News

Is your organisation on the lookout for phishing?

Apr 2, 2024

With phishing attacks increasing in frequency and sophistication, it’s important to be on the lookout.

Māori woman holding device

Phishing attacks on businesses and organisations are how attackers get their foot in the door to obtaining your sensitive information, valuable data or hard-earned money.

Phishing consistently tops the chart for threats that businesses in Aotearoa face online. CERT NZ's latest quarterly report shows 55% of the incidents reported by organisations in Q4 2023 fell into the category of phishing and credential harvesting. The numbers are similar for the whole year, too, with phishing accounting for over half of all reported incidents in 2023.

Graph showing total incidents affecting organisations between 2021 and 2023

Figure 1: The proportion of phishing attacks we saw in 2023 is consistent with what we have seen in the last three years, as this chart shows.

Understanding phishing

Phishing is the practice of sending a message pretending to be a trusted organisation or individual and asking you to click on a link or open an attachment. These messages can come to you through email, as texts or on social media and try to obtain important information about you or your business including login credentials and credit card details.  

Phishing can cause significant financial loss. In 2023, organisations across Aotearoa reported losing $113k to Phishing and Credential Harvesting, up 15% from $100k in 2022.  It can also affect you and your business in other ways – such as loss of important or sensitive data, or reputational damage.

How phishing works

A typical example of phishing targeting a business is the gift card scam. A staff member receives a message that appears to be from a boss, saying the person needs urgent assistance and asking the staff member to buy a gift card, perhaps as a reward for another staff member, and to send through the gift card details. 

“Phishing attacks are effective because they emulate everyday communication,” CERT NZ Senior Analyst Sam Leggett says. “They are also constantly evolving so phishing messages become increasingly difficult to detect.”

Phishing can target individuals within your organisation. But scammers can also target your customers by sending phishing emails with links or attachments made to look like they came from your company. They do this by setting up a domain or website that closely resembles that of your organisation.  Attackers usually do this to:

  • trick your customers into providing sensitive information such as credit card details or login credentials, or
  • install malicious software – like ransomware – on peoples’ computers.
Phishing process diagram

1. Research: attackers identify targets and objectives and get a list of email addresses.

2. Phishing page: the attacker creates a phishing page by compromising a domain or using a similar domain name to a common brand.

3. Email sent: the email targets are sent a message to trick them into visiting the website.

4. Request actioned: the target enters information into the phishing page (credentials information) or is tricked into downloading malware.

5. Information harvested: the attacker uses information in attacks or sells it. Attackers use malware to steal information or money, or to use the computer for other attacks.

Own Your Online has resources to learn more about phishing attacks and how to protect your business against them.  

Make sure you and your staff are aware of the red flags to watch out for, so you can keep your data and finances safe.

Know the risks of phishing scams for your business 

How to protect your business from phishing scams 

Learn more about phishing and how to spot the signs in our business webinar 

Read full reports

CERT NZ Cyber Security Insights Q4 2023 (external link)

CERT NZ Annual Summary 2023(external link)

Get help now

If you or your business has been affected by an online incident or targeted by a scammer, we’re here to help.

Report now | CERT NZ (external link)