What is this cloud storage phishing scam?

An active phishing campaign impersonates cloud storage service providers by sending emails with fake account blocking warnings and urgent deletion threats. The scam uses weaponized Google Cloud Storage links to bypass email filters and steal user credentials and payment information through fake payment portals.

How can I identify this phishing email?

The phishing email comes from a suspicious sender address, has subject lines about account blocking and photo/video removal, lacks proper platform branding or personalization, and contains links starting with storage.googleapis.com that redirect to fake login or payment pages.

Why do scammers use Google Cloud Storage links?

Scammers use Google Cloud Storage links because they help bypass email filters, appear legitimate when hovering over them, are rarely blocked by enterprise firewalls, and are difficult to remove quickly due to slow reporting mechanisms on Google infrastructure.

What happens if I click the phishing link?

Clicking the link takes you to a fake page claiming your storage has been disabled. If you click Renew, you'll be directed to a fraudulent payment page designed to steal your personal data and payment card information.

How can I protect myself from this scam?

Don't rush to respond to urgent emails, never click links in unexpected account problem notifications, verify account status by manually typing the official website URL directly into your browser, carefully check sender email addresses, and be suspicious of urgent countdown timers and immediate deletion threats.

Scam/Phishing

Expired cloud storage scam using Google Cloud Storage domain to host scam page

published: Nov. 29, 2025

Take action: Don't panic over urgent "account blocked" warnings in unexpected emails. Never click links or open files in these messages. Instead, type the official website address of your cloud provider directly into your browser to check your actual account status.

Learn More

An active phishing campaign tries to scam people by implying a message from a cloud storage service provider. The attack implies urgency tactics and fake "account about to be blocked" warnings to steal user credentials and payment information.

Scam analysis

The email is sent from non-descript sender Payment-Declined.nooreply@hdp.nrhcwftfejgf.us (sent via email from emgjozzsbbnt.lnef.co.za). It has a subject Line: "Your Account Has been Blocked! Your Photos and Videos will be Removed 11-26-2025 . take action!!"

The email has no platform branding or personalization for the recipient suggesting mass-distribution campaign.

All links are weaponized Google Cloud Storage links. Using Google Cloud Storage links which start with storage.googleapis.com help the scam email pass email filters, and if the user hovers the link it looks fairly legitimate.

There's an added benefit that Google infrastructure is rarely blocked by enterprise firewalls or URL reputation systems and it's difficult to remove content quickly from Google infrastructure since reporting mechanisms are quite slow.

Naturally, this link is simply a fake portal or redirect to send the user to the real scam site. The format of the link is as follows:

https://storage.googleapis.com/rightmoves/websiteforpodio.html#[ENCODED_STRING]&[TOKEN]&714943/5139/[RANDOM_STRING].home.php?sq=70476-55602&lk=444258-9&page=[PAGE_ID]

Clicking the link brings the victim to a fake page that says Cloud instead of a name of the service and tries to create panic by claiming that the "storage has been disabled". If the victim clicks on Renew, they will be taken to a fake payment page, where personal data and payment card data will be stolen.

How to stay safe?

Don't rush: It's never that urgent.
Why am I getting this? Never click links in unexpected emails claiming account problems
Verify independently: Verify account status by manually navigating to the official website (type URL directly)
Check sender email addresses carefully
Be suspicious of urgent countdown timers and immediate deletion threats

Expired cloud storage scam using Google Cloud Storage domain to host scam page

Read More
Active "ex-partner left you money" advance fee scam
North Korean hackers deploy malware during technical job …
Phishing attack impersonating Coinbase
Microsoft & Atlassian Impersonation Campaigns through typosquatting
State-sponsored attackers conduct complex Social Engineering campaign targeting …