Attackers are impersonating LastPass support in convincingly staged email threads to trick users into surrendering their vault credentials, a fresh phishing wave that plays on urgency and trust to pry open password manager accounts.
The messages appear as ongoing support conversations, complete with faux ticket numbers and signatures, and urge recipients to take actions like “disconnect devices” or “lock your vault.” Instead of requesting a password in the email itself, the scammers route victims to a counterfeit login page that harvests credentials and, in many cases, two-factor codes.
How the Phish Tricks You with Fake LastPass Support Emails
The campaign hinges on display-name spoofing and forwarded conversation threads. On many email clients—especially on phones—the sender’s display name is prominent while the actual address is buried behind a tap. Criminals exploit this by adopting a believable name like “LastPass Support,” then stitching in a back-and-forth email chain to simulate an active ticket.
Calls to action are designed to look protective: “lock your account,” “verify ownership,” or “unlink a suspicious device.” The embedded button directs to a pixel-perfect replica of a LastPass sign-in page hosted on a lookalike or newly registered domain. Once a user enters a master password and, if prompted, a one-time code, the attackers can replay those details against the real service to seize the vault.
Security teams tracking similar lures note that the infrastructure changes frequently. Domains churn, web hosts shift, and pages are short-lived to stay ahead of takedowns. Some kits even validate credentials in real time, passing victims to the legitimate site afterward to reduce suspicion.
Why Password Manager Accounts Are Prime Targets
Vaults are a jackpot: one successful phish can unlock access to banking, email, cloud storage, and corporate apps. That leverage makes password manager users disproportionately attractive to scammers, who have refined social-engineering playbooks to focus on support impersonation rather than blunt credential harvesting.
Industry data underscores the risk. The Verizon Data Breach Investigations Report has repeatedly found that the majority of breaches involve a human element, with the latest edition attributing 68% to actions like phishing and misuse. The FBI’s Internet Crime Complaint Center continues to rank phishing among the most reported cybercrimes, with losses growing year over year. When attackers combine trusted branding, urgency, and convincing web clones, the hit rate rises.
Red Flags to Spot and Immediate Steps to Take Safely
Expand the sender details before you do anything. If the visible name says “Support” but the underlying domain is unfamiliar or slightly misspelled, treat the message as hostile. Be wary of reply chains you didn’t initiate and ticket numbers you don’t recognize; conversation hijacking is now a standard phish tactic.
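As an added example (not code from the article or from LastPass), here is a small Python check that applies the red flags described above and in the section on display-name spoofing: it splits a From: header into display name and address, then flags a message whose name claims to be LastPass support while its address domain is not the real one, or whose domain is a lookalike. The legitimate-domain set, the brand word list and the homoglyph table are assumptions made for this example; the sample headers are constructed.

```python
from email.utils import parseaddr

# Assumption for this example: the only domain the brand really sends from.
LEGIT_DOMAINS = {"lastpass.com"}
BRAND_WORDS = ("lastpass",)

# Homoglyph normalisation so "1astpass" or "lastpa55" compare against the brand word.
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "@": "a", "$": "s"})


def _edit_distance(a: str, b: str) -> int:
    # Plain Levenshtein distance; inputs are short, so the O(n*m) table is fine.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(addr: str) -> str:
    # Naive: keep the last two labels. Adequate for .com; production code should
    # consult the public-suffix list so that e.g. example.co.uk is handled.
    host = addr.rsplit("@", 1)[-1].lower().strip()
    return ".".join(host.split(".")[-2:])


def assess_from_header(from_header: str) -> list[str]:
    """Return the red flags found in a From: header; an empty list means none."""
    name, addr = parseaddr(from_header)
    if not addr or "@" not in addr:
        return ["unparseable sender address"]
    domain = registrable_domain(addr)
    if domain in LEGIT_DOMAINS:
        return []  # genuine sending domain, whatever the display name says
    flags = []
    if any(w in name.lower() for w in BRAND_WORDS):
        flags.append(f"display name claims brand but address domain is {domain}")
    # Compare the second-level label against the brand word after homoglyph folding.
    base = domain.split(".")[0].translate(_HOMOGLYPHS)
    for w in BRAND_WORDS:
        if w in base or _edit_distance(base, w) <= 2:
            flags.append(f"lookalike domain: {domain}")
            break
    return flags
```

Running the check over a mail folder is a useful first-pass triage, but a clean result only means the From: header looked normal; the link target inside the message still needs to be checked separately.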
Never follow email links to sign in to your vault. Instead, open the official app or type the known address directly into your browser. A padlock icon is not proof of legitimacy—TLS certificates are trivial for scammers to obtain. If you receive a “lock” or “disconnect” prompt, verify account activity from within the app rather than the email.
Enable phishing-resistant multifactor authentication, ideally with a hardware security key using FIDO2. Turn on login alerts and review device access regularly. If you suspect you entered credentials on a fake page, immediately change your master password from a trusted device, revoke sessions, rotate high-value site passwords saved in the vault, and review recovery options.
LastPass advises users to report suspicious emails to phishing@lastpass.com. Submitting samples helps defenders tear down malicious domains faster and improve detections across mail providers.
What LastPass and Defenders Are Doing to Fight Impersonation
According to the company, this wave is a social-engineering campaign, not a compromise of its systems. LastPass says it is working with takedown partners to remove spoofed sites and is tracking a growing list of malicious sender domains associated with the impersonation effort. The company reiterates that support will not ask for a master password via email.
Mail security vendors and incident responders are also flagging the pattern—display-name spoofing, reply-thread fabrication, and lookalike domains—as part of a broader surge in brand impersonation campaigns. The Anti-Phishing Working Group continues to log high volumes of phishing sites each quarter, a reminder that rapid disruption and user education must go hand in hand.
The Bigger Trend: Precision Phishing Targets Identity
Attackers increasingly avoid malware and go straight for identity. They adopt the language and cadence of real support teams, ride the urgency of account protection, and funnel users to well-crafted forgeries. As more logins move behind password managers and passkeys, expect more precision social engineering aimed at the help desk persona.
The defense remains deceptively simple: slow down, verify the sender, and control the path you use to sign in. For a vault that protects the rest of your digital life, those extra seconds are the most valuable security investment you can make.