You should always check the email address that an email has been sent from. It should be an organisational one such as @ird.co.nz or @www.wk.co.nz.
Even if the email is sent from a legitimate address it could still be malicious if that person has already been attacked. The safest way to know if something is legitimate is to call the sender and check they were the sender. You should also have up to date anti-virus software and regularly back up your files.