I got an email indicating that I’ve run out of email storage quota on my site, but I don’t have a quota. I’m confused; should I verify my ID so I find out what’s going on, or is it some sort of spam or phishing scam?
Email scammers are getting more sophisticated as our computers are getting faster and as smarter software appears on the scene. Generative AI might be great for exploring concepts and discussing historical data, but it’s also remarkably powerful in its ability to synthesize information and create content that’s dangerously believable. But hackers don’t even need that level of sophistication to trick enough people that they can send a thousand messages and obtain a dozen logins that they can then exploit.
One of the warning signs is therefore the presence of a link or button that’s encouraging you to click. Legit email from companies that should know better – like banks – often includes these links too, but they should all be looked at with a highly skeptical eye. The general approach is: something bad has happened, you have a short amount of time to respond, click here. It’s no wonder people get anxious and proceed without actually asking themselves if it’s legit or not!
The general solution in all of these cases is to manually type in the URL of the organization, company, or institution, log in, and check for messages or other notifications. Email from Bank of America? Really? Go to bankofamerica.com and find out: If it’s valid it’ll be in your inbox on the site. If it isn’t, 99.99% chance it’s a scam.
The attempt to steal login credentials is known as phishing and it can be darn insidious. Here’s an example I got:
Turns out that I don’t actually have an inbox for my @askdavetaylor.com email so it would be impossible to have a quota, let alone be over quota, but it still seems pretty believable.
A first step is to check the sender, which can be done by clicking on the tiny grey triangle adjacent to the recipient in Gmail (other email programs have other ways to check the “original message” or similar):
Looks pretty legit, it’s encrypted and it’s from an @askdavetaylor.com domain, but it’s not “admin” or “support” either, so a bit questionable.
Fortunately, my browser can preview links before I click them, so it reveals that the “Update Quota” button in the message links here:
All of this is highly suspicious, of course, because if anything, it should be from my hosting company since that would be where my email would reside and the quota would have been exceeded. No need to use “ucasvc.com” or “elitagida-tr.net”, for sure.
But let’s assume that I didn’t check and simply clicked on the button. As is typical with both spam and scam messages, it bounces through a variety of redirects (in an attempt to protect the scammers from law enforcement, presumably) and ends up here:
loulindsay.top is most assuredly not my Web hosting company so at this point it’s clear that it’s safe to close the tab and delete the email message. Which is good, because the actual page displayed seems somewhat legit too:
There are a couple of broken image links, but that’s not entirely unusual in the modern Web, so it might pass a casual inspection. And that’s the problem; it’s on you to be vigilant about the messages you receive – including text messages, even those from what seem to be legit numbers – and the Web sites you visit. These scams are only going to get more sophisticated so now’s a good time to ratchet up your skeptical inspection of any and all links.
Oh, and if you did enter your password and click on “Log In” it’ll drop you on the bing.com home page, which would hopefully clue you in that something’s gone wrong. Then again, if you have two-factor authentication (you do have that enabled, right?) even having your password wouldn’t be a huge threat, particularly if you’re savvy enough to use a different password on each of the important sites you visit.
The moral of this story is that it’s up to each of us to learn to be extra careful of any messages we receive that ask us to log in to a Web site, validate credentials, share passwords “for an IT audit” or similar. When in doubt, type in the site URL instead of clicking on the URL or button, and make sure you have 2FA enabled everywhere. Good luck!
Pro Tip: I’ve been writing about online scams for many years. Please check out my spam, scams and security help area while you’re visiting for more informative articles on how to stay safe online. Thanks!