Hackers always try to prey on end-users’ fear, uncertainty, and doubt. It’s all about tricking end-users into doing something they don’t want to do–namely, handing over money or credentials.

Hackers will find creative ways to do that. A great way is to threaten the person with some sort of expiration. If you don’t do something now, you will get charged or have data deleted.

In this attack brief, researchers from Avanan, a Check Point Software Company, will look at how hackers are using the threat of deleting personal files to get money and credentials from end-users. 


In this attack, hackers hope to convince users to add more storage to their cloud storage account, but instead, they will be redirected to a credential harvesting page. 

  • Vector: Email
  • Type: Credential Harvesting
  • Techniques: Social Engineering, URL Redirect
  • Target: Any end-user

Email Example #1


In this attack, hackers are sending a notice that the storage limit of cloud files has been reached. But if you act now, you’ll get 50GB for free. The catch? The URL does not go to any sort of cloud file storage site. The URL is a SendGrid URL. That’ll redirect to a malicious page. As noted, the only way to “validate'' that it’s your account is to enter your credit card number. But, of course, that won’t validate anything. It’ll just charge your card. 


In this attack, hackers hope to trick users into giving over their credit card information.

They do this by claiming that cloud file space has been reached and that you risk those files being deleted if you don’t act now. 

To do that, you can easily claim free storage space as long as you give over credit card details.

Of course, the credit card number is what they will steal from you. 

A variation of these emails can be legitimate. Let’s say you have google Drive. There are limits to how much storage you can have; when you’ve reached that, you must pay to upgrade. 

The difference? They won’t delete your data.

There are some telltale signs that this attack is an attack. The sender address doesn’t come from a legitimate cloud file storage site. The URL is a SendGrid link, not a link to a cloud file storage site.

Take these cues and use them to not fall under attack. 

Best Practices: Guidance and Recommendations

To guard against these attacks, security professionals can do the following:

  • Double-check all URLs before clicking
  • Check the sender address to see if it matches