How do I protect myself from phishing scams?
Phishing is a scam where a criminal uses fake or partial information to try and trick someone into revealing passwords or other confidential information. To avoid falling prey to such scams, it is critical to understand what phishing is and what you can do to protect yourself.
Phishing has long been a popular tactic for trying to steal valuable information from users. The most successful phishing emails are typically disguised to look like they come from a known or reputable source. These emails usually contain attachments or download links to malicious software.
While we emphasize that using LastPass makes your stored data safer, there are still best practices to follow in order to further help protect the safety of your confidential information.
NEVER share your LastPass master password with anyone
LastPass representatives will never ask you to provide your master password by email, phone, fax, or any other channel for any reason.
Always use anti-virus, anti-malware, and firewall software
Additionally, make sure that you run these types of security software as often as possible on all computers that you use, and ensure that your virus definition file lists are up to date.
Never click on any links within emails that you did not specifically request be sent to you
If you receive an email with a link requesting that you reset your password or log in to a website (which you did not specifically request), do not click on any links within the email.
Never assume that any email you receive was actually sent by the listed sender
Watch out for generic-looking requests for information. Fraudulent emails are often not personalized.
However, it is very easy for attackers to forge email signatures. Even if you receive an email from LastPass, there is no guarantee whatsoever that the email was actually sent by LastPass – it could just as easily have been sent by a criminal posing as LastPass.
As a security measurement, LastPass identifies the IP address of the sender that made the request at the bottom of every security email notification sent from firstname.lastname@example.org.
You can also look up the IP address reputation of the sender through the Return Path's Sender Score at the http://www.senderscore.org website. The lower the score, the more likely the email is a phishing attempt.
Look for telltale signs in emails that seem suspicious
There are common traits and tactics used by spammers in fraudulent email scams, such as:
- The whole message body is an image so as to track the user and evade spam filters.
- Bad spelling and/or grammar within the email message. Some of these messages have been poorly translated from other languages, or use letters from the alphabet to substitute certain symbols (which is a common tactic meant to evade spam filters).
- Hover your mouse over a link within the email (without actually clicking on the link) to reveal whether the real website address matches the URL that was typed in the message. If the link reveals the real web address that the user will be routed to, then the URL string in the text will look nothing like the web address to which the user will be directed.
- Phishers like to use scare tactics, and may threaten to disable an account or delay services until you update certain information. Most phishing campaigns include a call to action. If the content places any kind of urgency as far as “you must click into your account now”, it is potentially a scam.
Avoid using untrusted computers or untrusted computer networks
Untrusted computers may have keylogging, screen capture, or traffic analyzing software pre-installed without your knowledge.
Do not be impressed if someone claiming to be LastPass has any personal or confidential information about you
The only information LastPass has to identify you is your username (account email address).
LastPass follows a zero-knowledge security model in password management – this means that even though you store confidential information in your LastPass vault (e.g., payment cards, bank accounts, social security numbers, address information, etc.), LastPass will never have any way of viewing your stored data.
Always use LastPass to automatically fill login credentials for websites you visit
Using LastPass helps protects you against fake-website phishing attacks, as LastPass will only automatically fill your credentials for the actual site. For example, suppose your bank's website is located at www.mybank.com and a criminal's fake website that looks identical to your bank's website is at www.mybankcriminal.com. If you are victimized by a phishing scam and are unknowingly directed to www.mybankcriminal.com, then LastPass will NOT automatically fill in your bank website's credentials.
Always log in directly via the LastPass browser extension or directly into the LastPass website at https://www.lastpass.com
If you are using a web browser or computer that does not have the LastPass web browser extension installed, you can log in to an online version of your LastPass vault by navigating directly to the LastPass website at https://www.lastpass.com and clicking Log In. If you have arrived at the LastPass website through any other means, then it's possible that you may be visiting a criminal's website that has been designed to look exactly like the LastPass website.