Impersonation and Email Spoofing Attacks: How to Spot Them and Stay Safe
Spoofed emails are the most common route into Australian businesses. Practical ways to recognise them — and the controls that actually work.
Email continues to be the primary way criminals target Australian businesses. Impersonation and email spoofing attacks are designed to manipulate staff into compromising sensitive data, finances, or personal information — and they’re becoming harder to spot by eye as attackers get better tooling.
This is a practical guide to recognising these attacks and the controls that actually stop them.
Understanding the threat
Email spoofing is when an attacker crafts a message that appears to come from someone trusted — a colleague, an executive, a vendor, a bank. The “from” name looks right. The email address often looks right at a glance. The branding might be identical to a real email thread the target has already been having.
Impersonation attacks are a refined variant of spoofing, where the attacker closely mimics a specific known individual inside or adjacent to the business. These campaigns typically aim to:
- Steal login credentials
- Convince staff to transfer funds or change payment details
- Get the victim to open a malicious file
- Extract sensitive company information or IP
The perceived legitimacy of these messages is what makes them effective. A well-crafted impersonation email doesn’t feel suspicious at all — it feels like a normal Tuesday morning request from the CFO.
How to recognise fraudulent messages
Several observable indicators can help identify a spoofed or impersonation email. None are definitive on their own; the skill is in recognising the pattern.
Examine the sender information
Verify the actual email address, not just the display name. Display names are trivially easy to fake.
In Outlook, double-click the sender name or hover over it to reveal the complete address. Look for subtle alterations: an “rn” in place of an “m”, a zero in place of a capital “O”, “.co” in place of “.com.au”, or an entirely different domain that merely “looks close”. Attackers increasingly register Unicode look-alike domains that render almost identically to the genuine one.
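The same comparison can be automated for a mail filter or a help-desk triage script. The example below is added here and is not code from the original article: it reduces a sender domain to the ASCII “skeleton” a reader sees (digit and Cyrillic look-alikes, “rn” for “m”, punycode decoded) and compares it with a constructed list of trusted domains, also catching the “.co” versus “.com.au” suffix swap.

```python
import unicodedata
from email.utils import parseaddr

# Constructed for this example: the domains the business genuinely sends from.
TRUSTED_DOMAINS = {"example.com.au", "contoso.com"}

# Single characters that render almost identically to an ASCII letter
# (Cyrillic letters and digit look-alikes), mapped to the letter they imitate.
CONFUSABLES = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "0": "o", "1": "l", "3": "e", "5": "s",
})
# Pairs of letters that read as one letter at a glance.
MULTI_CHAR = [("rn", "m"), ("vv", "w")]
# Suffix labels stripped when comparing the brand part (example.co vs example.com.au).
SUFFIX_LABELS = {"com", "au", "co", "net", "org", "uk"}

def skeleton(domain: str) -> str:
    """Reduce a domain to the ASCII shape a human reads it as."""
    try:  # decode punycode (xn--) labels so Unicode homoglyphs become visible
        domain = domain.encode("ascii").decode("idna")
    except UnicodeError:
        pass  # already contains non-ASCII characters; handled by CONFUSABLES below
    s = unicodedata.normalize("NFKC", domain).lower().translate(CONFUSABLES)
    for pair, single in MULTI_CHAR:
        s = s.replace(pair, single)
    return s

def brand(domain: str) -> str:
    """The label a reader treats as the organisation's name."""
    labels = skeleton(domain).split(".")
    while len(labels) > 1 and labels[-1] in SUFFIX_LABELS:
        labels.pop()
    return labels[-1]

def assess_sender(header_from: str, trusted=TRUSTED_DOMAINS) -> tuple:
    """Classify the address in a From: header as trusted, lookalike, external or invalid."""
    local, at, domain = parseaddr(header_from)[1].rpartition("@")
    domain = domain.lower()
    if not at or not domain:
        return "invalid", "no usable address in From header"
    if domain in trusted:
        return "trusted", domain
    for t in trusted:
        if skeleton(domain) == skeleton(t):
            return "lookalike", f"{domain} renders like {t}"
        if brand(domain) == brand(t):
            return "lookalike", f"{domain} reuses the name '{brand(t)}' under a different suffix"
    return "external", domain
```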
Identify impersonal language
Generic salutations like “Dear Employee,” “Hi Team,” or “Hello Customer” are common in fraudulent messages. Legitimate internal communications almost always include the recipient’s name.
That said, attackers with access to LinkedIn or a leaked contact list can personalise their messages too. Don’t rely on this signal alone.
Scrutinise links and attachments
Hover over links to preview the actual destination URL before clicking. The visible text and the actual destination are two different things, and attackers exploit this constantly.
Question unexpected attachments, especially from external senders. Be particularly cautious of executable file types (.exe, .js, .scr, .hta, .iso) and password-protected archives — those are delivery mechanisms, not business documents.
Recognise pressure tactics
Phrases like “Immediate action required,” “Account closure pending,” “Process this payment before 5pm,” or “Don’t discuss this with anyone else” are pressure tactics designed to bypass rational review. When urgency and secrecy are the main features of a request, verify it through an alternative channel — pick up the phone, walk to the desk, send a Teams message to a known contact.
Review email headers
Advanced users can examine full email headers to identify the actual source IP address, originating domain, and results of authentication checks (SPF, DKIM, DMARC). In Outlook: open the message, then View → Message Options or File → Properties. The “Internet headers” field shows the routing.
For most staff this is too technical to do on every email — which is why the controls below matter.
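For the IT team, the header review described above can be scripted so that the same questions are asked of every reported message. This is an added example, not code from the original article; it parses a constructed raw message with Python's standard email module, pulls the SPF/DKIM/DMARC verdicts out of the Authentication-Results header, extracts the source IP from the Received line, and flags a Return-Path or Reply-To that does not align with the From domain.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample for this example: the display name claims the CFO, but the
# envelope sender, Reply-To and authentication results tell a different story.
RAW_MESSAGE = """\
Return-Path: <bounce@mailer.example.net>
Received: from mailer.example.net (mailer.example.net [192.0.2.10])
 by mx.example.com.au with ESMTP id abc123
Authentication-Results: mx.example.com.au;
 spf=pass smtp.mailfrom=mailer.example.net;
 dkim=none;
 dmarc=fail header.from=example.com.au
From: "CFO Jane Smith" <jane.smith@example.com.au>
Reply-To: jane.smith@example-finance.co
To: accounts@example.com.au
Subject: Urgent payment before 5pm

Please process the attached invoice today and keep this between us.
"""

def domain_of(addr: str) -> str:
    """Domain part of an address as found in a header, lower-cased ('' if none)."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()

def auth_results(msg) -> dict:
    """Pull the spf/dkim/dmarc verdicts out of the Authentication-Results headers."""
    text = " ".join(msg.get_all("Authentication-Results", []))
    return {m.group(1): m.group(2) for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", text)}

def analyse(raw: str) -> dict:
    """Return the From domain, source IP, auth verdicts and a list of findings."""
    msg = message_from_string(raw)
    from_domain = domain_of(msg.get("From", ""))
    results = auth_results(msg)
    findings = []
    mail_from = domain_of(msg.get("Return-Path", ""))  # envelope sender
    if mail_from and mail_from != from_domain:
        findings.append(f"Return-Path domain {mail_from} does not match From {from_domain}")
    reply_to = domain_of(msg.get("Reply-To", ""))  # where a reply would really go
    if reply_to and reply_to != from_domain:
        findings.append(f"Reply-To domain {reply_to} differs from From {from_domain}")
    for check in ("dkim", "dmarc"):
        if results.get(check) != "pass":
            findings.append(f"{check} result is {results.get(check, 'missing')}")
    ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", msg.get("Received", ""))
    return {"from_domain": from_domain, "source_ip": ip.group(1) if ip else None,
            "auth": results, "findings": findings}
```

An SPF pass on its own proves nothing here: it was evaluated against the attacker's own envelope domain, which is exactly why the DMARC alignment result is the one to read.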
Outlook best practices for every employee
- Verify the sender address, not just the display name
- Use the Reading Pane and preview features rather than opening suspicious emails fully
- Flag and categorise questionable messages for IT review
- Report suspicious content via your company’s reporting channel (in Microsoft 365, the Report Phishing button in Outlook)
- Enable multi-factor authentication on every account — it’s the single best control against credential theft
What organisations can do to reduce risk
Individual vigilance is necessary but not sufficient. The organisation needs to make the hard cases easier:
- Security awareness training. Short, regular, practical training — especially simulated phishing — consistently reduces click rates. One-off annual training is almost worthless; frequent, varied, specific training works.
- Phishing simulation tests. Running controlled phishing exercises reveals your actual click rate and identifies staff who need additional support.
- Modern email security. Advanced email gateways catch the emails employees shouldn’t have to judge at all — spoofed domains, malicious links, suspicious attachments, brand impersonation.
- Authentication records. Configuring SPF, DKIM and DMARC on your own domain prevents attackers from spoofing your domain to your staff, customers and suppliers.
- Conditional access and MFA. Even if credentials are stolen, strong MFA means a stolen password alone is not enough to log in.
- Payment verification policies. Any change to supplier bank details, or any out-of-cycle urgent payment, must be verified by a phone call to a known number. Write this into policy; don’t leave it to judgment.
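For the “Authentication records” item, the following is an added example (not from the original article) of the checks worth running against your own domain's SPF and DMARC TXT records before assuming they protect anyone: a weak record pair is shown beside a corrected one, with constructed values throughout.

```python
def check_spf(record: str) -> list:
    """Flag an SPF record whose final 'all' mechanism lets unlisted hosts send as the domain."""
    if not record.startswith("v=spf1"):
        return ["not an SPF record"]
    final = record.split()[-1]
    if final in ("all", "+all"):
        return ["'+all' authorises every host on the internet to send as this domain"]
    if final == "?all":
        return ["'?all' is neutral: unlisted senders neither pass nor fail SPF"]
    if final == "~all":
        return ["'~all' softfails unlisted senders; DMARC still counts that as an SPF fail, "
                "but '-all' states the intent unambiguously"]
    return []

def check_dmarc(record: str) -> list:
    """Flag DMARC tags that leave spoofed mail deliverable or invisible to you."""
    tags = {}
    for tag in record.split(";"):
        if "=" in tag:
            key, value = tag.split("=", 1)
            tags[key.strip()] = value.strip()
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    issues = []
    policy = tags.get("p", "none")  # a record without p= is invalid; treated as monitor-only here
    if policy == "none":
        issues.append("p=none only monitors: receivers still deliver mail that fails checks")
    elif policy == "quarantine":
        issues.append("p=quarantine sends failing mail to junk rather than rejecting it")
    if tags.get("sp", policy) == "none":  # subdomain policy inherits p= when absent
        issues.append("sp=none leaves subdomains open to spoofing")
    if int(tags.get("pct", "100")) < 100:
        issues.append(f"pct={tags['pct']}: the policy applies to only that share of failing mail")
    if "rua" not in tags:
        issues.append("no rua= address: you will never see the aggregate reports")
    return issues

# Constructed records: the weak pair beside the corrected pair.
WEAK = {"spf": "v=spf1 include:mail.example.net ?all", "dmarc": "v=DMARC1; p=none"}
STRONG = {"spf": "v=spf1 include:mail.example.net -all",
          "dmarc": "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example.com.au"}
```

Move from p=none to p=quarantine and then p=reject only after the rua reports show every legitimate sender (marketing platform, ticketing system, payroll provider) passing with an aligned SPF or DKIM result.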
The bottom line
Impersonation and spoofing attacks aren’t going away — they’re getting more sophisticated, more personalised, and harder to spot by eye. The answer isn’t to expect every employee to become a security analyst. It’s to combine staff training with email security tools and IT policies that catch most attacks before they reach an inbox, verify high-risk actions out-of-band, and make the consequences of a click as small as possible.
If you’d like help assessing where your email security stands — including DMARC configuration, phishing simulation, and the right level of advanced email protection — get in touch. We’ll walk your setup and tell you honestly what needs to change.
