“Mailbox full” phishing attacks

When you get an email message telling you that your mailbox is full, or that your “quota has been exceeded,” it’s a good idea to double-check before you respond in any way. It might be a phishing attack designed to harvest your login credentials, infect your computer with malware, or both.

Most email service providers have a limit to how much space incoming messages can take up on the server. The size of this limit often depends on whether or not (and how much) the user is paying for the service (free providers give you less than ones you pay for).

If you leave hundreds and thousands of messages unread because you never check your mail, or don’t set up your email program to remove messages from the server after reading, you can reach this limit and new messages won’t get through.

That said, if you get a “mailbox full” message, chances are it’s not from your email service provider at all, and clicking on any links could lead to trouble. Here are a couple things to look for.

Bad spelling/bad grammar: these days, large internet service companies hire people who know how to spell and write to compose official messages. Strange grammatical constructions or misspelled words are an immediate tip-off that the email isn’t legitimate.

Who is it from? If you were really looking at an official message about your iCloud email account, you would think the sender’s address would be “[username]@icloud.com.” Same with att.net, hotmail.com, gmail.com or any of the others. Yet in a majority of cases, phishing emails appear to come from an address that has nothing to do with the service provider. Keep this in mind, though: some more sophisticated and/or targeted attacks might not have this flaw.

Where do the links go? You can see where a link takes you without clicking on it by hovering your mouse over the link and waiting for the little popup window to display the address. On a mobile device, you can hold your finger down on the link (instead of tapping) and a window will pop up showing the address. Again, if it’s from your actual email provider, that link is going to lead somewhere related to the business (and related to the sender’s address). A message about your Gmail account is going to point to something hosted at google.com, for example. Beware of lookalike addresses, though; the architects of these attacks will sometimes set up websites with addresses like “att.net-verification.com.br” where at first glance it appears to point to an att.net site, but the actual address is “net-verification.com.br.”

The best practice is to never interact directly with this type of message in the first place. If you think there might be a real issue with your email account, go directly to the provider’s website to find out if there really is a problem and how to correct it. If you did click on a suspicious link, run a virus scan to make sure you haven’t been infected with malware, and change any affected account passwords immediately.