False emails pretending to be LWS: how to recognise them and what to do

Procedure

Purpose of this article

False e-mails impersonating LWS are regularly circulating.
Their aim is to make you click on a fraudulent link or to get you to disclose sensitive information.

In this article, you will learn how to:

  • recognise a fake e-mail pretending to be LWS;
  • check whether the message you have received is legitimate;
  • know what to do depending on your situation;
  • react quickly if you have clicked, entered your password or made a payment.

Services concerned

This documentation concerns all LWS customers using one of the following services:

  • domain name
  • web hosting
  • mail service
  • LWS customer account
  • services requiring renewal or action from the customer area

Prerequisites

Before following this procedure, you must:

  • have access to the email you received;
  • be able to log in to your LWS customer area;
  • not have deleted the message if you wish to have it checked by support.

Background: why are you receiving this type of email?

Fraudsters regularly send emails that use the LWS name, logo or tone to sow doubt.

Their method is simple:

  • create an alarming message;
  • make you think that a service is about to expire, be suspended or deleted;
  • get you to click on a link quickly;
  • then retrieve your login or bank details.

These fraudulent messages do not pass through the LWS infrastructure.

It is important to note that no data leakage has been observed at LWS.
Fraudsters mainly exploit:

  • public information;
  • e-mail addresses found on the Internet;
  • invented scenarios to create a sense of urgency.

When these campaigns are reported, blocking requests are made to the service providers concerned, although they are not always successful.

What types of bogus e-mail have been identified?

The bogus e-mails observed can take several forms.

For example, you may receive a message announcing:

  • a fake service renewal notice;
  • a false contract cancellation notice;
  • an alleged deletion of your customer account;
  • a malfunction in your e-mail service;
  • an expired password for an email address;
  • an expired password for your customer account;
  • a suspended e-mail address;
  • a deleted e-mail address;
  • a mailbox that is almost full, for example 95% or 98% full;
  • a request for identity verification;
  • confirmation of your e-mail address after so-called maintenance;
  • an urgent request for payment to avoid a service interruption.

Even if the subject changes, the aim is always the same:
to get you to click on a fraudulent link or enter personal information.

How can you spot a fake LWS e-mail?

There are several things that should alert you.

The message does not contain your customer ID.

All e-mails sent by LWS contain your customer ID in the format:

LWS-XXX depending on the case.

If you receive a message that:

  • asks you to click on a link;
  • asks you to pay;
  • asks you to verify your account; or
  • asks you to confirm your details;

but does not contain your customer ID, you should consider it fraudulent.

The sender address is incorrect.

LWS only:

  • writes to the e-mail address registered in your customer area;
  • sends its messages from noreply@lws.fr.

If the message comes from another address, it should be considered suspicious.

[Image: example of a suspicious e-mail]

The message tries to get you to act urgently.

Fraudsters often use wording such as:

  • "Your service will be suspended today."
  • "Your account will be deleted."
  • "Your mailbox is almost full."
  • "Your password has expired."
  • "Last reminder before cancellation"

This alarming tone is used to push you to act without checking.

The message contains a link or a payment button.

An email asking you to:

  • pay a bill;
  • renew a service immediately;
  • confirm your identity;
  • reactivate an email address;
  • update your password;

via a link contained in the message, should be treated with caution.

If in doubt, never click on the link and contact LWS support from your customer area.

The content is vague, unusual or incoherent.

A fraudulent email may also contain:

  • unusual wording;
  • mistakes;
  • requests that are too vague;
  • exaggerated threats;
  • inconsistency between the advertised problem and your actual services;
  • an inaccurate price.

How can I check that the email has been sent from an @lws.fr address?

You can reply to the e-mail you received to see which address sent it. For example:

[Image: example of the sender address shown when replying to a suspicious e-mail]

In this example, the e-mail is SPAM; do not ignore it.

Emails related to LWS services are sent from an @lws.fr address.

If you have any doubts about an email telling you that your domain needs to be renewed, please go to your customer area to check the expiry date of your domain.
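
The checks described above (sender address, presence of your customer ID, link destinations) can be applied to a saved message with a short script. This is an added example, not LWS code: the sample messages and the customer ID LWS-000000 are constructed, and treating only lws.fr and its subdomains as LWS link hosts is an assumption based on the addresses shown in this article.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

EXPECTED_SENDER = "noreply@lws.fr"  # sender address stated in the article
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

# Constructed sample messages (not real LWS mail; LWS-000000 is a placeholder ID).
SAMPLE_PHISH = """\
From: "LWS" <billing@lws-renewal.example>
Subject: Last reminder before cancellation

Your service will be suspended today. Pay here:
https://panel.lws.fr.secure-pay.example/renew
"""
SAMPLE_OK = """\
From: LWS <noreply@lws.fr>
Subject: Renewal notice

Customer ID: LWS-000000
Check the expiry date in your customer area: https://panel.lws.fr
"""

def is_lws_host(host):
    # Assumption: LWS links live on lws.fr or a subdomain. A suffix match on
    # ".lws.fr" rejects lookalikes such as panel.lws.fr.secure-pay.example.
    host = (host or "").lower().rstrip(".")
    return host == "lws.fr" or host.endswith(".lws.fr")

def triage(raw_message, customer_id):
    """Return the article's warning signs found in a raw e-mail message."""
    msg = message_from_string(raw_message, policy=policy.default)
    warnings = []
    _, addr = parseaddr(str(msg.get("From", "")))
    if addr.lower() != EXPECTED_SENDER:
        warnings.append(f"sender is {addr or 'missing'}, not {EXPECTED_SENDER}")
    part = msg.get_body(preferencelist=("plain", "html"))
    body = part.get_content() if part else ""
    if customer_id.lower() not in body.lower():
        warnings.append("customer ID not found in message")
    for url in URL_RE.findall(body):
        if not is_lws_host(urlparse(url).hostname):
            warnings.append(f"link points outside lws.fr: {url}")
    # An empty list is not proof of legitimacy: the From header can be forged.
    return warnings

if __name__ == "__main__":
    print(triage(SAMPLE_PHISH, "LWS-000000"), triage(SAMPLE_OK, "LWS-000000"))
```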

How should I react to phishing?

If you have received this email or one like it, do not click on the link.

  • Check your LWS customer area for the expiry date of your domain/hosting space.
  • You do not need to contact our customer support, which has already taken steps to stop this type of email being sent.

Did you enter your login details on a site imitating LWS?

Your password must have been captured by malicious persons through the information you provided.
Please change the password you use to access your LWS customer area as soon as possible.

Have you made a payment on the website mentioned in these emails?

Please contact your bank immediately to request that your bank card be blocked.

Your bank will also be able to advise you of the next steps to take, in particular the need to lodge a complaint for fraudulent use of a means of payment on the Internet.

To counter these phishing campaigns, our technical teams, like other email and hosting providers, deploy countermeasures to limit the impact on our customers.

As these counter-measures are put in place, attackers evolve their own phishing campaigns by regularly modifying the sending email addresses, the content of the message and/or the websites used.

As a reminder, we recommend that you check your LWS account at https://panel.lws.fr each time you receive a payment request.

Questions about the article

SAMUEL - 1256 days ago
Hello Sir/Madam, is it possible to have a second domain name for the Starters plan? I am on the STARTERS plan. Regards

fabrice-LWS - 1253 days ago
Hello, I invite you to order a second domain name by going to your LWS customer area: click on "Your ID" then on "Buy a service". Once the domain name is active in your customer area, you will be able to link it to your LWS Starter plan by following this procedure: https://aide.lws.fr/a/1415

Loloito78 - 172 days ago
Why not encode the e-mail addresses that you list with the registrars, as OVH does for example, where customer e-mails are codeovh.com e-mails? That would avoid systematically disclosing our mail domains to the first bots that come along.

Maxence-LWS - 172 days ago

Hello,

Thank you for your message.

Our customers' contact details are hidden in the Whois, except when they have registered the domain name as a company (for .FR domain names), for example.

In your case, I cannot find your customer record, so I cannot comment.

However, please note that spam and other unwanted e-mails are received because spammers send e-mails to very generic addresses, such as contact@votredomaine.fr ...

They also have tools that harvest potential e-mail addresses shown in clear text on websites, whatever the hosting provider, so the whois tool is very rarely the entry point for spam.

Thank you for your attention; I remain at your disposal for any other questions or further information.

You can contact us from your customer area or on this page: https://www.lws.fr/contact.

Regards, The LWS team