EnergyAustralia 'Request a refund' phishing scam

MailGuard is alerting customers to a new phishing campaign impersonating EnergyAustralia, currently being intercepted by MailGuard’s filter network. This scam is designed to look routine and financially appealing, as a “refund” message that many recipients will be tempted to action quickly. It uses a simple HTML email with a single link, then moves victims through a staged data capture process that escalates from basic identity information to payment details, finishing with an SMS code prompt and a redirect to the legitimate EnergyAustralia website to reduce suspicion.

What the scam looks like

The email presents as a refund notification, encouraging the recipient to click a prominent button such as “Claim a Refund”.

Sender details observed by MailGuard:

• Display name: EnergyAustralia
• Display address: secure-system-account360sec.master(at)message(dot)com
• Sending address: secure-system-account360sec.master(at)message(dot)com

While the branding and layout may look convincing, the sender domain does not align with EnergyAustralia’s legitimate email infrastructure, which is a key indicator this message is not genuine.

The phishing email claims a refund is available and prompts the user to click ‘Claim a Refund’.”

How the scam works, step-by-step

Once the user clicks the link, they are taken to a phishing site that mimics an EnergyAustralia web experience and collects information in stages.

Stage 1: Identity capture
The first page asks for the victim’s email address and name.

Stage 2: Personal details capture
The second page asks for additional personal details, expanding the identity profile that can be misused for fraud or follow-on attacks.

Stage 3: Payment details capture
The third page asks for credit card details under the premise of processing the refund.

Stage 4: SMS code prompt and redirect
The fourth page requests an SMS security code and then redirects the user to the real EnergyAustralia website. This is a deliberate tactic. The redirect can make victims think the process completed normally, delaying reporting and response.

Why this scam is dangerous for businesses

Refund scams like this are not just consumer nuisances. They are designed to harvest a blend of identity and payment data that can be used for:

• Financial fraud using captured card details
• Identity misuse using personal details provided in the staged forms
• Follow-on phishing and targeted impersonation, where attackers use known details to craft more convincing messages
• Operational risk, when staff use work email addresses and business devices to complete the steps

For security leaders, the key issue is that the attack relies on trust and workflow familiarity, not technical complexity. A staged, believable journey can outperform obvious “too good to be true” scams.

What to tell staff and customers to watch for

Share these practical indicators with teams:

• Refund emails that do not address the recipient by name
• Messages urging action via a single button, especially “Claim a Refund”
• Sender addresses that do not match the organisation being impersonated
• Refund processes that request credit card details to “issue” a refund
• Any page requesting an SMS security code immediately after payment details, particularly when reached via an email link
• Sudden redirects to a legitimate website after entering details, which can be used to disguise the scam

Recommended actions for IT and security teams

If an organisation suspects a user clicked or entered details:

• Encourage the user to report immediately, even if they were redirected to a legitimate site afterwards
• Review mail logs for similar messages, then quarantine or block related senders and URLs
• If payment details were submitted, advise the user to contact their bank immediately
• Consider reinforcing layered protections that reduce reliance on user judgement at speed

Stay Safe, Know the Signs

MailGuard advises all recipients of these emails to delete them immediately without clicking on any links. Responding or providing personal details can lead to identity theft, data breaches, and financial losses.

Avoid emails that:

• Aren’t addressed to you personally.
• Are unexpected and urge immediate action.
• Contain poor grammar or miss crucial identifying details.
• Direct you to a suspicious URL that isn’t associated with the genuine company.

Many businesses turn to MailGuard after a near miss or incident. Don't wait until it's too late. Reach out to our team for a confidential discussion by emailing expert@mailguard.com.au or calling 1300 30 44 30.

One Email Is All That It Takes   

All that it takes to devastate your business is a cleverly worded email message that can steal sensitive user credentials or disrupt your business operations. If scammers can trick one person in your company into clicking on a malicious link or attachment, they can gain access to your data or inflict damage on your business.     

For a few dollars per staff member per month, you can protect your business with MailGuard's specialist AI-powered, zero-day email security. Special Ops for when speed matters!  Our real-time zero-day, email threat detection amplifies our client’s intelligence, knowledge, security and defence. Talk to a solution consultant at MailGuard today about securing your company's inboxes.  

Stay up-to-date with MailGuard's latest blog posts by subscribing to free updates. Subscribe to weekly updates by clicking on the button below.