DEV Community

Cover image for How to Spot Phishing Emails — The NZ-Specific Guide for 2026
Feroze Ashraff
Feroze Ashraff

Posted on • Originally published at nzaisecurity.com

How to Spot Phishing Emails — The NZ-Specific Guide for 2026

How to Spot Phishing Emails — The NZ Specific Guide for 2026

Phishing is not a new problem. What is new: the volume, the specificity, and the NZ angle that makes local targets lower their guard.

In 2024, CERT NZ received over 2,300 cyber incident reports directly attributable to phishing — and that's only the incidents that got reported. The real number is significantly higher. Most security professionals will tell you the same thing: phishing works because it doesn't need to be sophisticated. It just needs you to be busy, distracted, or new to the country.

This is a guide built for New Zealanders. The examples are real. The URLs are NZ-specific. The advice is actionable.


What Phishing Actually Accomplishes

Most people think phishing is about stealing a password. Sometimes it is. More often, it's a stepping stone:

  • Credential harvesting — fake login pages capture usernames and passwords
  • MFA bypass — attackers pair captured passwords with real-time phishing kits that relay the MFA code before it expires
  • Malware delivery — malicious attachments or drive-by downloads
  • Business Email Compromise (BEC) — once inside an account, attackers impersonate you to your colleagues, vendors, or clients
  • Ransomware deployment — an initial foothold becomes a full network encryption event

The 2024 Quarter 4 CERT NZ report flagged phishing as the primary initial access vector for ransomware cases in NZ. That's not unique to NZ — it's global — but the local attack patterns have distinct characteristics.


The Red Flags That Actually Work in 2026

Stop looking for the obvious fake emails. The obvious ones are training exercises. Here's what to look for:

1. The Sender Domain Is the Whole Game

The single most reliable indicator is the sending domain — not the display name. A message can appear to come from "IRD NZ" while the actual address is @ird-govt.nz.xyz-redirect.com. That level of detail isn't visible on mobile.

Action: On mobile, tap the sender name to reveal the full address. On desktop, hover. If the domain doesn't match the real organisation, don't engage.

Known legitimate NZ government domains:

  • govt.nz and govt.nz only for core agencies
  • parliament.govt.nz
  • police.govt.nz
  • .govt.nz — but verify the full subdomain

For banks and telcos, use the official website directly — don't trust links in emails.

2. NZ-Specific Phishing Patterns Currently Circulating

CERT NZ has documented these recurring patterns targeting NZ:

IRD rebate scams — Emails claiming you're owed a tax refund. The real IRD doesn't send refund links via email. Ever. Go to ird.govt.nz directly.

Spark/Vodafone billing scams — Fake bills with urgency: "Your account will be suspended in 48 hours." Real providers send bills through the app and your online account portal, not random email links.

NZ Post / Couriers Please fake delivery notices — These spike around Christmas and after long weekends. The link goes to a lookalike tracking page that harvests credentials or drops malware.

Fake Trade Me messages — Trade Me never asks you to re-enter your password via an email link. Any message urging you to "verify your account" due to a "suspicious login" is a phish.

Fake NZ business invoices — attackers impersonate known suppliers and send updated banking details. If you get a request to change payment details, verify via a known phone number — not the one in the email.

3. Urgency Without Substance

"Your account will be suspended." "Unusual activity detected." "Act within 24 hours or lose access permanently."

These are pressure tactics. Real security notifications from real services will:

  • Not require immediate action to avoid a consequence
  • Allow you to log in through the official app or website to check
  • Not demand you click a link in the email

If the email only exists to make you click — not to inform you — treat it as suspicious.

4. Links That Don't Match

If the visible text says google.com but the destination is googIe.com (capital I, not lowercase L), that's a phishing URL. Homograph attacks — where attackers use characters that look identical in different scripts — are real, though increasingly blocked by browsers.

The practical rule: hover before you click, tap before you open on mobile.

5. Requests for Credentials or MFA Codes

No legitimate service emails you asking for:

  • Your password
  • Your MFA code or authenticator OTP
  • Your recovery codes
  • Your date of birth as "verification"

If it asks for it in an email, it's a scam.


What If You've Already Clicked?

Don't panic. The speed of your response matters more than the panic.

Step 1 — Disconnect if needed

If you downloaded an attachment, disconnected from the network immediately. Run a full antivirus/malware scan from a clean state.

Step 2 — Change the password

From a different device. Use the official website directly — not the link you just clicked.

Step 3 — Check your account activity

Google, Microsoft, and most major services have account activity pages showing recent logins, IP addresses, and connected devices. If there's something you don't recognise, revoke access and change the password again.

Step 4 — If you use that password elsewhere, change it everywhere

This is why password managers matter. Unique passwords per service mean one breach doesn't cascade.

Step 5 — If financial information was entered

Call your bank immediately. Block the card, monitor transactions, consider a temporary freeze.

Step 6 — Report it

  • CERT NZ: cert.govt.nz — reports are fast, anonymous, and actually used
  • Your email provider — forward the email, mark it as phishing
  • The organisation being impersonated — most banks and major services have fraud reporting addresses

The Technical Side: Why Phishing Still Works on Smart People

This is the part that bothers technically literate readers: why do smart people still fall for this?

The honest answer is that modern phishing is not a technology problem. It's a psychology problem. The attacks target:

  • Cognitive load — people under stress or time pressure don't scrutinise
  • Authority — messages from "IT Support" or "The CEO" bypass the normal skepticism
  • Trust exploitation — if you've clicked a legitimate Google Doc link 20 times this week, you're primed to click the 21st without looking
  • Real-time relay attacks — tools like "EvilGinx" and "Muraena" proxy the entire login session in real time, including MFA codes, so the legitimate service completes the authentication before the attacker pivots

This is why technical controls alone don't stop phishing. Awareness training matters — but only training that tests people with real simulations, not annual video modules that everyone clicks through.


The NZ Context That Changes Everything

New Zealand's cyber security maturity is behind comparable countries. We're a small, trusting population with high internet penetration and relatively low awareness of international scam patterns. That makes us a disproportionately attractive target.

What also changes the NZ equation:

  • Our banks and telcos are good but not perfect at anti-phishing
  • NZ's privacy law (Privacy Act 2020) means data breaches have to be reported — but only if you know a breach happened
  • Many NZ small businesses have no dedicated IT staff, meaning one successful phish can take down an entire practice

The most effective thing you can do in NZ is: assume it's phishing until proven otherwise, and verify via a separate channel.


Further Reading


This article was originally published on NZAI Security. NZAI Security provides free cybersecurity education resources for New Zealanders — schools, small businesses, and individuals.

Top comments (0)