An email security firm says the latest “IR” scam, which could be sent out in different forms with different wording, is convincing enough to fool some people.

Kiwis are being targeted by convincing phishing emails that pretend to be from Inland Revenue and that suggest people are entitled to an unpaid Cost of Living Payment, a British technology firm warns.

The Australian branch of London-based Mimecast said its threat-hunting team had discovered the emails had been sent to at least 500 New Zealanders over the past week.

“While currently the volume is low, the scam is convincing enough to entice vulnerable people to hand over their financial details to the scammers,” it said.

The emails advise people that they qualify for the Cost of Living Payments that were announced in the May Budget and invite them to “log in to myIR” to process the payment, linking to a relatively convincing mock-up of a myIR login page.

Mimecast’s chief technology officer in the Asia-Pacific, Garrett O’Hara, said the advice used to be to look for “logos with bad aspect ratios or emails with bad grammar” but this scam was among a growing number that were increasingly polished.

“It is very ‘clean’ and they have done some clever things here, including keeping the number of words to a minimum.

“The logo is spot on and it has that kind of ‘utilitarian’ government feel. The tone is right.”

IR paid out the $350 Cost of Living Payment to about 1.5 million people last year.

But it has yet to make the payments to tens of thousands of people who appear to be entitled to them but who have not yet supplied IR with their bank details, which it needs to make the payments.

Unusually, IR has previously sent out genuine emails to people asking them to provide it with those details.

But it reminded people last year that they should not click on links in emails to do that.

Instead, the secure ways for people to provide their bank account details to IR were to manually key-in the myir.ird.govt.nz address into their web browser and then log-in from there, or to phone the tax department on 0800 257 777.

Website addresses can be “spoofed” in links in emails and on websites, but O’Hara said keying-in the correct actual address was “the one thing that will save you”.

“Typing the website directly in is such good advice.”

Mimecast was aware the scam emails had been sent to at least 500 people as it provides security for some email providers in New Zealand and had seen that volume detected in its systems, but as it was one of a number of such security providers, the total would be higher, he said.

This week IR sent out about 80,000 emails to people who it believed had received the Cost of Living Payment in error, when they weren’t entitled to it, asking them and in some cases instructing them to return the payment.

One of the criteria for the payments was that recipients were still resident in New Zealand.

One person said on Thursday that they had wrongly received one of the repayment demands simply because they had gone on a short holiday overseas when the payment was made.