MailGuard 06 October 2025 10:34:41 AEDT 8 MIN READ

Origin Energy "Billing Mistake" Email A Con

'We've made a mistake' is a subject line that almost invites a click, but don't be too hasty. MailGuard's threat detection network is currently intercepting a sophisticated phishing campaign impersonating Origin Energy that uses a clever psychological hook to steal login credentials, payment card details and SMS verification codes.

The Scam: How It Works

This multi-stage attack begins with an email claiming Origin Energy has made a billing error and accidentally charged customers twice for the same service period. The email promises a refund of $403.56 and directs recipients to click a link labelled "Set up direct" to complete a refund form.

[Screenshot: the phishing email]

What makes this scam particularly dangerous is its psychological approach. Rather than creating urgency through threats or warnings, it leverages a different emotion entirely: the appearance of corporate accountability and customer service. The subject line "We've made a mistake" immediately positions the sender as honest and apologetic, lowering the recipient's defenses. The promise of a refund, money you're supposedly owed, creates a sense of entitlement that makes clicking the link feel like claiming what's rightfully yours rather than responding to a suspicious solicitation.

This is social engineering at its most insidious. The scammers understand that people are more likely to engage with messages that offer them something they deserve than those that threaten consequences.

The Three-Stage Credential Harvest

Once a victim clicks the link, they're taken through a carefully designed sequence of pages that systematically extract sensitive information:

Stage 1: Account Credentials

The first page presents a convincing Origin Energy login portal requesting email address and password. The page includes "Forgot email?" and "Forgot password?" links to enhance authenticity, along with a "Log in without a password" option that claims to send a one-time link.

[Screenshot: the fake Origin Energy login page]

Stage 2: Payment Card Details

After entering credentials, victims are directed to a "Review & Refund" page that requests complete credit card information: card number, expiry date, CVV, and cardholder name. The page displays Visa, Mastercard, and American Express logos and includes a reassuring message: "Your information is encrypted and secure."

[Screenshot: the fake "Review & Refund" card details page]

This false security statement is particularly manipulative. It's designed to override any remaining skepticism by addressing the exact concern a cautious user might have at this stage.

Stage 3: SMS Verification Code

The final stage requests an SMS verification code, claiming it has been sent to the victim's registered phone number. The page displays a partially masked phone number and states the code expires in 5 minutes, with options to verify or resend the code.

[Screenshot: the fake SMS verification page]

This third stage is what elevates this scam from standard credential phishing to real-time account compromise. A genuine SMS code can only be issued by the legitimate service, so if one actually arrives on the victim's phone it is because the attacker is, at that moment, replaying the stolen credentials or card details against the real service and needs the code to finish. Capturing it lets the attacker potentially bypass two-factor authentication on the victim's actual Origin Energy account or complete a card transaction while the code is still valid; the five-minute expiry shown on the page fits this live, adversary-in-the-middle relay rather than an offline harvest.

Once the victim enters the SMS code, they're redirected to the legitimate Origin Energy website, a technique designed to make victims believe the process was genuine and delay them from realising they've been compromised.

Critical Warning Signs

Despite its polished appearance, this phishing campaign contains several red flags that should immediately alert recipients:

Sender Email Address Mismatch

The emails display "Origin Energy" as the sender name, but the actual sending addresses are completely unrelated:

  • accounts@beautyart.com.mx
  • clientservices@brinkster.net
  • customer.care@baobamoil.com

None of these domains has any connection to Origin Energy; legitimate Origin communications would come from an @originenergy.com.au address. The display name is free text chosen by whoever sends the message, so "Origin Energy" in the From line proves nothing on its own. Check the actual address, and bear in mind that even the visible From address can be forged where the impersonated domain's DMARC policy does not tell receiving servers to reject such mail.
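The sender-domain check above, written out as a triage rule. This is an added example and not MailGuard's detection code: it parses the From: header, reduces the address to its registrable domain rather than searching for the brand name anywhere in the string (which is how lookalikes such as originenergy.com.au.something.example slip past), compares that against an assumed allowlist of the brand's domains, and lists body links that point off-brand. The allowlist, the short public-suffix set and the sample messages are constructed for the example; only the three sender addresses come from the post.

```python
"""Flag e-mails whose From: display name claims a brand that the sending
domain does not belong to, and list body links that point off-brand.

Added example for this post; it is not MailGuard's detection code. The
brand-to-domain allowlist and the sample messages are constructed for
illustration (the three sender addresses are the ones quoted in the post).
"""
import re
from email.utils import parseaddr

# Assumed allowlist: the registrable domains a brand legitimately sends from.
# The Origin entry follows the post; anything else would be your own policy.
BRAND_DOMAINS = {
    "origin energy": {"originenergy.com.au"},
}

# Two-label public suffixes this example recognises. A real deployment would
# use the full Public Suffix List; this short set is an assumption.
TWO_LABEL_SUFFIXES = {"com.au", "net.au", "org.au", "gov.au", "co.uk", "com.mx"}

URL_HOST_RE = re.compile(r"""https?://([^/\s"'<>]+)""", re.IGNORECASE)


def registrable_domain(host):
    """Reduce a host name to its registrable domain, e.g.
    mail.originenergy.com.au -> originenergy.com.au and
    originenergy.com.au.evil.example -> evil.example (the lookalike trick).
    A bare IP address reduces to its last two octets, which is never on an
    allowlist, so it is treated as off-brand, which is what we want."""
    host = host.lower().split(":")[0].strip("[]")
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def claimed_brand(display_name):
    """Return the monitored brand named in the display name, if any."""
    name = display_name.lower()
    for brand in BRAND_DOMAINS:
        if brand in name:
            return brand
    return None


def check_from(from_header):
    """Return (verdict, reason) for a raw From: header value."""
    display, addr = parseaddr(from_header)
    if "@" not in addr:
        return "suspicious", "From address could not be parsed"
    brand = claimed_brand(display)
    if brand is None:
        return "unknown", "display name does not claim a monitored brand"
    domain = registrable_domain(addr.rsplit("@", 1)[1])
    if domain in BRAND_DOMAINS[brand]:
        return "ok", f"{brand} mail sent from {domain}"
    return "suspicious", f"display name claims {brand} but sender domain is {domain}"


def off_brand_links(body, brand):
    """Return the hosts of body links whose registrable domain is not the brand's."""
    return [h for h in URL_HOST_RE.findall(body)
            if registrable_domain(h) not in BRAND_DOMAINS[brand]]


def triage(messages):
    """Run both checks over (from_header, body) pairs; return the flagged ones."""
    flagged = []
    for from_header, body in messages:
        verdict, reason = check_from(from_header)
        brand = claimed_brand(parseaddr(from_header)[0])
        links = off_brand_links(body, brand) if brand else []
        if verdict == "suspicious" or links:
            flagged.append((from_header, reason, links))
    return flagged


# Constructed sample messages (bodies are illustrative, not the real lure text).
SAMPLE_MESSAGES = [
    ('"Origin Energy" <accounts@beautyart.com.mx>',
     "We've made a mistake. Claim your $403.56 refund: "
     "https://originenergy.com.au.refund-portal.example/login"),
    ("Origin Energy <clientservices@brinkster.net>",
     "Set up direct: http://203.0.113.10/origin/refund"),
    ("Origin Energy <customer.care@baobamoil.com>",
     "Review & Refund: https://secure-origin.example/review"),
    ("Origin Energy <noreply@mail.originenergy.com.au>",
     "Your bill is ready at https://www.originenergy.com.au/myaccount"),
]

if __name__ == "__main__":
    for sender, reason, links in triage(SAMPLE_MESSAGES):
        print(f"FLAG {sender}: {reason}; off-brand links: {links}")
```

In a real gateway this rule would sit alongside the SPF, DKIM and DMARC authentication results for the message, since the header From can itself be forged when the impersonated domain does not publish a rejecting DMARC policy; the display-name check catches the lazy case shown in this campaign, where the attackers did not bother to forge the address at all.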

Unsolicited Refund Offers

Legitimate companies rarely initiate refunds via email links. Genuine billing corrections would typically appear as credits on your next statement, or require you to log in directly through the company's official website (by typing the URL yourself, not clicking an email link).

Request for Complete Payment Card Details

A legitimate refund would be processed back to the original payment method automatically. Origin Energy would never need you to re-enter your complete credit card details, including CVV, to issue a refund.

SMS Code Request

This is the most alarming indicator. No legitimate refund process requires an SMS verification code from you. If a company needs to verify your identity for a refund, they would use information already on file or direct you to contact their official support channels.

Professional Appearance Is Not Proof of Legitimacy

The polished design of the phishing pages demonstrates that scammers can replicate legitimate websites with remarkable accuracy. Never use visual quality as your primary indicator of legitimacy; focus instead on sender addresses, URLs and the logic of what's being requested.

What Happens If You Fall for This Scam?

Victims of this attack face multiple serious consequences:

Immediate Risks:

  • Account Takeover: Attackers gain access to your actual Origin Energy account using your stolen credentials, allowing them to view personal information, change account details, or redirect billing.
  • Financial Fraud: Your credit card details can be used immediately for fraudulent purchases, potentially before you realise you've been compromised.
  • Identity Theft: The combination of email credentials, account access, and payment information provides scammers with enough data to potentially commit broader identity fraud.

Secondary Risks:

  • Credential Reuse Attacks: If you use the same password for multiple accounts, attackers will attempt to access your email, banking, and other online services.
  • Further Phishing: Your email address will be marked as "responsive" and added to lists for future scam campaigns.
  • SMS Phishing: The captured phone number may be used for SMS-based scams (smishing).

Stay Safe, Know the Signs

MailGuard advises all recipients of these emails to delete them immediately without clicking on any links. Responding or providing personal details can lead to identity theft, data breaches, and financial losses.

Avoid emails that:

  • Aren’t addressed to you personally.
  • Are unexpected and urge immediate action.
  • Contain poor grammar or miss crucial identifying details.
  • Direct you to a suspicious URL that isn’t associated with the genuine company.

Many businesses turn to MailGuard after a near miss or incident. Don't wait until it's too late. Reach out to our team for a confidential discussion by emailing expert@mailguard.com.au or calling 1300 30 44 30.

One Email Is All That It Takes   

All that it takes to devastate your business is a cleverly worded email message that can steal sensitive user credentials or disrupt your business operations. If scammers can trick one person in your company into clicking on a malicious link or attachment, they can gain access to your data or inflict damage on your business.     

For a few dollars per staff member per month, you can protect your business with MailGuard's specialist 'zero zero-day' email security: Special Ops for when speed matters. Our real-time 'zero zero-day' email threat detection amplifies our clients' intelligence, knowledge, security and defence. Talk to a solution consultant at MailGuard today about securing your company's inboxes.
