What is phishing?
Phishing is when someone tries to get personal information (like bank account numbers and passwords) from a large, untargeted audience so they can use it to impersonate or defraud people.
Phishing scammers will contact a large number of people in the hope that some of them will fall for the scam. These scams can seem like they’re targeted at you, but in reality the same scam is being sent to hundreds, if not thousands, of people at the same time.
Phishing scammers will often claim to be from a legitimate organisation, or to have some kind of ‘deal’ to be claimed. For example, a scammer may send out an email telling people they’ve won a lottery, and that to claim the winnings they need to provide some details. Other phishing scams use scare tactics, where the scammers pretend to be lawyers or employees of the government and threaten legal action if you don’t give them information or money.
Why is it called ‘phishing’?
This scam got the name ‘phishing’ because it’s similar to fishing – scammers use email or phone ‘lures’, in order to ‘fish’ for personal information from the ‘sea’ of internet users.
Phishing scammers contact a large group of people in the hope that some of them will fall for the scam – there is generally no targeting involved.
There are other types of phishing such as:
- Spear phishing: spear phishing is the same as regular phishing, but there is some reason why the people contacted have been targeted.
- Whaling: whaling is a type of phishing scam that is highly targeted to a certain person that the scammers can gain a lot from – for example, high-level business people, politicians and celebrities.
How does phishing work?
Phishing attempts often look or sound genuine because the scammer is impersonating a trusted organisation or person. They could be pretending to be from your phone or internet company, a law firm, your bank or even the government. The scammer asks you to update your details, provide details, complete a survey, make a payment or do something else that gives them access to your personal information.
Sometimes there can be an enticing story about why the scammer is contacting you. For example, they might say that you have a wealthy relative who has passed away and that you’re the closest known living family member who will inherit their fortune. At other times, the scammer will try to intimidate you. For example, they might say they’re from Inland Revenue and that if you don’t make a payment for an overdue tax bill immediately, you’ll face legal action.
If the scammer gets personal information, they’ll likely use it to impersonate or defraud that person. This could include anything from opening credit cards or bank accounts in your name, to accessing your online accounts like email, or even taking money from your bank account.
Are phishing emails obvious?
The short answer is no. Some phishing attempts look obvious, while others don’t. Phishing scams are becoming more difficult to spot as scammers become more sophisticated. There are some basic rules to follow to help keep yourself safe online in the Email Phishing 101 Guide, and if you’re still unsure if an email is legitimate you can contact us for advice.
Email Phishing 101 Guide
- Be cautious about emails asking you to update or verify your details online
- Be cautious of emails saying you’ve won prizes from competitions that you don’t remember entering
- Be cautious of emails that try to get you to act quickly by threatening you with legal action or loss of an account
- Ignore any emails asking you to provide personal information like passwords, or banking information
- Remember legitimate organisations like banks will never ask you to send them your password
- Only open email attachments when you’re expecting them, even if you know who the sender is
- If you’re unsure if an email is from a legitimate organisation, you can contact them to ask. If you do contact them, make sure you go through their official contact channels – don’t use the phone numbers, websites or email addresses included in the email
- You can also try an internet search using the names or exact wording of the email to check for any references to a scam – many scams can be identified this way
- If you’re still unsure if an email is legitimate you can contact us for advice
What information should I protect online?
You should protect any information about you that could be used to access your online accounts, build a fake online presence or impersonate you in any way, including the following:
- Login details and passwords to any online account including banking, email, social media and trading sites
- Bank account details
- Phone number
- Personal information that could be used to guess security questions on your online accounts
What to do if you receive a phishing email
If you receive a phishing email, the best thing to do is delete it and forget about it.
If you’ve given out banking details, contact your bank immediately. If you’ve given out information of any type, contact us for advice immediately. The faster you act, the more likely you are to reduce the damage that could be done.
You can also forward phishing emails to known brands directly, so they know about new phishing scams using their brand.
Here are the email addresses for commonly targeted brands:
- ANZ email@example.com
- Apple firstname.lastname@example.org
- ASB email@example.com
- BNZ firstname.lastname@example.org
- IRD email@example.com
- Kiwibank firstname.lastname@example.org
- PayPal email@example.com
- TradeMe firstname.lastname@example.org
- TSB email@example.com
- Westpac firstname.lastname@example.org
- Call 0508 NETSAFE seven days a week toll-free from anywhere in New Zealand
- Visit netsafe.org.nz/report
- Email email@example.com