How to spot and stop an email compromise before it hits your business
Email scams continue to evolve in sophistication, and small businesses are a prime target. Cybercriminals love email because it’s the digital front door to your business. They use clever tricks to make fraudulent messages look legitimate, often impersonating people or brands you trust.
Just recently, the Wellington Cable Car website was hacked, leading to scam emails being sent from its official address. The emails were pretending to be from Waka Kotahi (NZTA), with links to a fake website requesting payments.
It’s a reminder that if it can happen to them, it can happen to anyone. In fact, in CERT NZ’s latest security insights report, phishing and credential harvesting was the second most commonly reported incident type.
What makes your business vulnerable?
Email compromises often stem from weak security practices or outdated software. Businesses that don’t use multi-factor authentication (MFA) or that rely on weak passwords are easy targets. Ultimately, though, successful phishing attacks rely on the human element – you and your team.
Phishing emails trick users into handing over login details, while malware from infected attachments can give hackers access to your email system. In cases like the Wellington Cable Car hack, vulnerabilities in website security can also be exploited, allowing attackers to send scam emails from legitimate domains. If your systems aren’t regularly updated and monitored, you could unknowingly become the next target.
Prevention tips:
Use strong passwords and multi-factor authentication (MFA) – This makes it much harder for hackers to break into your email accounts.
Educate your team – Regular training on email scams can help your staff spot and avoid threats.
Keep software up to date – Security updates patch vulnerabilities that scammers might exploit.
Have a plan – Know what to do if an email compromise happens, including who to contact and how to secure your systems.
Red flags: How to spot a compromised email
Unexpected emails from known senders – If you receive an email from a colleague, supplier, business (or even yourself!) that feels out of character, double-check before responding.
Urgency and pressure – Scammers often create a sense of urgency, pushing you to act fast. They might claim your account is at risk, a payment is overdue, or your boss needs something immediately.
Strange links or attachments – Hover over links before clicking. If the URL looks unfamiliar or doesn’t match the company’s website, don’t open it. Attachments in unexpected emails should also raise a red flag.
Requests for sensitive information – No reputable company will ask for passwords, credit card details, or two-factor authentication codes via email.
Odd formatting and spelling mistakes – While some scam emails are well-written, others have typos, unusual phrasing, or inconsistent branding.
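As an added illustration of the “strange links” red flag (this is example code, not part of the original article), the following Python check parses an email body and flags any link whose visible text shows one website address while the underlying href points somewhere else. The sample message, sender, and URLs are constructed for the example and are not real addresses.

```python
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message: all headers, domains and URLs are made up.
SAMPLE = """\
From: "Accounts Payable" <accounts@example-supplier.test>
To: owner@smallbiz.test
Subject: Overdue invoice - act today
Content-Type: text/html

<p>Your payment is overdue. Review it at
<a href="http://pay-portal.example.net/login">https://example-supplier.test/invoices</a>
or <a href="https://example-supplier.test/help">our help page</a>.</p>
"""

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> tag in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    """Lower-cased hostname of a URL, or None when the text is not a URL at all."""
    return urlparse(url).netloc.lower() or None

def mismatched_links(raw_message):
    """Return (shown_text, real_href) for links whose displayed URL host
    differs from the host the link really goes to; plain-text anchors such
    as 'our help page' are ignored because they show no address to compare."""
    body = message_from_string(raw_message).get_payload()
    parser = LinkCollector()
    parser.feed(body)
    flagged = []
    for href, text in parser.links:
        shown, real = host_of(text), host_of(href)
        if shown and real and shown != real:
            flagged.append((text, href))
    return flagged

if __name__ == "__main__":
    for shown, real in mismatched_links(SAMPLE):
        print(f"Displayed {shown} but actually goes to {real}")
```

The same check works on any HTML message body; a non-empty result is a cue to verify the sender through a known channel before clicking, as the article advises.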
What to do if you suspect a scam email
Verify the sender – Call or message the person directly (using a known phone number, not one taken from the email) to confirm whether they sent it.
Don’t click or download – If something seems off, don’t click on any links or download attachments until you’ve confirmed it’s safe.
Report it – If you receive a scam email, report it to your IT team or email provider. If your own email has been compromised, let customers and suppliers know to be cautious.
Reporting phishing attempts
New Zealand businesses have access to a free tool that helps fight phishing scams. The National Cyber Security Centre (NCSC) runs a Phishing Disruption Service (PDS), which compiles a verified list of phishing indicators that organisations can act on and block from their network.
If you receive a suspicious email or text containing a phishing link, you can report it by forwarding it to phishpond@ops.cert.govt.nz. The NCSC’s incident response team analyses these reports and adds verified threats to the PDS. They also proactively identify phishing sites and take them down before they can be used to target businesses and individuals.
In the last quarter alone, the NCSC processed over 11,000 phishing threats, with nearly 1,000 confirmed and published to the PDS. Financial services remain one of the most impersonated industries, making it critical for all businesses to stay alert and report scams as soon as they appear.
Email compromises are a growing threat, but by staying alert, training your team, and using strong security measures, you can build a solid line of defence. If you ever get an email that doesn’t feel right, trust your gut and double-check the sender’s credentials! And if you need security advice specific to your business, reach out to our team about how we can help, from policies and email security improvements in Microsoft 365 and Google Workspace to 24x7 managed detection and response.