(Credit: Zain bin Awais/PCMag Composite; jkbowers/fotograzia/via Getty Images)
Check your inbox: If you're a current or former LastPass customer affected by a massive breach in 2022, you may have received an email notifying you about the company's $8,200,000 class action lawsuit settlement. Not so fast. You may also have received emails from scammers jumping on news about a high-profile data breach lawsuit settlement and sending out links to phishing sites. After all, scammers are always looking for an easy payday, and they can use AI to whip up fake settlement claim emails and websites designed to steal private data like your email address, Social Security number, or banking information. I should know: I made two in less than five minutes using Google's Gemini.
Spotting fakes isn’t always easy, but there are ways to get your money without losing everything else in the process. I'll show you how.
Is The LastPass Settlement Site Legit?
Websites for settlement claims tend to look a bit...sketchy, don’t they? The sites usually have a plain background, a nondescript header, a very suspicious-looking URL, and request fairly benign information up front, such as the settlement claim number you received on a postcard or in your inbox, before requesting much juicier data, like your phone number or Social Security number.
The current LastPass settlement claim website is no different, with its blue-and-white color scheme, varied font formatting, and simple online claim form.
(Credit: Epiq Legal Noticing/PCMag)
Before you click the link in the email, check whether it's a real website or a phishing scam by researching like a journalist. My colleague Michael Kan checked who owns the lastpasssettlement.com domain using the Internet Corporation for Assigned Names and Numbers (ICANN) domain lookup tool.
(Credit: ICANN/PCMag)
According to the email, Epiq Legal Noticing is the company behind the settlement claim disbursement, so it tracks that the website is owned by that company. If you can't find out what company is handling the settlement, or if the domain is owned by a person or a different company, don't enter any information about yourself on the website. As I'll demonstrate below, it's incredibly easy to create a fake settlement claim website and send it to lots of people.
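The ownership check described above can also be run against a domain's RDAP record, the JSON format for registration data (RFC 9083). This is an added example, not part of the original article; the sample record, domain, and company names are constructed for illustration.

```python
# Added example: compare the registrant in an RDAP domain record with the
# settlement administrator named in the notice. SAMPLE_RDAP is constructed.
import json

SAMPLE_RDAP = json.loads("""
{
  "objectClassName": "domain",
  "ldhName": "claims-site.example",
  "entities": [
    {"objectClassName": "entity", "roles": ["registrar"],
     "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                              ["fn", {}, "text", "Example Registrar LLC"]]]},
    {"objectClassName": "entity", "roles": ["registrant"],
     "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                              ["fn", {}, "text", "Domain Administrator"],
                              ["org", {}, "text", "Example Claims Admin, Inc."]]]}
  ]
}
""")

def registrant_names(rdap):
    """Return the fn/org strings of every entity holding the registrant role."""
    names = []
    for entity in rdap.get("entities", []):
        if "registrant" not in entity.get("roles", []):
            continue  # registrar, abuse contact, etc. say nothing about ownership
        vcard = entity.get("vcardArray") or ["vcard", []]
        props = vcard[1] if len(vcard) > 1 else []
        for prop in props:
            # A jCard property is [name, parameters, type, value].
            if len(prop) >= 4 and prop[0] in ("fn", "org") and isinstance(prop[3], str):
                if prop[3].strip():
                    names.append(prop[3].strip())
    return names

def check_owner(rdap, expected_admin):
    """Return 'match', 'mismatch', or 'inconclusive' (no usable registrant data)."""
    names = [n for n in registrant_names(rdap) if "redacted" not in n.lower()]
    if not names:
        return "inconclusive"  # privacy-redacted or missing: verify another way
    want = expected_admin.lower()
    return "match" if any(want in n.lower() for n in names) else "mismatch"
```

An "inconclusive" result is common because many registrations are privacy-redacted; it means the lookup cannot confirm the owner, not that the site is safe.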
Can You Spot a Real Settlement Claim Site?
Pop quiz, hotshot: Which of these sites looks like a legitimate settlement claims website?
Settlement Claim A:
(Credit: Kim Key)
Settlement Claim B:
(Credit: Kim Key)
Settlement Claim C:
(Credit: Kim Key)
If you answered option B, congratulations—you have identified a genuine settlement claims website. If you answered A or C, I’m sorry for deceiving you.
It took me less than five minutes to create the fake websites in the screenshots above using Google’s Gemini chatbot. I don’t mean that the chatbot just generated the images, either. Gemini generated code for two websites in less time than it would take me to give away my personal information on an AI-generated phishing website. If I can do it, a scammer can do it too.
I should note, however, that when I asked Gemini to build me a site that would siphon private data, such as a person’s Social Security number or bank account details, the chatbot firmly shut down my request and delivered a thorough explanation of phishing. I commend Google for putting these guardrails into its product, though I imagine that, with a little time and effort, an online scammer could find a way to coax another AI chatbot into creating a similar-looking website that gathers users’ private data.
How to Verify Settlement Claim Notices
Always check the Federal Trade Commission (FTC) website for information about settlements filed with that government agency. For settlements involving non-US companies, you’ll need to do a little more research before trusting a claim site. Don’t click any links in the settlement notification email, as they may be phishing attempts. Instead, I advise you to open your browser and do a little sleuthing first.
Start with the domain lookup tool I referenced above, but if your research is inconclusive, there are other ways to get answers. Below are some of my suggestions for how you, armed with a search engine and critical thinking skills, can identify and respond to legitimate settlement claims.
Check With the FTC
As mentioned above, the US government’s consumer protection arm maintains lists of ongoing claims and hosts vetted claim forms on its website. Make sure that if you click on a link to an FTC claim site in an email, it directs you to a .gov URL, as opposed to a .org or a different URL suffix.
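The .gov check above can be applied to every link in a notice email by comparing what each link displays with where its href actually points. This is an added example, not part of the original article; the sample email body and the example.org hosts are constructed.

```python
# Added example: list where each link in a notice email really points and
# whether that host is under ftc.gov. SAMPLE_EMAIL is constructed.
from html.parser import HTMLParser
from urllib.parse import urlsplit

SAMPLE_EMAIL = """
<p>See <a href="https://www.ftc.gov/enforcement/refunds">the FTC refunds page</a>.</p>
<p>File at <a href="https://ftc.gov.claims.example.org/form">https://www.ftc.gov/claim</a>.</p>
<p><a href="https://ftc-refunds.example.org/">Claim portal</a></p>
"""

def under_domain(url, domain="ftc.gov"):
    """True if the URL's real host is `domain` or one of its subdomains."""
    try:
        host = (urlsplit(url.strip()).hostname or "").rstrip(".").lower()
    except ValueError:  # malformed URL
        return False
    # Match on the end of the host name: "ftc.gov.claims.example.org" is a .org host.
    return host == domain or host.endswith("." + domain)

class LinkAudit(HTMLParser):
    """Collect (visible text, href, href is under ftc.gov) for every <a> tag."""
    def __init__(self):
        super().__init__()
        self.rows, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = "".join(self._text).strip()
            self.rows.append((text, self._href, under_domain(self._href)))
            self._href = None

def audit_links(html):
    """Return one (text, href, is_ftc_gov) row per link in the email body."""
    parser = LinkAudit()
    parser.feed(html)
    parser.close()
    return parser.rows
```

In the sample, the second link displays an ftc.gov address but its href resolves to a .org host, so only the first link passes.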
Do Your Research
Search news sites, like the one you’re reading right now, for information about your class action settlement. News sites usually have articles detailing the circumstances behind the lawsuit and instructions for filing a claim. You can also search ClassAction’s website for a legit URL for your settlement claim.
Use Snail Mail to File Your Claim
You can’t phish someone who has opted out of sharing their data online. Check the email or postcard you received for a mailing address that you can use to skip the digital minefield and mail in your claim form.
Never Pay to File a Claim
If a claim site requests a processing fee or money to cover “administrative costs,” close the website and forward the offending email to the FTC. That’s a sure sign of a scam.
Take Your Time When Filing the Claim
If a settlement claim form asks for information that is completely unrelated to the settlement, pause and ensure you’re visiting the correct website. For example, if I received an email about the AT&T data breach settlement, clicked a link to file a claim, and the form asked me for my Social Security number, my children's names and ages, or other unrelated private data, I wouldn’t fill in that information. Instead, I’d visit the FTC’s website to ensure I clicked a link to a legitimate claim form.
Common Fake Settlement Claim Red Flags
It’s hard to tell if a settlement claims website is legit just by looking at it, so what can you do to avoid a possible phishing situation? The key is to consider what kind of data the website or email requests from you, and how the settlement administrator is contacting you.
While researching for this article, I read several frequently asked questions sections on settlement claim websites. Many of the documents referenced popular techniques that scammers use to trick people. I’ll highlight some of the most common scams below.
Excessive Requests for Private Data
A scammy settlement claim form may request your full Social Security number as part of the administrative process, which is not an ask that you’d find on a legitimate claim form, even if your exposed Social Security number is the reason you can claim part of a data breach settlement. For example, during the settlement claim period following the Equifax breach in 2017, people were instructed to enter the last six digits of their Social Security number on the website to make a claim, but not their full Social Security number.
Requests for Payment
A claims or settlement administrator will never ask you to pay money while submitting a claim or to receive money as part of a settlement. If someone purporting to be a settlement administrator demands payment from you during the claim process, stop communicating with them and report the scam.
Along those same lines, a settlement administrator usually will not estimate your claim payout when you are filing the claim. That amount is determined after the claim period concludes and everything is processed.
Text Message Settlement Claim Notifications
If you received a message via SMS or on a social media platform about a potential settlement claim, block the sender and delete the message because it’s a scam. Legitimate settlement claim information is delivered via email or, in some cases, a postcard.
Don’t Forget to Report Fake Settlement Claims
To keep other people from becoming victims, and to help authorities catch the scammers, it’s vital to report any suspicious settlement claim forms you come across. For more, read my article about how and why you should report scams. In short, it's as easy as contacting the FTC, filing a complaint with the Internet Crime Complaint Center, or contacting the Consumer Financial Protection Bureau.
If you think you may have entered your personal information on a fake settlement claim website, read about how to get your life back after being scammed. If you want to know what scammers do with your data after they steal it, check out my article about my dark web search for information about the company that leaked my email address.


