AVOIDING PHISHING SCAMS


Phishing is a scam in which a criminal uses fake or partial information to try to trick someone into revealing passwords or other confidential information. To avoid falling prey to such scams, it is critical to understand what phishing is and what you can do to protect yourself.
Below we present a list of 8 important rules to follow to avoid being victimized by phishing schemes. Also presented are four hypothetical but realistic phishing scams that would be avoided by following the 8 rules.

We want to emphasize that using LastPass makes you safer and that following the 8 best practices below will further help protect you.

Top 8 Rules To Protect Yourself From Phishing Scams

  1. NEVER tell your LastPass Master password to ANYONE for ANY REASON.
    We will NEVER ask you for your password by email, by phone, by fax, or for ANY reason whatsoever.

  2. ALWAYS use anti-virus, anti-malware, and firewall software.
    Further, make sure that you run such software on all computers you use and that the virus definition files are up to date.

  3. NEVER click on any links in emails unless you specifically requested that the email be sent to you.

  4. NEVER assume that any email you receive was actually sent by the address listed as the sender.
    It is very easy for attackers to forge the sender details of an email. If you receive an email from 'LastPass.com', there is NO GUARANTEE WHATSOEVER that the email was actually sent by us. It could just as easily have been sent by a criminal.

  5. AVOID using untrusted computers or untrusted computer networks.
    Untrusted computers could have keylogging, screen capture, or traffic sniffing software pre-installed on them without your knowledge.

  6. DO NOT be impressed if someone claiming to be from LastPass has any personal or confidential information about you whatsoever.
    Although you might have entered information such as credit card numbers, social security numbers, and address information into LastPass, we have no way of ever reading or knowing such information. The ONLY piece of identifying information we have of yours is your email address.

  7. USE LASTPASS to automatically fill login credentials for websites you visit.
    Using LastPass helps protect you against fake-website phishing attacks, as LastPass will only automatically fill your credentials for the actual site. As an example, suppose your bank's website is located at www.mybank.com and a criminal's fake website that looks IDENTICAL to your bank's website is at www.mybankcriminal.com. If you are victimized by a phishing scam and are unknowingly directed to www.mybankcriminal.com, then LastPass will NOT automatically fill in your bank website's credentials.

  8. ALWAYS click on the LastPass browser plugin star icon to access your LastPass vault.
    If you are on a PC or browser that does not have the plugin, then visit LastPass by directly typing the address 'lastpass.com' into your browser's address bar. If you arrived at our website through any other means, then you may be visiting a criminal's website that has been made to look exactly like our website.
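The exact-site matching behaviour that rule 7 relies on, shown as an added JavaScript example that is not LastPass code: a saved credential is offered only when the parsed hostname of the current page matches the site it was saved for, so the www.mybankcriminal.com lookalike from rule 7 is never filled. The savedEntry object, the function names and the sample URLs are constructed for this example.

```javascript
// Added example, not LastPass code: the autofill decision rule 7 describes.
// A saved credential is tied to the hostname of the site it was saved for and
// is offered only on a page whose *parsed* hostname is that host or one of its
// subdomains. Comparing parsed hostnames, not the address as displayed, means
// lookalike domains, decoy subdomains and user-info tricks never match.
// Node's global URL is the WHATWG parser: it lowercases the hostname and
// converts Unicode labels to punycode, so homograph domains fail too.

// Constructed sample: the bank login the user saved at www.mybank.com.
const savedEntry = { site: "https://www.mybank.com/login", username: "alice" };

// Lowercase hostname with a leading "www." removed, so www.mybank.com and
// login.mybank.com share the base mybank.com.
function baseHost(hostname) {
  return hostname.toLowerCase().replace(/^www\./, "");
}

// Parsed hostname of an http(s) URL, or null for anything else (javascript:,
// data:, mailto:, or text that is not a URL at all).
function hostOf(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch {
    return null;
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") return null;
  return url.hostname;
}

// True only when the current page is the saved site or one of its subdomains.
function shouldAutofill(entry, currentUrl) {
  const saved = hostOf(entry.site);
  const current = hostOf(currentUrl);
  if (saved === null || current === null) return false;
  const savedBase = baseHost(saved);
  const currentBase = baseHost(current);
  return currentBase === savedBase || currentBase.endsWith("." + savedBase);
}

// Constructed URLs a user might land on after following a phishing email.
const samples = [
  "https://www.mybank.com/account",            // real site: fill
  "https://login.mybank.com/",                 // real subdomain: fill
  "https://www.mybankcriminal.com/login",      // lookalike from rule 7: no
  "https://www.mybank.com.evil.example/",      // decoy subdomain: no
  "https://www.mybank.com@evil.example/login", // user-info trick: no
];
for (const u of samples) console.log(shouldAutofill(savedEntry, u), u);
```

Run it with node; the two real-site URLs print true and the three decoys print false, regardless of how closely their addresses resemble the bank's.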



Hypothetical Phishing Scams

Example Scam #1
You receive an email that appears to be from LastPass.com informing you that your account has been compromised. The email may even contain personal information about you to help convince you of its legitimacy. The email contains a link to a website and informs you that you must click on the link and immediately reset your password.

To protect yourself:

  • Never assume any email you get from LastPass.com was actually sent by LastPass.com
  • Never click on any links in emails unless you specifically requested that the email be sent to you

Example Scam #2
You receive a phone call from an employee at LastPass.com. The employee informs you that there has been a server failure at the company and that your data might be lost. The employee tells you their employee ID number and provides personal details about you to try to convince you that they are who they say they are. They provide you with information such as: your address, your social insurance number, your date of birth, your maiden name, and even your credit card number. The employee then tells you that the only way to save your data is for you to give them your LastPass master password so they can safely copy and back up your data.

To protect yourself:

  • Never believe anyone who contacts you by phone: we do not know your phone number
  • Never believe anyone who has confidential information about you: we only know your email address
  • Never reveal your LastPass master password to anyone: we will NEVER ask you for it

Example Scam #3
You receive an email from Jack Haythorn at LastPass.com informing you that your account has been compromised. Jack leaves you his phone number and extension and asks you to contact him. You call the phone number and are greeted by a receptionist saying 'LastPass.com, how may I help you?'. You ask to be forwarded to Jack's extension and are soon speaking with him. Jack tells you your full address and then asks you to verify your identity by providing him with the last 4 digits of your credit card number. Jack then explains to you that your account has been compromised and that it has been temporarily suspended to safeguard it against future theft. To unlock your account, he requires that you tell him what your LastPass master password is.

To protect yourself:

  • Never assume any email you get from LastPass.com was actually sent by LastPass.com
  • Never believe anyone who has confidential information about you: we only know your email address
  • Never reveal your LastPass master password to anyone: we will NEVER ask you for it

Example Scam #4
You arrive at an Internet Cafe and find that the homepage for LastPass.com is already loaded in the browser.

To protect yourself:

  • Avoid using untrusted computers or untrusted computer networks
  • Use the LastPass on-screen keyboard to log into your account
  • Use LastPass One Time Passwords, or a multifactor authentication solution such as a YubiKey, LastPass Sesame, or Google Authenticator when in untrusted environments