Email Spoofing vs Phishing vs Impersonation: What NZ Staff Need to Know
Email remains the single most common delivery mechanism for cyber attacks on New Zealand businesses. According to the NCSC, 40% of incidents responded to in Q4 2024 related to scams and fraud, with unauthorised money transfers a leading category — most enabled by a deceptive email. Yet staff often use the terms "spoofing", "phishing" and "impersonation" interchangeably, which makes it harder to spot what's actually in front of them. Understanding the differences helps your team respond correctly rather than freeze or forward the problem on.
The Three Terms, Clearly Defined
These attacks overlap, but they are technically distinct.
Email spoofing is a technical trick. The attacker forges the message headers, chiefly the visible From: address and sometimes the envelope sender, so the message appears to come from a trusted domain. For example, an email is made to look like it was sent from accounts@yourbusiness.co.nz when it wasn't. As the NCSC explains, "Email spoofing is the practice of making an email look like it came from someone else." Spoofing doesn't require the attacker to control that domain or register anything: the From field is text the sending server fills in, which is exactly why receiving servers need SPF, DKIM and DMARC to check it against the domain owner's published records.
Phishing is the goal and the social engineering wrapper. It's the attempt to trick the recipient into clicking a malicious link, opening a malware attachment, entering credentials on a fake login page, or handing over information. Phishing often uses spoofing or impersonation to look convincing, but the defining feature is the lure — "reset your password", "view this invoice", "your parcel is held at NZ Post".
Impersonation is identity-based deception that usually doesn't rely on forging headers. The attacker registers a look-alike domain (yourbuslness.co.nz, xero-invoices.com), uses a free Gmail address with the CEO's real display name, or takes over a genuine account (account takeover, the basis of the most damaging business email compromise, or BEC). Because the message really is sent from a mailbox the attacker controls, and the attacker's own domain can publish perfectly valid SPF, DKIM and DMARC records, the email authenticates correctly and standard anti-spoofing controls won't flag it.
In plain terms: spoofing is how, phishing is why, impersonation is who.
Why the Distinction Matters for Defence
Each category is stopped by different controls, which is why one-size-fits-all "be careful with email" training fails.
- Spoofing is primarily a technical problem with a technical fix: SPF, DKIM and DMARC on your sending domain. The NCSC's "Preventing your email from being spoofed" guide (hosted on Own Your Online) recommends all NZ businesses publish these records so receiving mail servers can reject forged messages claiming to be from you.
- Phishing requires layered defences: email filtering, link rewriting, endpoint protection, MFA on all accounts, and — critically — trained staff who can recognise the lure.
- Impersonation is the hardest of the three. Because the email is technically "legitimate", defence relies on human process: verifying bank account changes by phone, confirming unusual requests from executives through a second channel, and flagging external senders clearly in the mail client.
Treating these as one problem leads to gaps. Many NZ businesses correctly deploy DMARC and then assume they're covered — but DMARC does nothing to stop a criminal who registers yourbusiness-nz.com and emails your accounts team.
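To make the distinction concrete, here is an added example (not code from the article or from the NCSC guide) of the DMARC decision a receiving server makes. It reduces RFC 7489 to the two questions that matter here: did SPF or DKIM pass, and does the domain that passed align with the visible From: domain? The domains, policies and authentication results are constructed for the demo, and the organisational-domain logic is simplified (real receivers use the Public Suffix List).

```python
# Added example, not from the article or the NCSC guide: a minimal DMARC
# evaluation showing why p=reject stops mail that forges your domain but
# says nothing about a look-alike domain the attacker registered.
# All domains, policies and results below are constructed for the demo.
from dataclasses import dataclass

# Constructed DNS state: the _dmarc TXT records a receiver would look up.
DMARC_POLICIES = {
    "yourbusiness.co.nz": {"p": "reject", "adkim": "r", "aspf": "r"},
    "yourbusiness-nz.com": {"p": "none", "adkim": "r", "aspf": "r"},  # attacker-owned
}


def org_domain(domain: str) -> str:
    """Reduce to the organisational domain. Simplified: treats a two-label
    suffix such as .co.nz as public, otherwise keeps the last two labels."""
    labels = domain.lower().rstrip(".").split(".")
    two_level = {("co", "nz"), ("org", "nz"), ("govt", "nz"), ("net", "nz"), ("ac", "nz")}
    if len(labels) >= 3 and tuple(labels[-2:]) in two_level:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def aligned(identifier: str, header_from: str, mode: str) -> bool:
    """DMARC identifier alignment: strict ('s') needs an exact match,
    relaxed ('r') only needs the same organisational domain."""
    if mode == "s":
        return identifier.lower() == header_from.lower()
    return org_domain(identifier) == org_domain(header_from)


@dataclass
class AuthResult:
    header_from: str   # domain of the visible From: address
    spf_result: str    # "pass" or "fail"
    spf_domain: str    # envelope sender (MAIL FROM) domain SPF was evaluated on
    dkim_result: str   # "pass" or "fail"
    dkim_domain: str   # d= tag of the DKIM signature


def evaluate_dmarc(r: AuthResult) -> dict:
    """Return the DMARC result and the disposition the published policy asks for."""
    policy = DMARC_POLICIES.get(org_domain(r.header_from))
    if policy is None:
        return {"dmarc": "none", "disposition": "none"}  # no policy published
    spf_ok = r.spf_result == "pass" and aligned(r.spf_domain, r.header_from, policy["aspf"])
    dkim_ok = r.dkim_result == "pass" and aligned(r.dkim_domain, r.header_from, policy["adkim"])
    if spf_ok or dkim_ok:
        return {"dmarc": "pass", "disposition": "none"}
    return {"dmarc": "fail", "disposition": policy["p"]}


# Constructed scenarios.
# Legitimate: a subdomain sender whose SPF/DKIM domain shares the org domain.
LEGIT = AuthResult("accounts.yourbusiness.co.nz", "pass", "yourbusiness.co.nz",
                   "pass", "yourbusiness.co.nz")
# Spoof: From: claims yourbusiness.co.nz, but SPF and DKIM only vouch for the
# attacker's sending infrastructure, so nothing aligns and p=reject applies.
SPOOF = AuthResult("yourbusiness.co.nz", "pass", "bulk.mailer.example",
                   "pass", "mailer.example")
# Look-alike: the attacker's own domain authenticates perfectly. DMARC passes.
LOOKALIKE = AuthResult("yourbusiness-nz.com", "pass", "yourbusiness-nz.com",
                       "pass", "yourbusiness-nz.com")

if __name__ == "__main__":
    for label, case in (("legitimate", LEGIT), ("spoof", SPOOF), ("look-alike", LOOKALIKE)):
        print(f"{label:12} {evaluate_dmarc(case)}")
```

The look-alike case is the one to notice: every check passes, because the attacker is the legitimate owner of yourbusiness-nz.com. That is the gap only the human process controls in the next sections can close.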
What NZ Staff Should Actually Look For
Train staff to run through a short mental checklist before acting on any email that involves money, credentials, or sensitive data:
- Check the full email address, not just the display name. On mobile especially, clients hide the actual address. "Sarah Smith (CEO)" may be sending from sarah.smith.ceo@gmail.com.
- Hover over links before clicking. Look at the real destination. Watch for character substitutions ("rn" for "m", "0" for "o") and unfamiliar top-level domains.
- Be suspicious of urgency and secrecy. "Don't tell anyone, I need this paid today" is a near-universal red flag for CEO fraud.
- Verify bank account changes out-of-band. If a supplier emails new bank details, call them on a previously known number — not one from the email. The NCSC has repeatedly flagged invoice fraud as one of the highest-loss categories for NZ SMBs.
- Report, don't just delete. Suspicious emails should go to your IT team and, where appropriate, to CERT NZ (now part of the NCSC) via cert.govt.nz or the NCSC report page.
Practical Controls for NZ Businesses
At a minimum, we recommend:
- Publish SPF, DKIM and a DMARC policy on every domain you own, including parked domains attackers could abuse (for a domain that never sends mail, an SPF record of "v=spf1 -all" and a DMARC policy of p=reject are enough). Start DMARC at p=none, read the aggregate reports, and move through p=quarantine to p=reject once you've confirmed all legitimate mail is aligned.
- Enforce MFA on all email accounts. Account takeover is the foundation of the most damaging impersonation attacks.
- Enable external sender warnings in Microsoft 365 or Google Workspace so staff immediately see when a message claiming to be internal isn't.
- Document a payment verification process. Any new bank account, any change to an existing one, any unusual payment request — all get verified by voice on a known number. Put it in writing and train to it.
- Run realistic phishing simulations. Generic training gets tuned out; seeing a near-miss in your own inbox does not.
- Know your obligations under the Privacy Act 2020. If a phishing or BEC incident gives someone unauthorised access to personal information and it is reasonable to believe the breach has caused, or is likely to cause, serious harm, it is a notifiable privacy breach: you must notify the Privacy Commissioner and the affected individuals as soon as practicable.
When Something Goes Wrong
Speed matters. If a staff member has clicked a link or entered credentials:
- Reset the affected account password, revoke active sessions and refresh tokens, and check for MFA methods or app consents the attacker may have added to keep access.
- Review mailbox rules — attackers commonly create auto-forwarding or delete rules to hide their tracks.
- Check for unauthorised payments or changes to payment details.
- Report to CERT NZ and, if funds have moved, contact your bank immediately — recovery windows are often measured in hours.
- Assess Privacy Act notification obligations.
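The mailbox-rule review is the step most often skipped, so here is an added example (not code from the article) of a triage pass over an exported list of inbox rules. The rule records and field names are constructed to resemble what a Microsoft 365 or Google Workspace export contains; they are assumptions, not either vendor's schema, so map them to your own export before use.

```python
# Added example, not from the article: triage exported mailbox rules for the
# patterns attackers leave behind after an account takeover. Rule records,
# field names and the internal domain list are constructed for the demo.
INTERNAL_DOMAINS = {"yourbusiness.co.nz"}                        # constructed
FINANCE_WORDS = {"invoice", "payment", "bank", "remittance", "account"}
# Folders attackers use to park mail the victim is unlikely to open.
HIDE_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                "archive", "junk email", "deleted items"}

# Constructed sample export (assumed field names).
SAMPLE_RULES = [
    {"name": "Out of office filing", "enabled": True, "forward_to": [],
     "delete": False, "move_to_folder": "Filing", "subject_contains": ["OOO"]},
    {"name": ".", "enabled": True, "forward_to": ["collect.inbox@mail-drop.example"],
     "delete": True, "move_to_folder": None, "subject_contains": ["invoice", "payment", "bank"]},
    {"name": "Newsletters", "enabled": True, "forward_to": [],
     "delete": False, "move_to_folder": "RSS Feeds", "subject_contains": ["remittance"]},
    {"name": "Old forward", "enabled": False, "forward_to": ["me@gmail.com"],
     "delete": False, "move_to_folder": None, "subject_contains": []},
]


def is_external(address: str) -> bool:
    """True when the address is outside the organisation's own domains."""
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


def triage_rule(rule: dict) -> list[str]:
    """Return the suspicious traits of one rule; empty means nothing notable."""
    findings = []
    ext = [a for a in rule.get("forward_to", []) if is_external(a)]
    if ext:
        findings.append(f"forwards externally to {', '.join(ext)}")
    subjects = {w.lower() for w in rule.get("subject_contains", [])}
    touches_money = bool(subjects & FINANCE_WORDS)
    if rule.get("delete") and touches_money:
        findings.append("deletes finance-related mail")
    folder = (rule.get("move_to_folder") or "").lower()
    if folder in HIDE_FOLDERS and touches_money:
        findings.append(f"hides finance-related mail in '{rule['move_to_folder']}'")
    if not rule.get("name", "").strip(" ."):
        findings.append("unnamed or dot-named rule")
    if findings and not rule.get("enabled", True):
        findings.append("(currently disabled, still review who created it)")
    return findings


def triage(rules: list[dict]) -> dict[str, list[str]]:
    """Map rule name to findings, keeping only rules with something to look at."""
    return {r["name"]: f for r in rules if (f := triage_rule(r))}


if __name__ == "__main__":
    for name, findings in triage(SAMPLE_RULES).items():
        print(f"{name!r}: {'; '.join(findings)}")
```

The dot-named rule that forwards finance mail off-site and deletes the original is the classic BEC pattern: the attacker watches invoice traffic while the victim sees nothing unusual. Treat any external forward as a finding, even when the rule is disabled, because it still tells you who had control of the mailbox.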
Strong email authentication is the foundation that makes everything else easier. You can check your domain's SPF, DKIM and DMARC configuration free at xteam MailCheck.
Sources
- NCSC New Zealand — Quarter Two Cyber Security Insights 2024: Spoof and Spam: https://www.ncsc.govt.nz/insights-and-research/insights-reports/quarter-two-cyber-security-insights/spoof-and-spam/
- NCSC New Zealand — Quarter Four Cyber Security Insights 2024: Data Landscape: https://www.ncsc.govt.nz/insights-and-research/insights-reports/quarter-four-cyber-security-insights-2024/data-landscape-a-closer-look-at-our-numbers/
- NCSC New Zealand — 2023/2024 Cyber Threat Report: Incidents affecting individuals and SMBs: https://www.ncsc.govt.nz/insights-and-research/cyber-threat-reports/20232024-cyber-threat-report/incidents-usually-affecting-individuals-or-small-to-medium-businesses/
- Own Your Online (NCSC) — Preventing your email from being spoofed: https://www.ownyouronline.govt.nz/business/get-protected/guides/preventing-your-email-from-being-spoofed/
- NCSC NZ — Report an issue: https://www.ncsc.govt.nz/report/business-and-individuals/
- Huntress — Spoofing vs. Phishing: https://www.huntress.com/phishing-guide/spoofing-vs-phishing
This guide reflects best practices as of June 2025. Security guidance evolves — verify recommendations against current vendor documentation.