<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: Feroze Ashraff</title>
    <description>The latest articles on DEV Community by Feroze Ashraff (@feroze_ashraff_e952c5a67a).</description>
    <link>https://dev.to/feroze_ashraff_e952c5a67a</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F4025560%2Fa9bfc1b1-c4a3-4848-967f-9aeaff457009.png</url>
      <title>DEV Community: Feroze Ashraff</title>
      <link>https://dev.to/feroze_ashraff_e952c5a67a</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/feroze_ashraff_e952c5a67a"/>
    <language>en</language>
    <item>
      <title>How to Spot Phishing Emails — The NZ-Specific Guide for 2026</title>
      <dc:creator>Feroze Ashraff</dc:creator>
      <pubDate>Sat, 11 Jul 2026 22:06:06 +0000</pubDate>
      <link>https://dev.to/feroze_ashraff_e952c5a67a/how-to-spot-phishing-emails-the-nz-specific-guide-for-2026-411j</link>
      <guid>https://dev.to/feroze_ashraff_e952c5a67a/how-to-spot-phishing-emails-the-nz-specific-guide-for-2026-411j</guid>
      <description>&lt;h1&gt;
  
  
  How to Spot Phishing Emails — The NZ Specific Guide for 2026
&lt;/h1&gt;

&lt;p&gt;Phishing is not a new problem. What is new: the volume, the specificity, and the NZ angle that makes local targets lower their guard.&lt;/p&gt;

&lt;p&gt;In 2024, CERT NZ received over 2,300 cyber incident reports directly attributable to phishing — and that's only the incidents that got reported. The real number is significantly higher. Most security professionals will tell you the same thing: phishing works because it doesn't need to be sophisticated. It just needs you to be busy, distracted, or new to the country.&lt;/p&gt;

&lt;p&gt;This is a guide built for New Zealanders. The examples are real. The URLs are NZ-specific. The advice is actionable.&lt;/p&gt;




&lt;h2&gt;
  
  
  What Phishing Actually Accomplishes
&lt;/h2&gt;

&lt;p&gt;Most people think phishing is about stealing a password. Sometimes it is. More often, it's a stepping stone:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Credential harvesting&lt;/strong&gt; — fake login pages capture usernames and passwords&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;MFA bypass&lt;/strong&gt; — attackers pair captured passwords with real-time phishing kits that relay the MFA code before it expires&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Malware delivery&lt;/strong&gt; — malicious attachments or drive-by downloads&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Business Email Compromise (BEC)&lt;/strong&gt; — once inside an account, attackers impersonate you to your colleagues, vendors, or clients&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Ransomware deployment&lt;/strong&gt; — an initial foothold becomes a full network encryption event&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;The 2024 Quarter 4 CERT NZ report flagged phishing as the primary initial access vector for ransomware cases in NZ. That's not unique to NZ — it's global — but the local attack patterns have distinct characteristics.&lt;/p&gt;




&lt;h2&gt;
  
  
  The Red Flags That Actually Work in 2026
&lt;/h2&gt;

&lt;p&gt;Stop looking for the obvious fake emails. The obvious ones are training exercises. Here's what to look for:&lt;/p&gt;

&lt;h3&gt;
  
  
  1. The Sender Domain Is the Whole Game
&lt;/h3&gt;

&lt;p&gt;The single most reliable indicator is the sending domain — not the display name. A message can appear to come from "IRD NZ" while the actual address is &lt;code&gt;@ird-govt.nz.xyz-redirect.com&lt;/code&gt;. That level of detail isn't visible on mobile.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Action:&lt;/strong&gt; On mobile, tap the sender name to reveal the full address. On desktop, hover. If the domain doesn't match the real organisation, don't engage.&lt;/p&gt;

&lt;p&gt;Known legitimate NZ government domains:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;code&gt;govt.nz&lt;/code&gt; and &lt;code&gt;govt.nz&lt;/code&gt; only for core agencies&lt;/li&gt;
&lt;li&gt;&lt;code&gt;parliament.govt.nz&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;police.govt.nz&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;
&lt;code&gt;.govt.nz&lt;/code&gt; — but verify the full subdomain&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;For banks and telcos, use the official website directly — don't trust links in emails.&lt;/p&gt;

&lt;h3&gt;
  
  
  2. NZ-Specific Phishing Patterns Currently Circulating
&lt;/h3&gt;

&lt;p&gt;CERT NZ has documented these recurring patterns targeting NZ:&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;IRD rebate scams&lt;/strong&gt; — Emails claiming you're owed a tax refund. The real IRD doesn't send refund links via email. Ever. Go to &lt;code&gt;ird.govt.nz&lt;/code&gt; directly.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Spark/Vodafone billing scams&lt;/strong&gt; — Fake bills with urgency: "Your account will be suspended in 48 hours." Real providers send bills through the app and your online account portal, not random email links.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;NZ Post / Couriers Please fake delivery notices&lt;/strong&gt; — These spike around Christmas and after long weekends. The link goes to a lookalike tracking page that harvests credentials or drops malware.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Fake Trade Me messages&lt;/strong&gt; — Trade Me never asks you to re-enter your password via an email link. Any message urging you to "verify your account" due to a "suspicious login" is a phish.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Fake NZ business invoices&lt;/strong&gt; — attackers impersonate known suppliers and send updated banking details. If you get a request to change payment details, verify via a known phone number — not the one in the email.&lt;/p&gt;

&lt;h3&gt;
  
  
  3. Urgency Without Substance
&lt;/h3&gt;

&lt;p&gt;"Your account will be suspended." "Unusual activity detected." "Act within 24 hours or lose access permanently."&lt;/p&gt;

&lt;p&gt;These are pressure tactics. Real security notifications from real services will:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Not require immediate action to avoid a consequence&lt;/li&gt;
&lt;li&gt;Allow you to log in through the official app or website to check&lt;/li&gt;
&lt;li&gt;Not demand you click a link in the email&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;If the email only exists to make you click — not to inform you — treat it as suspicious.&lt;/p&gt;

&lt;h3&gt;
  
  
  4. Links That Don't Match
&lt;/h3&gt;

&lt;p&gt;If the visible text says &lt;code&gt;google.com&lt;/code&gt; but the destination is &lt;code&gt;googIe.com&lt;/code&gt; (capital I, not lowercase L), that's a phishing URL. Homograph attacks — where attackers use characters that look identical in different scripts — are real, though increasingly blocked by browsers.&lt;/p&gt;

&lt;p&gt;The practical rule: &lt;strong&gt;hover before you click, tap before you open on mobile&lt;/strong&gt;.&lt;/p&gt;

&lt;h3&gt;
  
  
  5. Requests for Credentials or MFA Codes
&lt;/h3&gt;

&lt;p&gt;No legitimate service emails you asking for:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Your password&lt;/li&gt;
&lt;li&gt;Your MFA code or authenticator OTP&lt;/li&gt;
&lt;li&gt;Your recovery codes&lt;/li&gt;
&lt;li&gt;Your date of birth as "verification"&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;If it asks for it in an email, it's a scam.&lt;/p&gt;




&lt;h2&gt;
  
  
  What If You've Already Clicked?
&lt;/h2&gt;

&lt;p&gt;Don't panic. The speed of your response matters more than the panic.&lt;/p&gt;

&lt;h3&gt;
  
  
  Step 1 — Disconnect if needed
&lt;/h3&gt;

&lt;p&gt;If you downloaded an attachment, disconnected from the network immediately. Run a full antivirus/malware scan from a clean state.&lt;/p&gt;

&lt;h3&gt;
  
  
  Step 2 — Change the password
&lt;/h3&gt;

&lt;p&gt;From a different device. Use the official website directly — not the link you just clicked.&lt;/p&gt;

&lt;h3&gt;
  
  
  Step 3 — Check your account activity
&lt;/h3&gt;

&lt;p&gt;Google, Microsoft, and most major services have account activity pages showing recent logins, IP addresses, and connected devices. If there's something you don't recognise, revoke access and change the password again.&lt;/p&gt;

&lt;h3&gt;
  
  
  Step 4 — If you use that password elsewhere, change it everywhere
&lt;/h3&gt;

&lt;p&gt;This is why password managers matter. Unique passwords per service mean one breach doesn't cascade.&lt;/p&gt;

&lt;h3&gt;
  
  
  Step 5 — If financial information was entered
&lt;/h3&gt;

&lt;p&gt;Call your bank immediately. Block the card, monitor transactions, consider a temporary freeze.&lt;/p&gt;

&lt;h3&gt;
  
  
  Step 6 — Report it
&lt;/h3&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;CERT NZ:&lt;/strong&gt; &lt;code&gt;cert.govt.nz&lt;/code&gt; — reports are fast, anonymous, and actually used&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Your email provider&lt;/strong&gt; — forward the email, mark it as phishing&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;The organisation being impersonated&lt;/strong&gt; — most banks and major services have fraud reporting addresses&lt;/li&gt;
&lt;/ul&gt;




&lt;h2&gt;
  
  
  The Technical Side: Why Phishing Still Works on Smart People
&lt;/h2&gt;

&lt;p&gt;This is the part that bothers technically literate readers: why do smart people still fall for this?&lt;/p&gt;

&lt;p&gt;The honest answer is that modern phishing is not a technology problem. It's a psychology problem. The attacks target:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Cognitive load&lt;/strong&gt; — people under stress or time pressure don't scrutinise&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Authority&lt;/strong&gt; — messages from "IT Support" or "The CEO" bypass the normal skepticism&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Trust exploitation&lt;/strong&gt; — if you've clicked a legitimate Google Doc link 20 times this week, you're primed to click the 21st without looking&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Real-time relay attacks&lt;/strong&gt; — tools like "EvilGinx" and "Muraena" proxy the entire login session in real time, including MFA codes, so the legitimate service completes the authentication before the attacker pivots&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;This is why technical controls alone don't stop phishing. Awareness training matters — but only training that tests people with real simulations, not annual video modules that everyone clicks through.&lt;/p&gt;




&lt;h2&gt;
  
  
  The NZ Context That Changes Everything
&lt;/h2&gt;

&lt;p&gt;New Zealand's cyber security maturity is behind comparable countries. We're a small, trusting population with high internet penetration and relatively low awareness of international scam patterns. That makes us a disproportionately attractive target.&lt;/p&gt;

&lt;p&gt;What also changes the NZ equation:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Our banks and telcos are good but not perfect at anti-phishing&lt;/li&gt;
&lt;li&gt;NZ's privacy law (Privacy Act 2020) means data breaches have to be reported — but only if you know a breach happened&lt;/li&gt;
&lt;li&gt;Many NZ small businesses have no dedicated IT staff, meaning one successful phish can take down an entire practice&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;The most effective thing you can do in NZ is: assume it's phishing until proven otherwise, and verify via a separate channel.&lt;/p&gt;




&lt;h2&gt;
  
  
  Further Reading
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;&lt;a href="https://www.cert.govt.nz/individuals/report/" rel="noopener noreferrer"&gt;CERT NZ — Report a Cyber Security Incident&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://www.cert.govt.nz/individuals/threats/phishing/" rel="noopener noreferrer"&gt;CERT NZ — Phishing and Scams Guidance&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://www.ncsc.govt.nz" rel="noopener noreferrer"&gt;NCSC NZ — Cyber Security Small Business Guide&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://myaccount.google.com/security-checkup" rel="noopener noreferrer"&gt;Google Security Checkup&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;




&lt;p&gt;&lt;em&gt;This article was originally published on &lt;a href="https://nzaisecurity.com" rel="noopener noreferrer"&gt;NZAI Security&lt;/a&gt;. NZAI Security provides free cybersecurity education resources for New Zealanders — schools, small businesses, and individuals.&lt;/em&gt;&lt;/p&gt;

</description>
      <category>beginners</category>
      <category>cybersecurity</category>
      <category>security</category>
      <category>tutorial</category>
    </item>
  </channel>
</rss>
