Phishing and social engineering

  • Password Sucker - wants you to confirm your password for online banking, or auction account.

    The classic phishing email that breathlessly insists you must unlock your suspended account RIGHT NOW by visiting a rogue website and sending your login details through to cyber criminals looking to profit. Delete those emails and never click on the links.

  • Chameleon Shark
    Chameleon Shark - pretends to be a handsome man working overseas who needs your help with a temporary financial problem. Online dating sites have allowed people seeking love to cast their net far beyond their home town, city or even country. But be prepared for romance scammers who can spend many months lulling you into believing you're in a relationship only to request cash payments - small at first, then larger - to help them out of all kinds of crises.
  • Flying Phish - masquerades as an airline website to trick you into giving credit card details.

    Check website addresses (URLs) carefully. Type them into your browser, be wary of clicking on links in emails and look for https:// when paying for flights.

  • Attachment Flounder - click the file and download software which invades your computer.

    Always think before you click and be wary of attachments to emails you weren't expecting. Even opening a malicious PDF file can harm your computer if you haven't updated your helper system and software.

  • Whale-phisher - persues CEO's and other wealthy individuals via their social media profiles.

    A whale is a big catch for the cyber criminal phishing for important information and celebrities and high-ranking government officials have been targeted in recent years. Whaling can bring big rewards and phishers use deception via phone or email to gain access to state or industry secrets.

  • iPhone Fangtooth - lures prey with glowing offers of cheap electronic devices.

    Be wary of sellers offering consumer gadgets at bargain prices - NetSafe receives reports every week of people lured into paying hundreds of dollars for iPhones and other expensive items that never arrive.

  • Big Prize Pirahna - an 'advanced fee fraud' special. You receive an email or txt that claims you are eligible for a large sum of cash but the processing fee you must pay in advance to claim your win makes you the loser. Ignore lottery winner texts and emails and don't reply or report them as spam.
  • Medicine Mullet - offers fake pharmaceuticals and gathers your credit card details. Think twice before ordering medicine from online pharmacies as both your health and financial well-being may be at risk.
  • Overpay Moray - a popular tactic for the overseas car auction buyer. They pay you too much with a stolen credit card and then request the remainder is wired to a shipping company looking after delivery. It's you who ends up out of pocket when their payment is later bounced.
  • Tax-refund Ray - watch out for unexpected phishing emails around tax time suggesting a large cheque can be claimed from IRD or other companies.

    Click on the links and you may suffer a nasty sting. Grant payments and bank fee refunds are increasingly being offered by telephone cold callers too.

  • Pleading Pillock - pretends to be a friend on holiday who needs cash wired to them urgently.

    Another classic email scam, very popular with people hacking into webmail accounts secured with weak passwords. Once in they can send fake requests for urgent wire transfers to all your account contacts insisting you've been mugged in London.

  • Octo-scammers - often teams targeting potential victims use multiple identities, such as a lawyer, government official and hotel manager to try every way possible to draw you in and convince you about a great share offer or family inheritance. Think carefully before you respond to emails offering rewards or a share of a foreign fortune. It's your cash they want to grab before you see any payout.
  • Net-detective - Been scammed before? Watch out for the follow up recovery trick - the net detective offers to catch the original scammers and retrieve your lost funds for a fee. They merely pocket more of your money as a 'processing fee' to ensure speedy repayment of your frozen funds.
  • Love Bait - strikes up a relationship with its prey then pleads for cash to cope with a phony financial crisis. NetSafe reported $674,000 lost to romance scammers in NZ in 2012. If a new lover asks you to wire transfer money it's time to throw them back and go look for another fish in the sea.
  • Spear-phisher - targets individuals using selected personal information published online or shared on Facebook and other social media. What's published on the web can be a wonderful source of background for cyber criminals looking to target individuals or particular businesses.
  • Diddler Crab - pretends to be a grandchild in financial distress in order to scam seniors. A crusty offshoot of the Pleading Pillock and a popular scam used by those who hack into webmail accounts secured with weak passwords.
  • IT Help Haddock - wants access to your computer and money for installing free software.

    The cold calling PC doctors plagued NZ in 2011/12 and cost the country millions of dollars as they tried to persuade unsuspecting computer owners that a virus needed urgent attention. Avoid giving anyone remote access to your computer, especially people who call you up and baffle you with jargon.

  • Sloppy Grammar Guppie - most scammers can be identified by their poor spelling and grammar.

    Suspicious about an email? Read it carefully and you may spot poor sentence construction or other language oddities that flag a likely phishing attempt.

  • Fake Bank Website - Lures prey into giving their user names and passwords. Another phishing classic, the random internet banking alert sent by bank X, Y or Z that wants you to login now to unlock your suspended account.

    Check the email address of the sender and avoid clicking on any links in the email body. Phishing scammers steal bank logos and text and set up websites that are close to the real URLs. Always type out the full bank website address when you bank online and avoid transacting over free wi-fi.

  • Fake Wi-Fi Dory - lurks around airports, hotels and train stations hoping to devour your email and bank passwords. So called 'Man in the Middle' attacks may sound unlikely but it pays to be careful when connecting your laptop or smartphone to free internet hotspots

    Avoid banking or buying things over free Wi-Fi. If you're a regular traveller who needs secure web access consider buying a mobile data stick or using a VPN service to encrypt your sensitive emails.

  • Fabaloney - Any offer which seems too good to be true probably is - and that includes txts, emails and websites designed to lure you in

    Talk with friends and family, research any good deals by searching for the name of the company or product and the word 'scam' or call NetSafe.

  • Virus Puffer - claims to have detected a virus on your computer in order to extract payment.

    'Scareware' - fake or malicious anti-virus software - is a popular social engineering trick that relies on a lack of knowledge and fear of loss to get you to install it. Research any programme carefully before installing it.

  • Spam Clam - scours the web for email addresses then clogs your in-box with offers of cheap goods and services.

    Spam complaints are dealt with by the Department of Internal Affairs Electronic Messaging Compliance Unit. You can submit a report to via or using the 7726 shortcode.

New Zealand Phishing Species

For Cyber Security Awareness Week 2013 we worked with cartoonist Chris Slane to produce a humorous take on the traditional fish and chip shop poster featuring New Zealand’s local catch.

Phishing (note the ph), and a whole host of new social engineering tactics used online, are designed to catch you out and reel you in with all kinds of offers or highly targeted emails, links and messages.

Read through the various ‘species’ above for an insight into the variety of ways you can be targeted and then read our advice on how to avoid becoming a phishing victim.

In many of these situations cyber criminals rely on human weaknesses to be successful. A little bit of suspicion and looking before you leap – by undertaking online research – can really pay off.


These cartoons (and the A3 formatted printed poster) are for free use in publications in New Zealand for community organisations without need to ask permission under the following conditions:

# Permitted:

– New Zealand organisations that are charities or community organisations or seniors’ organisations.
– Unpublished academic papers, non-commercial.
– Extract for purposes of review.

Any reuse or distribution must make clear to others the licence terms of this work. The best way is to attach this statement. Attribution must also be added: ‘Cartoon © Chris Slane, All rights reserved.’

# Not permitted: (i.e. usual copyright permission must be sought and fees may apply)

– Non-New Zealand organisation use.
– Public sector or commercial use.
– Non-community or non-seniors’ organisation use.
– Charge for distribution or use, alter, transform, or build upon this work.
– Promote any commercial occupation, workplace or service.

# Contact:

If you would like use of full resolution files for professional or other purposes, contact Chris Slane at