Protect your business from being used for phishing scams

Learn how to stop scammers from using your business or technology to send out phishing scams.

What it is

Phishing is a type of email scam. Online attackers can use your brand or your IT systems to make it look like a phishing email comes from your business.

How to protect your business from being used for phishing attacks

Install updates

Updating your operating systems and software whenever patches are released means any identified security vulnerabilities will be fixed. If you don’t install patches when they’re released, scammers could exploit any known vulnerabilities to gain access to your website or your business workstation. They could use that access to create a phishing page on your website or send an email from your workstation.

Set up two-factor authentication

Protect your email, administrator account and any other key accounts with multi-factor authentication.

Register similar domain names

When you register a domain name for your website, think about registering other, similar domain names too. It’s not expensive to do, and could stop online attackers from using domain names similar to your business’s to front a phishing attack.

Keep an eye on your website

Monitor your website – if you’re familiar with what’s on there, you’ll notice if something changes when it shouldn’t. Then, if someone gains access to your website and tries to use it to host a phishing page or malware, you’ll know.

Educate your staff

Train your staff to know what to look out for. Make sure they know to report any suspicious activity on their workstation – for example, if they get strange emails or pop-ups, or find odd applications running.

Think about implementing a social media policy for your business to help guide staff on what they can or can't share about their work – this can limit the amount of information a potential attacker can gather.

Double check unusual requests

If you get an email request that you're not expecting, or that seems strange, contact the sender another way – by phone or in person – to double check it. 
Don’t click on web links sent by someone you don’t know, or that seem out of character for someone you do know.

Check your security measures

Ensure that appropriate security measures are in place for your organisation.

Think about:

  • antivirus
  • firewalls
  • patch management/updates policy
  • email filtering
  • antispam
  • limiting access to external websites within your network
  • segmenting highly privileged accounts (like administrator and root accounts)
  • documenting and testing processes for dealing with security incidents
  • how you monitor and react to security events.

Create an incident response plan

No matter how prepared you are, sometimes things go wrong. Knowing what to do during an attack is important – you’ll need a plan to help you get through what can be a stressful time. Check out our incident response planning guide to see how to make sure you're prepared.

Get help

If you think your business brand or systems are being used to send out a phishing attack:

  • trigger your incident response plan
  • report it to your IT department immediately.

If you are unsure what else to do, report it to CERT NZ. We’ll:

  • investigate the phishing page, to understand where the web server is hosted and where the domain name is registered
  • confirm whether the scammer has compromised your legitimate website, or set up a new domain name and replicated it
  • try to make contact with the hosting or domain name owner and have the phishing page taken down.
