Email Phishing – Actions to Take
For users, the most important rule is not to click on links or attachments in such messages. Subscription or payment status should always be verified directly in the official app or on the service provider’s website. Suspicious messages should be reported as phishing—in Poland, this is done by submitting a form to CERT.PL or forwarding the message via SMS to 8080. A wealth of information can be found on the government website, which directs users to CERT, where they can report various types of incidents and threats related to data theft. If payment card details were entered on a phishing page, immediate action is necessary: contact your bank, block or replace the card, monitor transactions, and, if necessary, initiate a chargeback.
Organizations are advised to implement anti-phishing detection rules targeting specific lure themes, such as “lack of cloud space” or “payment failure,” keyed on the relevant phrases, time-pressure wording, and account identifiers quoted in the message.
URL redirect chain analysis is also crucial, including sandboxing, link detonation, and reputation assessment of the final target domains, which are often newly registered or randomly generated. Payment processes should require additional verification outside the email channel, especially for “urgent” requests, e.g., through the provider’s official portal or a ticketing system with the appropriate level of authorization.
Equally important are user education and regular phishing simulations, supplemented by simple procedures for handling suspicious links and rapid incident-reporting channels to SOC/IT teams.
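An added example (not part of the original article) of what such a detection rule can look like in practice: a small Python scorer that combines the signals named above, namely theme phrases, time-pressure wording, the recipient’s own identifier quoted in the body, a redirect through a large provider’s domain, and a random-looking final domain. The phrase lists, the provider host list and the two sample messages are constructed assumptions, not data from the campaign.

```python
import re
from urllib.parse import urlparse, parse_qs
# Lure vocabulary for the two themes the article names (constructed; extend per environment).
THEME_PHRASES = ("storage is full", "out of cloud space", "payment failed",
                 "payment was declined", "subscription has expired")
URGENCY_PHRASES = ("today", "tomorrow", "within 24 hours", "will be deleted", "immediately")
# Hypothetical list of large-provider hosts that lures route redirects through.
BIG_PROVIDER_HOSTS = ("google.com", "microsoft.com")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def hosts_in_chain(url):
    """Hostnames of a URL plus any nested URLs in its query string (a redirect chain)."""
    parsed = urlparse(url)
    hosts = [(parsed.hostname or "").lower()]
    for values in parse_qs(parsed.query).values():
        for value in values:
            if value.startswith(("http://", "https://")):
                hosts.extend(hosts_in_chain(value))
    return hosts

def looks_random(host):
    """Heuristic: a long first label with few vowels (typical of generated names)."""
    label = host.split(".")[0]
    return len(label) >= 10 and sum(c in "aeiou" for c in label) / len(label) < 0.25

def score_message(msg):
    """Return (score, reasons) for a dict with 'recipient', 'subject' and 'body'."""
    text = f"{msg['subject']} {msg['body']}".lower()
    reasons = set()
    if any(p in text for p in THEME_PHRASES):
        reasons.add("theme:cloud-space-or-payment")
    if any(p in text for p in URGENCY_PHRASES):
        reasons.add("time-pressure")
    if msg["recipient"].lower() in text:  # lure quotes the target's own identifier
        reasons.add("account-identifier-in-body")
    for url in URL_RE.findall(msg["body"]):
        chain = hosts_in_chain(url)
        if len(chain) > 1 and any(chain[0] == h or chain[0].endswith("." + h)
                                  for h in BIG_PROVIDER_HOSTS):
            reasons.add("redirect-via-trusted-provider")
        if any(looks_random(h) for h in chain):
            reasons.add("random-looking-domain")
    return len(reasons), sorted(reasons)

# Constructed sample messages (not from the campaign the article describes).
LURE = {"recipient": "jan@example.com", "subject": "Your cloud storage is full",
        "body": "Account jan@example.com: files will be deleted tomorrow. Renew at "
                "https://www.google.com/url?q=https://xk7qp2mzt9.example/renew"}
LEGIT = {"recipient": "jan@example.com", "subject": "Monthly newsletter",
         "body": "Read our latest tips at https://blog.example.org/tips"}
```

In a mail gateway the score would be thresholded per environment; the point is that the lure trips several independent signals at once, while ordinary mail trips none.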
Actual provider practices
In the case of Google services (Google One / Drive), when a subscription expires the user only loses the additional storage space. Data is not deleted immediately; deletion happens only after an extended period (up to about two years) of remaining over the limit.

In Microsoft OneDrive, exceeding the limit results in restricted functionality (e.g., read-only mode). Data deletion becomes possible only after approximately six months without user action.
In practice, this means that the real procedures are drawn out over time and give the user room to react, unlike the fraudulent warnings, which push the idea of immediate data loss.
Summary/Key Takeaways:
The campaign described is an example of mass phishing combined with affiliate mechanisms. Its effectiveness relies on a combination of time pressure, fear of data loss, and the use of seemingly trustworthy elements, such as links leading through the infrastructure of large providers or fake system “scans.”
The best defense is consistently following a simple procedure: not interacting with links in emails, verifying status yourself through official channels, and reporting suspicious messages.
Messages suggesting immediate data deletion (e.g., “today” or “tomorrow”) should be treated as a clear warning sign—actual provider policies are much less drastic and provide for longer transition periods.
Sources/Bibliography
The analysis was based on materials describing the phishing campaign (BleepingComputer), consumer warnings published by the Federal Trade Commission, GOV.UK guidelines on reporting phishing, and support documentation from Google and Microsoft on data retention policies and the consequences of exceeding limits.
