This popular password manager has issued a warning — don’t get scammed

Summary

  • Phishing emails are urging LastPass users to export their password vaults ahead of supposed scheduled maintenance.
  • LastPass claims it is not asking users to back up their vaults, and that it will never ask you for your master password.
  • You can send suspicious emails to abuse@lastpass.com for verification.

Popular password manager LastPass has issued a warning about a new phishing campaign that began on January 19. These emails ask you to follow a link to make a backup of your password vault. The company has made it clear that it is not sending these emails and will never ask for your master password.

The scam

Nothing new here

The scam is pretty straightforward. LastPass users are receiving emails that claim scheduled maintenance is coming. The emails then recommend making a backup of your password vault “in the unlikely event of any unforeseen technical difficulties or data discrepancies.” Finally, users are told to make those backups within the next 24 hours, adding a sense of urgency. It all sounds perfectly reasonable, and the email even comes with a list of instructions.

Naturally, these instructions involve following a link, where you can choose to export your vault. Upon clicking the link, you’ll be asked to input your credentials, and bam — your vault is compromised.

How to spot phishing emails

Don’t get fooled

The example email shared by LastPass looks pretty legit (which may be why so many people fall for phishing scams). However, there’s always one way to catch phishing attempts — check the email address. While the subject and sender might check out at first glance, hovering over the sender will reveal their actual email address, and from that point, it’s usually pretty obvious what’s going on.

The subject lines for the emails look good, with examples like “Your Data, Your Protection: Create a Backup Before Maintenance” or “Don’t Miss Out: Backup Your Vault Before Maintenance.” However, checking the sender reveals these email addresses:

  • support@sr22vegas[.]com
  • support@lastpass[.]server8
  • support@lastpass[.]server7
  • support@lastpass[.]server3

Needless to say, any official LastPass email is going to come from the lastpass.com domain. You can also catch phishing attempts by checking the destination of links before clicking them. LastPass shared some known malicious domains associated with the scam:

  • “group-content-gen2.s3.eu-west-3.amazonaws[.]com/5yaVgx51ZzGf”
  • “mail-lastpass[.]com”

Links in the example email take users to the first address above, which then redirects to the second. Needless to say, if you hover over a link or button and see a destination URL that seems even remotely suspicious, don’t click it. That said, scammers are getting better, and checking the URL may not be enough anymore.
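The two checks described above (sender domain and link destination) can be automated for mail triage. The script below is an added example, not LastPass's own tooling; it assumes that only lastpass.com and its subdomains are legitimate, and it uses the indicators quoted in this article as constructed sample input, written in the defanged `[.]` form.

```python
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: only lastpass.com and its real subdomains are trusted.
TRUSTED_DOMAINS = ("lastpass.com",)

def refang(value: str) -> str:
    """Turn defanged indicators like 'lastpass[.]com' back into 'lastpass.com'."""
    return value.replace("[.]", ".")

def is_trusted_host(host: str) -> bool:
    """Exact match or a real subdomain of a trusted domain. Substring look-alikes
    such as 'mail-lastpass.com' or 'lastpass.server8' must NOT pass."""
    host = refang(host).lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)

def sender_domain(from_header: str) -> str:
    """Domain of the actual sender address, ignoring the display name."""
    _, addr = parseaddr(refang(from_header))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def link_host(url: str) -> str:
    """Hostname of a link; bare hosts without a scheme are handled too."""
    url = refang(url)
    if "://" not in url:
        url = "https://" + url
    return (urlparse(url).hostname or "").lower()

def triage_email(from_header: str, links: list[str]) -> list[str]:
    """Return a list of findings; an empty list means nothing looked off."""
    findings = []
    dom = sender_domain(from_header)
    if not is_trusted_host(dom):
        findings.append(f"sender domain not trusted: {dom or '<none>'}")
    for url in links:
        host = link_host(url)
        if not is_trusted_host(host):
            findings.append(f"link host not trusted: {host}")
    return findings

# Constructed sample mirroring the sender and link indicators quoted above.
SAMPLE_FROM = '"LastPass Support" <support@lastpass[.]server8>'
SAMPLE_LINKS = [
    "https://group-content-gen2.s3.eu-west-3.amazonaws[.]com/5yaVgx51ZzGf",
    "https://mail-lastpass[.]com/export",
]

if __name__ == "__main__":
    for finding in triage_email(SAMPLE_FROM, SAMPLE_LINKS):
        print("WARNING:", finding)
```

The suffix match in `is_trusted_host` is the important detail: a plain "contains lastpass" check would wave through every sender address in the list above.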

LastPass claims that it’s working to take down the offending domains. The company also says that if you’re ever unsure about an email you receive, you can submit it to abuse@lastpass.com for verification or to report it.
