Kia pare i tō pakihi kei whakamahia e ngā tāware hītinihanga

Protect your business from being used for phishing scams

Learn how to stop scammers from using your business or technology to send out phishing scams.

What it is

Phishing is a type of email scam. Online attackers can use your brand or your IT systems to make it look like a phishing email comes from your business.

Learn more about phishing scams

How to protect your business

  • Install updates

    Updating your operating systems and software whenever patches are released means any identified security vulnerabilities will be fixed. If you don’t install patches when they’re released, scammers could exploit any known vulnerabilities to gain access to your website or your business workstation. They could use that access to create a page on your website or send an email from your workstation.

    Keep up with updates

  • Set up two-factor authentication

    Protect your email, administrator account and any other key accounts with two-factor authentication (2FA).

    Protect your business with two-factor authentication (2FA)

  • Register similar domain names

    When you register a name for your website, think about registering other, similar domain names too. It’s not expensive to do and could stop online attackers from using domain names similar to your business’s to front a phishing attack.

  • Keep an eye on your website

    Monitor your website – if you’re familiar with what’s on there, you’ll notice if something changes when it shouldn’t. Then, if someone gains access to your website and tries to use it to host a phishing page or , you’ll know.

    Protect your website

  • Educate your staff

    Train your staff to know what to look out for. Make sure they know to report any suspicious activity on their workstation – for example, if they get strange emails or pop ups, or find odd applications running.

    Educate your staff about online security

    Think about implementing a social media policy for your business to help guide staff on what they can or can't share about their work – this can limit the amount of information a potential attacker can gather.

  • Double check unusual requests

    If you get an email request that you're not expecting, or that seems strange, contact the sender another way – by phone or in person – to double check it.

    Don’t click on web links sent by someone you don’t know, or that seem out of character for someone you do know.

  • Check your security measures

    Ensure that appropriate security measures are in place for your organisation.

    Think about:

    • patching/updates policy
    • limiting access to external websites within your network
    • segmenting highly privileged accounts (like administrator and root accounts)
    • documenting and testing processes for dealing with security incidents
    • how you monitor and react to security events.

    Top online security tips for your business

  • Create an incident response plan

    No matter how prepared you are, sometimes things go wrong. Knowing what to do during an attack is important – you’ll need a plan to help you get through what can be a stressful time. Check out our incident response planning guide to see how to make sure you're prepared.

    Create an Incident response plan

Get help

If you think your business brand or systems are being used to send out a phishing attack:

  • trigger your incident response plan
  • report it to your IT department immediately.

If you are unsure what else to do, report it to CERT NZ. We’ll:

  • investigate the phishing page, to understand where the web server is hosted and where the domain name is registered
  • confirm whether the scammer has compromised your legitimate website, or set up a new domain name and replicated it
  • try to make contact with the hosting or domain name owner and have the phishing page taken down.

Get help now