Avoiding Phishing Scams


Phishing is a scam where criminals use misleading information to trick you into revealing passwords or other confidential information. Here are eight important rules to help avoid being victimized. We also outline a few realistic phishing scams.

To protect yourself, use LastPass and follow these best practices!


Top 8 rules to protect yourself from phishing scams

  1. Never tell your LastPass master password to anyone for any reason.
    No one at LastPass will ever ask you for your master password. Not by email, phone or fax. No way. Never.

  2. Always use anti-virus, anti-malware, and firewall software.
    Protect yourself on all of your devices. Make sure virus definition files are up to date.

  3. Never click links in emails unless you asked for them.

  4. Be suspicious of incoming emails. Make sure the sender is really who they claim to be.
    Bad guys can easily forge email signatures. An email from 'LastPass.com' may not really be from us. It's best to stay suspicious!

  5. Avoid using untrusted computers or networks.
    Bad guys have lots of tricks, and any computer or network you aren't familiar with could be their playground. They install stuff like keylogging, screen capture, and traffic sniffing software. So beware!

  6. Don't trust anyone claiming to be from LastPass who has personal or confidential information about you.
    When you signed up for LastPass, you may have entered personal information, but we have no way of ever reading or knowing such information. The only thing we know about you is your email address.

  7. Use LastPass to fill login credentials for sites you visit.
    LastPass protects you against fake-website phishing attacks by filling your credentials only on the actual site they were saved for. For example, suppose your bank's website is www.mybank.com. Along comes a scammer who sets up a fake site that's identical on the surface, but with a slightly different address: www.mybank1.com. Let's say you visit the bad guy's site at www.mybank1.com and don't notice it's a fake. You're safe, because LastPass recognizes the difference for you and doesn't fill in your username and password.

  8. Always click on the LastPass browser extension icon to access your LastPass vault.
    If you don't have the extension, always type the address 'lastpass.com' into your browser's address bar. Otherwise you risk visiting a site designed by bad guys to look exactly like our real site.
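As an added illustration of rule 7 (example code written for this page, not LastPass's own matching logic, which is simplified here to an exact-origin comparison; the vault entry and the lookalike addresses are constructed), this shows why a password saved for www.mybank.com is never handed to www.mybank1.com:

```javascript
// Added example (not LastPass code): fill a saved credential only when the
// page's origin exactly matches the saved one, so a lookalike such as
// www.mybank1.com never receives the password saved for www.mybank.com.

// Constructed sample vault entry (hypothetical account, not real data).
const savedCredential = {
  site: "https://www.mybank.com/login",
  username: "alice",
  password: "correct horse battery staple",
};

// Reduce a URL to the scheme/host/port triple that identifies its origin;
// returns null for anything that is not an absolute http(s) URL.
function originOf(urlString) {
  let u;
  try {
    u = new URL(urlString);
  } catch {
    return null;
  }
  if (u.protocol !== "https:" && u.protocol !== "http:") return null;
  return { scheme: u.protocol, host: u.hostname, port: u.port };
}

// Return {username, password} only when the current page's origin matches
// the saved origin; otherwise return null, meaning "do not fill".
function credentialToFill(credential, currentPageUrl) {
  const saved = originOf(credential.site);
  const current = originOf(currentPageUrl);
  if (!saved || !current) return null;
  // Refuse a downgrade to plain http even on the right host: on an untrusted
  // network (rule 5) a password submitted over http can be sniffed.
  if (saved.scheme === "https:" && current.scheme !== "https:") return null;
  const sameOrigin =
    saved.scheme === current.scheme &&
    saved.host === current.host &&
    saved.port === current.port;
  if (!sameOrigin) return null;
  return { username: credential.username, password: credential.password };
}

// Constructed lookalike addresses; credentialToFill refuses every one.
const lookalikes = [
  "https://www.mybank1.com/login", // one extra character
  "https://www.mybank.com.login-help.example/", // real name used as a subdomain
  "http://www.mybank.com/login", // right host, downgraded to http
];
```

The same exact-origin check is what makes rule 8 work: a copy of the real login page on a different address is simply not the saved site, whatever it looks like.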



Phishing scam scenarios

Example Scam #1
You receive an email that appears to be from LastPass.com informing you that your account has been compromised. The email looks real and even includes accurate personal information about you. It asks you to click a link to reset your master password.

Here's how to protect yourself:

  • Never assume an email you get from LastPass.com was actually sent by LastPass.com.
  • Never click links in emails unless you asked for them.

Example Scam #2
You get a call from someone claiming to be from LastPass.com. They tell you a server has failed and your data might have been lost. They give you their own employee ID number. They know some personal information about you: your address, your social insurance number, your date of birth, your maiden name, and even your credit card number. They ask you for your LastPass master password so they can safely copy and backup your data. Without your master password, they say, your data will be lost forever.

Here's how to protect yourself:

  • Never believe anyone who contacts you by phone.
  • Be suspicious of anyone who has confidential information about you.
  • Never reveal your LastPass master password to anyone.

Example Scam #3
You receive an email from Jack Haythorn at LastPass.com. He says your account has been compromised. Jack leaves you his number and extension and asks you to reach out. You call the phone number and are greeted by a receptionist saying 'LastPass.com, how may I help you?' You are soon speaking with Jack, who tells you your full address and asks you to verify your identity by providing him the last 4 digits of your credit card number. Jack explains that your account has been compromised and temporarily suspended for your protection. He says he needs your LastPass master password so he can unlock your account.

Here's how to protect yourself:

  • Never assume an email you get from LastPass.com was actually sent by LastPass.com.
  • Be suspicious of anyone who has confidential information about you.
  • Never reveal your LastPass master password to anyone.

Example Scam #4
You arrive at an Internet Cafe and find that the homepage for LastPass.com is already loaded in the browser.

Here's how to protect yourself:

  • Avoid using untrusted computers or networks.
  • Use the LastPass screen keyboard to log in to your account.
  • For protection in locations you don't trust, use multifactor authentication or LastPass One-Time Passwords.