The Email Looked Real, But Something About it Felt…Off

How one architecture practice dodged a phishing scam — just by slowing down.


In today's digital world, cyber threats don't always come crashing through the firewall. Sometimes, they arrive as a polite email — dressed up to look like business as usual.

That was the case for a 30-person architectural practice we recently worked with. And thanks to one team member's quick thinking, what could have been a serious security incident turned into a valuable lesson in awareness.


The Monday Morning That Could Have Gone Wrong

It started like any other Monday: inboxes were full, and the week was already underway. The studio's practice manager opened an email that appeared to be from the studio director — someone with whom they regularly correspond. The message requested urgent approval of an invoice from a 3D visualisation subcontractor.

There were no red flags at first glance:

  • The subcontractor's name seemed plausible.

  • The invoice mentioned a real project the team was currently working on.

  • The signature matched the director's exactly.

  • The tone was professional, yet insistent.

In fact, the email included a line saying that the client was waiting on this approval — adding a subtle but urgent pressure.

Something Felt… Off

Despite how legitimate everything looked, the practice manager hesitated. Something about the urgency, the tone — it didn't sit right.

And that pause? It made all the difference.

They remembered a piece of advice from a recent cybersecurity refresher:

"If something feels rushed, out of place, or emotionally urgent — take a breath and double-check."

So they hovered over the sender's name. And sure enough, the email address — though close — wasn't the director's. It was a spoofed domain designed to imitate the real one.

Instead of clicking, they forwarded the message to us.

What Happened Next

From there, a quick response helped neutralise the threat:

  • The email was confirmed to be a phishing attempt.

  • The domain was blocked across the company's email system.

  • A full scan confirmed that no one else had clicked or engaged with the link.

  • The scenario was documented and later used as a basis for a future training exercise.

No data lost. No money stolen. No crisis.

Just a team member who trusted their instincts — and had the training to know what to do next.

Why This Matters to Architecture Practices

Architecture practices often rely on complex digital workflows — cloud-based collaboration, remote file access, external consultants, and high-value project data. That interconnected setup creates efficiency, but it also opens the door to more targeted scams.

Phishing attacks have become more sophisticated. They're no longer generic or full of typos. Today's scams are researched, tailored, and timed to catch people off-guard — especially when projects are running at full speed.

In this case, the attacker used real project names and mimicked internal roles to add credibility. That kind of detail is hard to spot unless your team knows what to look for.

Cybersecurity: Not Just a Tech Problem

We often think of cybersecurity as something handled by IT — firewalls, antivirus software, encryption.

But as this story shows, people are the first line of defence.

In a busy studio, it's the people reading emails, clicking links, and moving projects forward who have the power to spot the first signs of something unusual.

This incident wasn't prevented by a high-end tool — it was prevented by a person choosing to pause.

Key Takeaways for Architecture Teams

  • Pressure is a red flag. If an email conveys urgency or emotional cues (such as "the client is waiting"), take a second look.

  • Trust your instincts. If something feels slightly off — in tone, timing, or wording — it's worth verifying.

  • Hover before you click. Check the sender's actual email address, not just the display name.

  • Keep awareness fresh. Occasional training reminders go a long way in building digital confidence across your team.

  • Report suspicious emails. Even if it turns out to be nothing, it's better to verify than regret.
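The "hover before you click" check can also be run automatically on inbound mail, comparing the display name and the real address the way the practice manager did by hand. The following is an added example, not part of the original post; the domain example-studio.test, the staff name, and the sample messages are constructed placeholders.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumptions (constructed for this example): your real mail domain and
# the display names of staff who approve payments.
ORG_DOMAIN = "example-studio.test"
STAFF_NAMES = {"jane director"}

def edit_distance(a, b):
    """Levenshtein distance between two strings (row-by-row DP)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # deletion
                           cur[j - 1] + 1,             # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]

def check_sender(raw_message):
    """Return a list of findings for the From header of one message."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    if domain == ORG_DOMAIN:
        # Internal address: nothing to flag here. Forged headers on the
        # real domain are a separate problem (SPF/DKIM/DMARC).
        return []
    findings = []
    # A domain one or two characters away from ours is a likely imitation.
    if edit_distance(domain, ORG_DOMAIN) <= 2:
        findings.append("lookalike-domain")
    # A staff member's name on an outside address is the display-name trick.
    if display.strip().lower() in STAFF_NAMES:
        findings.append("staff-name-on-external-address")
    return findings

# Constructed sample messages.
SPOOFED = ("From: Jane Director <jane@examp1e-studio.test>\n"
           "Subject: Urgent: invoice approval\n\nThe client is waiting.\n")
GENUINE = ("From: Jane Director <jane@example-studio.test>\n"
           "Subject: Site visit notes\n\nSee attached.\n")

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("genuine", GENUINE)):
        print(label, check_sender(raw))
```

A message that returns any finding is a candidate for a warning banner or quarantine rather than silent delivery.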

A Culture of Awareness is the Best Defence

This incident could've easily ended with a fraudulent payment — or worse, a compromised system. Instead, it became a moment of quiet success.

Not because someone was an expert — but because they were aware, empowered, and had just enough training to trust their gut.

In creative environments where pace and precision go hand in hand, a culture of cybersecurity awareness doesn't need to be heavy-handed. Sometimes, it's as simple as encouraging people to pause and giving them the tools to act when something doesn't feel quite right.

Want to Learn More?

If you're curious about how to build a cyber-aware culture in your practice — whether through simple checklists, training sessions, or email simulations — we're happy to share what has worked for other practices.

No pressure. Just a conversation.
