Fake Cloud Storage Alerts
'Your storage is full' or 'shared file' messages that phish your cloud or email login.
Last reviewed: 1 June 2026
What this scam is
Fake cloud storage alert scams send messages impersonating email providers, file-storage services, and workplace platforms — warning that your storage is full, a payment has failed, a shared document is waiting, or your account will be suspended. The goal is to direct you to a fake login page and capture your credentials.
Email and cloud storage accounts are among the most valuable targets for credential theft. Your email account is the recovery method for most of your other accounts — whoever controls it can reset passwords for your bank, social media, shopping accounts, and more. Capturing your email password can therefore cascade into a broad account takeover affecting many services simultaneously.
Cloud storage accounts also hold sensitive personal and professional documents. Access to these can enable identity fraud, business email compromise, or blackmail. For professionals and employees, the consequences of an account takeover extend beyond personal impact to organisational risk.
How it works
The message arrives via email, SMS, or in-app notification, using the visual design of a service you recognise — your email provider, a file-sharing platform, or a workplace productivity suite. The message states a problem that requires immediate action: your storage is nearly full and incoming messages are being blocked; a payment for your subscription failed; someone has shared an important document with you; or your account has been flagged and access will be suspended.
A button or link labelled 'Verify Account', 'Free Up Storage', 'View Document', or 'Update Billing' leads to a webpage that looks like the login page for the service. The domain is close to the real one but contains a variation — a different top-level domain, an extra word, or a slightly different spelling.
You enter your email address and password. These are captured. The page may then redirect you to the real service, perhaps with a 'thank you for verifying' message, to reduce immediate suspicion. By the time you notice something is wrong, the attacker may have already accessed your account and changed the recovery email or phone number to lock you out.
In workplace targeting, the shared document lure is particularly effective because receiving a document share notification is a normal part of professional life. The sense of urgency is lower, and the action of clicking to view a document is habitual.
Why this scam works
Cloud storage and email notifications are a normal part of daily life. Receiving a message about storage limits or document shares triggers a routine response — click to see what it is. The urgency framing accelerates this response by suggesting negative consequences if you delay.
The credential value of email accounts is exceptionally high, which is why they are frequent targets. Attackers understand that owning an email account is equivalent to owning the front door to many other services.
For professionals receiving dozens of document share notifications per day, distinguishing a fake from a real one requires a level of attention that is difficult to sustain consistently.
A typical pattern
A professional receives an email saying a colleague has shared a document with them. The message uses the logo and formatting of the file-sharing service they use at work. They click the link and reach what looks like a login page for that service. They enter their work email credentials. The page shows a brief 'loading document' screen, then an error. Over the next hour, the attacker uses the captured credentials to access their account, download files, and send phishing emails to their contacts from the now-compromised account.
Common red flags
- Urgent storage or billing alert with a link to log in
- Shared document notification from an unknown sender or unexpected contact
- Login page on a domain that is not the official service
- Request for your password or a verification code via an emailed link
- Notification claiming your account will be suspended if you do not act
- Message using familiar service branding but arriving from an unusual sender address
- Email about a payment failure for a service you do not pay for
Sanitized example messages
Illustrative, sanitized examples. Personal details are replaced with placeholders such as [phone number] and [fake link].
Your cloud storage is full and incoming emails are being blocked. Verify your account to restore service: [fake link].
Someone has shared a document with you. Click to view: [fake link].
Your subscription payment failed. Update your billing details to avoid account suspension: [fake link].
Action required: Unusual sign-in activity detected. Confirm your identity to protect your account: [fake link].
Your account will be deactivated in 24 hours due to a storage policy change. Verify to keep your data: [fake link].
You have been invited to view a shared file. Open it securely: [fake link].
Common variations
- Storage full alert — account approaching or at limit, must verify to restore service
- Shared document lure — file-sharing notification from unknown or impersonated sender
- Failed payment — subscription billing problem requiring card or login update
- Account suspension notice — policy violation or inactivity requiring urgent verification
- Workplace suite impersonation — mimics Microsoft 365, Google Workspace, or similar
- Two-for-one attack — captures email login, then uses that access to attack other accounts
How to verify before you act
Never use a link in an email or notification to log into your cloud or email account. Instead, type the service's address directly into your browser or use the official app.
If you receive a storage full or billing alert, check your storage usage by logging in directly. The alert will be visible on the service's own dashboard if it is genuine.
For a shared document notification, contact the person who supposedly shared it through a separate channel (call, separate email, message) to verify they actually sent it before opening it.
Check the sender's email address in full. Display names can say anything; the underlying address typically reveals a domain unrelated to the genuine service.
Payment methods used
- Account takeover leading to downstream financial fraud or identity theft
Who is usually targeted
- Email and cloud service users
- Professionals and employees
- Anyone who uses file-sharing services
What to do immediately
- Do not click the link — check storage by logging into the service directly via its official address
- If you entered your credentials on a linked page, change your password immediately on the real site
- Review your account recovery settings and remove any unrecognised recovery addresses or numbers
- Enable or upgrade two-factor authentication on the affected account
- Check for any unauthorised access, password changes, or new forwarding rules in the account
- If a workplace account was involved, alert your IT security team
How to prevent it
- Never use links in emails to log into cloud or email services — type the address yourself
- Enable app-based or hardware two-factor authentication on your email account above all others
- Use a unique, strong password for your email account
- Check the sender's full email address, not just the display name
- Verify unexpected document share notifications with the sender via a separate channel
- Review your account recovery settings and remove any unfamiliar recovery addresses or phone numbers
Evidence to preserve
- The full message including sender address
- The URL of the fake login page
- Screenshots of the message and page
- Any account activity logs showing recent access
Where to report it
- Action Fraud (UK) — UK national fraud & cybercrime reporting centre
- FTC ReportFraud (US) — US Federal Trade Commission fraud reports
- FBI IC3 (US) — US Internet Crime Complaint Center
- Scamwatch (Australia) — Australian competition & consumer reporting
- Your bank's fraud line — Use the number on the back of your card or in your banking app — never a number the caller gives you
Always verify reporting routes and emergency contacts on the official government or agency website for your country.
Frequently asked questions
Why are cloud and email accounts such valuable targets?
Your email account is the recovery point for most other accounts. If attackers control it, they can reset passwords for your bank, shopping, and other services. Protect it with a strong unique password and app-based 2FA.
How can I tell a real storage alert from a fake one?
Log into the service directly by typing its address in your browser. If the storage alert is genuine, you will see it on the dashboard. If the alert was fake, you will see your account is fine.
Is it safe to open a shared document link in an email?
Treat any document share notification from an unexpected sender with caution. Verify with the sender through a separate channel before opening the link. Navigate to the file-sharing service directly rather than using the link.
I entered my password on what I now think was a fake page — what do I do?
Change your password on the real service immediately. Enable two-factor authentication if you have not already. Review your account for any unauthorised changes. Check other accounts that use the same password — change those too.
Can attackers access my account even if I have 2FA?
Some phishing pages relay your login and one-time code in real time, bypassing SMS-based 2FA. App-based 2FA and hardware security keys are harder to bypass. Enabling any form of 2FA is still significantly better than none.
My email was compromised — how do I get it back?
Use the service's account recovery process immediately. Change the password from a clean device and revoke access for any unfamiliar applications. Check for email forwarding rules that the attacker may have set up. Contact the service's support if you are locked out.