Email remains the easiest way for criminals to get a foot in the door. One lure that keeps turning up is the expiry scare. The message claims your mailbox, domain, or hosting account will be disabled today unless you click a link and “verify”. It feels urgent. That is the trick. Below are realistic examples, why they do not stack up, and the steps that actually keep you safe.
What these messages look like
Example 1: “Your mailbox storage is almost full.”
Subject: Final notice: mailbox storage 99% full
From: Mail Administrator <support@secure-mail-notice[.]com>
Body: Your mailbox has reached its storage limit. Emails will stop being delivered in 12 hours. Click below to Upgrade Storage and avoid account deactivation.
Why it does not stack up
Real storage upgrades happen inside your billing portal after you sign in. They do not arrive as a mystery link. The sender domain is not your provider. Storage problems are billing tasks, not something fixed by “IT” with a button in an email.
Example 2: “Your password expires today, keep the same password”
Subject: Microsoft 365 Password Notification
From: System Admin <no-reply@security-update[.]help>
Body: Your portal password expires today. To KEEP THE SAME PASSWORD, click the secure link below. Failure to act now may cause a login interruption.
Why it does not stack up
Password changes happen only after you sign in at the address you already know. Email is not where a provider asks you to keep the same password. The link is the trap, even when the email uses familiar logos.
Example 3: “cPanel quota reached, verify to avoid suspension”
Subject: WARNING: Domain has reached disk quota
From: cPanel Security <cpanel-alert@admin-verify[.]net>
Body: We detected unusual activity and your domain storage is full. To avoid suspension, verify your account and confirm your password.
Why it does not stack up
Genuine cPanel alerts arrive via your hosting company’s brand and helpdesk. “Verify your password” is never required to fix storage. That is either housekeeping or a paid upgrade done in your account, not by email link.
Four 30-second checks that stop most scams
- Check the real link destination. Hover on a computer or long press on a phone. If the link does not end with the genuine domain you already use, close the email.
- Check the sender’s full address. Display names like “Mail Administrator” hide throwaway domains.
- Ignore manufactured urgency. “24-hour deactivation” is theatre designed to rush your decision.
- Go in the front door yourself. Open the app or site the way you normally do and sign in. If there is a real issue, you will see it there.
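The first two checks can also be automated for messages that staff report. The script below is an added example, not part of the original article: it compares the sender domain and every link host against a list of domains you really use, matching on whole labels so a look-alike such as login.example-mail.test.security-update.example does not pass. The trusted domains and the sample message are constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumption: the domains your organisation really signs in to (placeholders).
TRUSTED_DOMAINS = {"example-mail.test", "example-host.test"}

# Constructed sample modelled on Example 2; not a captured message.
SAMPLE = """\
From: System Admin <no-reply@security-update.example>
Subject: Password Notification
Content-Type: text/plain; charset="utf-8"

Your portal password expires today. To KEEP THE SAME PASSWORD, click:
https://login.example-mail.test.security-update.example/keep
Your usual portal: https://portal.example-mail.test/account
"""

def is_trusted(host):
    """True only for a trusted domain or a real subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)

def body_text(msg):
    """Decode every text part (plain or HTML) into one string."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            data = part.get_payload(decode=True) or b""
            chunks.append(data.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)

def triage(raw):
    """Return findings for the sender address and every link host."""
    msg = message_from_string(raw)
    _display, addr = parseaddr(msg.get("From", ""))
    findings = []
    sender_domain = addr.rpartition("@")[2]
    if not is_trusted(sender_domain):
        findings.append(f"sender domain not trusted: {sender_domain}")
    for url in re.findall(r"https?://[^\s<>\"']+", body_text(msg)):
        host = urlsplit(url).hostname or ""
        if not is_trusted(host):
            findings.append(f"link host not trusted: {host}")
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

The genuine portal link in the sample produces no finding, while the sender and the look-alike link are both flagged.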
Protect your business the right way
Fix your domain so it is harder to spoof
Ask your IT partner or registrar to implement SPF, DKIM, and DMARC, then set a policy. SPF lists the servers allowed to send for your domain. DKIM signs your messages so tampering is visible. DMARC checks that those results align with the domain in your From address and tells receivers what to do with failures. Start with p=quarantine while you test, then move to p=reject once you are sure all legitimate senders are covered.
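To see where a domain sits on that path, the following added example (not from the original article) audits an SPF and a DMARC TXT record and reports what still needs tightening. The records are constructed for the placeholder domain example.test and a hypothetical mail host; paste in the TXT values your own DNS returns.

```python
# Constructed TXT records for the placeholder domain example.test.
STAGES = {
    "monitoring": ("v=spf1 include:_spf.mailhost.test ?all",
                   "v=DMARC1; p=none; rua=mailto:dmarc@example.test"),
    "testing": ("v=spf1 include:_spf.mailhost.test ~all",
                "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.test"),
    "enforced": ("v=spf1 include:_spf.mailhost.test -all",
                 "v=DMARC1; p=reject; rua=mailto:dmarc@example.test"),
}

def parse_tags(record):
    """Split a DMARC record into its tag=value pairs."""
    tags = {}
    for item in record.split(";"):
        key, sep, value = item.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags

def audit(spf, dmarc):
    """Return a list of weaknesses; an empty list means fully enforced."""
    issues = []
    terms = spf.lower().split()
    if not terms or terms[0] != "v=spf1":
        issues.append("SPF: record missing or not v=spf1")
    elif any(t in ("all", "+all", "?all") for t in terms):
        issues.append("SPF: 'all' term lets any server pass or stay neutral")
    tags = parse_tags(dmarc)
    policy = tags.get("p", "").lower()
    if tags.get("v") != "DMARC1":
        issues.append("DMARC: record missing or not v=DMARC1")
    elif policy == "none":
        issues.append("DMARC: p=none only monitors, receivers are asked to take no action")
    elif policy == "quarantine":
        issues.append("DMARC: p=quarantine is the testing stage, next is p=reject")
    elif policy != "reject":
        issues.append(f"DMARC: unknown policy {policy!r}")
    if tags.get("v") == "DMARC1" and tags.get("pct", "100") != "100":
        issues.append("DMARC: pct below 100 applies the policy to only part of the mail")
    return issues

if __name__ == "__main__":
    for stage, (spf, dmarc) in STAGES.items():
        print(stage, audit(spf, dmarc) or "no issues")
```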
Turn on strong sign-in defences
Use multi-factor authentication for email, hosting, and your domain registrar. Where possible, use phishing-resistant options such as passkeys or security keys. Attackers go after owners and shared mailboxes because one set of credentials opens many doors.
Lock down the admin keys
Enable account-level MFA. Turn on auto-renew for domains and use registrar lock. Do not reuse the same email address for customer service and admin recovery. Keep payment and banking changes out of email entirely. Confirm any change by speaking to a known contact on a known number.
Make reporting easy for your team
Switch on the Report phishing button in your email platform. Route reports to whoever handles IT. The goal is a quick, simple action that trains the filters and alerts your team.
Teach one simple habit
Stop before clicking. Check the domain. Choose the safer route by opening the service directly. Send a two-minute reminder once a quarter. More staff reports usually mean your culture is improving.
If someone did click
- Change the password for that account immediately, and for any other service that used the same password.
- Enable MFA if it was not on.
- Run a malware scan and remove any remote access tools you did not install.
- Check the mailbox rules and forwarding. Attackers often add silent forwarding to watch invoices.
- Warn your finance person and your bank to expect payment diversion attempts.
- Report the incident to your email provider and your national cyber authority so takedowns can happen quickly.
Threats that are theatre
Email expiry threats are theatre. Real providers put notices in the official portal and use clear, branded channels. They do not push you through a mystery link with a ticking clock. If something feels off, it probably is. Open the service the way you normally do and check there. If you are still unsure, ask your IT partner before you click.
If you would like help hardening your mail and hosting, Asporea Digital can set up SPF, DKIM, and DMARC, enable multi-factor protection across your accounts, and review your reporting process. You can order a short email security tune up and we will get your domain and inboxes into a safer place quickly.
Download our free guide
You do not need new software to lower your risk. You need a clear message and a repeatable habit. The staff guide gives you both, plus a checklist for owners to keep things tight.
Download the staff guide. Teach the habit. Cut the risk.


