When Familiar Names are Phishing?

Originally published via https://itp.nz/techblog/phishing-email


Phishing has evolved past broken grammar and obvious fakes. These days, it is often the familiar name, not the unfamiliar link, that gets the first click. 

Last week, ITP NZ members were targeted by a phishing email that used the name of Victoria, the head of ITP, to provoke a reply. It was not her account. It was not even her domain. But it looked just familiar enough to get attention. The message was short, vague, and deliberately polite. Nothing overtly malicious. Just enough to make someone curious. That is the point.

From an attacker’s perspective, this kind of impersonation is low-cost, low-effort, and often effective. It uses the psychology of trust, not technical compromise, to get past the first filter. With a single spoofed display name and a few scraped contact lists from LinkedIn or recent webinars, anyone can spin up a credible pretext. And while the grammar in this example was clean, the phrasing was subtly off. “Faithfully yours” is not how Victoria signs off. That kind of linguistic dissonance is becoming more important, especially as generative tools clean up the usual red flags. 

To be clear, Victoria’s account was not compromised. This was display name spoofing. Not a breach, but a trick. And the members who flagged it showed strong security instincts. This post unpacks how the email worked, what made it suspicious, and how to respond when you see similar patterns in the wild. 


What This Email Got Right (and Wrong) 

This phishing email did not rely on malware, malicious links, or a compromised inbox. It relied on trust. The attacker created a free email account, set the display name to match Victoria’s, and sent a vague but polite message to ITP NZ members. 

That was enough to get past the first mental filter. Victoria is a known and respected figure in the ITP community. The natural instinct is to respond quickly, especially when the message reads, “Reply when you see this.” 

This kind of vagueness is not lazy. It is calculated. It creates curiosity and opens the door for a follow-up. That is often where the real payload or request appears.


Why This Works

From the attacker’s perspective, impersonation is easier than compromise. Spoofing a name takes minutes. Compromising an account takes effort and luck. When the goal is to initiate contact, gather information, or prepare a scam, the name is often all they need. But there were signs.

Despite the surface polish, several cues made this message suspicious: 

The email address did not match Victoria’s domain - This does not guarantee safety, but it confirms the email was not sent from her account. 

The tone felt off - “Faithfully yours” is not something Victoria says. These linguistic mismatches are becoming more important as generative tools clean up the usual spelling and grammar errors. 

The message had no context - There was no reason for the contact, no specific request, no signature. Just a name, a vague prompt, and a polite close. For a first-time message, that is a red flag.

This was not a sophisticated campaign. It did not need to be. It was just effective enough. And thanks to sharp eyes, it was stopped early.


How to Respond, Report, and Reduce the Risk 

Phishing emails like this will keep happening. They are easy to launch and hard to block outright. But they are not hard to catch once you know what to look for. Here is how to handle these messages when they appear.

1. Do not reply. Do not forward inline - Even if it looks polite. Even if the name is someone you know. Treat vague or unexpected messages as potentially malicious until verified. 

2. Check the sender address, not just the name - If the domain does not match what you expect, treat it with caution. This does not guarantee the real account is safe, but it confirms the message did not come from it. 

3. Send the email as an attachment to your support or security team - Forwarding the email as an attachment preserves the headers. This allows proper analysis of where it came from and how it was sent. If you forward inline, that forensic data is lost. 

If you use Outlook, right-click the message and select “Forward as Attachment”. Other mail clients may vary slightly. 

4. Watch the language - AI has largely solved the bad grammar problem. Many phishing emails now read clearly, sound professional, and pass a quick scan. But tone is harder to fake. In this case, “Faithfully yours” stood out. It was grammatically correct, but not something Victoria would ever say. That kind of phrasing mismatch can be a red flag. 

If the wording feels off, not wrong but simply not like the person you know, trust your instincts. Tone is still one of the most reliable human sensors we have. 

5. Treat impersonation as the default, not the exception - It is much easier to impersonate someone than to breach their inbox. So if something feels off, confirm through another channel. It is better to be cautious than compromised. 
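The check in step 2, a trusted display name paired with an address at a domain that is not the person's own, is easy to automate once the message is available with its headers intact (step 3). The script below is an added example written for this post, not ITP NZ's tooling; the roster, the domain `itp-example.org`, the mailbox addresses and both sample messages are constructed placeholders.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed roster: name fragments worth impersonating, mapped to the domain
# the real person's mail arrives from. Placeholders, not ITP NZ's real values.
KNOWN_SENDERS = {"victoria": "itp-example.org"}

# Domains where anyone can register an account and choose any display name.
FREE_MAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com"}


def check_sender(raw_message: str) -> list:
    """Compare the From: display name with the From: address domain.

    Returns a list of findings; an empty list means no mismatch was seen.
    As the post notes, a mismatch proves the mail did not come from the
    expected account, not that the real account is safe.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    display, address = parseaddr(str(msg.get("From", "")))
    if "@" not in address:
        return ["From: header carries no usable address"]
    domain = address.rsplit("@", 1)[1].lower()
    findings = []
    for name, expected in KNOWN_SENDERS.items():
        if name in display.lower() and domain != expected:
            findings.append(f"display name '{display}' matches a known sender "
                            f"but the address is at {domain}, not {expected}")
    if domain in FREE_MAIL_DOMAINS:
        findings.append(f"sent from a free-mail domain ({domain})")
    return findings


# Constructed messages: one shaped like the spoof the post describes,
# one legitimate message from the expected domain.
SPOOFED = """From: Victoria <victoria.itp.office@gmail.com>
To: member@example.net
Subject: Quick question

Reply when you see this.

Faithfully yours,
Victoria
"""

LEGIT = """From: Victoria <victoria@itp-example.org>
To: member@example.net
Subject: Agenda for Thursday

Hi all, the agenda we discussed on the call is below.
"""
```

Run `check_sender` over a message saved as an attachment (the `.eml` file from step 3); forwarding inline would have replaced the original From: line with the forwarder's own.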

Rob Kehl
Rob Kehl is a Principal Cybersecurity Adviser and educator based in Aotearoa New Zealand. Originally from the United States, his career spans the U.S. Air Force and global consultancies like Sygnia and Cognizant. Rob specialises in architecture assessments, incident response, security operations, and AI security strategies. He applies his international experience to support cybersecurity resilience across sectors in New Zealand.
