How to Spot Phishing Emails — The NZ-Specific Guide for 2026

How to Spot Phishing Emails — The NZ-Specific Guide for 2026

如何识别钓鱼邮件——2026年新西兰专属指南

Phishing is not a new problem. What is new: the volume, the specificity, and the NZ angle that makes local targets lower their guard. In 2024, CERT NZ received over 2,300 cyber incident reports directly attributable to phishing — and that’s only the incidents that got reported. The real number is significantly higher. 钓鱼攻击并不是什么新鲜事。新的变化在于:攻击的数量、针对性,以及让本地目标放松警惕的“新西兰视角”。2024年,新西兰计算机应急响应小组(CERT NZ)收到了超过2,300起直接归因于钓鱼攻击的网络安全事件报告——而这仅仅是已上报的案例。实际数字要高得多。

Most security professionals will tell you the same thing: phishing works because it doesn’t need to be sophisticated. It just needs you to be busy, distracted, or new to the country. This is a guide built for New Zealanders. The examples are real. The URLs are NZ-specific. The advice is actionable. 大多数安全专家都会告诉你同样的事实:钓鱼攻击之所以有效,是因为它根本不需要多么高明。它只需要你正忙碌、分心,或者刚来到这个国家。这是一份专为新西兰人编写的指南。其中的案例是真实的,网址是新西兰特有的,建议也是切实可行的。

What Phishing Actually Accomplishes

钓鱼攻击的真正目的

Most people think phishing is about stealing a password. Sometimes it is. More often, it’s a stepping stone: 大多数人认为钓鱼攻击就是为了窃取密码。有时确实如此,但更多时候,它只是一个跳板:

  • Credential harvesting — fake login pages capture usernames and passwords
  • 凭据收集——伪造的登录页面获取用户名和密码
  • MFA bypass — attackers pair captured passwords with real-time phishing kits that relay the MFA code before it expires
  • 绕过双重身份验证(MFA)——攻击者将获取的密码与实时钓鱼工具包结合,在MFA验证码过期前将其转发
  • Malware delivery — malicious attachments or drive-by downloads
  • 恶意软件投递——通过恶意附件或“路过式下载”植入病毒
  • Business Email Compromise (BEC) — once inside an account, attackers impersonate you to your colleagues, vendors, or clients
  • 商业电子邮件诈骗(BEC)——一旦进入账户,攻击者会冒充你与同事、供应商或客户联系
  • Ransomware deployment — an initial foothold becomes a full network encryption event
  • 勒索软件部署——最初的入侵点最终演变为整个网络的加密勒索事件

The 2024 Quarter 4 CERT NZ report flagged phishing as the primary initial access vector for ransomware cases in NZ. That’s not unique to NZ — it’s global — but the local attack patterns have distinct characteristics. 2024年第四季度的CERT NZ报告指出,钓鱼攻击是新西兰勒索软件案件的主要初始入侵途径。这并非新西兰独有,而是全球性的问题,但本地的攻击模式具有鲜明的特征。

The Red Flags That Actually Work in 2026

2026年真正有效的预警信号

Stop looking for the obvious fake emails. The obvious ones are training exercises. Here’s what to look for: 别再盯着那些一眼假的邮件了。那些明显的假邮件只是训练素材。你需要关注的是:

1. The Sender Domain Is the Whole Game 1. 发件人域名是关键

The single most reliable indicator is the sending domain — not the display name. A message can appear to come from “IRD NZ” while the actual address is @ird-govt.nz.xyz-redirect.com. That level of detail isn’t visible on mobile. 最可靠的判断指标是发件人域名,而不是显示名称。一封邮件可能看起来来自“IRD NZ”,但实际地址却是 @ird-govt.nz.xyz-redirect.com。这种细节在手机上往往无法直接看到。

  • Action: On mobile, tap the sender name to reveal the full address. On desktop, hover. If the domain doesn’t match the real organisation, don’t engage.
  • 操作建议: 在手机上,点击发件人名称以显示完整地址;在电脑上,将鼠标悬停在名称上。如果域名与真实机构不符,请勿进行任何操作。

Known legitimate NZ government domains: 新西兰政府已知的合法域名:

  • govt.nz and govt.nz only for core agencies
  • 仅限核心机构使用的 govt.nz
  • parliament.govt.nz
  • police.govt.nz
  • .govt.nz — but verify the full subdomain
  • .govt.nz —— 但请务必核实完整的子域名

For banks and telcos, use the official website directly — don’t trust links in emails. 对于银行和电信公司,请直接访问官方网站——不要相信邮件中的链接。

2. NZ-Specific Phishing Patterns Currently Circulating 2. 当前流行的新西兰专属钓鱼模式

CERT NZ has documented these recurring patterns targeting NZ: CERT NZ 记录了这些针对新西兰的常见钓鱼模式:

  • IRD rebate scams — Emails claiming you’re owed a tax refund. The real IRD doesn’t send refund links via email. Ever. Go to ird.govt.nz directly.
  • IRD退税诈骗——声称你有一笔退税待领。真实的IRD永远不会通过电子邮件发送退税链接。请直接访问 ird.govt.nz。
  • Spark/Vodafone billing scams — Fake bills with urgency: “Your account will be suspended in 48 hours.” Real providers send bills through the app and your online account portal, not random email links.
  • Spark/Vodafone账单诈骗——伪造带有紧迫感的账单,如“您的账户将在48小时内被暂停”。真正的服务商会通过App或在线账户门户发送账单,而不是通过随机的邮件链接。
  • NZ Post / Couriers Please fake delivery notices — These spike around Christmas and after long weekends. The link goes to a lookalike tracking page that harvests credentials or drops malware.
  • 新西兰邮政/快递虚假投递通知——这类诈骗在圣诞节前后和长周末后激增。链接会跳转到一个伪造的追踪页面,用于窃取凭据或植入恶意软件。
  • Fake Trade Me messages — Trade Me never asks you to re-enter your password via an email link. Any message urging you to “verify your account” due to a “suspicious login” is a phish.
  • 虚假Trade Me消息——Trade Me绝不会要求你通过邮件链接重新输入密码。任何以“可疑登录”为由要求你“验证账户”的消息都是钓鱼。
  • Fake NZ business invoices — attackers impersonate known suppliers and send updated banking details. If you get a request to change payment details, verify via a known phone number — not the one in the email.
  • 虚假新西兰商业发票——攻击者冒充已知供应商并发送更新后的银行账户信息。如果你收到更改付款信息的请求,请通过已知的电话号码核实,而不是邮件中提供的号码。

3. Urgency Without Substance 3. 空洞的紧迫感

“Your account will be suspended.” “Unusual activity detected.” “Act within 24 hours or lose access permanently.” These are pressure tactics. Real security notifications from real services will: “您的账户将被暂停。”“检测到异常活动。”“24小时内不操作将永久失去访问权限。”这些都是施压手段。来自真实服务的安全通知通常会:

  • Not require immediate action to avoid a consequence
  • 不会要求你为了避免后果而立即采取行动
  • Allow you to log in through the official app or website to check
  • 允许你通过官方App或网站登录查看
  • Not demand you click a link in the email
  • 不会强迫你点击邮件中的链接

If the email only exists to make you click — not to inform you — treat it as suspicious. 如果这封邮件存在的唯一目的就是让你点击,而不是为了通知你,请将其视为可疑邮件。

4. Links That Don’t Match 4. 不匹配的链接

If the visible text says google.com but the destination is googIe.com (capital I, not lowercase L), that’s a phishing URL. Homograph attacks — where attackers use characters that look identical in different scripts — are real, though increasingly blocked by browsers. The practical rule: hover before you click, tap before you open on mobile. 如果显示的文本是 google.com,但目标地址是 googIe.com(大写字母I,而非小写字母l),这就是钓鱼网址。同形异义字攻击(攻击者使用在不同脚本中看起来相同的字符)是真实存在的,尽管浏览器正在越来越多地拦截它们。实用规则:点击前先悬停,在手机上打开前先点击查看。

5. Requests for Credentials or MFA Codes 5. 索要凭据或MFA验证码

No legitimate service emails you asking for: 没有任何合法服务会通过邮件向你索要:

  • Your password
  • 你的密码
  • Your MFA code or authenticator OTP
  • 你的MFA验证码或身份验证器一次性密码(OTP)
  • Your recovery codes
  • 你的恢复代码
  • Your date of birth as “verification”
  • 作为“验证”的出生日期

If it asks for it in an email, it’s a scam. 如果邮件中要求提供这些信息,那就是诈骗。

What If You’ve Already Clicked?

如果你已经点击了怎么办?

Don’t panic. The speed of your response matters more than the panic. 不要惊慌。你的响应速度比惊慌失措重要得多。

  • Step 1 — Disconnect if needed: If you downloaded an attachment, disconnect from the network immediately. Run a full antivirus/malware scan from a clean state.
  • 第一步——必要时断网: 如果你下载了附件,请立即断开网络。在干净的状态下运行全面的杀毒/反恶意软件扫描。
  • Step 2 — Change the password: From a different device. Use the official website directly — not the link you just clicked.
  • 第二步——更改密码: 使用另一台设备。直接访问官方网站,不要使用你刚才点击的那个链接。
  • Step 3 — Check your account activity: Google, Microsoft, and most major services have account activity pages showing recent logins, IP addresses, and connected devices. If there’s something you don’t recognise, revoke access and change the password again.
  • 第三步——检查账户活动: Google、Microsoft及大多数主流服务都有账户活动页面,显示最近的登录记录、IP地址和已连接设备。如果有你不认识的记录,请撤销访问权限并再次更改密码。
  • Step 4 — If you use that password elsewhere, change it everywhere: This is why password managers matter. Unique passwords per service mean one breach doesn’t cascade.
  • 第四步——如果你在其他地方使用了该密码,请全部更改: 这就是密码管理器重要的原因。每个服务使用唯一的密码意味着一次泄露不会引发连锁反应。
  • Step 5 — If financial information was entered: Call your bank immediately. Block the card, monitor transactions, consider a temporary freeze.
  • 第五步——如果输入了财务信息: 立即致电银行。挂失卡片、监控交易,并考虑临时冻结账户。
  • Step 6 — Report it: CERT NZ (cert.govt.nz) — reports are fast, anonymous, and actually used; Your email provider — forward the email, mark it as phishing; The organisation being impersonated — most banks and major services have fraud reporting addresses.
  • 第六步——举报: 向CERT NZ (cert.govt.nz) 举报——举报过程快速、匿名且确实有效;向你的邮件服务商举报——转发邮件并标记为钓鱼;向被冒充的机构举报——大多数银行和大型服务商都有专门的欺诈举报地址。

The Technical Side: Why Phishing Still Works on Smart People

技术层面:为什么钓鱼攻击对聪明人依然有效

This is the part that bothers technically literate readers: why do smart people still fall for this? The honest answer is that modern phishing is not a technology problem. It’s a psychology problem. The attacks target: 这是让技术娴熟的读者感到困扰的部分:为什么聪明人还会上当?诚实的回答是,现代钓鱼攻击不是一个技术问题,而是一个心理学问题。攻击的目标在于:

  • Cognitive load — people under stress or time pressure don’t scrutinise
  • 认知负荷——处于压力或时间紧迫下的人不会仔细审查
  • Authority — message
  • 权威性——信息(通常伪装成权威机构)