'We've made a mistake', the subject line alone is enough to make you click, but don't be too hasty. MailGuard's threat detection network is currently intercepting a sophisticated phishing campaign impersonating Origin Energy that uses a clever psychological hook to steal login credentials, payment card details, and SMS verification codes.
This multi-stage attack begins with an email claiming Origin Energy has made a billing error and accidentally charged customers twice for the same service period. The email promises a refund of $403.56 and directs recipients to click a link labeled "Set up direct" to complete a refund form.
What makes this scam particularly dangerous is its psychological approach. Rather than creating urgency through threats or warnings, it leverages a different emotion entirely: the appearance of corporate accountability and customer service. The subject line "We've made a mistake" immediately positions the sender as honest and apologetic, lowering the recipient's defenses. The promise of a refund, money you're supposedly owed, creates a sense of entitlement that makes clicking the link feel like claiming what's rightfully yours rather than responding to a suspicious solicitation.
This is social engineering at its most insidious. The scammers understand that people are more likely to engage with messages that offer them something they deserve than those that threaten consequences.
Once a victim clicks the link, they're taken through a carefully designed sequence of pages that systematically extract sensitive information:
Stage 1: Account Credentials
The first page presents a convincing Origin Energy login portal requesting email address and password. The page includes "Forgot email?" and "Forgot password?" links to enhance authenticity, along with a "Log in without a password" option that claims to send a one-time link.
Stage 2: Payment Card Details
After entering credentials, victims are directed to a "Review & Refund" page that requests complete credit card information: card number, expiry date, CVV, and cardholder name. The page displays Visa, Mastercard, and American Express logos and includes a reassuring message: "Your information is encrypted and secure."
This false security statement is particularly manipulative. It's designed to override any remaining skepticism by addressing the exact concern a cautious user might have at this stage.
Stage 3: SMS Verification Code
The final stage requests an SMS verification code, claiming it has been sent to the victim's registered phone number. The page displays a partially masked phone number and states the code expires in 5 minutes, with options to verify or resend the code.
This third stage is what elevates this scam from standard credential phishing to real-time account compromise. By capturing the SMS verification code, attackers can potentially bypass two-factor authentication on the victim's actual Origin Energy account or use the stolen payment card details immediately while the verification code is still valid.
Once the victim enters the SMS code, they're redirected to the legitimate Origin Energy website, a technique designed to make victims believe the process was genuine and delay them from realising they've been compromised.
Despite its polished appearance, this phishing campaign contains several red flags that should immediately alert recipients:
Sender Email Address Mismatch
The emails display "Origin Energy" as the sender name, but the actual sending addresses are completely unrelated:
None of these domains have any connection to Origin Energy. Legitimate Origin communications would come from an @originenergy.com.au address.
Unsolicited Refund Offers
Legitimate companies rarely initiate refunds via email links. Genuine billing corrections would typically appear as credits on your next statement, or require you to log in directly through the company's official website (by typing the URL yourself, not clicking an email link).
Request for Complete Payment Card Details
A legitimate refund would be processed back to the original payment method automatically. Origin Energy would never need you to re-enter your complete credit card details, including CVV, to issue a refund.
SMS Code Request
This is the most alarming indicator. No legitimate refund process requires an SMS verification code from you. If a company needs to verify your identity for a refund, they would use information already on file or direct you to contact their official support channels.
Professional Appearance Is Not Proof of Legitimacy
The polished design of the phishing pages demonstrates that scammers are capable of replicating legitimate websites with remarkable accuracy. Never use visual quality as your primary indicator of legitimacy; focus instead on sender addresses, URLs, and the logic of what's being requested.
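The sender-address red flag above (an "Origin Energy" display name on an address that is not @originenergy.com.au) is easy to check mechanically in a mail filter or a triage script. The following is an added example written for this post; it is not MailGuard's code or Origin Energy's, and the sample From: headers in it are constructed for illustration rather than the addresses seen in this campaign. The brand-to-domain mapping and the function names are assumptions of the example.

```python
"""Flag display-name brand impersonation in e-mail From: headers.

Added example, not MailGuard's or Origin Energy's code. It implements the
red flag described in the post: a display name containing "Origin Energy"
paired with a sending domain that is not originenergy.com.au (or one of
its subdomains). All sample headers below are constructed.
"""
from email.utils import parseaddr

# Brand name (lower-case) -> legitimate sending domains for that brand.
# originenergy.com.au is named in the post; the mapping itself is an
# assumption of this example and would be extended per customer.
BRAND_DOMAINS = {
    "origin energy": {"originenergy.com.au"},
}


def sender_domain(address: str) -> str:
    """Return the lower-cased domain part of an address, or '' if malformed."""
    if "@" not in address:
        return ""
    return address.rsplit("@", 1)[1].strip().lower()


def check_from_header(from_header: str) -> dict:
    """Parse a From: value and report whether its display name impersonates a known brand.

    A match requires the real domain to equal a legitimate domain or be a
    subdomain of it; look-alikes such as originenergy.com.au.example.test
    fail that test and are flagged.
    """
    display_name, address = parseaddr(from_header)
    domain = sender_domain(address)
    name_lc = display_name.lower()
    for brand, legit_domains in BRAND_DOMAINS.items():
        if brand in name_lc:
            legitimate = any(
                domain == d or domain.endswith("." + d) for d in legit_domains
            )
            return {
                "display_name": display_name,
                "domain": domain,
                "brand": brand,
                "impersonation": not legitimate,
            }
    # Display name mentions no tracked brand: nothing to compare against.
    return {
        "display_name": display_name,
        "domain": domain,
        "brand": None,
        "impersonation": False,
    }


def flagged_senders(headers):
    """Return the check results for every header that looks like impersonation."""
    return [r for r in map(check_from_header, headers) if r["impersonation"]]


# Constructed sample headers (not real campaign data).
SAMPLE_HEADERS = [
    "Origin Energy <noreply@originenergy.com.au>",          # genuine domain
    '"Origin Energy" <refunds@example-billing.test>',       # unrelated domain
    "Origin Energy <support@originenergy.com.au.example.test>",  # look-alike
    "Alice Example <alice@example.test>",                   # no brand claimed
]

if __name__ == "__main__":
    for result in flagged_senders(SAMPLE_HEADERS):
        print(f"IMPERSONATION: '{result['display_name']}' sent from {result['domain']}")
```

Running the script prints the two constructed look-alike senders and stays silent on the genuine one. In a real deployment the same check would sit beside, not instead of, SPF/DKIM/DMARC evaluation, since a display name is free-form text that authentication records do not cover.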
Victims of this attack face multiple serious consequences:
Immediate Risks:
Secondary Risks:
Prevention is always better than a cure, and one of the best defences is to encourage businesses to proactively boost their company's cyber resilience levels to avoid threats landing in inboxes in the first place. The fact that a staggering 94% of malware attacks are delivered by email makes email an extremely important vector for businesses to fortify.
No one vendor can stop all email threats, so it’s crucial to remind customers that if they are using Microsoft 365 or Google Workspace, they should also have a third-party email security specialist in place to mitigate their risk. For example, using a specialist AI-powered email threat detection solution like MailGuard.
For a few dollars per staff member per month, businesses are protected by MailGuard's specialist, zero-day email security. Special Ops for when speed matters! Our real-time zero-day, email threat detection amplifies your client’s intelligence, knowledge, security and defence.
MailGuard provides a range of solutions to keep businesses safe, from email filtering to email continuity and archiving solutions. Speak to your clients today to ensure they’re prepared and get in touch with our team to discuss fortifying your client’s cyber resilience.
MailGuard's partner blog is a forum to share information; we want it to be a dialogue. Reach out to us and tell us what your customers need so we can serve you better. You can connect with us on social media or call us and speak to one of our consultants.
Australian partners, please call us on 1300 30 65 10
US partners call 1888 848 2822
UK partners call 0 800 404 8993