Do NOT Open the American Express Refund Authorization Email!


If you get an email from Amex with the subject “ACTION NEEDED: Refund Authorization”, don’t open it, and if you do open it by accident, whatever you do, do not click on the link! The email appears to be coming from “bothmans.com” via “wineu.mail”, although the bad guys are sending it through Sendgrid (who has already been notified).

These fake emails are phishing scams designed to steal your American Express credentials, and perhaps also to download a virus and malware onto your computer. The scam is being sent, scattershot, to countless people, some of whom don’t even have an American Express account or card! But it doesn’t matter, because the criminals behind this only need a few people to respond, by logging in to the fake Amex site, to make it worth their while.

Here’s the text of the email:


From: American Express® Card
Date: May 31, 2020 at 8:09 PM
Subject: ACTION NEEDED: Refund Authorization

Important Account Information

You have (1) refund pending authorization

Dear Customer:

We found a double – charged payment on your American Express® Card account statement. We to tried issue you a refund automatically but could not due to some wrong details on your account.

Refund Amount: $98.60

Please follow the link below to manually authorize your refund to complete it.

Authorize refund »

Thank you for your Card Membership.

Sincerely,

American Express Customer Care.


Now, of course, we always caution our readers to never click on a link received in email, especially where finances are involved, and to always instead go directly to the site and log in to your account that way. If the service from which the email is claimed to have been sent was really trying to contact you, there would be a message there in your account, on the website.

For those into this sort of thing, here are the full headers:

Return-Path:
Delivered-To: [redacted]@comcast.net
Received: from dovdir1-hoa-03o.email.comcast.net ([69.252.207.45])
by dovback1-hoa-08o.email.comcast.net with LMTP id yMAELFVj1F4HKwAAiZoTAQ (envelope-from ) for <[redacted]@comcast.net>; Mon, 01 Jun 2020 02:09:25 +0000
Received: from dovpxy-hoa-16o.email.comcast.net ([69.252.207.45])
by dovdir1-hoa-03o.email.comcast.net with LMTP id iJYDKVVj1F56XQAAPPnpwQ (envelope-from ) for <[redacted]@comcast.net>; Mon, 01 Jun 2020 02:09:25 +0000
Received: from resimta-ch2-26v.sys.comcast.net ([69.252.207.45])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by dovpxy-hoa-16o.email.comcast.net with LMTPS id AJlNI1Vj1F4kPgAAZKibLA (envelope-from ) for <[redacted]@comcast.net>; Mon, 01 Jun 2020 02:09:25 +0000
Received: from mout.kundenserver.de ([212.227.126.131])
by resimta-ch2-26v.sys.comcast.net with ESMTP id fZtDjmDiRFhcwfZtEj1LAV; Mon, 01 Jun 2020 02:09:25 +0000
X-CAA-SPAM: N00000
X-Xfinity-VAAS: gggruggvucftvghtrhhoucdtuddrgeduhedrudefgedgheduucetufdoteggodetrfdotffvucfrrhhofhhilhgvmecuvehomhgtrghsthdqtfgvshhinecuuegrihhlohhuthemuceftddunecuogfuuhhsphgvtghtkfhmghffohhmrghinhculdeftddmnecujfgurhepggfhvfffufgtgfeshhgstddttddtjeenucfhrhhomheptehmvghrihgtrghnucfggihprhgvshhsjlcuvegrrhguuceoughishgtohhvvghrrdgtrghrugdttddvlehsuhhpphhorhhtsegsohhthhhmrghnshdrtghomheqnecuggftrfgrthhtvghrnhepjeekuedvjedutefhtddtgfduhfefgefhhedtveejffeilefggeehvdduhfejleeunecuffhomhgrihhnpehsvghnughgrhhiugdrnhgvthenucfkphepvdduvddrvddvjedruddviedrudefudenucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmhephhgvlhhopehmohhuthdrkhhunhguvghnshgvrhhvvghrrdguvgdpihhnvghtpedvuddvrddvvdejrdduvdeirddufedupdhmrghilhhfrhhomhepughishgtohhvvghrrdgtrghrugdttddvlehsuhhpphhorhhtsegsohhthhhmrghnshdrtghomhdprhgtphhtthhopegtkhgrrhhvrggurgestghomhgtrghsthdrnhgvth
X-Xfinity-VMeta: sc=30.00;st=legit
X-Xfinity-Message-Heuristics: IPv6:N;TLS=1;SPF=3;DMARC=
Received: from winhex19beeu13.wineu.mail ([10.72.140.17]) by mrieue.server.lan
(mrieue002 [172.19.128.220]) with ESMTPS (Nemesis) id
0M58bH-1imP080xvb-00zY13 for <[redacted]@comcast.net>; Mon, 01 Jun 2020
04:09:23 +0200
Received: from hwc-hwp-5191070 (10.72.140.250) by winhex19beeu13.wineu.mail
(10.72.140.17) with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.2.529.5; Mon, 1 Jun 2020
04:09:22 +0200
MIME-Version: 1.0
From: =?utf-8?Q?American Express=C2=AE Card?=

To: <[redacted]@comcast.net>
Date: Sun, 31 May 2020 19:09:22 -0700
Subject: ACTION NEEDED: Refund Authorization
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: base64
Message-ID:
Return-Path: discover.card0029support@bothmans.com
X-ClientProxiedBy: winhex19beeu6.wineu.mail (10.72.140.143) To
winhex19beeu13.wineu.mail (10.72.140.17)
X-1and1-Spam-Score: 0.1/10
X-1and1-Spam-Level: None
X-Provags-ID: V02::Uu0xqGl5U4fzTwvyUf977u3YtU3mm+cMeu2UMB+hVhs5c
KB4A4KWsD2PslQxtEfPnKvBgDCuZJPS3SgRT6e87hOqNXcEDE9
g7tX5t4fUIWF3GnP/czrNVk6xlpjMLZZk81YrWOqYl5kzkAgQa
1/6mCpantnqUemGBoyP8pfAGA13s0q69xDOeo8B+95yX3hm
X-Routing-0be3562e-11e2-4fc7-b5a6-c7ea0e0bf210: 1.0.0.0
X-Spam-Flag: NO
X-UI-Out-Filterresults: notjunk:1;V03:K0:cBIveF0f5h8=:CScoQMIFMsNxy33UXLHqZ1
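
The mismatch visible in these headers (an "American Express" display name on mail whose Return-Path is bothmans.com and whose first external relay is mout.kundenserver.de) can be checked automatically. The following is an added example, not code from the original article; the brand domain list, the function names and the placeholder From address are assumptions.

```python
import re
from email import message_from_string
from email.header import decode_header, make_header
from email.utils import parseaddr

# Assumption: domains the brand really sends from; maintain your own list.
BRAND_DOMAINS = {"american express": {"americanexpress.com", "aexp.com"}}

# Constructed sample built from header values shown on this page. The From
# address did not survive on the page, so a placeholder stands in for it,
# and the Received lines are shortened.
SAMPLE = """\
Return-Path: <discover.card0029support@bothmans.com>
Received: from mout.kundenserver.de ([212.227.126.131])
 by resimta-ch2-26v.sys.comcast.net with ESMTP; Mon, 01 Jun 2020 02:09:25 +0000
Received: from winhex19beeu13.wineu.mail ([10.72.140.17]) by mrieue.server.lan
 with ESMTPS; Mon, 01 Jun 2020 04:09:23 +0200
From: =?utf-8?Q?American_Express=C2=AE_Card?= <placeholder@example.invalid>
Subject: ACTION NEEDED: Refund Authorization

"""

def in_domains(host, domains):
    """True if host equals, or is a subdomain of, one of the domains."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def brand_mismatch(raw):
    """Compare the brand claimed in the From display name with the mail path."""
    msg = message_from_string(raw)
    # Decode RFC 2047 encoded words so "=C2=AE" becomes the (R) sign.
    shown = str(make_header(decode_header(msg.get("From", ""))))
    display = parseaddr(shown)[0].lower()
    envelope = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2].lower()
    # Hosts that handed the message on, newest hop first.
    relays = [m.group(1) for r in msg.get_all("Received", [])
              if (m := re.match(r"from\s+(\S+)", r))]
    brand = next((b for b in BRAND_DOMAINS if b in display), None)
    # A missing Return-Path on brand-named mail also counts as suspicious.
    suspicious = bool(brand) and not in_domains(envelope, BRAND_DOMAINS[brand])
    return {"brand": brand, "envelope_domain": envelope,
            "relays": relays, "suspicious": suspicious}

if __name__ == "__main__":
    print(brand_mismatch(SAMPLE))
```

This is a triage heuristic for a mail filter or an analyst's notebook; it complements SPF, DKIM and DMARC results and does not replace them.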

The Internet Patrol is completely free, and reader-supported. Your tips via CashApp, Venmo, or Paypal are appreciated! Receipts will come from ISIPP.