What is phishing — and how to spot it before it catches you

Phishing is the most common way people get hacked, and it's getting harder to spot. Here's how it works and what to look for so you don't take the bait.

Jason Webb

5 min read

Phishing is the reason most people get hacked. Not because they're careless, but because the emails and messages are genuinely convincing. I've seen smart, careful people get caught out by a well-crafted phishing email — there's no shame in it.

But once you know what to look for, you'll start spotting them almost instantly.

What phishing actually is

Phishing is when someone pretends to be a trusted organisation — your bank, NZ Post, IRD, Netflix, Microsoft — to trick you into handing over your password, credit card number, or personal information. It usually arrives as an email, but it can also come as a text message (sometimes called "smishing") or even a phone call ("vishing").

The goal is almost always the same: get you to click a link and enter your details on a fake website that looks identical to the real one.

What a phishing email looks like

They've come a long way from the days of Nigerian princes. Modern phishing emails often look completely professional. But there are tells:

The sender address is slightly off

The email might say it's from "NZ Post" but the actual address is something like [email protected]. Always check the full email address, not just the display name.

It creates urgency or fear

"Your account has been compromised." "Your parcel couldn't be delivered." "You have 24 hours to respond or your account will be closed." Real organisations don't threaten you with deadlines in emails. They especially don't ask you to fix things by clicking a link.

The link doesn't go where it says it does

This is the big one. On a computer, hover your mouse over any link in the email — don't click it — and check the address that appears. If the email says it's from ANZ but the link goes to anz-secure-login.dodgy-domain.com, that's phishing.

On a phone, press and hold the link to preview it instead of tapping.
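The two checks above (the real address behind the display name, and the real destination behind a link) can be mechanised for anyone who handles reported emails. The script below is an added example, not code from the article or its author. It assumes the organisation's genuine domain is supplied by whoever runs the check (nzpost.co.nz for the constructed sample), and it uses a short hand-written list of two-level suffixes such as co.nz instead of the full Public Suffix List. The sample email and the dodgy-domain.example addresses in it are constructed for illustration.

```python
"""Mechanise two checks from the article: does the From address really
belong to the organisation named in the display name, and does each link
in the body really point at that organisation's site?"""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: a hand-picked set of two-level public suffixes. A real tool
# would load the Public Suffix List; this is enough for the NZ/AU/UK
# addresses the article talks about.
TWO_LEVEL_SUFFIXES = {"co.nz", "govt.nz", "org.nz", "net.nz", "ac.nz",
                      "co.uk", "org.uk", "com.au", "net.au"}


def registrable_domain(host: str) -> str:
    """Return the part of a hostname that somebody actually registered:
    'anz-secure-login.dodgy-domain.com' -> 'dodgy-domain.com',
    'mail.anz.co.nz' -> 'anz.co.nz'. Everything to the left is decoration
    the sender controls and can set to anything."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def sender_domain(from_header: str) -> str:
    """Ignore the display name ('NZ Post') and return the registrable
    domain of the real address between the angle brackets."""
    _display, address = parseaddr(from_header)
    if "@" not in address:
        return ""
    return registrable_domain(address.rsplit("@", 1)[1])


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body, i.e.
    what the hover preview shows versus what the reader sees."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html: str):
    parser = _LinkCollector()
    parser.feed(html)
    return parser.links


def check_email(raw: str, expected_domain: str) -> dict:
    """Run both checks on a raw RFC 822 message and report the real
    sender domain, whether it matches, and every link whose real
    destination lies outside the expected domain."""
    msg = message_from_string(raw)
    expected = expected_domain.lower()
    sender = sender_domain(msg.get("From", ""))
    bad_links = []
    for href, text in extract_links(msg.get_payload()):
        real = registrable_domain(urlparse(href).hostname or "")
        if real != expected:
            # If the visible text is itself a URL, record the domain it
            # claims, so the report reads "says X, goes to Y".
            claimed = urlparse(text).hostname if text.startswith("http") else None
            bad_links.append({"text": text, "href": href,
                              "real_domain": real, "claimed_host": claimed})
    return {"sender_domain": sender, "sender_ok": sender == expected,
            "bad_links": bad_links}


# Constructed sample modelled on the article's NZ Post example. The
# dodgy-domain.example addresses are placeholders, not real infrastructure.
SAMPLE_PHISH = """\
From: NZ Post <notifications@nzpost-delivery.dodgy-domain.example>
Subject: Your parcel couldn't be delivered
Content-Type: text/html

<p>Dear Customer, we could not deliver your parcel.</p>
<p><a href="https://nzpost.co.nz.dodgy-domain.example/redeliver">https://www.nzpost.co.nz/track</a></p>
<p><a href="https://www.nzpost.co.nz/help">Help centre</a></p>
"""

# Constructed legitimate counterpart: sender and every link on nzpost.co.nz.
SAMPLE_LEGIT = """\
From: NZ Post <notifications@mail.nzpost.co.nz>
Subject: Your parcel is on its way
Content-Type: text/html

<p>Hi Jason, your parcel is out for delivery.</p>
<p><a href="https://www.nzpost.co.nz/track">Track it</a></p>
"""

if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, check_email(raw, "nzpost.co.nz"))
```

On the constructed phishing sample the report shows the sender really lives at dodgy-domain.example and that the first link, which displays a nzpost.co.nz address, actually goes to nzpost.co.nz.dodgy-domain.example; the legitimate sample produces no findings. The registrable-domain step is the point of the exercise: a hostname can begin with any brand name, so only its right-hand end tells you who owns it.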

It asks for information they should already have

Your bank will never email you asking for your account number, password, or PIN. IRD won't ask for your myIR login via email. If someone's asking for information they should already know, that's a red flag.

The greeting is generic

"Dear Customer" or "Dear User" instead of your actual name often signals a mass phishing campaign. Though increasingly, phishers do personalise — so a correct name alone doesn't make an email safe.

What to do when you spot one

  1. Don't click anything. Not the links, not the attachments, not the unsubscribe button.
  2. Don't reply. Even replying confirms your email address is active.
  3. Report it. Forward it to the organisation being impersonated (most banks have a dedicated phishing email). In New Zealand, you can also report it to CERT NZ.
  4. Delete it. Once reported, get rid of it.

What to do if you've already clicked

Don't panic — but do act quickly.

  • Change your password immediately for whatever account the fake site was imitating. If you use the same password anywhere else (and you know you shouldn't), change those too.
  • Turn on two-factor authentication if you haven't already.
  • Check your bank accounts for any transactions you don't recognise.
  • Run a malware scan if you downloaded an attachment.
  • Contact your bank if you entered any financial details. They deal with this every day and can freeze things fast.

The ones that nearly got me

I'll be honest — I've had a couple land in my inbox that made me pause. A fake Xero invoice notification that looked pixel-perfect. A courier delivery text that arrived the same day I was actually expecting a parcel. The timing made it convincing.

The thing that saved me both times was the same: I didn't click the link in the message. I opened a browser, went directly to the real website, and logged in there. If there was genuinely a problem, it would show up in my actual account.

That single habit — never click, always go direct — blocks almost every phishing attempt.


If you've received something suspicious and you're not sure whether it's real, send it my way. I'm always happy to take a look — better safe than sorry.
