Threat | Phishing & impersonation

Fake Google One subscription expired or Google One AI Premium payment failed with 2TB storage full, Google Photos backup stopped, and Gemini Advanced suspended phishing

fake-google-one-storage-subscription-billing-phish

What this tier means

High-confidence threat indicator — phishing, impersonation, BEC, or scam pattern. Strong contributor to the trash decision.

How Gorganizer detects this

Phishing emails impersonating Google One claiming the subscription has expired, the Google One AI Premium payment has failed, 2TB storage is full and Google Photos backup has stopped, Gemini Advanced features are suspended, or Google Drive and Gmail sync have been paused — directing victims to renew or update billing through a credential-harvesting portal. A distinct attack category separate from generic Google account phishing, targeting Google One's 200M+ subscribers through service-specific urgency.

Key facts:

(1) Google One is a paid subscription service with 200M+ subscribers at tiers from $1.99/month (100GB) through $9.99/month (2TB) to $19.99/month (AI Premium with Gemini Advanced + 2TB + Google Meet premium + VPN) — a 'Google One subscription expired, your 2TB storage is full' email is distinct from a generic 'Google account suspended' phish because it targets the specific Google One service and its storage/AI bundle.

(2) The multi-service suspension hook creates compounded urgency: Google One storage affects Google Drive (all documents and files), Gmail (email storage), and Google Photos (photo backup) simultaneously — a single subscription expiry email that claims 'Drive sync stopped, Gmail storage full, Photos backup paused, Gemini Advanced suspended' implies catastrophic data loss across every Google service the user depends on daily.

(3) The Google One AI Premium tier is very new (launched 2024) and bundles Gemini Advanced, making a 'Gemini Advanced features are no longer active' hook novel and credible — users who recently upgraded to AI Premium for Gemini access are particularly vulnerable because they know exactly what they lose if the payment fails.

(4) Google's legitimate storage notification system sends warnings at 75%, 90%, and 100% storage capacity — attackers copy this format precisely, including the storage percentage and the 'Google Photos backup has paused' language that Google genuinely uses.

(5) The attack differs fundamentally from generic Google account phishing: generic Google phish steals login credentials by claiming 'your account is suspended'; Google One phish steals billing credentials and payment information under the more specific and plausible 'your storage plan expired' narrative, making it harder for security awareness training to detect.

(6) Google One subscribers often have sensitive data in Google Drive and Google Photos that creates emotional urgency — family photos, business documents, and irreplaceable files all appear threatened by 'storage full and backup stopped' language.

Warning signs: the sender is not google.com or one.google.com. Genuine Google One billing is at one.google.com; Google account storage is at myaccount.google.com/storage.

False-positive guard

Every signal in Gorganizer feeds a multi-module score — never a sole verdict. This is a threat-tier signal — it adds a strong contribution to the trash score. The full pipeline still requires convergence across multiple modules + a margin over the safety floor before deletion happens, and Gmail's trash (30-day recovery) is always used — never permanent delete.

About the scoring engine

Gorganizer's scoring engine emits over 1,800 signals across six modules — headers, sender, subject, body, attachments, and structural metadata. Every email is scored by every module independently; the final verdict requires multiple modules to agree and the trash score to beat the safety floor by a margin.

Sacred safety guards — never delete starred emails, replies, calendar invites, receipts/invoices, or attachments — apply unconditionally regardless of any signal.
