Kiwis warned to be on the alert over internet fraud as officials work to remove website that mimics the real thing.
Overseas scammers using a fake website nearly identical to the Inland Revenue Department's are preying on Kiwis in one of the most sophisticated attacks NZ officials have seen.
IRD is working with the National Cyber Security Centre and the New Zealand Police e-crimes division to remove the site and others like it.
The latest scam appeared last week, sending out emails with a link to the bogus website for customers to lodge online tax refunds, with the promise of quick payment for refunds of $600 or less.
The branding and layout of the site mimic the real IRD one, and it instructs potential victims to give their IRD numbers, bank and credit card details and personal contact and address information - including their driver's licence number.
An IRD spokeswoman said the scam came after a similar attack last month, but was the most complex the government agency had dealt with.
"It's the first one we have had as sophisticated as this," she said. "Although the pages look very similar to those on the Inland Revenue website, they are most definitely fake.
"It is important that people are aware that this is a deliberate attempt to use the Inland Revenue logo and brand to steal confidential and personal information."
She said the websites were based overseas and the latest batch had emerged with slightly different designs and URLs after last month's sites were shut down.
The agency had more than 400 emails from people alerting it to the scam since Thursday, and got more than 1190 about last month's.
The head of consumer information at the Ministry of Business, Innovation and Employment, Jarrod Rendle, said he had known of scams with fake IRD emails for some time.
"However, this latest one appears to be more sophisticated, as the website appears genuine," he said.
Meanwhile, today is global Safer Internet Day and an emphasis is being placed on staying safe with social media.
Symantec Security Response is encouraging people to revise their security settings as social media become a more common target for scams, spam, and phishing attempts.
Basic tips include getting familiar with the privacy settings and security services of by each social network and application and using strong passwords and different passwords for each site.
More high-tech advice promotes using two-factor authentication, where an added security feature - usually a randomly generated number - is required with your password to access a service.
* Never enter your personal details into a website unless you are sure it is genuine.
* If you get a suspicious IRD email, send it to firstname.lastname@example.org and report the scam at www.scamwatch.govt.nz
* Never visit your bank's website by clicking on a link. Type in the website address yourself.
* Don't reply to any spam emails or click on any links or open any files they contain. Don't call any numbers in spam emails.
* Check your account statements and credit card bill to make sure no one is accessing your accounts. Order a credit report every year to make sure no one is using your name to borrow money or run up debts.
* If you have given money or personal details to a scam, contact your bank or credit card provider immediately.