MailGuard 08 August 2025 13:28:35 AEST 6 MIN READ

Origin Energy “refund” scam, in a handful of easy steps

MailGuard has intercepted a multi-stage phishing campaign impersonating Origin Energy and offering a fake $150 overpayment refund. The lure is simple, the flow is polished, and the goal is to harvest identity data, card details, and one-time SMS codes that enable account takeover and fraudulent payments. Our filters are blocking these emails for protected customers, and we're publishing indicators and screenshots here so security teams can brief staff and tune controls quickly.

What to watch out for

Here's what it looks like:

  • Subject line: Notice: Refund for Overpayment on Previous Electricity Bill
  • Display name: Origin Energy
  • Visible sender: `hello-origin-energy-support(at)smtp.com` or `mailsender-origin-energy(at)ecdesk(dot)org`
  • Envelope sender: `msprvs1=20315cripdch6=bounces-251530(at)ecdesk(dot)org`
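The indicators above can be checked mechanically at the mail gateway. The following is an added example (not MailGuard's filter code) that parses a raw message and flags the three things this campaign exposes in its headers: a listed sender or subject, a brand name in the display name or local part that is not sent from the brand's own domain (the lookalike check the guidance below also asks for), and an envelope sender on a different domain from the visible sender. The legitimate domain in `LEGIT_DOMAINS`, the sample messages and the "both brand words present" heuristic are assumptions for illustration; the indicator values are the post's, with the `(at)`/`(dot)` defanging reversed.

```python
"""Header-level triage of an inbound message against the indicators above.

Added example, not MailGuard's filter code. Assumptions, marked here and
below: the legitimate brand domain in LEGIT_DOMAINS, the sample messages,
and the simple "all brand words present" lookalike heuristic.
"""
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

BRAND_WORDS = ("origin", "energy")
LEGIT_DOMAINS = {"originenergy.com.au"}  # assumption: the brand's own domain


def refang(value: str) -> str:
    """Turn a defanged indicator like 'a(at)b(dot)c' back into 'a@b.c'."""
    return value.replace("(at)", "@").replace("(dot)", ".")


# Indicator values from the post, refanged so they compare against real headers.
KNOWN_SENDERS = {refang(s) for s in (
    "hello-origin-energy-support(at)smtp.com",
    "mailsender-origin-energy(at)ecdesk(dot)org",
)}
KNOWN_SUBJECT = "Notice: Refund for Overpayment on Previous Electricity Bill"


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def looks_like_brand(text: str) -> bool:
    """Crude lookalike test: every brand word appears, separators ignored."""
    t = text.lower()
    return all(w in t for w in BRAND_WORDS)


def triage(raw: bytes) -> dict:
    """Return the findings for one raw RFC 822 message and a verdict."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    display, hdr_from = parseaddr(msg.get("From", ""))
    _, env_from = parseaddr(msg.get("Return-Path", ""))
    subject = (msg.get("Subject") or "").strip()
    hdr_dom, env_dom = domain_of(hdr_from), domain_of(env_from)
    local_part = hdr_from.split("@", 1)[0]
    findings = []
    if hdr_from.lower() in KNOWN_SENDERS:
        findings.append("known_sender_ioc")
    if subject == KNOWN_SUBJECT:
        findings.append("known_subject_ioc")
    # Brand in the display name or local part, but not sent from the brand's domain.
    if hdr_dom not in LEGIT_DOMAINS:
        if looks_like_brand(display):
            findings.append("brand_display_name_off_domain")
        if looks_like_brand(local_part):
            findings.append("brand_lookalike_local_part")
    # Bounce address on a different domain from the visible sender.
    if env_dom and hdr_dom and env_dom != hdr_dom:
        findings.append("envelope_header_domain_mismatch")
    return {"from": hdr_from, "return_path": env_from,
            "findings": findings,
            "verdict": "quarantine" if findings else "deliver"}


# Constructed sample messages (headers only) built from the post's indicator values.
LURE_ECDESK = b"""Return-Path: <msprvs1=20315cripdch6=bounces-251530@ecdesk.org>
From: Origin Energy <mailsender-origin-energy@ecdesk.org>
To: staff@example.com
Subject: Notice: Refund for Overpayment on Previous Electricity Bill

Verify Account within 24 hours.
"""
LURE_SMTP = b"""Return-Path: <msprvs1=20315cripdch6=bounces-251530@ecdesk.org>
From: Origin Energy <hello-origin-energy-support@smtp.com>
To: staff@example.com
Subject: Notice: Refund for Overpayment on Previous Electricity Bill

Verify Account within 24 hours.
"""
BENIGN = b"""Return-Path: <bounces@originenergy.com.au>
From: Origin Energy <noreply@originenergy.com.au>
To: staff@example.com
Subject: Your latest bill is ready

Log in via the app or website to view it.
"""

if __name__ == "__main__":
    for name, raw in (("ecdesk lure", LURE_ECDESK), ("smtp lure", LURE_SMTP), ("benign", BENIGN)):
        print(name, triage(raw))
```

The two lure samples differ only in the visible sender: the `smtp.com` variant additionally trips the envelope/header domain mismatch, which is the check that survives when a campaign rotates its display addresses.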

Step 1: Spoofed email

A branded HTML email mimicking an authentic Origin Energy electricity bill advises the recipient of a refund and urges them to 'Verify Account' within 24 hours.

[Screenshot: the spoofed Origin Energy email]

Step 2: Refund bait

The link opens a page carrying Origin Energy branding and a large 'Verify' button, hosted on a domain unrelated to Origin Energy.

[Screenshot: refund landing page with the 'Verify' button]

Step 3: Personal data capture

A “Billing Address” form requests full name, date of birth, address, email and phone.

[Screenshot: “Billing Address” form]

Step 4: Card data capture

Following that, a “Card Verification” form requests the victim's credit card number, expiry and CVV.

[Screenshot: “Card Verification” form]

Step 5: One-time code harvest

A “Phone Verification” page then captures an SMS code, enabling attackers to bypass 2FA protections and process fraudulent payments.

[Screenshot: “Phone Verification” page]

Step 6: False reassurance

Finally, a “Completed” page offers false reassurance, and the victim is redirected to the legitimate Origin Energy website to reduce suspicion.

[Screenshot: “Completed” page]

Here's an end-to-end view of the flow, in the process diagram below.

[Diagram: end-to-end process flow of the scam]

Why it works

The scam trades on the well-known and trusted brand of Origin Energy, coupled with a plausible trigger that creates urgency and lowers scrutiny. Clean templates and consistent branding remove the obvious tells that users rely on, and progressive disclosure collects data in small steps, which feels routine. At the end, the redirection to the real site provides closure and hides the theft.

Guidance for organisations

Reinforce a “stop and check” norm for any refund or payment change request received via email, and disable link-tracking trust in mail clients. Train users to navigate to brands directly via bookmarks, not email links, and harden payment change processes with out-of-band verification and role-based approvals. Security teams should monitor DNS and brand lookalikes that mimic your corporate assets, and instrument your SOC to alert on unusual MFA prompts, failed 3-D Secure events and repeated card tokenisation attempts.
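The SOC alerting suggested above (failed 3-D Secure events, repeated card tokenisation attempts, unusual MFA prompts) reduces to counting events per entity inside a sliding time window. The following is an added example, not MailGuard's or any payment gateway's code; the log line format, the field names (`event`, `result`, `card`, `user`, `session`), the thresholds and the sample lines are all constructed for illustration, and the logic assumes lines arrive in time order.

```python
"""Sliding-window alerting over constructed payment and MFA telemetry.

Added example, not MailGuard's or a gateway's code. Log format, field
names, thresholds and sample lines are constructed; lines are assumed
to be in chronological order.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)
# Assumed thresholds: events for one entity within WINDOW that raise an alert.
THRESHOLDS = {"3ds_fail": 3, "tokenise": 4, "mfa_prompt": 5}


def parse_line(line: str):
    """'2025-08-08T13:00:01Z k=v k=v ...' -> dict with datetime under 'ts', else None."""
    parts = line.split()
    if len(parts) < 2:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    rec = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    rec["ts"] = ts
    return rec


def classify(rec):
    """Map a record to (alert kind, entity it is counted against), or None."""
    ev, res = rec.get("event"), rec.get("result")
    if ev == "3ds_auth" and res == "fail":
        return "3ds_fail", rec.get("card")        # failed 3-D Secure challenge
    if ev == "tokenise":
        return "tokenise", rec.get("card")        # any tokenisation attempt
    if ev == "mfa_prompt":
        return "mfa_prompt", rec.get("user")      # MFA prompt sent to a user
    return None


def detect(log_text: str):
    """Return one alert per (kind, entity) at the moment its threshold is reached."""
    history = defaultdict(deque)   # (kind, entity) -> timestamps inside the window
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hit = classify(rec)
        if hit is None or hit[1] is None:
            continue
        kind, entity = hit
        q = history[(kind, entity)]
        q.append(rec["ts"])
        while rec["ts"] - q[0] > WINDOW:   # evict events older than the window
            q.popleft()
        if len(q) == THRESHOLDS[kind]:      # fire once as the threshold is crossed
            alerts.append({"kind": kind, "entity": entity,
                           "count": len(q), "at": rec["ts"].isoformat()})
    return alerts


# Constructed sample log: one card with three 3DS failures inside ten minutes
# (plus an older failure outside the window), one card with four tokenisation
# attempts, and benign noise.
SAMPLE_LOG = """\
2025-08-08T12:30:00Z event=3ds_auth result=fail card=tok_9f2c session=s03
2025-08-08T13:00:01Z event=tokenise result=ok card=tok_9f2c session=s17
2025-08-08T13:00:40Z event=3ds_auth result=fail card=tok_9f2c session=s17
2025-08-08T13:01:10Z event=3ds_auth result=fail card=tok_9f2c session=s17
2025-08-08T13:01:55Z event=3ds_auth result=fail card=tok_9f2c session=s17
2025-08-08T13:02:00Z event=tokenise result=ok card=tok_4a1f session=s21
2025-08-08T13:02:30Z event=tokenise result=fail card=tok_4a1f session=s21
2025-08-08T13:03:00Z event=tokenise result=fail card=tok_4a1f session=s21
2025-08-08T13:03:20Z event=tokenise result=ok card=tok_4a1f session=s21
2025-08-08T13:05:00Z event=3ds_auth result=ok card=tok_77aa session=s30
2025-08-08T13:06:00Z event=mfa_prompt result=sent user=jdoe
not a log line
"""

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The 12:30 failure for `tok_9f2c` is evicted before the 13:00 burst is counted, so the alert fires on the third failure inside the window rather than on the third failure overall; tune `WINDOW` and `THRESHOLDS` to your gateway's normal retry behaviour.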

If someone in your team clicked

Contact your bank to block the card and monitor for fraud. Reset any passwords reused with that email address, invalidate active sessions, and refresh MFA secrets where possible. File a report with your internal security team and with the ACSC, and advise the affected energy retailer through its official support channel. Origin Energy can be contacted at digitalsecurity@originenergy.com.au or by calling 13 24 61.

Stay Safe, Know the Signs

MailGuard advises all recipients of these emails to delete them immediately without clicking on any links. Responding or providing personal details can lead to identity theft, data breaches, and financial losses.

Avoid emails that:

  • Aren’t addressed to you personally.
  • Are unexpected and urge immediate action.
  • Contain poor grammar or miss crucial identifying details.
  • Direct you to a suspicious URL that isn’t associated with the genuine company.

Many businesses turn to MailGuard after a near miss or incident. Don't wait until it's too late. Reach out to our team for a confidential discussion by emailing expert@mailguard.com.au or calling 1300 30 44 30.

One Email Is All That It Takes

All that it takes to devastate your business is a cleverly worded email message that can steal sensitive user credentials or disrupt your business operations. If scammers can trick one person in your company into clicking on a malicious link or attachment, they can gain access to your data or inflict damage on your business.

For a few dollars per staff member per month, you can protect your business with MailGuard's specialist 'zero zero-day' email security. Special Ops for when speed matters! Our real-time 'zero zero-day' email threat detection amplifies our clients' intelligence, knowledge, security and defence. Talk to a solution consultant at MailGuard today about securing your company's inboxes.

Stay up-to-date with MailGuard's latest blog posts by subscribing to free weekly updates.
