Protect yourself
Kia pare i a koe ki te hītinihanga

Protect yourself against phishing emails

Find out how to recognise a phishing email, and what to do if you think you've been sent one.

Recognising phishing

Phishing is a type of email scam. The sender pretends to be a trustworthy organisation – like a bank or government agency – to try and get you to provide them with personal information or financial details.

Learn more about phishing

Although you can’t prevent a phishing attack, there are things you can do to make sure you recognise one.

Know what to look for

A phishing email will ask you to either click a link and enter personal information, or open an attachment in the email.

Most phishing emails use the same design and logos as the company or organisation they’re pretending to be, and the same kind of language. They often look quite legitimate, but you might notice that:

  • you don’t recognise the sender
  • the sender's name doesn’t sound quite right
  • you don’t recognise the name of the company
  • the company logo doesn’t look like it should
  • the email refers to you in a generic or odd way — for example, 'Dear You…' (note that a phishing email may contain your name if the attacker got your information from a data breach)
  • the email contains bad grammar or spelling
  • the email is trying to convince you to hurry or take action urgently – for example, using language like "action required" or telling you you need to collect a parcel or pay a toll
  • if you hover over a link in the email with your mouse, the address that you see doesn’t match the place it’s saying it’ll take you.

Whenever you follow a link to a screen that's asking you to log in or enter personal details, check the domain name in the browser address bar matches the company you expect before you enter any information.

Don't click on links in emails that you're not sure about

  • Don’t click on web links sent by someone you don’t know, or that seem out of character for someone you do know.
  • Use bookmarks or Google to access websites rather than links in emails.
  • Stop and check before you give out any personal information. If you’re not sure about something, contact the person or company another way – by looking up their website and using the contact phone number, for example – to check first.

Know what legitimate emails look like

  • Make sure you know how the companies you deal with will contact you, and know what kind of information they’ll ask you for. For example, a bank should never email you a link to online banking and ask you to login – always log into your bank by going to their app or website.
  • If you’re not sure why you’re being asked for information, call the company directly to check what they want it for. Businesses are legally obliged to only ask for information they need.

Get help

If you think you’ve been sent a phishing email, here’s what to do next.

If you haven’t done anything with the email

Delete it. You can also report it as spam or block it first to make sure you won't receive email from that sender again. If you haven't clicked on anything in the email, your system and personal information is safe.

If you gave out some personal or financial details

For any accounts you think may now be at risk:

  • contact the service provider and ask what they can do to help
  • change the account password – including any other accounts that use the same password – and turn on two-factor authentication if it's available.

How to create good passwords

Use two-factor authentication to protect your accounts

If you've provided:

Get a free credit check done. This will let you see if any accounts have been opened in your name. There are three main credit check companies in NZ, and you’ll have to contact all of them. You can ask to have your credit record corrected if there’s any suspicious activity on it.

How to get a credit report in NZ

Report the issue to CERT NZ

You can also report an online issue or security incident to us at CERT NZ.

Get help now