"You've reached your storage limit" - iCloud Mail isn't from Apple!

I received an email over the weekend claiming that I had reached my iCloud storage limit. Since I don't have anything transferred automatically and have copied almost nothing else to the Apple cloud, I was very surprised by this mail. In addition, there was no personal salutation (actually common at Apple) and an additional 50 GB was offered for free "as part of your loyalty program" (very unusual at Apple). To do this, click on a large, blue button. This distracts from the many small hints that this is a phishing email. Below you will find all the details.

Content of the iCloud phishing email intended to steal your data

At first glance, the email looks quite official. The sender is indicated as "iCloud", a large iCloud logo under a small Apple logo and the note "You have reached your storage limit" is the first thing that catches the eye. The subject is a bit strange, because a more formal salutation is chosen: "Your iCloud storage is full.. - No. [number sequence]" The body of the email has this clumsily worded text, again with an informal salutation:

Dear Customer,
But as part of your loyalty program, you can now get an extra 50 GB for free before the files on your iCloud Drive are deleted.

Note: The files in the iCloud are not simply deleted just because the memory is full. Of course, your files will be retained when the memory is full. All you have to do then is manually clean up and/or stop the automatic transfer of backups, iPhone photos and the like. In addition, no date is given in the fake mail when the memory is supposed to be deleted. The aim here is simply to provoke panic and quick, thoughtless action. Please don't fall for it.

Apple never asks you for credit card information for validation!

If you don't recognize small letters that well, you should zoom in or put on your glasses. Because right at the top, above the logos and the storage limit notice, you can read the following:

Enter your credit card information for your Apple ID validation, register now

And under the main text it says again:

After signing up, you'll need to enter your credit card information to validate your Apple ID.

We will not collect any amount.

This is all utter nonsense. The Apple ID is the only way you need to sign in to Apple and verify your identity to access your iCloud and other services. Credit card information will not be validated. So if you click any link in the mail and then enter your data (Apple ID, password and credit card information), you will quickly lose your Apple account, all stored data and your money.

Is my iCloud storage really full?

Before you click the link in the email out of panic and the promise of 50 gigabytes, calm down. Take a deep breath and get in touch with the official iCloud website first https://www.icloud.com/ at. Check there how your memory is doing and whether there is an indication that a limit has been reached. If that happens to be the case, take the necessary steps there on the official site. The email is still fake and the people behind it are out to steal your data and money.

The usual clues: How to recognize a fake e-mail

In addition to the inconsistencies mentioned in the text and the reference to the credit card information to be given - which should already ring all the alarm bells - there are also the usual fake indications. If you regularly check the Sir Apfelot blog, you already know them:

  • "iCloud" is mentioned as the sender, but if you take a closer look at the sender address, then there is nothing about Apple or iCloud. Instead, it is reminder-5283@gilt.com.
  • The "reply to" address is a wild string and also ends in @gilt.com.
  • Almost all areas, texts and images in the e-mail have the same link.
  • So wherever you click, you're likely to land on the scam page, which reads variation.bad.mn[string].
  • At the end there is a note on the alleged unsubscribing of the notification emails, which is worded very questionably with "To stop them, please go here or write to [...]" (the link there also leads to the phishing page )

What happens when you click the link?

I wasn't as brave as Jens, who was for them Researching a Google Drive spam email simply opened the linked PDF. I first looked for a website whose server I could run a virtual operating system on and then open the link from there. I then opened the link from the email in this virtual online edition of Windows. Somewhat anticlimactically, only one page was displayed on which you should click the "Get 50 GB" button again. However, if you look at the URL in the address line, you can already see that Apple and iCloud are not involved here.

I have entered my data. What should I do now?

If you clicked on the link in the phishing email and entered both the email address and the password for your Apple ID along with your credit card information, then you should act quickly. The first thing you should do is change your Apple ID password – official instructions from Apple Support. You should then call your bank or credit card company and have the card blocked. If you use your email address in combination with the old Apple ID password somewhere else, change the password there as well.

What are bad.mn and gilt.com?

When I go to variation.bad.mn I get a 404 error. So the page could not be found. If I just go to bad.mn, I'm redirected to a DNS and hosting service (freedns.afraid.org). Apparently, only links on the page that have other character strings work - and they then redirect to completely different pages, as can be seen in the screenshot above. A small note: The top-level domain .mn stands for websites from Mongolia.

GILT is apparently an online shop for fashion and accessories. Visiting gilt.com will take you straight to the /boutique sub-page, which has designer fashion, categories for women, men, and kids, and more. The only thing that I found strange was that the creation of an account was required directly. You cannot look around without entering an e-mail address or without logging in. I found that suspicious again. But it has nothing directly to do with the mail.

What is 616 Corporate Way Ste.2-9092?

At the bottom of the email text is an address that, like everything else, has nothing to do with Apple. Because an alleged address in the US state of New York is given – Apple, on the other hand, is located in Cupertino, California. The address given in the email is 616 Corporate Way Ste.2-9092 Valley Cottage, NY 10959. It is interesting that when you enter it in a search engine, it is already completed if you just enter "616 Corporate". So she is often sought after. The search results indicate various scams in the name of Amazon, REWE, McDonald's, LIDL, PayPal, etc. The address is probably used often.

What should I do if I get a phishing / scam email?

First of all, two things you shouldn't do: reply and click on any link. If you want to report the mail to Apple so the pros there can take the necessary steps, then direct them reportphishing@apple.com further (I did that too). There is more information about this in this support document. You can also send a message to the consumer advice center and to the police hand over. If you don't want to stress yourself out too much over an email, simply delete it. Good luck and don't get fooled!

My tips & tricks about technology & Apple

Did you like the article and did the instructions on the blog help you? Then I would be happy if you the blog via a Steady Membership would support.

3 thoughts on "You've reached your storage limit" - iCloud Mail isn't from Apple!"

  1. Hello!
    Thank you for this article, which after a lot of research has put my mind at ease. I'm usually very vigilant, but I fell for it like a beginner and clicked the blue button for 50GB icloud before quickly closing the webpage that opened. Since you did the test, do you think that my PC could have been infected by this action (Macbook)? I checked it with anti-virus logis and found nothing. Thanks in advance for your enlightenment!

    1. Hello LouR! I'll answer for John. Typically, these websites are out to steal your login and credit card information. Therefore, they avoid foisting a virus on you as well, since a virus scanner could then start and warn you. If you ran a scan too, I'm pretty sure you didn't catch anything.

      1. Many thanks for your response! Yes, the search for malware turned up nothing. I'll make a backup just in case and stay alert.
        Have a nice evening!

Post a comment

Your e-mail address will not be published. Required fields are marked with * marked

In the Sir Apfelot Blog you will find advice, instructions and reviews on Apple products such as the iPhone, iPad, Apple Watch, AirPods, iMac, Mac Pro, Mac Mini and Mac Studio.