From novelty to operational risk
Deepfakes have crossed the line from internet party trick to documented business threat, and the numbers are no longer anecdotal. More than half of New Zealand organisations, 55%, were hit by fraudsters in the past year, with advanced AI identity fraud costing an average of $2.2 million per incident, according to identity firm Lumin’s report published in May 2026. The NCSC recorded $5.6 million in direct financial losses from cyber incidents in the first quarter of 2026 alone, a 76% jump on the previous quarter.
These are not phishing emails caught by a spam filter. The threat is now real-time video calls impersonating executives, cloned voices issuing payment instructions, and AI-generated images of senior leaders used in investment scam ads.
It is already happening to named executives
On 1 July 2026, RNZ reported that Westpac NZ chief executive Catherine McGrath was targeted by an AI-generated deepfake image used in scam ads on Facebook and Instagram, linking to investment scams that caused real financial damage.
McGrath said the fake made her “look angry in a way that I’ve never seen myself. If you knew me, you knew that would never happen. If you didn’t know me, though, it’s easy clickbait.” The detail that should worry any business owner is what happened next. Westpac tried four different routes to reach Meta and got no response. A bank CEO had her face cloned for fraud and the platform hosting the ads did nothing. This is a brand and liability problem for any organisation whose leadership is publicly visible.
The detection gap is a capability problem, not a training one
The standard corporate response has been awareness training, teaching staff to look for mismatched lip-sync, odd lighting or unnatural blinking. That approach is now structurally inadequate.
Marco Ramilli, chief executive of identity verification firm identifAI, warned in January 2026 that “deepfake technology can surpass even the most advanced biometric tools,” concluding bluntly that “we can no longer trust what we see.” Joel Foster, chief commercial officer at Lumin, told 1News in May 2026 that “the ability and the power that fraudsters have today is much more than we had a year ago, two years ago, three years ago.”
The vectors hit the core of B2B trade. Back in October 2024, Mastercard-commissioned research found 18% of NZ businesses had been targeted by deepfake scams in the prior year, and 47% of those targeted fell for it. The most common impersonation targets were customer service, clients and suppliers, exactly the relationships that sit at the heart of a payment run.
New Zealand is investing behind the curve
The fear is there but the spending is not. Only 67% of NZ organisations increased identity verification investment, against 82% in Australia and 78% in the US, even though 90% of NZ businesses feared their critical agreement workflows were vulnerable to AI-powered fraud. Being defrauded is not just a loss, it is a commercial liability, with 69% of NZ businesses saying they were less willing to work with partners who had experienced identity fraud.
The threat is spreading into hiring too. Microsoft’s Australia and New Zealand chief security officer Mark Anderson noted in May 2026 that deepfake video interviews now feature in job scams, with facial glitches and speech delays that even alert candidates miss.
The regulatory vacuum
TUANZ chair Paul Littlefair told RNZ on 1 July 2026 that “too much responsibility is being placed on individual users and small businesses to manage complex digital risks,” calling for laws requiring telcos and platforms to proactively detect and block fraud. The Kordia Business Cyber Security Report of March 2026 notes international frameworks like the EU’s NIS2 Directive and Australia’s SOCI Act are tightening board accountability. New Zealand has no equivalent in place.
What to do while the law catches up
The fix is procedural, not technological wizardry. Ramilli recommended in January 2026 that firms use multiple means of verification, noting that requesting extra verification after a call from a senior leader, even a genuine-seeming one, defeats voice-cloning attacks. In practice that means no payment instruction from a phone, video or email is actioned without out-of-band confirmation on a number held on file, escalation rules that never rely on recognition, and supplier verification at onboarding.
The governance shift matters most. Treat deepfake fraud as an operational risk category with board-level visibility, not an IT ticket. The businesses still leaning on staff to trust their eyes and ears are, on the current evidence, already behind the people trying to rob them.
Sources
- AI-generated Westpac boss used in scam ads on Facebook (2026-07-01)
- Deep fakes and AI-generated scams harder to spot (2026-07-01)
- AI turning identity fraud into major business risk, tech firm says (2026-05-06)
- Job hunters facing more fraud and AI-powered deepfake video interviews (2026-05-06)
- New Zealand Business Cyber Security Report 2026 (2026-03)
- AI deepfakes force firms to rethink trust & security (2026-01-29)