Get protected from scams

Many businesses think a cyber attack won’t happen to them.

In the past year, CERT NZ received more than 2,000 cybersecurity reports from New Zealand businesses and organisations. The reported financial loss was over $5.2 million. For example, CERT NZ received a report from a small business that was receiving emails from an attacker pretending to be a recognised supplier.

The emails contained fake invoices and were attempting to trick the business into paying the invoiced amount into an attacker’s account. The emails seemed legitimate. For example, they included information about recent goods the business had requested and the right costs. However, there were small differences in the sender’s email address that fortunately staff noticed before any payments were made.

With the help of their IT provider, the business discovered that an employee’s email account had been hacked.

The account had a simple password, making it easy for the attacker to get into the account and forward any emails containing words like “account”, “invoice” and “pay” to an external address belonging to the attacker. The information in these emails gave the attacker enough details about the business’s billing cycles and behaviours to create fake invoices that looked legitimate.

Every year during the busy tax reporting season, a lot of people have received fake emails purportedly from Inland Revenue (IR) informing them that there is tax refund with a small dollar amount stated (to entice you) and asking them to click on the link provided to claim the tax refund. Please don’t do it! If you are not sure, please call IR or your tax agent who is able to help you.

The telltale sign is taking a look at the sender address to see that if it is coming from the official IR domain name address. If not, it will clearly indicate that the email is not coming from IR as illustrated in the example above and it certainly is a scam or phishing email.

IR has put up media release that it never sends emails with a link to taxpayers to claim a tax refund. There are a lot of examples on the IR website:

If you have received a scam email lately, you may want to report it to IR by visiting

To help keep you and your business safe, we suggest putting the following four measures in place.

Manage your passwords
Have a strong and different password on each of your accounts, like email and software programmes. You might use a password manager, an app that securely stores account logins. That way you only have to remember one password.

Keeping your data safe with a password manager (external link) — CERT NZ

Turn on two-factor authentication
Add an extra layer of security to your business email accounts by applying two-factor authentication (2FA). It’s often a password and something else, like a code that is sent to your mobile phone.

Two-factor authentication as a security tool for business (external link) — CERT NZ

Check your privacy settings on social media
Updating your social media privacy settings to only friends and family makes it hard for cybercriminals to find out information about you.

Cybersecurity and social media (external link) — CERT NZ

Update the software on your devices
Don’t ignore software updates when they are available. Try to action them as soon as possible. It’ll help protect against bugs and viruses.

If you have a cybersecurity issue, report any issues to CERT NZ right away. You’ll be asked to describe the cybersecurity issue you’re experiencing. CERT NZ will then identify it and let you know what the next steps are to resolve it.

Along with providing you with help, CERT NZ uses the information you share to create advice and guidance for others who might be going through the same issue. Any information you provide is confidential unless you give consent to share the details of your report.

Report an issue (external link) — CERT NZ

Adapted from an article in