The country's largest insurer is sending fake phishing emails to its own staff to test them on their ability to identify scams.

Mark Knowles, director of cyber security and risk at IAG New Zealand, said the firm began sending fake emails several months ago as part of a company-wide approach to cyber security.

Its 3500 staff are sent a phishing email once a month and those who click on links are then sent an instant reminder to undertake cyber security training.

Knowles said it began the programme with an easy scam - an email about a turkey recipe for the American holiday Thanksgiving.


"We started with something quite simple."

Not many people fell for the first one but a more elaborate second scam got more clicks.

Knowles would not say how many staff were tricked into clicking the second time around, citing security reasons.

"I'm not too keen to let people know how many people clicked on the phishing email. The number to start with was really low.

"The more important part was that it raised awareness across all staff not just about phishing emails but security."

It also prompted more people to click on its internal cyber security warning button which automatically sends a notice to its cyber defence centre.

Knowles said the system helped the company to identify which scams people were most likely to fall for.

It also created a whole team of people looking out for scams across the company rather than just having a small team focused on it.


Staff are not punished for clicking on the fake scam emails but those who identify emails which they think are scams are rewarded.

He would not say how many scams the company has caught but said there were a lot going on all the time.

"These campaigns are running by adversaries all the time."

This week's global WannaCry scam was just the latest cyber attack, he said, and it served as a reminder for companies and individuals to be aware of the risks.

Knowles said another reason the company was training its staff to recognise scams was to help make people safer at home which also protected the company due the number of people that brought devices in and out of the office.

The insurer is not alone in using fake email scams on its staff.

"I know some of the banks do," said Knowles.

He said corporates were also sharing scam warnings with each other, putting aside their competitive differences.

"We do talk to each other.

"It is the good guys versus the bad."

How to protect yourself

Cyber security expert Mark Knowles said the most important way for individuals to protect against cyber attacks was password control.

Knowles said a big mistake was using the word Password as your password.

While capping up the p and changing the a for an @ symbol might seem clever, that was not enough to provide protection.

Knowles said people should not tell anyone their password and try using passwords that were more complex than pet names suggesting they could relate to a favourite song or an event that happened that day.

At the other end of the scale random letter and number passwords were also not helpful if people ended up writing them down on a post-it note or piece of paper.

"I think the thing with cyber security is getting your basics right."

Knowles said people should have a secure password and change it regularly.

The other big no-no was putting too much trust in people met online.

"People you have met online are not as trustworthy as people you have met in person."

Knowles said reading the email carefully was also very important.

"We are all busy but take a few extra seconds to read the email."

He said usually the grammar was poor, although more sophisticated email scams were getting better at this.

Scrolling over the link without clicking on it often gave a clue that the email was a phishing scam as it would come up with words or a phrase that seemed suspicious.

Knowles said those who were targeted by phishing scams should report it either to CertNZ or Netsafe.

Top ways to protect your business

• Restrict privileged access users - those people who are allowed to make changes to the computer systems

• Patching is really important

• White-listing rather than black-listing names all the website staff can go to and restrict people from using sites outside of those.