From left to right: Cloud storage phishing email, Body of cloud storage phishing email, and Scam link from the email. Courtesy images
By REBECCA RUTHERFORD
Los Alamos
For the Los Alamos Daily Post
If you’ve recently received an email claiming “your cloud account has been blocked”, you’re not alone. This is a growing phishing scam designed to look urgent, official, and just believable enough to trigger a response. Don’t fall for it, it’s just another scam.
These messages usually warn of suspicious activity, multiple failed login attempts, or a locked account that requires immediate action. The wording is intentionally vague. Instead of naming a specific service like Google Drive, iCloud, or OneDrive, scammers use the broad phrase “cloud account,” counting on the fact that most people use multiple cloud services without thinking about it.
One interesting thing I noticed about this message is the “reply to” field is going to a uic.edu email address—this is the University of Illinois Chicago and is a legitimate email domain. Always check out the full email header info so you can see the actual sender email (trying to spoof my email address, but actually a gibberish domain) and if there is a different reply to email.
Why the reply goes to a uic.edu address
One of the biggest red flags in this scam is the Reply-To address. While the “From” field may appear to come from a cloud provider or even your own email address, replies are quietly redirected to a uic.edu inbox. This is not accidental.
Scammers often abuse or compromise real university email accounts because .edu domains are widely trusted and less likely to be blocked by spam filters. A reply sent to a university address can feel legitimate to a recipient, lowering suspicion and increasing the chance of continued interaction. The university itself is not sending these messages. The account is typically compromised or being misused.
What the scam is trying to do
The goal is almost always one of two things:
- Credential theft, by getting you to click a link and enter your login details on a fake page
- Conversation-based fraud, where replying confirms your email is active and leads to follow-up messages requesting verification, payment, or access In many cases, no link is included at all. The scammer wants you to reply first, which allows them to tailor the next step directly to you.
In this case I previewed the link, and my browser warned me it was bad.
How to spot it quickly
These emails often share common warning signs:
- Urgent language like “blocked,” “locked,” or “action required”
- No mention of which cloud service is affected
- Generic greetings instead of your real name
- A mismatch between the sender address and the reply-to address
Legitimate cloud providers do not ask users to reply to emails for account security issues, and they will never route support communication through a third-party university domain. Never click on a link in an email, go directly to your account and check it out.
What to do if you receive one
Do not reply, click links, or open attachments. Instead:
- Open a new browser window, or go to the app you use
- Manually log in to the cloud services you actually use
- Check your account security or alerts there
- Mark the email as phishing and delete it
Receiving this message does not mean your account has been compromised. These scams are mass-sent and rely on fear rather than real account access. Nothing is wrong unless you reply or click the link.
The bottom line
An email claiming your cloud account has been blocked, especially one that routes replies to .edu email address, is almost certainly a phishing attempt. Its power comes from urgency, confusion, and misplaced trust. Slowing down, checking the details, and refusing to engage is the simplest and most effective defense.
If in doubt, always go directly to the service you use. Never let an email rush you into giving up access to your digital life. Stay safe online, don’t panic, and don’t click that link!
Editor’s note: Rebecca Rutherford works in information technology at Los Alamos National Laboratory.