5. PCI DSS</strong></h3>
<p>The Payment Card Industry Data Security Standard (PCI DSS) applies to any organization that processes, stores, or transmits credit card data. It was created by major
credit card companies to reduce payment fraud.</p>
<p>PCI DSS includes 12 main requirements covering areas like network security, access control, and regular testing. The standard specifies controls such as encrypting
cardholder data, restricting access on a need-to-know basis, and maintaining detailed audit logs.</p>
<p>Your compliance level depends on how many card transactions you process annually. Larger merchants face more rigorous requirements, including on-site audits. Smaller
businesses may be able to complete a self-assessment questionnaire instead. Non-compliance can result in fines, increased transaction fees, or losing the ability to accept
card payments altogether.</p>
<ul>
    <li>Smaller businesses with <a href="https://blog.lastpass.com/posts/pci-dss-compliance">fewer than 20,000 ecommerce transactions</a> or one million total card present transactions annually can use simple self-assessment questionnaires
    instead of costly audits.</li>
</ul>
<p><a href="https://www.lastpass.com/trial/business"><button class="lp-button lp-button--primary">Try Business</button></a></p>
<h3><strong>6. HIPAA Security Rule</strong></h3>
<p>The Health Insurance Portability and Accountability Act (HIPAA) Security Rule establishes national standards for protecting electronic protected health information (ePHI).
If you're a healthcare provider, health plan, or business associate that handles patient data, HIPAA applies to you.</p>
<p>The Security Rule requires 3 types of safeguards: administrative (policies and procedures), physical (facility access controls), and technical (encryption and access
controls). You're required to conduct risk assessments, implement appropriate controls, and train your workforce. <a href="https://www.hipaajournal.com/hipaa-updates-hipaa-changes/">The first major update to the HIPAA Security Rule</a> since the
HIPAA Omnibus Rule of 2013 is expected to be finalized May 2026. It involves removing the "required vs. addressable" distinctions, making all safeguards required.</p>
<p>HIPAA doesn't prescribe specific technologies, which gives you flexibility in how you meet the requirements. However, this flexibility also means you're responsible for
determining what's "reasonable and appropriate" for your organization. Violations can result in significant fines ranging from thousands to millions of dollars, depending on
the severity and whether negligence was involved.</p>
<h3><strong>7. GDPR</strong></h3>
<p>The General Data Protection Regulation (GDPR) is the European Union's data protection law, but its reach extends far beyond Europe. If you collect or process personal data
from EU residents, GDPR applies to you regardless of where your business is located.</p>
<p>GDPR focuses on giving individuals control over their personal data. Key requirements include obtaining clear consent before collecting data, allowing people to access or
delete their information, and reporting data breaches to authorities in 72 hours.</p>
<p>The regulation also requires appropriate technical measures to protect data. This includes encryption, access controls, and the ability to ensure ongoing confidentiality
and integrity of processing systems. Fines for non-compliance can reach up to 4% of annual global revenue or &euro;20 million, whichever is higher.</p>
<h3><strong>8. COBIT</strong></h3>
<p><a href="https://blog.lastpass.com/posts/cobit-framework">COBIT</a> (Control Objectives for Information and Related Technologies) is a framework for IT governance and management developed by ISACA. While broader than pure
cybersecurity, it helps organizations align IT activities with business goals. <a href="https://www.isaca.org/resources/news-and-trends/isaca-now-blog/2021/cobits-value-for-small-and-medium-enterprises">ISACA's COBIT guidance</a> is especially helpful for small businesses, as it aims to dispel the
general sentiment that COBIT is too top-heavy for businesses of their size.</p>
<p>The COBIT framework covers 5 domains: governance, management of strategy, operations, monitoring, and optimization. It's particularly useful for organizations that need to
demonstrate how IT decisions support business objectives and manage risk effectively.</p>
<p>COBIT works well alongside other frameworks like NIST or ISO 27001. Many organizations use it to establish the governance structure that oversees their security program.
If your leadership is asking how security investments tie to business outcomes, COBIT helps you answer that question.</p>
<h3><strong>9. NIST 800-53</strong></h3>
<p>While the NIST Cybersecurity Framework offers a high-level structure, NIST Special Publication 800-53 dives deep into specific security controls. It's the catalog of
controls used by federal agencies and contractors who work with the U.S. government.</p>
<p>The publication includes hundreds of controls organized into families like access control, audit and accountability, incident response, and system integrity. Each control
includes detailed implementation guidance and assessment procedures.</p>
<p>Even if you're not a government contractor, NIST 800-53 serves as a complete reference for building a mature security program. Many private sector organizations use it to
benchmark their controls or prepare for FedRAMP authorization if they want to sell cloud services to federal agencies.&nbsp;FedRAMP is also built on&nbsp;<a href="https://blog.lastpass.com/posts/nist-special-publication-800-53">NIST 800-53</a>.</p>
<h3><strong>10. Zero Trust Architecture</strong></h3>
<p>Zero Trust isn't a standard or regulation, but maps to many of the standards discussed above. It's a security model built on a simple principle: never trust, always
verify. Traditional security assumed that everything inside your network was safe. Zero Trust assumes that threats can come from anywhere.&nbsp;</p>
<p>In a Zero Trust model, every access request is verified regardless of where it comes from. This means strong authentication, least-privilege access, and ongoing monitoring
of user behavior. You grant people access only to what they need, when they need it.</p>
<p>Implementing Zero Trust involves technologies like <a href="https://www.lastpass.com/products/multifactor-authentication">multifactor authentication</a>, network segmentation, and <a href="https://blog.lastpass.com/posts/identity-and-access-management-iam">identity management</a>. It's
particularly relevant as more employees work remotely and access company resources from various locations and devices.</p>
<h2><strong>How LastPass helps you meet cybersecurity framework requirements</strong></h2>
<p>Many of the frameworks we've covered share common requirements around access control, <a href="https://www.lastpass.com/solutions/authentication">authentication</a>, and audit logging. LastPass helps you meet these
requirements through FIDO2 verification, credential security, and SaaS Monitoring, all part of our <a href="https://www.lastpass.com/products/business-max">Business Max tier</a>.</p>
<p>LastPass encrypts all stored credentials using AES-256 encryption with 600,000 rounds of PBKDF2-SHA256 hashing. In simple terms, this means your master password goes
through 600,000 transformations before it becomes the key that unlocks your vault, making it extremely difficult for attackers to crack through brute force. The <a href="https://www.lastpass.com/security/zero-knowledge-security">zero-knowledge architecture</a> means that only you can decrypt and access your data. Not even LastPass can see your master password or vault contents.</p>
<p>For compliance documentation, LastPass holds ISO 27001, ISO 27701, SOC 2 Type II, SOC 3, BSI C5, and FIDO2 Server certifications. This makes it easier to demonstrate that
your <a href="https://www.lastpass.com/password-manager">password management practices</a> meet recognized security standards.</p>
<p>Admins get access to over 120 customizable security policies and role-based access controls. You can enforce password complexity requirements, set sharing permissions, and
monitor security scores through the <a href="https://www.lastpass.com/features/security-dashboard">Security Dashboard</a>. Native integrations with <a href="https://www.lastpass.com/features/directory-integration">directory services</a> like Microsoft Entra ID, Okta, and Google
Workspace automate user provisioning and deprovisioning.</p>
<p>For frameworks that require multifactor authentication, LastPass supports multiple MFA options including authenticator apps, YubiKey, FIDO2-certified hardware keys, and
biometrics like Windows Hello and Touch ID.</p>
<p>Ready to strengthen your security posture? <a href="https://www.lastpass.com/products/business">Try LastPass Business</a> and see how simple compliance-friendly password management can be.</p>
<div class="button-container"><a href="https://www.lastpass.com/trial/business"><button class="lp-button lp-button--primary">Try Business</button></a></div>

Top 10 cybersecurity frameworks every business should know in 2026

<ul class="ul1" style="color: #000000;">
    <li class="li1" style="margin: 0px;">A cybersecurity framework is a structured set of guidelines that&nbsp;helps&nbsp;organizations&nbsp;identify, manage, and reduce security risks.&nbsp;</li>
    <li class="li1" style="margin: 0px;">NIST and ISO 27001 are foundational frameworks that work for businesses of any size, while PCI DSS and HIPAA target specific industries.&nbsp;</li>
    <li class="li1" style="margin: 0px;">SOC 2 compliance has become essential for SaaS companies and service providers who handle customer data.&nbsp;</li>
    <li class="li1" style="margin: 0px;">Zero Trust Architecture is a modern approach that verifies every access request, assuming no user or device is automatically trusted. </li>
    <li class="li1" style="margin: 0px;">LastPass supports multiple compliance frameworks with features like audit logging,<a href="https://www.lastpass.com/features/user-management"><span class="s2">&nbsp;customizable security policies</span></a>, and SOC 2 Type II certification.&nbsp;</li>
</ul>

Key Takeaways: Top 10 cybersecurity frameworks every business should know

Learn about the top cybersecurity frameworks like NIST, ISO 27001, SOC 2, and PCI DSS to protect your business and meet compliance requirements.

Top 10 Cybersecurity Frameworks Every Business Should Know

What cloud IAM gets right and how LastPass Business Max delivers it for Small and Scaling Companies

<ul>                                                                                                                                                                                               
    <li>One misconfigured cloud asset can generate over 165,000 attack paths to your business.</li>                                                                                                  
    <li>78% of organizations have at least one IAM role that has remained unused for 90+ days, giving attackers ready-made access to their system.</li>                                              
    <li>Shadow IT is growing faster than security teams can track it, with 75% of employees projected to use unapproved tools by 2027.</li>                                                          
    <li>Traditional MFA is no longer enough. AI-powered phishing kits can now intercept your 2FA codes, making credential hygiene and SaaS visibility non-negotiable.</li>                           
    <li>Businesses without centralized SaaS control are 5X more likely to be attacked.</li>                                                                                                          
    <li>LastPass Business Max gives small teams enterprise-grade cloud identity security – credential management, SaaS Monitoring, SaaS Protect, and real-time access controls (SSO & FIDO2 MFA) –   
  all from a browser extension.</li>                                                                                                                                                                 
  </ul>

 Key takeaways: Cloud IAM

One misconfigured cloud asset creates 165,000+ attack paths. Learn how LastPass Business Max helps SMBs stop Shadow IT, manage credentials, and control SaaS sprawl with enterprise-grade security.

What Cloud IAM Gets Right and How LastPass Business Max Delivers it for Small and Scaling Companies

<p>LastPass&nbsp;Threat Intelligence, Mitigation, and Escalation (TIME)&nbsp;would like to alert our customers&nbsp;to&nbsp;an&nbsp;active&nbsp;phishing campaign that&nbsp;began on or around March 1, 2026. These&nbsp;phishing emails are&nbsp;being sent&nbsp;from&nbsp;several&nbsp;email addresses&nbsp;with&nbsp;various&nbsp;subject lines that look like forwarded internal messages about unauthorized access to individuals&rsquo; accounts. The known list of email addresses&nbsp;and subject lines can be found below.&nbsp;&nbsp;&nbsp;</p>
<p><strong><em>This is an attempt on the part of a malicious actor to draw attention and generate urgency in the mind of the recipient, a common tactic for social engineering and phishing emails.&nbsp;</em></strong></p>
<h3>Campaign Overview</h3>
<p>Attackers are forwarding fake email chains to make it appear as though another individual is trying to take unauthorized action on their LastPass account (i.e., export vault, full account recovery, new trusted device registered, etc.). Attackers use display name spoofing so that the name portion of the sender field is manipulated to impersonate LastPass, while the actual sending email address is unrelated. The attacker relies on the fact that many email clients (especially mobile) show only the display name, hiding the real sender address unless you expand it. The emails instruct targets to take some type of action (i.e., report suspicious activity, disconnect and lock vault, revoke device, etc.) if something looks off via provided links; these links then direct targets to fake SSO login pages via https[:]//verify-lastpass[.]com as the primary URL to collect users&rsquo; credentials (see below).</p>
<h3>Body of Phishing Email Examples</h3>
<p>The below images shows the fake correspondence and personas the threat actor included in emails to targets.</p>
<p><img src="https://www.lastpass.com/-/media/5b579a58cf254b069d6f9abc6b793810.jpg?h=312&amp;w=936" ></p>
<p><img src="https://www.lastpass.com/-/media/2677d3c9576148cd97e6bb42208a574c.jpg" ></p>
<p>The image below displays the landing page that is a fake LastPass SSO login page. </p>
<p><img src="https://www.lastpass.com/-/media/228a483228a6447b8d99bb6397445f6a.jpg" ></p>
<p>&nbsp;</p>
<h3>What to do </h3>
<p><strong>Please remember that no one at LastPass will&nbsp;ever ask for your master password</strong>.&nbsp;Rest assured,&nbsp;we are&nbsp;working&nbsp;with our third-party partners&nbsp;to have these sites taken down&nbsp;as soon as possible.&nbsp;In the meantime,<strong><em>&nbsp;please&nbsp;take the&nbsp;appropriate precautions&nbsp;</em></strong>and,&nbsp;as always,<strong><em> if you&nbsp;are ever unsure whether&nbsp;a&nbsp;LastPass branded&nbsp;email is&nbsp;legitimate, submit&nbsp;it to&nbsp;</em></strong><a href="mailto:abuse@lastpass.com"><strong><em>abuse@lastpass.com</em></strong></a><strong><em>.&nbsp;</em></strong>We would like to thank our customers who have already&nbsp;submitted&nbsp;this email for their vigilance and&nbsp;commitment to keeping our community secure.<strong><em></em></strong>&nbsp;</p>
<p>&nbsp;</p>
<h3>Indicators of Compromise</h3>
<p><strong>Malicious URLs and associated IP addresses at time of publication</strong>:&nbsp;&nbsp;</p>
<p>At the center of the phishing chain is the domain https[:]//verify-lastpass[.]com. Most malicious links redirect to this domain, but the attackers generate many slightly modified versions by adding different trailing numbers. This lets them produce a large set of URLs that all resolve to the same phishing page.</p>
<ul>
    <li><span style="color: black;">http[:]//url6163[.]hancochem[.]at/ls/click?upn=u001.zzKoeZ0KJwWxkAal-2BAEGAVZqjLZ-2Fi-2FvLLleyd0Mrg7G2tDUVYJx-2BwoTtA3VLtDQxDdnbMlSxrd48X2rqT3qjwA-3D-3D4tgO_sO-2BxZceWa0lJwX67h1R3P4373GdGx0dFRW1jYvRsz0zpAChfojQaxq2-2Bkg5LzfoxWNcUnJJfqqvxD7hQYHhN-2FI-2BPE3Xav0OFz-2FYfkten1SK5CpICpFh-2FePosONfhxOeAEuJOM6ptlTgkAjbq7cEdRaO5VlNg1llTkcEPO3z5AI0k9UpvVGTAzLPy2F5XkI2ozYLJlUrGPCZ-2F-2FB-2F1EZpCXWdDXN70q14FYvRYyMptdqWq4DhdemtpUyZ6Bmfl9JRinCHKTAB32JnuxqmjamSwTQ-3D-3D</span>
    <ul>
        <li>Redirects to https[:]//verify-lastpass[.]com/login?13</li>
        <li>Serving IP address:&nbsp;172.67.200[.]82</li>
    </ul>
    </li>
    <li>http[:]//email[.]mg[.]atomicminerals[.]ca/c/eJxszE1SwyAUAODTPJbM4_1AsmBRx8kJ3LgklKQ4IdUEO-rpvUAv8F1j8MLJmRJdCMRevARzizroUhafVa_jQPOsWgRLDqgJacloaiQkj4zOOUYJdhkppJFRWTxiURBsq0393mpudS9H2k6bk9nirffPE_gCNAFNc-12-wWa5KD3t3oBnn4yAvkH8OszAcjvwzr8mSOe3x9px9GRMNDLFwiuLdXN5nszj0j_AQAA__9YskAN?px7ik70&amp;r=salud5i.cl&amp;6
    <ul>
        <li>Redirects to https[:]//verify-lastpass[.]com/login?14</li>
        <li>Serving IP address:&nbsp;172.67.200[.]82</li>
    </ul>
    </li>
    <li>https[:]//u48791940[.]ct[.]sendgrid[.]net/ls/click?upn=u001.ogpCsZrycFMCzfAiwPUWLmFsdkeI0MdEubFNgF3jgfqNQnFF7Sa4GacvI70clegZr1qhygt4EWt2YnP-2FiRMmaw-3D-3D5DWs_J8xRVsYbQP5fs7rIap1JbiZonM0buqGmCHMV-2BEiWHGtUxzu1WAuzO-2F7r3H3eREXp7XzUO3kzMmDj-2FdV-2F-2B4uWrIiJutCCPJ7YwmWdBDCht1WbPrgl1ya8BLo-2FkUCBo2UB47GOty9-2BpwLA0VbNvHAyb0HBKx8PxXXUIXmB-2BtJj5jHoGWLDU-2Fzhub-2F5uJgsSK4tOiGznacs1i4gOiTZYqi69QVYnU0ickYbRu9-2BQYsVwZ3Q-2B9-2Bb-2FidY2lMaojEQ4-2FdBB2GtXwZ6LtDo7p8V7d8WbA-3D-3D
    <ul>
        <li>Redirects to https[:]//verify-lastpass[.]com/login?12</li>
        <li>Serving IP address: 104.21.21[.]204</li>
    </ul>
    </li>
    <li>https[:]//u44889439[.]ct[.]sendgrid[.]net/ls/click?upn=u001.e-2BxTnSnQxOkncC20jNBuK6V4isKkl0XRDY4tivVdQQeqb6mLeZ9KZOFcqWpx39-2BnAE7mTDuZrA1c4CRwWnQJ87meMHF8VOjaNNH6wrLM3tM-3Dy3Wh_R1ZGbWCmLkaPZePSUmyQqgC1d5Ris5WwQ8-2BSDU4d1rdH8zGcPFFH4qlT8e5nEVVXDsX1sxkOVJGJxV2k3mwe-2FKfUVjKWBXPNmt-2BaH9C1gryEyEFxqdI02G0RJDIFrE6Nl4-2FW-2BO2bPI3S5k-2B-2FPb-2FQa5gviNQAk-2BIEXw6VHumTQbE6UHjUDbxJtHf1MonzbXBm5LIlU94C72GVqQpgivP2zmV1UE4e6UHNrQ0EU5kDakI-3D&amp;t3fq0mvk&amp;ref=deepai.cloud&amp;4yo7x
    <ul>
        <li>Redirects to https[:]//verify-lastpass[.]com/login?6</li>
        <li>Serving IP address:&nbsp;52.102.103[.]4</li>
    </ul>
    </li>
    <li>https[:]//u36129518[.]ct[.]sendgrid[.]net/ls/click?upn=u001.-2FOOkSPOOOLb9fpU79r0i5hEcjwfSQiTuVvlEgaG0hdHfvF0xmyV5ce3B4o7gGe0pUsHKDoF5ZYs1K2zEXVW9W-2F-2FdlazaOb4E5L8fdeTHrCk-3DEvrg_VBVoDhnIQxvCgpmdePRMMhkot7dkZlCJbRS3wbJOKNEIgFbdWxk02jlIRoEXWYDG-2Bu4QKAwbK0S7QyfOm51-2BaKSgcUhp9gIwP4JXcoWFOwS0EnG5t4esWxYDCzC0DArn6LAgJii-2F9ue3VcvjeqWEd6mhs3U83u8F7JNRQ94Icqdz466gV-2Fii3l-2B6SoPa9U0nLdiYN8Cfi381AtC6Kbro0T5nqaadfqtHC7xucIF3oGsjsHvz0ciYZ9bzxeP-2F6PpUrJifffYMQ4ROnoVh6uwC1g-3D-3D
    <ul>
        <li>Redirects to https[:]//verify-lastpass[.]com/login?14</li>
        <li>Serving IP address: 104.21.21[.]204</li>
    </ul>
    </li>
    <li>https[:]//u8790117[.]ct[.]sendgrid[.]net/ls/click?upn=u001.orExwStHYFDTU74GY1XA46huRVGl2xzICxrswbVNw6-2FtS6SAKtxwYwh83Ym-2FDWqHZcYQZJ-2FDSlAUAmoE8yFV0g-3D-3D6eeu_M-2Bd3xd1fzoxjC4kCStlaly-2FJia50cDswk4hS8HhdkZh4BaY2qwomdnOk9fz6pJQemyQsO5BiLR7Pcsr-2FFbAJeMmvGC-2FfI6pVbMaYAEYM-2B9xlijEYZ-2FdfUqJ5M4A6yAWTuHXacxHZX1hFEZJbjAKDus-2BqrDAGnOgWsIEabTDSyUaIqjQTLGTQikLOGwG5xj7wL3Wer5kxEXBuSuao3w4vxg-3D-3D&amp;sq9fhcx&amp;origin=fluxstore.io&amp;i
    <ul>
        <li>Redirects to https[:]//verify-lastpass[.]com/login?13</li>
        <li>Serving IP address: 52.102.103[.]12</li>
    </ul>
    </li>
    <li>http[:]//email[.]mg[.]79resources[.]com/c/eJxkzU1OwzAQQOHTjJfR_DjjeOEFFcoJWCA2yLWdNlKsQuxUKqdHwJIDvPfl4P0YJzYlkHMsap2guQaenJRl0ZKTiBKmnEgJeUTKGhnNGhhZUZCIhAkHH_PZeTsVR8tiMYLFehmc30u7HXsqbUi3arZw7f2jgTwBz8Dzee3D9gCebX99e4knkDlV-2VlA9aj1_e_GOT5_wxY24PuZg-H-JFF0QGfSvv8sS81rtsveQ_8HQAA__-ytUM_?ci&amp;tag=yodhafinance.com&amp;vtzlng
    <ul>
        <li>Redirects to https[:]//verify-lastpass[.]com/login?11</li>
        <li>Serving IP address: 104.21.21[.]204</li>
    </ul>
    </li>
    <li>http[:]//email[.]mg[.]redlakegold[.]ca/c/eJxky0FOxSAQANDTDEsCw3ToX7DQmK69Agy0JR_8TYsm9fQewAO8HCinPKEqwXqPjokfpPZgKGUxiT3LTDKjnfL6KKvEKOQFk6oBDbJxxlrrrCNNzgoyz1OcVo6-AJm-6bPkFp9le7WsJaoW9jGOC9wb4AK4pDp0uwEXOsvv8XmDW-QA5AHu478-w12uXr9k_-7PagHfOQGZrcfatLy6-gn4FwAA__9PZD7G?g2fk3tf3&amp;tag=bebran.com&amp;bd
    <ul>
        <li>Redirects to https[:]//verify-lastpass[.]com/login?6</li>
        <li>Serving IP address: 52.102.103[.]50</li>
    </ul>
    </li>
    <li>http://email.mg.redlakegold.ca/c/eJxky0FOxSAQANDTDEsCw3ToX7DQmK69Agy0JR_8TYsm9fQewAO8HCinPKEqwXqPjokfpPZgKGUxiT3LTDKjnfL6KKvEKOQFk6oBDbJxxlrrrCNNzgoyz1OcVo6-AJm-6bPkFp9le7WsJaoW9jGOC9wb4AK4pDp0uwEXOsvv8XmDW-QA5AHu478-w12uXr9k_-7PagHfOQGZrcfatLy6-gn4FwAA__9PZD7G?bwu71&amp;utm_source=bebran.com&amp;2nxq14
    <ul>
        <li>Redirects to https[:]//verify-lastpass[.]com/login?6</li>
        <li>Serving IP address: 104.21.21[.]204</li>
    </ul>
    </li>
    <li>http[:]//email[.]mg[.]bedfordmetals[.]com/c/eJxszUtuwyAQANDTDEuL-TCGBYtWFfcwv8QSKGniWM3tK3XdC7xXoy_sVjIt4roSq6hXc43StInNnXLDECg7rtVTdyVj7pjZ7JEsqWWLiIykS5cSmvMSNtfRFwGx87LkVvvtUWc7tvFcym2aEa_HcX8CfwAloJT3YxlvoCRDbNo34PRd5vvn7EB6An_9pwDp3Tzii4MjVrsCfb4YxF7mto-_5oz0GwAA__-9fkCb?8v&amp;v=itpbusa.com&amp;jat472k
    <ul>
        <li>Redirects to https[:]//verify-lastpass[.]com/login?5</li>
        <li>Serving IP address: 104.21.21[.]204</li>
    </ul>
    </li>
    <li>http[:]//email[.]mg[.]bedfordmetals[.]com/c/eJxszUtuwyAQANDTDEuL-TCGBYtWFfcwv8QSKGniWM3tK3XdC7xXoy_sVjIt4roSq6hXc43StInNnXLDECg7rtVTdyVj7pjZ7JEsqWWLiIykS5cSmvMSNtfRFwGx87LkVvvtUWc7tvFcym2aEa_HcX8CfwAloJT3YxlvoCRDbNo34PRd5vvn7EB6An_9pwDp3Tzii4MjVrsCfb4YxF7mto-_5oz0GwAA__-9fkCb?8v&amp;v=itpbusa.com&amp;jat472k
    <ul>
        <li>Redirects to https[:]//verify-lastpass[.]com/login?5</li>
        <li>Serving IP address: 172.67.200[.]82</li>
    </ul>
    </li>
</ul>
<p><strong>Sender email information:&nbsp;</strong></p>
<p><em>From:&nbsp;&nbsp;</em></p>
<ul style="margin-top: 0in; list-style-type: disc;">
    <li>office@hancochem.at</li>
    <li>admin@salud5i.cl</li>
    <li>no_reply@remstal-praxis.de</li>
    <li>demo@fluxstore.io</li>
    <li>no_reply@kreducationsa.com</li>
    <li>support@yodhafinance.com</li>
    <li>hr@bebran.com</li>
    <li>info@itpbusa.com</li>
</ul>
<p><em>Subjects:&nbsp;</em></p>
<ul>
    <li>Re: the details</li>
    <li>Re: pending approval</li>
    <li>Re: Access request pending</li>
    <li>Re: FYI</li>
    <li>RE: sign-in &mdash; TRZ-2302300</li>
    <li>Fwd: Re: your request</li>
    <li>Re: credential download</li>
</ul>

March 2026 Phishing Campaign Targeting LastPass Customers

LastPass Threat Intelligence, Mitigation, and Escalation (TIME) would like to alert our customers to an active phishing campaign that began on or around March 1, 2026. These phishing emails are being sent from several email addresses with various subject lines that look like forwarded internal messages about unauthorized access to individuals’ accounts. The known list of email addresses and subject lines can be found below. This is an attempt on the part of a malicious actor to draw attention and generate urgency in the mind of the recipient, a common tactic for social engineering and phishing emails. 

LastPass Alerts Customers of Fake Email Chains Used in New Phishing Campaign; No Impact to LastPass Systems

<p>Digital squatting and phishing are often treated as separate threat vectors, but they are deeply intertwined. Digital squatting is an umbrella term for various deceptive tactics that aim to capitalize on established brands and differ in their specific techniques. If phishing is the scam message, then digital squatting is the trap.<strong> </strong>Phishing convinces the victim to click. Digital squatting gives them a believable place to land and unknowingly hand over credentials and other sensitive information. </p>
<p>These attacks are indiscriminate and take advantage of a huge attack surface that is nearly impossible to stay ahead of. Especially now that automation and AI have entered the group chat, it&rsquo;s like forcing security teams into a one-on-one defense scenario where the adversary has endless stamina, instant playbooks, and the ability to change tactics in real time.</p>
<p>Together, digital squatting and phishing can form one of the most successful, scalable, and low-cost social engineering attack chains used by cybercriminals. Here&rsquo;s how they connect.</p>
<h3><strong>Digital squatting creates fake websites that look real. </strong></h3>
<p>Fake and lookalike domains are the front end of modern attacks.&nbsp;They&rsquo;re&nbsp;used to deliver phishing, malware, and business email compromise, often bypassing&nbsp;traditional perimeter defenses because the infrastructure lives outside the company&rsquo;s network.&nbsp;</p>
<p>Cybercriminals use fake domains because&nbsp;they&rsquo;re&nbsp;one of the most efficient ways to steal credentials without touching a company&rsquo;s network.&nbsp;Attackers register web addresses that look almost identical to companies&rsquo; real sites&mdash;sometimes with just one letter changed. They then use these lookalike websites to fool employees or customers into thinking they&rsquo;re interacting with your business. Given the massive attack surface, brands cannot defensively register everything, which leaves the doors open to attacks.</p>
<p>Common tactics to make websites appear legitimate include the following:</p>
<ul style="list-style-type: disc;">
    <li>Typosquatting: registering commonly misspelled brand names (i.e, gogle[.]com&nbsp;instead of&nbsp;google[.]com)</li>
    <li>TLD Abuse: substituting top-level domains (i.e., &ldquo;google.co&rdquo; instead of &ldquo;google.com&rdquo;)</li>
    <li>Homograph attacks: character swaps like replacing similar-looking numbers,&nbsp;letters,&nbsp;foreign alphabets,&nbsp;punycode, and more</li>
    <li>Combosquatting: adding keywords like &ldquo;support,&rdquo; &ldquo;secure,&rdquo; or &ldquo;login&rdquo; to the real brand name (i.e.&nbsp;&ldquo;secure-bank.com&rdquo;)</li>
</ul>
<h3><strong>These fake sites make phishing attacks far more convincing.</strong></h3>
<p><span>These attacks are particularly effective because they use social engineering elements to bypass security safeguards.&nbsp;</span>Instead of obvious scam links, attackers send emails or texts that appear legitimate because the link <em>looks</em> like a real domain. Attackers hope victims&nbsp;don&rsquo;t&nbsp;notice misspelled domains that appear similar to trusted brands, or&nbsp;maybe&nbsp;it&rsquo;s&nbsp;difficult to see the entire URL before clicking on it from a mobile device.&nbsp;Employees see what their eyes expect and click without hesitation. If attackers can impersonate your brand, they can target your users without ever touching your systems.&nbsp;</p>
<p>Digital squatting&nbsp;isn&rsquo;t&nbsp;just about tricking&nbsp;computers &ndash;&nbsp;it's&nbsp;also about manipulating human trust at scale.&nbsp;This tactic&nbsp;works because it turns human behavior into the attack surface, taking advantage of our trust in brand credibility and familiarity. Combine a perfect email with a perfect-looking website, and the scam becomes extremely believable.</p>
<h3><strong>It takes only one click to have devastating consequences. </strong></h3>
<p>Even one employee entering credentials into a fake website can give attackers email access, customer and/or corporate data, billing credentials, or cloud platform access. One compromised account can cascade quickly. </p>
<p>For instance, security researchers <a href="https://cybersecuritynews.com/scattered-lapsus-hunters-registered-40-domains/">discovered over 40 typosquatted Zendesk domains</a> such as znedesk[.]com and vpn-zendesk[.]com, crafted to mimic real Zendesk login portals. These fake sites hosted fraudulent single sign-on (SSO) pages specifically designed to steal credentials. Victims were often lured through phishing emails, fraudulent support tickets linking to the fake domains, and login prompts that captured credentials before redirecting. This campaign aligns with earlier Scattered Lapsus$ attacks against Salesforce using similar typosquatted infrastructure.</p>
<h3><strong>How are attackers are using digital squatting to target brands and users? </strong></h3>
<p>This attack&nbsp;generally involves&nbsp;luring victims to a fake&nbsp;lookalike&nbsp;site&nbsp;hosting a cloned real login page. When users enter their usernames and passwords, the&nbsp;attacker&nbsp;captures them in real time, and the victim is often redirected to the real site&nbsp;to avoid raising any suspicions. Modern fake-domain kits now&nbsp;allow attackers to capture MFA tokens or session cookies and proxy logins in real time.&nbsp;</p>
<p>Digital&nbsp;squatting&nbsp;isn&rsquo;t&nbsp;a new tactic, but AI is evolving it faster and at greater scale than ever before.&nbsp;The recent uptick in digital squatting is&nbsp;directly linked&nbsp;to the commodification of cybercrime through Generative AI (GenAI) and autonomous attack agents. These technologies have enabled threat actors to scale the creation and management of malicious domains at an unprecedented rate.&nbsp;AI-driven&nbsp;digital&nbsp;squatting&nbsp;makes it cheap and fast to generate thousands of believable domain variations, create polished phishing sites and emails, and scale attacks.&nbsp;For instance, threat actors are&nbsp;utilizing&nbsp;both legitimate Large Language Models (LLMs) and purpose-built "Dark LLMs" to automate the squatting lifecycle.&nbsp;&nbsp;</p>
<h3><strong>How LastPass can help prevent fall out from these attacks?</strong></h3>
<p>The LastPass TIME team&nbsp;regularly monitors for phishing campaigns&nbsp;leveraging&nbsp;our branding&nbsp;targeting LastPass customers. When it pops up, we work&nbsp;to quickly take down and&nbsp;publicly&nbsp;report&nbsp;this activity as soon as&nbsp;it&rsquo;s&nbsp;detected.&nbsp; </p>
<p>Credential theft rose 160% in 2025, and the fastest-growing tactic behind that surge is deceptively simple. As mentioned, attackers are creating fake versions of legitimate sites with URLs that are engineered to trick your eyes, especially when you're busy or distracted. But here's what makes LastPass your ally: it helps you catch the trick. Via domain binding, LastPass "binds" your credentials to the exact domain where you created them. This means it autofills your information on sites it recognizes.&nbsp;It helps you outsmart digital squatting scams, even if a site looks perfectly familiar to you. LastPass is a defense that helps you stay safe even on your worst, most distracted day. <a href="https://www.lastpass.com/trial/business?max=true">Try LastPass today</a> to start protecting yourself now. </p>
<h3><strong>What practical steps can&nbsp;SMBs take to protect themselves from digital squatting&nbsp;scams?&nbsp;</strong></h3>
<p>The faster organizations&nbsp;identify&nbsp;and disable digital squatting campaigns, the more effectively they can protect credentials and control risk. Here are a few simple steps SMBs can take to better protect themselves against these threats: </p>
<ul style="margin-top: 0in; list-style-type: disc;">
    <li>Register obvious variations of your domain (cheap and effective).</li>
    <li>Enable MFA everywhere (cuts off most credential theft).</li>
    <li>Use email security tools that check for lookalike domains. Tools&nbsp;like DNS firewalls&nbsp;can automatically block employees from visiting risky websites,&nbsp;especially brand-new or suspicious lookalike domains.&nbsp;&nbsp;</li>
    <li>Train employees to hover over links before clicking and check whether they are legitimate.</li>
    <li>Monitor for new domains impersonating your brand. Early alerting and rapid takedown procedures are essential to limit the dwell time of malicious infrastructure.&nbsp;</li>
    <li>Shadow AI visibility is a growing concern.&nbsp;Monitor&nbsp;internal use of AI tools to prevent data leaks that provide attackers with the specific keywords or document naming conventions or system mapping they need to create highly effective impersonation domains. Shadow AI leaks more than people realize by quietly teaching outsiders how your organization works without having to hack systems. If employees paste&nbsp;real internal&nbsp;content into AI tools, that can reveal naming conventions for systems and documents, folder structures, and more that can be&nbsp;leveraged&nbsp;in digital squatting and other social engineering attacks.&nbsp;</li>
</ul>

Why Digital Squatting Still Works in 2026—And Why Defense Is So Hard

Together, digital squatting and phishing can form one of the most successful, scalable, and low-cost social engineering attack chains used by cybercriminals, according to Cyber Threat Intelligence analyst Stephanie Schneider. 

Authentication vs Authorization for MSPs: Stop RMM Attacks

<ul class="ul1" style="color: #000000;">
    <li class="li1" style="color: rgba(0, 0, 0, 0.85); margin: 0px;"><span class="s1">MSPs that nail SSO and MFA are still one over-privileged account away from a Kaseya-style supply chain&nbsp;compromise.&nbsp;Scroll down to learn why.&nbsp;</span></li>
</ul>
<ul class="ul1" style="color: #000000;">
    <li class="li1" style="color: rgba(0, 0, 0, 0.85); margin: 0px;"><span class="s1">When RMMs go blind:&nbsp;SaaS sprawl and Shadow IT are the hidden risk your RMMs are missing.&nbsp;</span></li>
</ul>
<ul class="ul1" style="color: #000000;">
    <li class="li1" style="color: rgba(0, 0, 0, 0.85); margin: 0px;"><span class="s1">LastPass is more than&nbsp;a&nbsp;password manager. As a Secure Access Essentials provider&nbsp;and&nbsp;a&nbsp;2026 G2 winner&nbsp;in the Best&nbsp;Security&nbsp;Software category, our flagship Business Max offering&nbsp;gives&nbsp;you SaaS Monitoring + Protect&nbsp;=&nbsp;full&nbsp;visibility into your SaaS&nbsp;and AI&nbsp;stack.&nbsp;&nbsp;</span></li>
</ul>
<ul class="ul1" style="color: #000000;">
    <li class="li1" style="color: rgba(0, 0, 0, 0.85); margin: 0px;"><span class="s1">Pressed&nbsp;for&nbsp;time? Use our easy, practical&nbsp;six-point list to secure your RMM and SaaS systems.&nbsp;</span></li>
</ul>
<ul class="ul1" style="color: #000000;">
    <li class="li1" style="color: rgba(0, 0, 0, 0.85); margin: 0px;"><span class="s1">The offer that sells itself in QBRs: See the FAQ section for&nbsp;why&nbsp;Shadow IT/SaaS sprawl&nbsp;is&nbsp;a compelling&nbsp;risk your clients will gladly pay to fix.&nbsp;</span></li>
</ul>

Key takeaways: Authentication vs Authorization

Learn how MSPs can secure RMM tools beyond authentication. Discover authorization best practices and how LastPass SaaS Monitoring closes critical gaps.                                                                                                                                               

Authorization vs authentication for MSPs: How LastPass fixes what RMMs miss (2026) 

Why LastPass wins for 2FA reliability in 2026

<ul class="ul1" style="color: #000000;">
    <li class="li1" style="color: rgba(0, 0, 0, 0.85); margin: 0px;"><span class="s1">While Sandia Labs made headlines with their breakthrough 2FA for drones, LastPass quietly engineered one of the most reliable authentication systems for small businesses.&nbsp;</span></li>
</ul>
<ul class="ul1" style="color: #000000;">
    <li class="li1" style="color: rgba(0, 0, 0, 0.85); margin: 0px;"><span class="s1">2025&rsquo;s spike in MFA-bypassing&nbsp;PhaaS&nbsp;kits makes reliable 2FA more critical than ever.&nbsp;</span></li>
</ul>
<ul class="ul1" style="color: #000000;">
    <li class="li1" style="color: rgba(0, 0, 0, 0.85); margin: 0px;"><span class="s1">SIM swapping? Still a threat in 2026&nbsp;with&nbsp;attackers&nbsp;doubling down on&nbsp;SS7 exploitation.&nbsp;</span></li>
</ul>
<ul class="ul1" style="color: #000000;">
    <li class="li1" style="color: rgba(0, 0, 0, 0.85); margin: 0px;"><span class="s1">Free 2FA stops casual attackers but fails when you need it most.&nbsp;Scroll down to see how LastPass protects your business.&nbsp;</span></li>
</ul>

Key takeaways: 2FA 

FAQs: 2FA

When it comes to 2FA security, you need authentication that protects your business and lets your team work efficiently. LastPass delivers both. 

Attention Small Businesses: Why LastPass Wins for 2FA Reliability in 2026

<p>One chapter in the saga of infostealer malware has ended&mdash;at least for now&mdash;after a global law enforcement takedown of Lumma Stealer in mid-May. US, European, and Japanese authorities, with the help of tech companies including Microsoft and Cloudflare, took down, suspended, and blocked approximately 2,300 malicious domains that made up part of the infostealer&rsquo;s backbone. The FBI also seized domains that served as login panels allowing other criminals to access and use the infostealer. Although, this seizure is intended to effectively prevent criminals from being able to access Lumma to compromise computers and steal data, the overall stealer threat will remain prevalent for the foreseeable future. </p>
<p><em>(Interested in learning more about the infostealer threat outlook? Read the LastPass TIME team&rsquo;s threat predictions and analysis on </em><a href="https://blog.lastpass.com/posts/2025-cybersecurity-trends"><em>what direction infostealers and other threats are heading</em></a><em>.) </em></p>
<h2>What is Lumma?</h2>
<p><strong><em> </em></strong></p>
<p>Lumma Stealer, also known as LummaC2, dominated the expanding stealer market with significant campaigns since it emerged as early as late 2022. Since its initial release, Lumma&rsquo;s developers have released multiple upgraded versions of the software. Before the malware-as-a-service (MaaS) platform was dismantled, the FBI linked Lumma to around <a href="https://www.malwarebytes.com/blog/news/2025/05/lumma-information-stealer-infrastructure-disrupted">10 million infections</a> globally. Lumma&rsquo;s follow-on attacks involving stealing credentials, cryptocurrency data, and credit card information have resulted in an estimated <a href="https://cyberscoop.com/lumma-infostealer-widespread-victims/">$36.5 million USD</a> in credit card theft in 2023. The malware hit individuals and a wide range of industries, including Fortune 500 companies, airlines, universities, banks, and hospitals. </p>
<p>What makes this stealer particularly effective is that it continues to evolve to bypass security layers even as defenders are responding to the threat. On top of grabbing browser-stored passwords and cookies, it&rsquo;s also capable of extracting autofill data, email credentials, File Transfer Protocol (FTP) data, and two-factor authentication tokens and backup codes. Using its MaaS platform, its creators sold access to the malware on multiple underground markets and platforms like Telegram. </p>
<h2>What comes next?</h2>
<p><strong><em> </em></strong></p>
<p>This takedown is a major win for law enforcement and will help disrupt the initial access broker ecosystem in the near term. However, this is an ecosystem that has demonstrated its resilience again and again. The number of existing infostealer families, the open access to numerous source codes of previous infostealers, and the constant demand create a lucrative environment with very low barriers to entry. Given the resiliency of this market, other infostealer will likely quickly step in and fill in the gaps left after the Lumma takedown. </p>
<p>A similar pattern previously played out with other similar takedowns. On October 28, 2024, Operation Magnus disrupted the RedLine and META infostealers. RedLine was a significant stealer last year up until the takedown, after which Lumma grew in popularity and took over a portion of the market share previously held by RedLine. Redline infected 9.9 million hosts, or 43% of all infostealer infections observed by Flashpoint in 2024. The next four most-prolific infostealers in 2024, including RisePro, SteaC, Lumma Stealer, and Meta Stealer, infected a <a href="https://cyberscoop.com/infostealers-cybercrime-surged-2024-flashpoint/">combined 7 million hosts</a>. </p>
<p>We expect to see something similar following the Lumma Stealer takedown operation. The disruption effect following takedown is real, but there are still some new infections and logs for sale that were likely stolen before the infrastructure was taken down. Additionally, just because Lumma&rsquo;s infrastructure was dismantled, a lot of the data it stole likely continues to live on the dark web&mdash;thanks to the cybercriminal ecosystem that resells this information. <span>Additionally, <a href="https://blog.checkpoint.com/security/lumma-infostealer-down-but-not-out/">CheckPoint</a> reported Lumma&rsquo;s developers are already trying to rebuild and restart their operations, which may or may not be successful.&nbsp;</span>As SpyCloud&rsquo;s <a href="https://www.linkedin.com/posts/thilligoss_lummatakedown-lummareallynowork-stealc-activity-7332888157480198146-u94p">Trevor Hilligoss shared</a>, daily new Lumma infections have trended downward following the takedown but not as much as expected. Continued monitoring will be necessary to determine the takedown&rsquo;s impact. </p>
<p>Long-standing groups such as Vidar and Stealc are good examples of this, but other newer families, such as Acreed, will also be well positioned to increase their market share. <span><a href="https://www.bleepingcomputer.com/news/security/russian-market-emerges-as-a-go-to-shop-for-stolen-credentials/">ReliaQuests</a> already reported Acreed is rapidly gaining traction following the Lumma takedown. <a href="https://webz.io/dwp/acreed-infostealer-everything-we-know-so-far/">Over 4,000 logs</a> stolen by Acreed were reportedly uploaded to the Russian Market within its first week of operations.&nbsp;</span>Nexus has also gained some traction over the last week in Lumma&rsquo;s absence. Further, former affiliates and/or administrators associated with Lumma itself may split off to create their own offerings.</p>
<p style="text-align: center;">
<img src="https://cdn.lputil.com/-/media/ffef2d4ef9d544babc2169a6d0274059.jpg?h=310&amp;w=624" >&nbsp;</p>
<p style="text-align: center;"><em>Daily new LummaC2 infections (Source: Trevor Hilligoss)</em></p>
<h2>How to protect yourself against infostealers</h2>
<p>The threat from infostealers will remain very real for the foreseeable future and continue to adapt. Oftentimes, stealers are used in indiscriminate campaigns. Additionally, the sheer volume of data that has been dumped on the internet is immense. That means anyone is fair game and should take action to protect themselves following that assumption that they could be targeted. </p>
<ul>
    <li><strong>Use strong, unique passwords for every account.</strong> This will prevent credential stuffing attacks, which is a common tactic where threat actors insert stolen usernames and passwords. That way, if one password is exposed, it won&rsquo;t give access to all your other accounts where you reuse the same password. Also, consider using a password manager to securely and conveniently store them.</li>
    <li><strong>Enable MFA on your accounts.</strong> While this measure isn&rsquo;t failproof on its own, it adds an additional layer of defense and makes you a harder target.</li>
    <li><strong>Be on guard for phishing attempts.</strong> Infostealers often spread through phishing emails and malicious downloads. </li>
    <li><strong>Check HaveIBeenPwned to monitor potential exposure </strong>if you&rsquo;re worried you may have been infected by an infostealer. </li>
</ul>

What the Lumma stealer takedown means for the infostealer market and your personal data

Lumma Stealer, also known as LummaC2, dominated the expanding stealer market with significant campaigns since it emerged as early as late 2022

Dark Side of the Lumma: What the Lumma stealer takedown means for the infostealer market and your personal data

Passkey vs Password: Which is More Secure? | LastPass

Explore the differences between passkeys and passwords. Learn how LastPass enhances security and simplifies access with advanced authentication methods.

Blog

Blog

Recent

News & Insights

Cybersecurity

Product Tutorials

Threat Intel

Product Updates

Tips And Tricks

Introducing Secure Access Essentials: Beyond Passwords to the New Reality of Work

Dark Side of the Lumma: What the Lumma stealer takedown means for the infostealer market and your personal data

Passkeys Explained: Will Passwords Ever Go Away?

LastPass Dominates G2’s Spring 2026 Grid Reports as the #1 Password Manager

8 Common Social Engineering Attacks (and How to Avoid Them)

Subscribe & Save 20% off Premium or Families plans

Queensland Has Australia's Highest Cybercrime Rate — Its New Strategy Points Straight at the Access Layer

Introducing Secure Access Essentials: Beyond Passwords to the New Reality of Work

How to Choose a Password Manager for Your Business

Top 10 Cybersecurity Frameworks Every Business Should Know

What Cloud IAM Gets Right and How LastPass Business Max Delivers it for Small and Scaling Companies

LastPass Alerts Customers of Fake Email Chains Used in New Phishing Campaign; No Impact to LastPass Systems

Why Digital Squatting Still Works in 2026—And Why Defense Is So Hard

Authorization vs authentication for MSPs: How LastPass fixes what RMMs miss (2026)

Attention Small Businesses: Why LastPass Wins for 2FA Reliability in 2026