April 28, 2026

AI fraud is outrunning every defence NZ banks currently have

A cybersecurity expert inspecting lines of code on multiple monitors in a dimly lit office.

The numbers are already ugly

New Zealand lost $265 million to fraud in 2025, according to MBIE’s first Reported Fraud Monitor, compiled from 12 banks via Payments NZ. Nearly half of that, $126 million, involved authorised payments, meaning victims were tricked into approving the transactions themselves. The biggest categories were compromised credentials ($84 million), products and services scams ($76 million), and relationship fraud ($31 million).

That $265 million is a floor. The SFO’s Long-term Insights Briefing, published in January 2026, estimates annual fraud and error losses across New Zealand at between $601 million and $12.97 billion. A range that wide tells you how poorly understood the real exposure is. At the consumer end, Experian research published this month found 43% of New Zealanders say they have been victims of online fraud.

Criminals got the same tools without the compliance overhead

The structural shift is not that fraud exists. It is that AI has industrialised it. Kordia’s 2026 NZ Business Cyber Security Report found more than 80% of phishing emails now contain AI-generated content. Microsoft’s Digital Defence Report, cited by Kordia, found AI-assisted phishing campaigns achieve click-through rates of around 54%, compared with 12% for traditional phishing. McKinsey data in the same report shows phishing volumes grew 1,200% from 2022 to 2025, targeting an organisation every 39 seconds.

The toolkit now in routine criminal use includes voice cloning, deepfake video, AI-built phishing websites, and synthetic identity creation. Norton identified five main AI-enabled scam types active in New Zealand in late 2025, including fake celebrity endorsement schemes and business email compromise. NZ recorded a 416% increase in web skimming attempts and a 137% rise in sextortion scams.

Joshua Alcock, cybersecurity expert leading Fortinet’s operational technology and critical infrastructure division across NZ and Australia, put the asymmetry plainly: “The bad guys have a lot less restrictions in place for advancing quickly. They don’t have the policies that maybe a business or the government has in order to put protections in.”

The threat is already inside the building

Kordia’s survey of nearly 250 NZ businesses found 44% were successfully attacked in the past 12 months. Of those, 61% suffered serious business disruption and 19% faced financial extortion, up from 14% in 2024. Eight percent paid a ransom, and half of all business leaders said they would consider paying if attacked.

But the external attack vector is now matched by an internal one. 24% of NZ businesses cite improper staff AI use as their top cybersecurity challenge, up from 16% the previous year. The specific risk is “shadow AI”, staff copying confidential client data, financial records, or intellectual property into AI tools without understanding the exposure. Financial services and banking reported the highest fraud exposure of any industry at 71%, followed by e-commerce at 64%.

Richard Atkinson, Head of Fraud and Identity at Experian, noted: “Advances in technology are changing how fraud is carried out, enabling more convincing impersonation, making attacks easier to scale, and for organisations, harder to detect.”

Spending more, catching less

The defence industry’s own data is the most damning evidence. A SEON survey of over 1,000 director-level fraud and compliance leaders found 98% now integrate AI into daily fraud work. Yet 83% expect budgets to increase in 2026, and 94% plan to add at least one full-time fraud hire. If AI was solving the problem, headcount would be falling. Instead, more leaders now believe losses are closing in on revenue growth.

Tamas Kadar, CEO of SEON, was direct: “Fraud and financial crime were supposed to become more manageable as AI matured. Instead, 2026 is the year leaders are confronting a more complicated reality.” Only 47% of organisations run fully integrated fraud and AML workflows, while 80% said achieving a unified view of data remains challenging.

TJ Horan, FICO’s Vice President of Fraud Product Management, reinforced the point: “Banks must understand the speed with which fraudsters can now operate and commit to a proactive mitigation approach.”

What this means for every business with a bank account

The SFO’s briefing presents three possible futures for New Zealand: a “digital fortress” scenario where the country leads in anti-fraud innovation, a “shadow economy” where corruption creeps in, and a “captured state” scenario where institutions are compromised. It is candid that the current trajectory does not point toward the first option.

For business owners, the practical implications are immediate. Multi-factor authentication on everything. Staff AI-use policies that actually get enforced, given that 43% of business leaders identify accidental employee data exposure as their biggest cyber risk. Independent verification of any urgent financial request, regardless of how legitimate the voice on the phone sounds. And an incident response plan written before an attack, not after, because half of NZ leaders are already contemplating paying ransoms when they should be deciding that question in advance.

The uncomfortable reality is that criminals will always adopt faster than regulated institutions. They have no procurement process, no board sign-off, no privacy impact assessment. Every month a bank spends evaluating a new fraud detection tool is a month criminals spend deploying the next generation of deepfakes. The arms race is real, and right now the wrong side is winning it.

Sources

Related Posts
Subscribe for weekly news

Subscribe For Weekly News

* indicates required