Fraudsters are targeting Australian users with scam emails that carry malware-laden fake bills impersonating a legitimate energy provider.
At 08:30 on 10 May, tens of thousands of Australian users began receiving emails that appeared to come from Origin Energy. The messages carried the logo of the Sydney-based energy provider, included a URL pointing to the privacy page on the company's real website, and rendered correctly on both desktop and mobile screens. To add a further veneer of legitimacy, the sender address used the plausible-looking domain "originenergysolar.net".
All of these emails were fakes. The sender domain "originenergysolar.net" is not the company's actual domain, "originenergy.com.au"; it merely borrows the brand name. Registration records show that "originenergysolar.net" was registered from China a few days before the campaign, and the emails were sent from a server in France. The messages also listed a customer-service phone number that is registered to a recycling business in Pinewood, Victoria.
As for the bills themselves, clicking on the “View bill” link downloaded spyware onto the email recipient’s computer.
This scam campaign, which falls into the “deceptive phishing” category, is part of a growing number of bill hoaxes targeting Australian users. Craig McDonald, CEO of MailGuard, elaborates on this point for The Sydney Morning Herald:
“Increasingly we’re seeing cyber criminals carrying out targeted attacks by impersonating well-known and trusted entities, such as Australia Post, Telstra, FedEx, Google and the Australian Government’s myGov website. This is because these scammers realise that by impersonating brands people deal with daily, there’s a good chance people will click the link to find out about a parcel they’ve apparently ordered, or to find out how much money they supposedly owe.”
As of this writing, the Australian Competition and Consumer Commission has already received 136 reports of fake bills in 2017. In 2016, Australians lost AUD 659,835 to 14,634 reported fake bills.
Going forward, users should check the sender address of any email claiming to be a bill against the provider's real domain, and treat any phone number printed in the message with the same suspicion. Rather than clicking a link in the message, they should sign in to their account by typing the provider's web address into a browser and view their bill there. If no bill is due, the email was a fake.
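The sender-domain check described above can be automated at a mail gateway or in a mailbox rule. The following Python is an added example written for this page; it is not code from the article, MailGuard, or Origin Energy. The function names (`registrable_domain`, `sender_domain`, `classify_sender`), the brand token, the tiny public-suffix table and the sample headers are all assumptions constructed for illustration; a production filter would use the full Public Suffix List and the brand's complete set of sending domains. It flags "originenergysolar.net" as a lookalike, accepts a real subdomain of "originenergy.com.au", and also catches the brand name smuggled into a subdomain of an unrelated registrable domain.

```python
from email.utils import parseaddr

# The impersonated brand's real sending domain, as named in the article.
LEGIT_DOMAINS = {"originenergy.com.au"}

# Brand token (hyphens and dots are stripped before matching) whose presence
# in a domain that is NOT in LEGIT_DOMAINS suggests impersonation. Assumption
# for this example; a real filter would carry one token set per protected brand.
BRAND_TOKEN = "originenergy"

# Minimal stand-in for the Public Suffix List (assumption: a real deployment
# would load the full list, e.g. via the tldextract library).
MULTI_LABEL_SUFFIXES = {"com.au", "net.au", "org.au", "gov.au", "co.uk"}


def registrable_domain(host: str) -> str:
    """Return the registrable (eTLD+1) part of a hostname.

    'mail.originenergy.com.au' -> 'originenergy.com.au'
    'originenergy.com.au.example.net' -> 'example.net'
    """
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def sender_domain(from_header: str) -> str:
    """Extract the domain of the address in a From: header.

    Only the angle-bracket address is used; the display name ("Origin Energy")
    is attacker-controlled text and is deliberately ignored.
    """
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower().rstrip(".")


def classify_sender(from_header: str) -> str:
    """Classify a From: header as 'legitimate', 'lookalike' or 'unknown'.

    legitimate: registrable domain is one of the brand's real domains
    lookalike:  not a real brand domain, but the brand token appears anywhere
                in the hostname (e.g. originenergysolar.net, origin-energy.net,
                originenergy.com.au.example.net)
    unknown:    no brand token present; not a brand impersonation by this test
    """
    host = sender_domain(from_header)
    if not host:
        return "unknown"
    if registrable_domain(host) in LEGIT_DOMAINS:
        return "legitimate"
    normalized = host.replace("-", "").replace(".", "")
    if BRAND_TOKEN in normalized:
        return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample From: headers, not captured mail.
    samples = [
        "Origin Energy <noreply@originenergysolar.net>",
        "Origin Energy <billing@mail.originenergy.com.au>",
        "Origin Energy <billing@originenergy.com.au.example.net>",
        "Origin Energy <accounts@origin-energy.net>",
        "Support <help@example.net>",
    ]
    for hdr in samples:
        print(f"{classify_sender(hdr):10s} {hdr}")
```

The check is intentionally conservative: it only matches a brand token against the hostname, so it will not flag a lookalike that drops the brand name entirely. It is meant to complement, not replace, sender authentication such as SPF, DKIM and DMARC, which the article does not discuss but which would also have rejected mail claiming the real domain from an unrelated server.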