“Phishing: If you suspect deceit, hit delete!” ― Anonymous


Phishing is a type of email scam. The sender pretends to be a trustworthy organization — like a bank or government agency — in an attempt to get you to provide them with personal information, particularly financial details.

Phishing emails often ask for:

  • your credit card information
  • your internet banking details
  • personal information and documents, including your driver's license and passport
  • usernames or passwords for your online accounts, including social media accounts.

The emails usually target a specific group, such as the customers of a particular bank. Attackers send phishing messages to a list of email addresses, made up of contact details found on web pages and social media sites, or from other lists that are shared and sold online. In some cases they use guesswork, and send phishing emails to addresses that might be in use in the hope that they’ll reach someone’s inbox.

Phishing emails can look and feel legitimate. They use the same design and logos as the company or organization they’re pretending to be, and the same kind of language.

Most look like they come from:

  • a bank
  • a social media site
  • a government agency
  • an online game, or
  • an online service with access to your financial details, like iTunes.

They ask you to either click a link or open an attachment in the email. This will prompt you to enter personal information somewhere online, or allow the sender to infect your computer with malware. Either way, this gives them access to your personal information without you knowing.

For example:

  • you may be directed to a website that looks like your bank’s website, and asked to enter your internet banking login details. This gives the attacker both your login information and access to your bank accounts.
  • you might get an email saying that you’ve been charged for services you didn’t receive — like lawn mowing, for example — with an invoice for the job. If you open the invoice to check the details, it could download malware to your computer without you realizing.

It’s important to know that reputable companies and organizations will never ask you to provide them with personal information by email.

Spear phishing

Spear phishing is a very targeted type of phishing. Rather than emailing many people at once, the attacker only emails specific people within a company or organization, asking for sensitive business information that shouldn’t be available externally. The emails look like they’ve come from a specific department, like HR or Finance, or a particular person in the company.

Preventing Phishing

Although you can’t stop attackers from sending you phishing emails, there are things you can do to make sure you recognise one when it arrives.

  • Know what to look for in a phishing email. You might notice that:
    • you don’t recognise the sender
    • the sender name doesn’t sound quite right
    • you don’t recognise the name of the company
    • the company logo doesn’t look like it should
    • the email refers to you in a generic or odd way — for example, ‘Dear You…’
    • the email contains bad grammar or spelling
    • if you hover over a link in the email with your mouse, the address that you see doesn’t match the place it’s saying it’ll take you.
  • Don’t click on web links sent by someone you don’t know, or that seem out of character for someone you do know. If you’re not sure about something, contact the person you think might have sent it to check first.
  • Use bookmarks or favourites to access websites rather than links in emails.
  • Check to see how the companies you deal with — like your bank — will contact you, so you’re more likely to recognise what’s a legitimate request and what isn’t.
  • If you have your own business, make sure you keep your support contracts (with your antivirus provider or your firewall provider, for example) up to date.
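The hover check above (the link says one place but goes somewhere else) can be applied to an email's HTML body automatically. The following is an added example, not from the original page: it extracts every link from a constructed sample message and flags those whose visible text names a different domain than the one the href actually points to. All domain names are placeholders, and registrable_part() is a deliberately crude stand-in for a public-suffix lookup.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Matches a hostname (optionally preceded by a scheme) inside visible link text.
HOST_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)

class _AnchorCollector(HTMLParser):
    # Collects (href, visible text) pairs for every <a> in an HTML body.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable_part(host):
    # Crude stand-in for a public-suffix lookup: keep the last two labels only.
    return ".".join(host.lower().split(".")[-2:])

def find_mismatched_links(html):
    """Return links whose visible text names a different domain than the href."""
    collector = _AnchorCollector()
    collector.feed(html)
    flagged = []
    for href, text in collector.links:
        claimed = HOST_RE.search(text)
        if not claimed:
            continue  # text like "help page" makes no claim about the destination
        actual_host = urlparse(href).hostname or ""
        if registrable_part(claimed.group(1)) != registrable_part(actual_host):
            flagged.append({"text": text, "href": href, "actual_host": actual_host})
    return flagged

# Constructed sample message; every domain here is a placeholder.
SAMPLE_EMAIL = """<p>Dear You,</p>
<p>Please confirm your details at
<a href="http://login.example-bank.com.attacker.example/verify">https://www.example-bank.com/login</a>
or read our <a href="https://www.example-bank.com/help">help page</a>.</p>"""
```

Running find_mismatched_links(SAMPLE_EMAIL) flags only the first link, because its text claims example-bank.com while the href lands on attacker.example; the "help page" link makes no claim and is left alone.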

Remember — if you don’t click on any links or attachments in a phishing email, your system is safe.

If you’ve received a phishing email

If you think you’ve been sent a phishing email, here’s what to do next.

  • If you haven’t done anything with the email, delete it.
  • If you gave out some personal or financial details:
    • contact the service provider for your online accounts — like your bank or your email provider. Let them know what’s happened and ask what they can do to help.
    • change the passwords for any online accounts you think might be at risk.

Visit CERT NZ for more information.
Visit ACSC for more information.