LastPass: Fraudsters use inheritance feature for perfidious phishing attack

Cybercriminals are tricking LastPass users with fake inheritance claims to steal master passwords. The company warns of the sophisticated social engineering campaign and issues security advice.
Cybercriminals have developed a frighteningly sophisticated scam: They are tricking LastPass users with fake "inheritance requests" and stealing master passwords in the process. The attackers send emails with shocking subject lines such as "Probate Application Opened (URGENT IF YOU ARE NOT DECEASED)," cleverly exploiting the password manager's inheritance feature.
These perfidious messages have been circulating since mid-October, claiming that a family member has requested access to the recipient's account because the recipient is supposedly deceased. LastPass is officially warning of the ongoing threat and urging its users to exercise extreme caution.
The scam goes far beyond conventional password reset fraud: It deliberately plays on fears surrounding digital inheritance to persuade victims to reveal their entire password collection.
How the “inheritance” fraud works

The attack begins with an email designed to shock the recipient into taking immediate action. According to reports and LastPass alerts, the subject line often reads: "Probate Application Opened (URGENT IF YOU ARE NOT DECEASED)."
The message text then falsely claims: “A death certificate has been uploaded by a family member to regain access to the LastPass account.”
To increase credibility, the scammers fabricate details such as a live case number, an agent ID, the date the case was allegedly opened, and a priority status. The message includes a link that allows the user to "cancel the application."
But this link leads to fraudulent websites like "lastpassrecovery[.]com" – deceptively realistic replicas of the official LastPass login page. Anyone who enters their master password there effectively gives the attackers the keys to their entire digital vault.
Criminals rely on telephone calls

Security researchers suspect the notorious cybercrime group CryptoChameleon, which has previously targeted employees of government agencies like the FCC, is behind the campaign. The perpetrators are particularly aggressive in calling their victims directly.
Posing as fake LastPass support agents, they pressure victims into entering their credentials on the fake website. This combination of targeted emails and manipulative phone calls significantly increases the attack's success rate.
LastPass responds with clear warnings

The company has issued public warnings, emphasizing that LastPass will never request your master password via email or phone. "The email claims a live case has been opened and lists fabricated information... all of which is false," LastPass warns its users.
The most important protective measures:
– Never click on links in suspicious emails claiming to be from LastPass
– Enter your master password only on the official LastPass.com domain
– Enable two-factor authentication for additional protection
– Report suspicious emails immediately to [email protected]
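As an added illustration (not from the original article and not LastPass code), the following Python script shows the check behind the second piece of advice, "enter your master password only on the official LastPass.com domain," applied to the links in a suspicious email. The point it makes is that a naive substring test such as `"lastpass.com" in url` accepts lookalikes like `lastpassrecovery.com` or `lastpass.com.evil.example`, whereas a proper host comparison does not. The email body is constructed to mimic the lure described above; `lastpassrecovery.com` is the domain named in this article, and the other hosts and the fabricated case details are made up for the example.

```python
"""Triage links in a suspected LastPass 'inheritance' phishing email.

Added example; not code from LastPass or from the article. The sample
email below is constructed to imitate the lure described in the article.
"""
import re
from urllib.parse import urlsplit

# The only domain on which a LastPass master password should ever be typed.
TRUSTED_DOMAINS = ("lastpass.com",)

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def host_matches(hostname: str, trusted: str) -> bool:
    """True only if hostname is exactly `trusted` or a subdomain of it.

    A substring test ("lastpass.com" in url) would accept
    lastpass.com.evil.example and lastpassrecovery.com; this does not.
    """
    hostname = hostname.lower().rstrip(".")
    return hostname == trusted or hostname.endswith("." + trusted)


def classify_link(url: str) -> tuple:
    """Return (verdict, reason) for a single link found in an email."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.scheme.lower() != "https":
        return "suspicious", f"non-HTTPS scheme {parts.scheme!r}"
    if parts.username is not None or parts.password is not None:
        # https://lastpass.com@evil.example/ really goes to evil.example;
        # urlsplit already reports evil.example as the host, but flag it anyway.
        return "suspicious", "credentials embedded before the real host"
    if not host.isascii() or "xn--" in host:
        # Internationalised domain names are a classic lookalike trick.
        return "suspicious", "non-ASCII or punycode label in host"
    if any(host_matches(host, t) for t in TRUSTED_DOMAINS):
        return "trusted", f"host {host} is on the official domain"
    return "suspicious", f"host {host!r} is not lastpass.com"


def defang(url: str) -> str:
    """Rewrite a malicious URL so it is safe to paste into a report."""
    parts = urlsplit(url)
    safe_host = parts.netloc.replace(".", "[.]")
    original = parts.scheme + "://" + parts.netloc
    replacement = "hxxp" + parts.scheme[4:] + "://" + safe_host
    return url.replace(original, replacement, 1)


def triage_email(body: str) -> list:
    """Return [(url, verdict, reason), ...] for every link in the email body."""
    return [(url, *classify_link(url)) for url in URL_RE.findall(body)]


# Constructed sample lure. lastpassrecovery.com is the lookalike domain named
# in the article; the other host and the case details are invented here.
SAMPLE_EMAIL = """\
Subject: Probate Application Opened (URGENT IF YOU ARE NOT DECEASED)

A death certificate has been uploaded by a family member to regain
access to the LastPass account. Case number: <constructed>
If you are not deceased, cancel the application here:
https://lastpassrecovery.com/cancel
Or confirm your identity by signing in:
https://lastpass.com.account-verify.example/login
Genuine support page: https://www.lastpass.com/
"""

if __name__ == "__main__":
    for url, verdict, reason in triage_email(SAMPLE_EMAIL):
        shown = url if verdict == "trusted" else defang(url)
        print(f"{verdict:10} {shown}  ({reason})")
```

Run as a script it prints one line per link, defanging the suspicious ones so the output can be forwarded in an abuse report without creating a clickable link. The same `host_matches` logic is what a browser's password-manager autofill does before offering saved credentials, which is one more reason to let the password manager fill the master-password page rather than typing it into whatever page a link opened.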
Worrying trend

The inheritance scam is the latest in a series of phishing attacks targeting password manager users. Recently, LastPass customers received fake data breach warnings urging them to download a supposedly "more secure" desktop application which was, in reality, malware designed to give the attackers remote access to victims' computers.
The exploitation of features like digital inheritance demonstrates that attackers are continually evolving their methods. Account recovery and inheritance systems are often less well-known and less frequently used, which makes them ideal targets for social engineering: the victim has no routine experience of what a genuine request looks like.
These features can be the weakest point in otherwise secure systems because they are designed to bypass the normal login procedure under certain circumstances, so an attacker who can trigger them, or convincingly pretend to, does not need to break the master password at all.
Highest vigilance required

The increasing sophistication of phishing attacks targeting password vaults underscores the importance of user awareness. While attackers refine their social engineering tactics, relying on brand impersonation and psychological manipulation, healthy skepticism toward unsolicited messages remains the first line of defense.
For password manager providers, the incident makes it clear that they must protect not only their core technology but also the processes surrounding account access, recovery, and inheritance. LastPass users should treat any unsolicited email about inheritance access as suspect and verify it only by logging in through the official site, never through a link in the message.
ad-hoc-news