Phishing scams and your business

Phishing scams

Phishing scams are one of the most common, prolific and successful attacks we see. Learn how they could affect your business.

What it is

Phishing is a type of email scam. A phishing email will ask you to either click a link and enter personal information, or open an attachment in the email. The scammer might make it look like the email comes from your business.

One of the challenges with phishing is that it exploits people’s everyday behaviour. Businesses often send emails to customers asking them to:

  • click on links to the business’s website
  • log into their account when they get there.

Phishing scams mimic this behaviour to:

  • trick customers into giving up their information or account login details, or
  • install malicious software – like ransomware – on people's computers.

Spear phishing and whaling

Spear phishing and whaling scams are more targeted types of phishing. 

In a spear phishing attack, people within a company receive an email asking them to provide the sender with confidential company information. The emails will look like they’ve come from a particular department or person in the company.

Whaling specifically targets the management or executives in a company — the ‘big fish’. These are usually the people who have the most authority and the most access to sensitive business information.

How it works

Phishing process diagram

1. Research: attackers identify targets and objectives and get a list of email addresses.

2. Phishing page: the attacker creates a phishing page by compromising a domain or using a similar domain name to a common brand.

3. Email sent: the email targets are sent a message to trick them into visiting the website.

4. Request actioned: the target enters information into the phishing page (such as login credentials) or is tricked into downloading malware.

5. Information harvested: the attacker uses the harvested information in further attacks or sells it. Attackers use malware to steal information or money, or to use the compromised computer in other attacks.

Setting up a phishing campaign is a two-step process – the scammers need to:

  1. find somewhere they can host their campaign
  2. send phishing messages to their target audience.

Hosting a phishing campaign

Scammers like to target local websites (that use .nz domains) to make their phishing campaigns seem trustworthy. They may look for unpatched or insecure websites that they can take over.

Or the scammer could register a domain name that looks like their target brand's.

For example, if your domain name is www.likemybusiness.co.nz, a scammer could set up a new domain name like:

  • www.likemybusiness.org — using the .org domain instead of .co.nz, or
  • www.likernybusiness.co.nz — which replaces the m with an rn and still looks very similar.
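One way to spot the two kinds of lookalike domain described above in your own mail logs, as an added example that is not code from the original page: it normalises confusable sequences (the page's "rn" for "m" case, plus a few assumed extras) and flags senders whose brand label matches yours under a different TLD. The confusable list, the public-suffix set and the sample log lines are constructed assumptions.

```python
import re

# Sequences scammers swap in so a domain still reads like the real one.
# "rn" for "m" is the page's own case; the rest are assumed extras.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l")]

# Two-label public suffixes treated as a single TLD (assumption, not exhaustive).
MULTI_LABEL_TLDS = {"co.nz", "org.nz", "net.nz", "co.uk", "com.au"}


def split_domain(domain):
    """Return (brand_label, tld) for a hostname, dropping a leading 'www.'."""
    host = domain.lower().strip().rstrip(".")
    if host.startswith("www."):
        host = host[4:]
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_TLDS:
        return labels[-3], ".".join(labels[-2:])
    if len(labels) >= 2:
        return labels[-2], labels[-1]
    return host, ""


def normalise(label):
    """Collapse confusables so 'likernybusiness' becomes 'likemybusiness'."""
    for fake, real in CONFUSABLES:
        label = label.replace(fake, real)
    return label


def classify_sender_domain(sender_domain, own_domain):
    """Return 'own', 'tld-swap', 'lookalike' or 'unrelated' for a sender domain."""
    own_label, own_tld = split_domain(own_domain)
    label, tld = split_domain(sender_domain)
    if label == own_label and tld == own_tld:
        return "own"
    if label == own_label:
        return "tld-swap"  # e.g. www.likemybusiness.org
    if normalise(label) == normalise(own_label):
        return "lookalike"  # e.g. www.likernybusiness.co.nz
    return "unrelated"


def flag_suspicious_senders(mail_log, own_domain):
    """Scan 'from=' log lines and return (address, verdict) for suspicious senders."""
    flagged = []
    for line in mail_log.splitlines():
        match = re.search(r"[\w.+-]+@([\w.-]+)", line)
        if match:
            verdict = classify_sender_domain(match.group(1), own_domain)
            if verdict in ("tld-swap", "lookalike"):
                flagged.append((match.group(0), verdict))
    return flagged


# Constructed sample log lines, not real mail data.
SAMPLE_LOG = """from=accounts@likemybusiness.co.nz to=alice@example.test status=accepted
from=accounts@likemybusiness.org to=bob@example.test status=accepted
from=billing@likernybusiness.co.nz to=carol@example.test status=accepted
from=news@unrelatedshop.co.nz to=dave@example.test status=accepted"""

if __name__ == "__main__":
    for address, verdict in flag_suspicious_senders(SAMPLE_LOG, "www.likemybusiness.co.nz"):
        print(f"{verdict:10} {address}")
```

Running it flags the .org sender as a TLD swap and the "likerny" sender as a lookalike, while the genuine and unrelated senders pass.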

Sending phishing emails

Once they have a URL to host their campaign on, the scammer can start sending out phishing emails. They'll create an email that looks like those sent by the brand they're impersonating. Then they'll send it out to the brand's customers in the hope that people will:

  • respond to the email and provide their personal information to the scammer, or
  • download malware onto their computers.

Spear phishing and whaling scams

Spear phishing and whaling emails will often refer to their subject by name and job title. They might request that you:

  • send them information by return email
  • open an attachment
  • pay an invoice
  • visit a fake website to enter personal information, like login details.

These requests seem urgent and sound legitimate.

The risks

Scammers could:

  • set up a fake domain that looks like your website and email address, making it look like it's your business sending the emails, or
  • get access to your organisation's email accounts, and use them to send out phishing emails.

This could cause serious problems for your customers. It could also damage your business’s reputation.