Scammers Trick Customers with 'Your new refund bill' Phishing Email

Posted by MailGuard on 29 November 2021 12:14:34 AEDT

Optus customers need to be wary of a phishing email that may land in their inbox, claiming to offer a refund. A similar email, intercepted by MailGuard earlier in the month mimicking another popular telecommunications provider, uses the same messaging, offering victims a refund on their bill due to a system error.  

It’s not surprising that opportunistic scammers are taking advantage of the holiday season to try and entice unsuspecting customers into providing them with credit card, username, and password details with the promise of a refund. With over 10 million Optus subscribers in Australia, it is highly likely that some unsuspecting victims will follow through on the phishing scam without giving it a second thought.  

The email arrives with the subject ‘Your new refund bill No: [###]’. The sender display name is ‘Optus’, but it is attached to what appears to be a compromised business account. Customers are reminded to always check the email address that the email has come from, as scammers try to distract recipients by using the company name as the sender. Upon opening the email, the victim is met with a ‘Your refund did not go through!’ message, advising them that the latest balance of their account has been paid twice due to a system error. Clicking on the ‘Refund the amount’ link supposedly refunds the purported amount ‘within 3 business days.’

Here’s what the email looks like:  

[Screenshot: the ‘Your new refund bill N° - 89089833431’ email, shown in Mozilla Thunderbird]

Scammers have not gone to much effort to accurately copy Optus branding; however, the inclusion of brand colours, a bill number, and a refund message could easily fool time-poor and innocent victims.

Clicking on the ‘refund the amount’ link takes customers to the first phishing page (below), asking for Optus customer login details, username, and password.  

[Screenshot: phishing page titled ‘My account login page - Optus’]

After logging in, victims are taken to the page below, requesting the credit card details used for their billing.  

[Screenshot: phishing page titled ‘Optus - Informations’]

Once the user enters and confirms these details, and the cybercriminals have harvested their credentials, the user is taken to the following SMS verification page and notified that their ‘invoice has been paid successfully’ before being redirected to a legitimate Optus page. Scammers regularly use this technique to confuse victims into believing that the communication is authentic.

[Screenshot: phishing page titled ‘Optus - SMS Verification’]

[Screenshot: phishing page titled ‘Optus - Confirmation’]

This campaign is designed to capture and harvest sensitive user credentials like usernames and passwords, along with credit card details, which may then be used in subsequent criminal activity such as fraudulent payments, or sold on the dark web to other cybercriminal groups.

Optus provides the following advice in relation to spotting a phishing scam purporting to be from them:  

“How to identify a scam SMS / email 

Not all phishing attempts are obvious, but signs to look out for include: 

  •  Generic greetings, such as 'Hi Optus customer' 
  •  Poor grammar, spelling, layout 
  •  Urgent requests for personal or sensitive information 
      (Optus will never request personal info via email / SMS) 
  •  Unusual URL links or attachments 
  •  Message isn't from usual sender” 

For more information, visit:  

MailGuard urges all recipients of this email to delete it immediately without clicking on any links. Providing your personal details can result in your sensitive information being used for criminal activity and may have a severe negative impact on your financial well-being.    

MailGuard urges users not to click links or open attachments within emails that:     

  • Are not addressed to you by name.     
  • Appear to be from a legitimate company but use poor English or omit personal details that a legitimate sender would include.
  • Are from businesses that you were not expecting to hear from, and/or     
  • Take you to a landing page or website that is not the legitimate URL of the company the email is purporting to be sent from.     
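The two checks described in this post, comparing the sender's display name with the actual sending address and comparing link destinations with the company's real domain, can be automated. The following is an added example, not MailGuard's or Optus's code; the brand allowlist and the sample message (including its `.example` addresses and bill number) are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: domains the brand legitimately sends from and links to.
BRAND_DOMAINS = {"optus": {"optus.com.au"}}

# Constructed sample modelled on the email described above (not a real capture).
SAMPLE = """\
From: Optus <accounts@business.example>
To: customer@example.org
Subject: Your new refund bill No: 000000
Content-Type: text/html

<p>Your refund did not go through!</p>
<a href="https://login.portal.example/refund">Refund the amount</a>
"""

def in_domains(host, allowed):
    """True if host equals an allowed domain or is a subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allowed)

def check_message(raw):
    """Return findings for brand/sender and brand/link mismatches."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    sender_host = addr.rpartition("@")[2]
    findings = []
    for brand, allowed in BRAND_DOMAINS.items():
        if brand not in display.lower():
            continue  # message does not claim to be from this brand
        if not in_domains(sender_host, allowed):
            findings.append(
                f"display name '{display}' but sender domain is {sender_host}")
        # Single-part message: the payload is the HTML body as a string.
        for url in re.findall(r'href="([^"]+)"', msg.get_payload()):
            host = urlparse(url).hostname
            if not in_domains(host, allowed):
                findings.append(f"link points to {host}, not a {brand} domain")
    return findings

if __name__ == "__main__":
    for finding in check_message(SAMPLE):
        print(finding)
```

The suffix match requires a leading dot, so a lookalike host such as `optus.com.au.evil.example` is still flagged rather than treated as an Optus subdomain.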

One email is all that it takes     

All that it takes to devastate your business is a cleverly worded email message that can steal sensitive user credentials or disrupt your business operations. If scammers can trick one person in your company into clicking on a malicious link or attachment, they can gain access to your data or inflict damage on your business.     

For a few dollars per staff member per month, you can protect your business with MailGuard's predictive and advanced email security. Talk to a solution consultant at MailGuard today about securing your company's inboxes.  
