Large-Scale Phishing Campaign Using Fake Payment and Storage Warnings
Over the past few months, a large-scale cloud storage scam has flooded inboxes worldwide with phishing emails claiming accounts are about to be blocked or deleted due to failed payments.
Based on numerous reviewed samples, the campaign has intensified, with some recipients now receiving multiple versions of the scam every day. While the wording varies, the core message is always the same: your cloud storage is full, your payment failed, and your data will be deleted unless you act immediately.
How the Emails are Sent
The phishing emails originate from a variety of randomly generated domains and sender addresses, indicating the use of automated spam infrastructure. Examples include:
Despite the different sender addresses, the emails are clearly part of the same campaign and often arrive in clusters. Subject lines are crafted to create urgency and appear personalized, often including the recipient’s name, email address, or a specific date.
Some examples include “Immediate Action Required. Payment Declined”, “Cloud Storage 1TB: Payment Overdue”, and “[Name], Your Account Has been Blocked!”. Many emails also use made-up account IDs or subscription numbers to make the messages appear legitimate.
What the Emails Claim
The messages typically state that a cloud storage renewal failed or that a payment method has expired. Recipients are warned that backups may stop syncing and that their personal data will be deleted unless the issue is resolved.
One example reads: “Your Cloud Subscription Is at Risk. We couldn’t process your most recent payment. If not resolved, your Cloud storage and backups may be paused.”
While another states: “Immediate Action Required. Please verify or update your payment method to avoid losing access to your photos, files, and device backups.”
All emails in this campaign contain a link pointing to https://storage.googleapis.com/, which is part of Google Cloud Storage. Instead of hosting the scam pages directly, attackers use Google Cloud Storage to host small static redirector files. When clicked, the link forwards victims to phishing sites hosted on random domains.
Inside the Phishing Pages
The landing pages impersonate legitimate cloud service portals and prominently display cloud-themed branding, including Google-style logos and layouts.
Victims are told their storage is full and that:
- Photos and videos are no longer uploading.
- Contacts and documents are no longer syncing.
- Device backups are no longer protected.
After clicking “Continue,” users are shown a fake “storage scan” that always reports all services as full. They are then offered a limited-time “loyalty” upgrade at an 80% discount.
Clicking the “upgrade” button does not lead to any legitimate cloud provider. Instead, victims are redirected to affiliate marketing pages promoting unrelated products, including VPN services, unknown “security” tools, and subscription-based utilities.
These pages eventually lead to checkout forms that collect credit card details, generating affiliate revenue for the attackers.
What Legitimate Providers Actually Do
Real cloud providers do not operate this way. For example, Google states that if a Google Drive plan is canceled, users lose access to additional storage, but files are not deleted for up to two years. Microsoft OneDrive follows a similar model and may delete files only after six months if the account exceeds its storage limits.
They don’t send emails that perform “storage scans”, redirect to third-party products, or offer massive discounts through external links. Anyone receiving these emails should delete them immediately without clicking any links or purchasing anything.
If there are concerns about storage or billing, users should log in through the official website or mobile app of their cloud provider and check their account directly.
