Cyber Incident Victim: AGL Energy Limited

Date: Nov 2022

Location: Australia

Summary

AGL customers were targeted by a phishing campaign involving fraudulent emails impersonating the company to steal payment information. The scam emails contained grammatical errors, inconsistent subject lines, and originated from non-AGL domains, directing recipients to malicious links under the guise of processing refunds. These links led to fake websites designed to harvest financial details, with discrepancies in formatting and embedded URLs further indicating fraudulent intent. The incident prompted cybersecurity efforts to contain the scam while highlighting risks of financial data compromise through deceptive requests.

Description

In early November 2022, AGL customers were targeted by a phishing campaign involving fraudulent emails impersonating the company’s refund processes. The emails exhibited multiple technical and linguistic indicators of deception, including grammatical errors in the subject line such as “Refund need to be Issued…” and inconsistencies between the subject line and email heading content. Attackers used a non-AGL domain (@harborps.org) for sender addresses, deviating from legitimate corporate communications. The email body contained further inaccuracies, such as directing recipients to complete a form referenced as being “above” while placing the actual link below, alongside grammatically flawed phrases like “…so we can processed a refund.” Embedded hyperlinks disguised as “Refund Me” buttons led to external URLs unrelated to AGL, redirecting users to impersonation websites designed to harvest payment details. Formatting inconsistencies in font types and sizes provided additional visual cues distinguishing the fraudulent emails from authentic AGL correspondence.
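The two machine-checkable indicators above (a sender address outside the company's domain, and a "Refund Me" button pointing at an unrelated host) can be screened for at a mail gateway or in triage. The following is an added example, not AGL's tooling; it assumes `agl.com.au` as the legitimate domain, and the mailbox name and link URLs in the sample message are constructed.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: agl.com.au is treated as the legitimate domain; the page does not name it.
TRUSTED = {"agl.com.au"}

# Constructed sample; only the sender domain and quoted phrases come from the write-up.
SAMPLE = """\
From: AGL Refunds <billing@harborps.org>
Subject: Refund need to be Issued...
Content-Type: text/html; charset="utf-8"

<html><body><p>Fill in the form above so we can processed a refund.</p>
<a href="https://refunds.example.net/form">Refund Me</a>
<a href="https://www.agl.com.au/help">Help</a></body></html>
"""

class Links(HTMLParser):
    """Collect (visible text, href) for every anchor in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._buf = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._buf = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._buf).strip(), self._href))
            self._href = None

def trusted(host):
    """True when host is a trusted domain or a subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED)

def check(raw):
    """Return findings for an untrusted sender domain and off-domain web links."""
    msg = message_from_string(raw)
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    findings = [] if trusted(domain) else [("sender_domain", domain)]
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        parser = Links()
        parser.feed(part.get_payload(decode=True).decode("utf-8", "replace"))
        for text, href in parser.links:
            url = urlsplit(href)
            if url.scheme in ("http", "https") and not trusted(url.hostname):
                findings.append(("link", text, url.hostname))
    return findings
```

The `From` header is trivially forged, so a clean result here does not establish authenticity; the check complements SPF, DKIM and DMARC evaluation rather than replacing it.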

AGL’s Cyber Security Team actively worked to contain identified scams upon detection or customer reporting. The company publicly documented these fraud indicators to educate customers, emphasizing vigilance against suspicious links and urging verification of interactions through official channels. AGL advised impacted customers who submitted payment details via scam links to contact their financial institutions immediately. No confirmed compromise of AGL’s internal systems was disclosed in available sources. The incident primarily threatened customer data security through external phishing infrastructure, with operational impacts limited to scam containment efforts and customer support engagements via the designated helpline (131 245).
