What is phishing?
Phishing is when someone tries to get personal information (like bank account numbers and passwords) from a large audience, so they can use it to impersonate or defraud people. Phishing emails can look very real, and some will even use the branding and logos of a legitimate organisation to make the email seem genuine.
Phishing scammers will contact a large number of people in the hope that some of them will fall for the scam. These scams can seem like they’re being sent just to you, but in reality the same scam is being sent to hundreds, if not thousands, of people at the same time.
Phishing scammers will often claim to be from a legitimate organisation, or to have some kind of ‘deal’ to be claimed. For example, a scammer may send out an email telling people they have won a lottery, and to claim the winnings they need to provide some details. Other phishing scams use scare tactics, where the scammers pretend to be lawyers or employees of the government and threaten legal action if you don’t give them information or money. We’ve also heard of scam emails claiming that online accounts or memberships have been cancelled, have expired or have details that need updating.
Why is it called ‘phishing’?
This scam got the name ‘phishing’ because it’s similar to fishing – scammers use email or phone ‘lures’ to ‘fish’ for personal information from the ‘sea’ of internet users.
Phishing scammers contact a large group of people in the hope that some of them will believe the scam – there is generally no targeting involved.
There are other types of phishing, such as:
- Spear phishing: the same as regular phishing, but there is some reason why the people contacted have been targeted.
- Whaling: a type of phishing scam that is highly targeted to a certain person that the scammers can gain a lot from – for example, high-level business people, politicians and celebrities.
How does phishing work?
Phishing attempts often look or sound genuine because the scammer is impersonating a trusted organisation or person. They could be pretending to be from your phone or internet company, a law firm, your bank or even the government. The scammer asks you to update your details, provide details, complete a survey, make a payment or respond to another request that gives them access to your personal information.
Sometimes there can be an enticing story about why the scammer is contacting you. For example, they might say that you have a wealthy relative who has passed away and you’re the closest known living family member who will inherit their fortune. At other times, the scammer will try to intimidate you. For example, they might say they’re from Inland Revenue and that if you don’t make a payment for an overdue tax bill immediately, you’ll face legal action.
If the scammer gets your personal information, they’ll likely use it to impersonate or defraud you. This could include anything from opening credit cards or bank accounts in your name, to accessing your online accounts like email, or even taking money from your bank account.
Are phishing emails obvious?
The short answer is no. Some phishing attempts look obvious, while others don’t. Phishing scams are becoming more difficult to spot as scammers become more sophisticated. There are some basic rules to follow to help keep yourself safe online in the Email Phishing 101 Guide, and if you’re still unsure if an email is legitimate you can contact us for advice.
Email Phishing 101 Guide
- Be cautious about emails asking you to update or verify your details online
- Be cautious of emails saying you’ve won prizes from competitions that you don’t remember entering
- Be cautious of emails that try to get you to act quickly by threatening you with legal action or loss of an account
- Ignore any emails asking you to provide personal information like passwords or banking information
- Remember legitimate organisations like banks will never ask you to send them your password
- Only open email attachments when you’re expecting them, even if you know who the sender is
- If you’re unsure if an email is from a legitimate organisation, you can contact them to ask. If you do contact them, make sure you go through their official contact channels – don’t use the phone numbers, websites or email addresses included in the email
- You can also try an internet search using the names or exact wording of the email to check for any references to a scam – many scams can be identified this way
- If you’re still unsure if an email is legitimate you can contact us for advice
What information should I protect?
You should protect any information about you that could be used to access your online accounts, build a fake online presence or impersonate you in any way, including the following:
- Login details and passwords to any online account including banking, email, social media and trading sites
- Bank account and credit card details
- Phone number
- Personal information that could be used to guess security questions on your online accounts
What to do if you receive a phishing email
If you receive a phishing email, do not reply to it. You can report it to Netsafe, and if the scammer is pretending to be from a legitimate brand you can forward it to that organisation so they know about it. If you’re unsure if the email you’ve received is a phishing scam, you can contact us for advice.
If you’ve given out banking details, contact your bank immediately. If you’ve given out information of any type, contact us for advice immediately. The faster you act, the more likely you are to reduce the damage that could be done.
You can also forward phishing emails to known brands directly, so they know about new phishing scams using their brand.
Here are the email addresses for commonly targeted brands if you’d like to forward scam emails to them.
- Westpac email@example.com
- TSB firstname.lastname@example.org
- TradeMe email@example.com
- PayPal firstname.lastname@example.org
- Kiwibank email@example.com
- IRD firstname.lastname@example.org
- BNZ email@example.com
- ASB firstname.lastname@example.org
- Apple email@example.com
- ANZ firstname.lastname@example.org
- Countdown email@example.com
Report a scam
Help if you have been scammed or think you are about to be scammed: Netsafe can’t open investigations or track scammers, but we can offer support and advice for people who have lost money in a scam, or think they are about to. This includes letting you know the steps you can take depending on the scam you’re in and giving you advice about how to stay safe in future. You can report a scam to www.netsafe.org.nz/report.
Our help service is open from 8am – 8pm Monday to Friday and 9am – 5pm on weekends.