Over the past few months, scammers have launched a large-scale cloud storage subscription campaign that targets users worldwide and floods inboxes with repeated emails falsely warning that photos, files, and accounts are about to be blocked or deleted due to an alleged payment failure.
Based on numerous emails reviewed by BleepingComputer, the campaign has steadily escalated during this period. As a result, victims now receive multiple versions of the scam every day, with all messages appearing to originate from the same group of scammers.
Although the email wording varies slightly, every message aggressively creates a sense of urgency. Specifically, the emails claim recipients must immediately resolve a payment or storage issue or risk having their files deleted or blocked.
Phishing Emails Use Randomized Domains
Meanwhile, the phishing emails originate from a wide range of domains. In most cases, the attackers appear to randomly generate these domains specifically for the spam campaign, as shown in the sample list below:
[email protected]
[email protected]
[email protected]
At the same time, the emails rely on alarming subject lines designed to scare recipients into opening them.
Subject Lines Designed to Create Panic
According to examples collected by BleepingComputer, the campaign uses a wide range of fear-driven subject lines, including:
- Immediate Action Required. Payment Declined
- Cloud Storage 1TB: Payment overdue
- [personal name]¸Your Account Has been Blocked! Your Photos and Videos will be Removed Fri,30 Jan-2026. take action!!
- We’ve blocked your account! Your photos and videos will be deleted . Renew your subscription for free now!
- [personal name] – Your store is full , click to check and save 80% , ID#88839
- [personal name], Your Cloud Account has been locked on Mon,26 Jan-2026. Your photos and videos will be removed!
- Sorry [<personal email address>], We Have To Suspend Your Account Today ! Sat,24 Jan-2026
- [name] – Your store is full , click to check and save 80%
- Cloud Storage 1TB: Payment overdue
Notably, many of these subject lines personalize the message using the recipient’s name or email address. In addition, they include specific dates or identifiers to heighten urgency and make the emails appear legitimate.
Fake Payment Failures and Data Loss Warnings
The emails reviewed by BleepingComputer claim that a cloud subscription renewal failed or that a payment method expired. Consequently, the messages warn recipients that backups may stop syncing and that photos, videos, documents, and device backups could be lost unless the issue is resolved immediately.
One of the many cloud storage lockout emails being sent worldwide
Source: BleepingComputer
To reinforce the deception, the scammers frequently insert fabricated account IDs, subscription numbers, and expiration dates.
“Your Cloud Subscription Is at Risk. We couldn’t process your most recent payment. If not resolved, your Cloud storage and backups may be paused,” reads an email seen by BleepingComputer.
“Immediate Action Required Please verify or update your payment method as soon as possible to avoid losing access to your photos, files, and device backups.”
Redirect Links Hosted on Google Cloud Storage
Every spam email in this campaign includes a link to https://storage.googleapis.com/, a legitimate Google Cloud Storage domain. However, threat actors abuse this service to host static redirector HTML files.
When a victim clicks the link, the URL redirects them to a scam or phishing site hosted on random domains. Importantly, all links tested by BleepingComputer ultimately lead to the same group of fraudulent pages.
Once redirected, victims encounter phishing pages that impersonate cloud service portals and prominently display cloud-themed branding, including the Google Cloud logo. These pages falsely claim that the user’s cloud storage is full and warn that photos, videos, contacts, files, and private data are no longer being backed up and will soon be deleted.
“Because you’ve exceeded your storage plan, your documents, contacts, and device data are no longer backing up to Cloud and your photos and videos are not uploading to Cloud Photos. Cloud Drive and Cloud-enabled apps are not updating across your devices,” reads the phishing site shown below.
“Your data will be lost without security protection if no urgent action is taken.”
Phishing page warns that your cloud storage is full
Source: BleepingComputer
Fake Storage Scans and Discounted Upgrades
After clicking the “Continue” button, victims see a fake storage scan that always reports Photos, Cloud Drive, and Mail as completely full. The page then warns that data loss is imminent unless the user upgrades their cloud storage.
To increase pressure, the scammers claim the recipient qualifies for a limited-time “loyalty” upgrade at an 80% discount.
However, clicking the update storage button does not lead to a legitimate cloud provider. Instead, the page redirects users to affiliate marketing sites promoting unrelated products.
Products promoted through this campaign include VPN services, obscure security software, and other subscription-based offerings that have no connection to cloud storage.
Ultimately, the pages funnel victims toward checkout forms designed to collect credit card details and generate affiliate revenue for the threat actors behind the operation.
Unfortunately, many recipients may not recognize the scam and may purchase unnecessary products, believing they are resolving legitimate cloud storage issues.
How Legitimate Cloud Providers Actually Handle Payments
It is important to understand that these emails and landing pages do not represent legitimate cloud service notifications. Legitimate cloud providers do not send emails that trigger storage scans or redirect users to third-party VPNs or security products to fix billing issues.
In addition, most legitimate cloud storage services block access to additional storage after a missed payment rather than immediately deleting files.
For example, Google states that if a Google Drive plan is canceled, users lose access to their additional storage until they make a payment again, and Google only deletes files after two years.
Microsoft OneDrive follows a similar model but notes it may delete files after six months if the account exceeds its allocated storage.
Users who receive these spam emails should delete them immediately without clicking any links and avoid purchasing anything promoted through the messages.
Because the campaign relies on fear to drive unnecessary purchases, ignoring the emails remains the safest response.
If users have concerns about cloud storage or billing, they should manually check their account by visiting the official website or app of the legitimate cloud service.
Source: BleepingComputer, Lawrence Abrams
Read more at Impreza News
