Do NOT Open the American Express Refund Authorization Email!

If you get an email from Amex with the subject “ACTION NEEDED: Refund Authorization”, don’t open it, and if you do open it by accident, whatever you do, do not click on the link! The email appears to be coming from “bothmans.com” via “wineu.mail”, although the bad guys are sending it through Sendgrid (which has already been notified).

These fake emails are phishing scams designed to steal your American Express credentials, and perhaps also to download a virus and malware onto your computer. The scam is being sent, scattershot, to countless people, some of whom don’t even have an American Express account or card! But it doesn’t matter, because the criminals behind this only need to get a few people to respond, by logging in to the fake Amex site, to make it worth the bad guys’ while.


Here’s the text of the email:


From: American Express® Card
Date: May 31, 2020 at 8:09 PM
Subject: ACTION NEEDED: Refund Authorization

Important Account Information

No Paywall Here!
The Internet Patrol is and always has been free. We don't hide our articles behind a paywall, or restrict the number of articles you can read in a month if you don't give us money. That said, it does cost us money to run the site, so if something you read here was helpful or useful, won't you consider donating something to help keep the Internet Patrol free?

You have (1) refund pending authorization

Dear Customer:

We found a double – charged payment on your American Express® Card account statement. We to tried issue you a refund automatically but could not due to some wrong details on your account.

 

Refund Amount: $98.60

Please follow the link below to manually authorize your refund to complete it.

Authorize refund »

Thank you for your Card Membership.

Sincerely,

American Express Customer Care.


Now, of course, we always caution our readers to never click on a link received in email, especially where finances are involved, and to always instead go directly to the site and log in to your account that way. If the service from which the email is claimed to have been sent was really trying to contact you, there would be a message there in your account, on the website.

For those into this sort of thing, here are the full headers:

Return-Path:
Delivered-To: [redacted]@comcast.net
Received: from dovdir1-hoa-03o.email.comcast.net ([69.252.207.45])
by dovback1-hoa-08o.email.comcast.net with LMTP id yMAELFVj1F4HKwAAiZoTAQ (envelope-from ) for <[redacted]@comcast.net>; Mon, 01 Jun 2020 02:09:25 +0000
Received: from dovpxy-hoa-16o.email.comcast.net ([69.252.207.45])
by dovdir1-hoa-03o.email.comcast.net with LMTP id iJYDKVVj1F56XQAAPPnpwQ (envelope-from ) for <[redacted]@comcast.net>; Mon, 01 Jun 2020 02:09:25 +0000
Received: from resimta-ch2-26v.sys.comcast.net ([69.252.207.45])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by dovpxy-hoa-16o.email.comcast.net with LMTPS id AJlNI1Vj1F4kPgAAZKibLA (envelope-from ) for <[redacted]@comcast.net>; Mon, 01 Jun 2020 02:09:25 +0000
Received: from mout.kundenserver.de ([212.227.126.131])
by resimta-ch2-26v.sys.comcast.net with ESMTP id fZtDjmDiRFhcwfZtEj1LAV; Mon, 01 Jun 2020 02:09:25 +0000
X-CAA-SPAM: N00000
X-Xfinity-VMeta: sc=30.00;st=legit
X-Xfinity-Message-Heuristics: IPv6:N;TLS=1;SPF=3;DMARC=
Received: from winhex19beeu13.wineu.mail ([10.72.140.17]) by mrieue.server.lan
(mrieue002 [172.19.128.220]) with ESMTPS (Nemesis) id
0M58bH-1imP080xvb-00zY13 for <[redacted]@comcast.net>; Mon, 01 Jun 2020
04:09:23 +0200
Received: from hwc-hwp-5191070 (10.72.140.250) by winhex19beeu13.wineu.mail
(10.72.140.17) with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.2.529.5; Mon, 1 Jun 2020
04:09:22 +0200
MIME-Version: 1.0
From: =?utf-8?Q?American Express=C2=AE Card?=

To: <[redacted]@comcast.net>
Date: Sun, 31 May 2020 19:09:22 -0700
Subject: ACTION NEEDED: Refund Authorization
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: base64
Message-ID:
Return-Path: discover.card0029support@bothmans.com
X-ClientProxiedBy: winhex19beeu6.wineu.mail (10.72.140.143) To
winhex19beeu13.wineu.mail (10.72.140.17)
X-1and1-Spam-Score: 0.1/10
X-1and1-Spam-Level: None
X-Routing-0be3562e-11e2-4fc7-b5a6-c7ea0e0bf210: 1.0.0.0
X-Spam-Flag: NO
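
For readers who want to check headers like these themselves, here is a short Python sketch (an added example, not part of the original article) that compares the brand in the From display name with the envelope sender domain, and finds the last hop recorded by the recipient's own provider. The allow-list entry americanexpress.com, the trusted suffix .comcast.net and the function name analyze are assumptions made for this illustration.

```python
import ipaddress
import re
from email import message_from_string
from email.header import decode_header, make_header
from email.utils import parseaddr

# Trimmed from the headers quoted above (ids dropped, folding restored). The page
# does not preserve the From address, so only the display name is present.
SAMPLE = """\
Received: from dovpxy-hoa-16o.email.comcast.net ([69.252.207.45])
 by dovdir1-hoa-03o.email.comcast.net with LMTP; Mon, 01 Jun 2020 02:09:25 +0000
Received: from mout.kundenserver.de ([212.227.126.131])
 by resimta-ch2-26v.sys.comcast.net with ESMTP; Mon, 01 Jun 2020 02:09:25 +0000
Received: from winhex19beeu13.wineu.mail ([10.72.140.17]) by mrieue.server.lan
 (mrieue002 [172.19.128.220]) with ESMTPS (Nemesis); Mon, 01 Jun 2020 04:09:23 +0200
Received: from hwc-hwp-5191070 (10.72.140.250) by winhex19beeu13.wineu.mail
 (10.72.140.17) with Microsoft SMTP Server; Mon, 1 Jun 2020 04:09:22 +0200
From: =?utf-8?Q?American_Express=C2=AE_Card?=
Subject: ACTION NEEDED: Refund Authorization
Return-Path: discover.card0029support@bothmans.com

"""

HOP = re.compile(r"from\s+(\S+)\s+\(\[?([0-9.]+)\]?\)\s+by\s+(\S+)")


def analyze(raw, brand="american express",
            brand_domains=("americanexpress.com",), our_suffix=".comcast.net"):
    msg = message_from_string(raw)
    shown = str(make_header(decode_header(msg.get("From", ""))))
    sender = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2].lower()
    hops = []
    for value in msg.get_all("Received", []):      # newest hop first
        m = HOP.search(" ".join(value.split()))    # undo header folding
        if m:
            hops.append({"from": m[1], "ip": m[2], "by": m[3],
                         "private": ipaddress.ip_address(m[2]).is_private})
    # Only Received lines stamped by our own provider can be trusted; the
    # border hop is where it accepted the message from an outside host.
    border = next((h for h in hops if h["by"].endswith(our_suffix)
                   and not h["from"].endswith(our_suffix)), None)
    return {
        "display": shown,
        "envelope_domain": sender,
        "brand_mismatch": brand in shown.lower() and not any(
            sender == d or sender.endswith("." + d) for d in brand_domains),
        "border": border,
        "unverifiable_hops": hops[hops.index(border) + 1:] if border else hops,
    }
```

Everything below the border hop was written by the sending side and cannot be verified by the recipient; here those hops carry only private 10.x addresses.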
