As part of our commitment to the security and privacy of our customers, we want to make sure you are aware of recent reports of fraudulent emails being sent to LastPass customers from email domains that purport to be from LastPass but are not.
Yesterday, we discovered that a third-party bad actor attempted to impersonate a LastPass representative via email using the address noreply@notice-lastpass.[com]. The message tried to lure customers into clicking a link to "update" their billing and other information at the fraudulent URL customer-lastpass.[com]/verify, which our security team has since had taken down.
Please take note this is NOT a LastPass email and NOT a LastPass domain. This email did NOT come from our LastPass team.
So how did your email address get targeted if the message did not come from us? Unfortunately, bad actors routinely harvest email addresses from data breaches at other services where you used that address as a login, and then impersonate brands you are likely to use in an attempt to convince you to interact with them.
We worked quickly to have these malicious pages removed, but we think this is a good opportunity to remind customers of phishing best practices, and above all never to give out personal information, including your master password, to anyone: we will never ask for it, and we do not know what it is.
If you receive an email claiming to be from LastPass that you are unsure about, send it as an attachment (so the original message headers are preserved) to our security team at abuse@lastpass.com, who can verify whether it came from LastPass.
To help ensure your LastPass and other online accounts are secure from bad actors or hackers, we recommend you follow the online best practices below.
Make a habit of double-checking a sender’s email address
Threat actors often craft an email address that looks almost identical to the impersonated sender at a glance. Check that the domain name (the text following the "@" symbol in the address) matches exactly what you would expect from that sender; lookalike domains add words, hyphens or extra labels, such as notice-lastpass.[com] in place of lastpass.[com]. Look past the display name, which mail clients often show in place of the real address: what appears as <janesmith@yourbank.[com]> may actually be <sketchy@dodgycompany.[com]>.
Pro tip: If you receive a suspicious text from a number with only a few digits (a short code), the message was sent by an automated system rather than a person, which is how many bulk scam messages go out. Be just as cautious of links in phishing texts as in emails: they can lead to credential-harvesting pages or to malware for your mobile device.
Carefully review messages from all channels
Although email is the primary vector for scams, threat actors are becoming much more comfortable with other methods too. Phishing links, credential harvesting sites, and other forms of social engineering can come through a suspicious text, an odd message through your social media account, or a weird phone call to either your personal or work phone line.
To stay one step ahead, it is important to use the same caution and skepticism regardless of where the message comes from.
Trust your intuition
Cybercriminals look for ways to latch onto the trust you already have in reputable companies, friends, family, and even coworkers. If you receive a message from someone you know and trust, but it seems out of character or carries an "urgent request", their account may have been compromised and someone else may be using it to send messages.
Verify the message by contacting them directly using another form of communication you trust before taking any action. If you are concerned about the security of a co-worker’s account, you should reach out to your Security or IT teams for help.
Use a password manager to help you identify phishing sites
Using a password manager to generate and store long, unique passwords is a must for a strong security posture. But did you know your password manager can also help flag a phishing website?
Let's say you receive a well-crafted phishing email that appears to come from your bank. It looks legitimate, so you click the link, are taken to what appears to be your bank's website, and are asked to log in with your credentials. If your password manager normally autofills your credentials on your bank's site but does not offer them here, that is a sign it does not recognize the URL: saved logins are matched to the domain they were saved for, and a lookalike domain does not match. Resist the urge to copy the password over by hand; check the address bar first. Paying attention to this detail can be the difference between keeping your credentials and handing them to an attacker on a silver platter.
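The two checks described above, a sender-domain check (from "Make a habit of double-checking a sender's email address") and a password manager's autofill decision (this section), as an added example that is not LastPass code or part of the original notice. It assumes a small allowlist of known brand domains (KNOWN_BRAND_DOMAINS), a simplified registrable-domain helper (real password managers consult the Public Suffix List), and constructed sample headers and URLs; the two fraudulent domains in the samples are the ones named in the notice.

```python
"""Domain checks behind two pieces of phishing advice:
1. Does a sender address really belong to the expected brand's domain?
2. Would a password manager autofill saved credentials on this URL?

Added example; not LastPass code. Allowlist, helper and samples are assumptions.
"""
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumed allowlist: registered domains considered legitimate for each brand.
KNOWN_BRAND_DOMAINS = {
    "lastpass": {"lastpass.com"},
    "yourbank": {"yourbank.com"},
}


def registrable_domain(host: str) -> str:
    """Reduce a hostname to its registrable domain (last two labels).

    Simplification: a real implementation consults the Public Suffix List so
    that e.g. 'login.bank.co.uk' maps to 'bank.co.uk' rather than 'co.uk'.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def check_sender(from_header: str) -> dict:
    """Classify a From: header by comparing the real address domain, not the
    display name, against the allowlist for whatever brand the header names.

    verdict is one of:
      'trusted'       - registrable domain is in the allowlist for that brand
      'impersonation' - the brand appears in the display name or domain, but
                        the registrable domain is not one of its known domains
      'unknown'       - no known brand is referenced; apply normal caution
    """
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    reg = registrable_domain(domain) if domain else ""
    haystack = f"{name} {domain}".lower()
    for brand, allowed in KNOWN_BRAND_DOMAINS.items():
        if brand in haystack:
            verdict = "trusted" if reg in allowed else "impersonation"
            return {"name": name, "address": addr, "domain": reg,
                    "brand": brand, "verdict": verdict}
    return {"name": name, "address": addr, "domain": reg,
            "brand": None, "verdict": "unknown"}


def should_autofill(saved_url: str, current_url: str) -> bool:
    """Mimic a password manager's autofill decision.

    Credentials saved for 'https://login.yourbank.com' are offered on any
    HTTPS page whose registrable domain is yourbank.com and on nothing else.
    A lookalike such as 'yourbank.com.verify-login.example' fails because its
    registrable domain is 'verify-login.example'. Plain HTTP is refused too.
    """
    saved = urlsplit(saved_url)
    current = urlsplit(current_url)
    if current.scheme != "https" or not current.hostname or not saved.hostname:
        return False
    return registrable_domain(saved.hostname) == registrable_domain(current.hostname)


# Constructed sample headers; the first two use the domains from the notice.
SAMPLE_FROM_HEADERS = [
    "LastPass <noreply@notice-lastpass.com>",
    "LastPass Billing <billing@customer-lastpass.com>",
    "LastPass <noreply@lastpass.com>",
    "Jane Smith <janesmith@yourbank.com>",
    '"janesmith@yourbank.com" <sketchy@dodgycompany.com>',
    "Newsletter <news@example.org>",
]

if __name__ == "__main__":
    for header in SAMPLE_FROM_HEADERS:
        print(f"{check_sender(header)['verdict']:<14} {header}")
    saved = "https://login.yourbank.com/signin"
    for url in ["https://www.yourbank.com/account",
                "https://yourbank.com.verify-login.example/signin",
                "https://customer-lastpass.com/verify",
                "http://login.yourbank.com/signin"]:
        print("autofill   " if should_autofill(saved, url) else "no autofill", url)
```

The fifth sample header shows why the display name is never enough: the quoted name reads as a bank address while the actual sender is at a different domain. The autofill loop shows the other side of the same rule: a domain that merely contains "yourbank.com" as a prefix is not yourbank.com, so no credentials are offered.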
Be cautious of blindly accepting multi-factor authentication (MFA) prompts
MFA is a second layer of security that adds a further step to verify your identity. For example, when you log into your online banking account, you are asked for your username and password and then for another form of verification, such as a code sent by text message to the phone number on the account or a code generated by an authenticator app, to confirm that the login attempt is yours and not someone using stolen credentials.
If you receive an MFA prompt for a login you did not start, deny it (never approve a prompt just to make repeated prompts stop) and change that account's password immediately: an unexpected prompt means someone already has your password and is now trying to get past the second factor.
Remember, if a message looks suspicious, it most likely is. Do not engage with it. Report it, follow the tips above, and remain vigilant. Do not get hooked!