What the fake LastPass support email scam is trying to do

A new phishing campaign targeting LastPass is built around a simple goal: get you to hand over the details that protect your vault. The scam uses fake support email threads designed to look legitimate enough that, in a rushed moment, you might treat them like a real LastPass support interaction.

The key danger here is what the emails are ultimately after: your vault password and related account details. And once an attacker has the right “keys,” the whole point of using a password manager—keeping everything locked behind one strong barrier—gets turned against you.

How the phishing emails are designed to look believable

Fake email chains that simulate a real support thread

This campaign uses a tactic where attackers forward fake email chains so it feels like you’re stepping into an existing conversation—often framed as if someone else is trying to take over your account. That “ongoing thread” vibe lowers your guard. It’s not a random cold email anymore; it looks like an active incident.

Display-name spoofing that hides the real sender

Attackers also rely on display-name spoofing, impersonating LastPass support staff in a way that can trick you at a glance.

LastPass points out the uncomfortable truth that makes this tactic work so well: many email clients—especially on mobile—show only the display name, not the real sending address, unless you expand it. In other words, the attacker is counting on your inbox UI to do some of the deception for them.

The “urgent action” hook: disconnecting or locking your vault

A hallmark of this campaign is the push for fast, emotional decision-making. The emails suggest urgent action is needed to protect the account. The kinds of actions these messages ask you to take include:

  • Disconnecting your vault
  • Locking your vault

These actions are presented as protective steps, but they’re really just a pretext to move you toward the attacker’s endgame: getting you onto a page where you’ll be asked to log in.

Why the email doesn’t ask for your password directly (and why that matters)

Here’s a subtle detail that makes this scam more effective: the email itself typically doesn’t prompt you to enter a password.

Instead, it links to a fake website and tells you to log in there to complete the requested action. That’s important because it mimics what users are trained to see as “normal” behavior—click a link, sign in, confirm something.

But in this case, those links lead to a phishing site built specifically to harvest vault details, which can then be used to access the real password manager.
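The three lure traits described above (a display name that claims LastPass while the real address points elsewhere, an "urgent action" pretext such as locking or disconnecting the vault, and a login link to a site that is not the vendor's) can be scored mechanically at the mail gateway. The triage below is an added example, not LastPass's tooling or anything from its warning; it assumes `lastpass.com` as the only trusted domain (take real sender domains from the vendor's own guidance) and runs on a constructed sample message.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed trusted domain for this example; use the vendor's published list in practice.
TRUSTED_DOMAINS = ("lastpass.com",)
# Lure phrases drawn from the actions the article says these emails request.
URGENCY_PHRASES = ("disconnect your vault", "lock your vault", "urgent action")

def is_trusted_host(host: str) -> bool:
    """True when host is a trusted domain or one of its subdomains."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)

def sender_display_mismatch(from_header: str) -> bool:
    """Display name claims LastPass, but the real sending address is elsewhere."""
    name, addr = parseaddr(from_header)
    claims_vendor = "lastpass" in name.lower()
    return claims_vendor and not is_trusted_host(addr.rpartition("@")[2])

def untrusted_links(body: str) -> list:
    """Every URL in the body whose host is not a trusted domain."""
    urls = re.findall(r"https?://[^\s\"'<>]+", body)
    return [u for u in urls if not is_trusted_host(urlparse(u).hostname or "")]

def triage(raw_message: str) -> dict:
    """Score one RFC 822 message against the lure patterns described in the article."""
    msg = message_from_string(raw_message, policy=policy.default)
    body = "" if msg.is_multipart() else msg.get_content()
    subject = (msg["Subject"] or "").lower()
    signals = {
        "display_name_mismatch": sender_display_mismatch(msg["From"] or ""),
        "forwarded_thread": subject.startswith(("fwd:", "fw:")),
        "urgency_phrases": [p for p in URGENCY_PHRASES if p in body.lower()],
        "untrusted_links": untrusted_links(body),
    }
    # Two or more independent signals is enough to route the mail for human review.
    signals["suspicious"] = sum(bool(v) for v in signals.values()) >= 2
    return signals

# Constructed sample in the shape the article describes (not a real message).
SAMPLE_PHISH = """\
From: "LastPass Support" <support@helpdesk-relay.example.invalid>
Subject: Fwd: Someone is trying to take over your account
Content-Type: text/plain; charset="utf-8"

Urgent action is required. Please lock your vault now by signing in at
https://lastpass-verify.example.invalid/login to stop the takeover.
"""
```

On a mobile client that shows only "LastPass Support", the first signal is exactly the mismatch the user cannot see without expanding the header.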

How stolen vault details can be used against you

The scam isn’t just about collecting random credentials. The site is designed to capture vault-related information that can be used to attempt access to your real LastPass account.

That’s what raises the stakes: a password manager vault is high-value because it’s a central repository of credentials. If attackers can gather what they need to authenticate to the real service, the potential impact isn’t limited to one login—it can ripple outward into many accounts tied to that vault.

What LastPass says to do: never share password manager credentials

The clearest operational takeaway from LastPass’s warning is blunt for a reason: never share your password manager credentials with anyone—and that includes people claiming to be support staff.

If a message is trying to steer you into revealing vault access details, treat it like a red flag, not a routine support workflow.

Where these phishing emails come from

Another practical indicator: the emails can originate from various addresses and domain names. The campaign isn’t tied to a single obvious sender pattern, which helps it evade quick “block one domain and you’re safe” thinking.

LastPass has detailed the addresses and domain names it has found so far, specifically to help users identify suspicious messages when they encounter them.

Why this campaign matters: it follows a previous LastPass phishing wave

LastPass noted it observed this malicious social engineering campaign in early March, and it follows a significant—but different—phishing campaign that targeted LastPass earlier in the year.

That context matters because it signals persistence: attackers iterate. When one lure stops working, they try another—often with more polish, more “support-like” framing, and more UI-aware tricks like display-name spoofing.