Do NOT Open the American Express Refund Authorization Email!


If you get an email that appears to be from Amex with the subject “ACTION NEEDED: Refund Authorization”, don’t open it, and if you do open it by accident, whatever you do, do not click on the link! The email appears to be coming from “” via “wineu.mail”, although the bad guys are sending it through Sendgrid (which has already been notified).

These fake emails are phishing scams designed to steal your American Express credentials, and perhaps also to download a virus and malware onto your computer. The scam is being sent, scattershot, to countless people – some of whom don’t even have an American Express account or card! But it doesn’t matter, because the criminals behind this only need to get a few people to respond, by logging in to the fake Amex site, to make it worth their while.

Here’s the text of the email:

From: American Express® Card
Date: May 31, 2020 at 8:09 PM
Subject: ACTION NEEDED: Refund Authorization

Important Account Information

You have (1) refund pending authorization

Dear Customer:

We found a double – charged payment on your American Express® Card account statement. We to tried issue you a refund automatically but could not due to some wrong details on your account.

Refund Amount: $98.60

Please follow the link below to manually authorize your refund to complete it.

Authorize refund »

Thank you for your Card Membership.


American Express Customer Care.

Now, of course, we always caution our readers to never click on a link received in email, especially where finances are involved, and to always instead go directly to the site and log in to your account that way. If the service from which the email is claimed to have been sent was really trying to contact you, there would be a message there in your account, on the website.

For those into this sort of thing, here are the full headers:

Delivered-To: [redacted]
Received: from ([])
by with LMTP id yMAELFVj1F4HKwAAiZoTAQ (envelope-from ) for <[redacted]>; Mon, 01 Jun 2020 02:09:25 +0000
Received: from ([])
by with LMTP id iJYDKVVj1F56XQAAPPnpwQ (envelope-from ) for <[redacted]>; Mon, 01 Jun 2020 02:09:25 +0000
Received: from ([])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by with LMTPS id AJlNI1Vj1F4kPgAAZKibLA (envelope-from ) for <[redacted]>; Mon, 01 Jun 2020 02:09:25 +0000
Received: from ([])
by with ESMTP id fZtDjmDiRFhcwfZtEj1LAV; Mon, 01 Jun 2020 02:09:25 +0000
X-CAA-SPAM: N00000
X-Xfinity-VAAS: gggruggvucftvghtrhhoucdtuddrgeduhedrudefgedgheduucetufdoteggodetrfdotffvucfrrhhofhhilhgvmecuvehomhgtrghsthdqtfgvshhinecuuegrihhlohhuthemuceftddunecuogfuuhhsphgvtghtkfhmghffohhmrghinhculdeftddmnecujfgurhepggfhvfffufgtgfeshhgstddttddtjeenucfhrhhomheptehmvghrihgtrghnucfggihprhgvshhsjlcuvegrrhguuceoughishgtohhvvghrrdgtrghrugdttddvlehsuhhpphhorhhtsegsohhthhhmrghnshdrtghomheqnecuggftrfgrthhtvghrnhepjeekuedvjedutefhtddtgfduhfefgefhhedtveejffeilefggeehvdduhfejleeunecuffhomhgrihhnpehsvghnughgrhhiugdrnhgvthenucfkphepvdduvddrvddvjedruddviedrudefudenucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmhephhgvlhhopehmohhuthdrkhhunhguvghnshgvrhhvvghrrdguvgdpihhnvghtpedvuddvrddvvdejrdduvdeirddufedupdhmrghilhhfrhhomhepughishgtohhvvghrrdgtrghrugdttddvlehsuhhpphhorhhtsegsohhthhhmrghnshdrtghomhdprhgtphhtthhopegtkhgrrhhvrggurgestghomhgtrghsthdrnhgvth
X-Xfinity-VMeta: sc=30.00;st=legit
X-Xfinity-Message-Heuristics: IPv6:N;TLS=1;SPF=3;DMARC=
Received: from winhex19beeu13.wineu.mail ([]) by mrieue.server.lan
(mrieue002 []) with ESMTPS (Nemesis) id
0M58bH-1imP080xvb-00zY13 for <[redacted]>; Mon, 01 Jun 2020
04:09:23 +0200
Received: from hwc-hwp-5191070 ( by winhex19beeu13.wineu.mail
( with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.2.529.5; Mon, 1 Jun 2020
04:09:22 +0200
MIME-Version: 1.0
From: =?utf-8?Q?American Express=C2=AE Card?=

To: <[redacted]>
Date: Sun, 31 May 2020 19:09:22 -0700
Subject: ACTION NEEDED: Refund Authorization
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: base64
X-ClientProxiedBy: winhex19beeu6.wineu.mail ( To
winhex19beeu13.wineu.mail (
X-1and1-Spam-Score: 0.1/10
X-1and1-Spam-Level: None
X-Provags-ID: V02::Uu0xqGl5U4fzTwvyUf977u3YtU3mm+cMeu2UMB+hVhs5c
X-Spam-Flag: NO
X-UI-Out-Filterresults: notjunk:1;V03:K0:cBIveF0f5h8=:CScoQMIFMsNxy33UXLHqZ1
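
The mismatch visible in these headers (a brand name in the From display name, but unrelated mail hosts in the path) can be checked mechanically. The Python below is an added example, not part of the original article: it decodes the RFC 2047 display name, compares the From domain against a brand allow-list, and lists the Received hops oldest-first. The `BRAND_DOMAINS` table, the function names and the `refunds@sender.example` address are assumptions for illustration; the article's real From address is not shown.

```python
import re
from email import message_from_string
from email.policy import default

# Assumption for illustration: brand name -> domains it legitimately sends from.
BRAND_DOMAINS = {"american express": {"americanexpress.com"}}

# Constructed sample. The Subject, display name and wineu.mail / server.lan hosts
# follow the article; the From address is a placeholder (the article's is stripped).
SAMPLE = (
    "Received: from winhex19beeu13.wineu.mail by mrieue.server.lan with ESMTPS;"
    " Mon, 01 Jun 2020 04:09:23 +0200\n"
    "Received: from hwc-hwp-5191070 by winhex19beeu13.wineu.mail with Microsoft"
    " SMTP Server; Mon, 1 Jun 2020 04:09:22 +0200\n"
    "From: =?utf-8?Q?American_Express=C2=AE_Card?= <refunds@sender.example>\n"
    "Subject: ACTION NEEDED: Refund Authorization\n"
    "\n"
)

def owned_by(domain, allowed):
    """True if domain equals, or is a subdomain of, one of the allowed domains."""
    domain = domain.lower().rstrip(".")
    return any(domain == d or domain.endswith("." + d) for d in allowed)

def triage(raw):
    msg = message_from_string(raw, policy=default)
    sender = msg["From"].addresses[0]          # policy=default decodes RFC 2047
    # Normalise the display name so "American Express®" still matches the brand.
    name = re.sub(r"[^a-z0-9 ]", "", sender.display_name.casefold())
    # Received headers are prepended by each hop, so reverse for oldest-first.
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        src = re.search(r"\bfrom\s+(\S+)", value)
        dst = re.search(r"\bby\s+(\S+)", value)
        hops.append((src.group(1) if src else None, dst.group(1) if dst else None))
    flags = []
    for brand, domains in BRAND_DOMAINS.items():
        if brand in name and not owned_by(sender.domain, domains):
            flags.append(f"display name claims '{brand}' but From domain is {sender.domain}")
    return {"display_name": sender.display_name, "from_domain": sender.domain,
            "hops": hops, "flags": flags}

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(key, "=", value)
```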
