Staying Safe from Phishing Attacks

Think phishing is an outdated attack? Think again. Despite smarter email spam filtering, the Anti-Phishing Working Group reports an 18% increase in unique phishing reports in the final quarter of 2014, and security experts predict it will only continue to rise as we head into 2016.

Phishing remains a popular tactic for stealing sensitive information like passwords, security codes, and credit card numbers, as well as for sneaking malware onto personal devices and company systems. Even a LastPass account may be the target in a phishing attack. Protecting against phishing takes both smarter detection by the software we use, and better individual preparation as the first line of defense in an attack.

Here’s how LastPass is fighting phishing, and what you can do to boost your phishing detection abilities and protect your most sensitive information when you’re caught unaware.

What Is Phishing?

Phishing attacks come in many forms. There are the emails impersonating your bank and requesting confirmation of account activity. Or the fake invoices that ask you to download the attached document to confirm your purchase. It may be in the form of malicious ads or links on social media. Attackers may go so far as to direct you to a login page that’s a near-clone of a well-known, trusted website you use.

Spear-phishing gets even more personal. Attackers will send emails that may pretend to be coming from a coworker or boss, or even your IT department. They make the request appear legitimate using what they’ve learned about you to solicit more information or get you to download a malicious file or wire money.

How to Spot Phishing Attacks

Many phishing attacks are simple and easy to spot, but some are much more sophisticated, so it takes a healthy dose of skepticism to identify suspicious emails, links, and notifications. Here’s how to spot a basic phishing attack:

  • Check the URL: Look in the address bar of the website you’ve opened, or hover over a link to see the URL in the bottom left of your browser, to confirm whether it’s a trusted URL or an imposter before you open it. For example, with LastPass you’ll always see https://lastpass.com or https://subdomain.lastpass.com. A phishing URL, however, might look like http://lastpass.otherdomain.com. In this case, the domain is actually “otherdomain.com” and should be avoided.
    Image credit: Lifehacker

  • Check who it’s addressed to: Be skeptical of emails sent to “Dear customer” or with no salutation. Most retailers these days will address you by name. Spear-phishing attacks, though, are often targeted to you specifically, so this isn’t always a fail-safe.
  • Launch a website yourself: If you’re not sure, just open up a new tab or window in your browser, type the URL in directly (or launch from your password manager) and you’ll know you’re going to a legitimate site.
  • Check if your password manager shows a matching login: LastPass can help protect you from phishing by not autofilling your login on a fake site. Since the domain doesn’t match the one LastPass has stored, it won’t fill your data. Check the URL if you see that happen.
  • Slow down when you see urgent language: Anything that gets you to act quickly or else could be trying to manipulate you into doing something without thinking first.
  • Ask yourself questions: Did I ask this person to send me an attachment? Is this something that is uncharacteristic of the other person? When in doubt, remain skeptical and just ask.
  • Check for HTTPS:// and the padlock: When you’re on a website, always check in the URL bar that you are connecting via HTTPS for a secure connection and that the padlock icon is present, meaning that a third party (a certificate authority) has issued a certificate for that domain. The padlock tells you the connection is encrypted and the certificate matches the domain in the address bar; it does not by itself prove the site is the one you meant to visit, so check the domain as well.
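The “check the URL” and “does my password manager offer a matching login” rules above both come down to one comparison: is the page’s host the saved domain, or a subdomain of it? The following is an added example, not LastPass code, of how an autofill decision can apply that rule. It assumes credentials are stored against a registrable domain such as lastpass.com, refuses plain HTTP in line with the HTTPS advice above, and uses constructed sample URLs including the look-alikes a phishing page might use.

```javascript
// Added example (not LastPass code): the domain comparison behind a password
// manager's "should I fill here?" decision. Assumes the URL API is available
// (Node.js 10+ or any modern browser) and that each saved credential records
// the registrable domain it belongs to, e.g. "lastpass.com".

// Parse a URL string, returning null instead of throwing on garbage input.
function parseUrl(urlString) {
  try {
    return new URL(urlString);
  } catch (e) {
    return null;
  }
}

// True only when host equals the saved domain or is a subdomain of it.
// The leading "." in the suffix test is what keeps "notlastpass.com" and
// "lastpass.com.evil.example" from passing: the match must land on a
// label boundary, not just on matching trailing characters.
function hostMatchesDomain(host, savedDomain) {
  const domain = savedDomain.toLowerCase();
  return host === domain || host.endsWith('.' + domain);
}

// Decide whether to fill, and say why, so a refusal can be shown to the user
// as a cue to look at the address bar (the post's "check the URL if you see
// that happen" advice).
function autofillDecision(pageUrl, savedDomain) {
  const parsed = parseUrl(pageUrl);
  if (parsed === null) {
    return { fill: false, reason: 'unparseable URL' };
  }
  const host = parsed.hostname.toLowerCase();
  if (!hostMatchesDomain(host, savedDomain)) {
    return { fill: false, reason: `host ${host} is not ${savedDomain} or a subdomain of it` };
  }
  if (parsed.protocol !== 'https:') {
    return { fill: false, reason: 'connection is not HTTPS' };
  }
  return { fill: true, reason: 'host matches saved domain over HTTPS' };
}

// Constructed sample URLs: the first two are the legitimate patterns named in
// the post; the rest are imposter patterns that must be refused.
const SAMPLE_URLS = [
  'https://lastpass.com/login',
  'https://subdomain.lastpass.com/',
  'http://lastpass.otherdomain.com/login',
  'https://lastpass.com.evil.example/',
  'https://notlastpass.com/',
  'http://lastpass.com/',
];

// Run every sample against a credential saved for lastpass.com.
function runSamples() {
  return SAMPLE_URLS.map((url) => ({ url, ...autofillDecision(url, 'lastpass.com') }));
}

for (const d of runSamples()) {
  console.log(`${d.fill ? 'FILL  ' : 'REFUSE'} ${d.url}  (${d.reason})`);
}
```

Only the first two samples are filled. Note that the comparison is on the hostname the browser actually parsed, not on the text of the link, which is exactly why hovering to reveal the real URL matters: display text and destination can differ.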

When Phishing Targets Your Password Manager

Phishing attacks are no longer limited to malicious emails, ads, or links on social media. Some phishing attacks could even try to target the extensions you use in your browser, including impersonating a password manager.

For example, it’s possible for a malicious website to impersonate your browser extension by showing notifications that request information such as your username, password, and two-factor authentication code. It may be difficult to tell that the notifications are in fact coming from the malicious website rather than your browser extension.

How LastPass Protects You from Phishing Attacks

  • Warning that the master password was entered on a non-LastPass page: LastPass pops a strong warning, even before you submit your master password to a page, anytime you attempt to enter your LastPass master password on a non-LastPass page. You would know immediately that your master password may have been compromised and can change it.
  • Requiring verification for logins from unknown locations or devices: LastPass has a verification process that is required whenever you attempt to log in from an unknown location or device. So if you unwittingly enter your master password and two-factor data, any attempt by the attacker to use that data would be thwarted by the email verification steps. The attacker would need to gain access to your email account as well, which could also be mitigated by two-factor authentication for your email account. Should you see a verification request you did not initiate, you can safely ignore it and update your master password in the LastPass Vault Account Settings.
  • Preventing logoff: Even though a malicious page could display a fake LastPass notification saying you’ve been logged out and need to log in again, you should check to see if you are still logged into the LastPass extension, and only log in via that extension.

In addition to these safeguards, we’re also encouraging Google and other browsers to help us further protect users by offering secure ways to show notifications outside the browser viewport.

How You Can Help Protect Your LastPass Account

On top of the security measures we have in place, you can also keep your vault safe with the following best practices:

  • Always log in through the LastPass extension. The safest way to log in to LastPass is by clicking the extension icon in your browser toolbar.
  • Don’t ever re-use your master password. Reusing your master password increases the risk of someone stealing your vault. Always use a unique master password for LastPass, and heed our warning if you type your master password anywhere other than to login to LastPass.
  • Be careful where you download LastPass. Only ever download LastPass from LastPass.com or from the addon stores provided by your browser or device. Never use third-party download sites, and even in the addon stores be wary of listings that look like LastPass but actually have a different publisher name, and no ratings.
  • Don’t ever share your master password. The LastPass team will never ask you for your master password. Be wary of anyone claiming to be from LastPass who is asking for your master password. Do not disclose your password, ever.
  • Add two-factor authentication. Good security is all about layers of protection that mitigate risk. Two-factor authentication requires another piece of information before your account can be accessed. While it’s not a silver bullet, it goes a long way towards protecting your account.
  • Protect your email with a strong password & two-factor authentication. Your email account often holds the keys to your kingdom. Protect it like your digital life depends on it, because it just might. LastPass can generate a strong but “pronounceable” password for your email that you can still commit to memory if you prefer. And always turn on two-factor authentication if your email provider offers it.

Staying safe online must be an ongoing commitment on all our parts. Just as LastPass is committed to improving our product as new threats emerge and to working with the security research community to fortify it, we, as users, also need to remain committed to following security best practices.

17 Comments

  • ScottH says:

    To further protect the LP browser extension, consider placing a rotating graphic, number, letter in the corner of the popup window. Also add a LP Windows tray icon (similar to the icon used for LP for Applications) and ask users to check the icon graphic and match the rotating graphic. A spoofed popup graphic would not match and since the Windows tray is outside the browser, it should offer a decent way to protect from fake popups.

  • Kami Evarts says:

    This article claims that LastPass will warn when entering my LastPass password on a non-LastPass site. I tried to test that, and saw no warning, only an offer to save the password. In Firefox I did see a tiny black warning triangle on my LastPass extension, but when I clicked it, I just got a blank gray window.
    So far, it doesn’t look like I can rely on that bit of protection.

  • Joseph says:

    >Check for HTTPS:// and the padlock

    This usually creates a false sense of security for users. Sure, it is indeed verified by a third party, but no one really knows how well that third party is doing. The cert issue is a very big one in Internet security. Perhaps the thing more dangerous than no security is a false sense of one.

  • Chris Simms says:

    All the info provided is good. But I find this blog post to be rather disingenuous. Recently, a security researcher made public the code to launch a serious phishing attack against LastPass, especially when people use the Google Chrome browser. This article, which was obviously written in response to that event, fails to disclose this essential and pertinent information. By not being forthright, it concerns me that LastPass is not acting in a trustworthy manner.