110 scam ads in 24 hours
In April 2026, the Financial Markets Authority flagged 110 fraudulent investment ads on Meta platforms in a single 24-hour period. The ads used AI-generated deepfake videos of recognisable New Zealand figures, including bank CEOs and politicians, to lend credibility to fictitious trading platforms. Since early March 2026, the FMA has flagged more than 190 fake trading platform websites for removal.
The playbook is consistent. Deepfake video of a trusted public figure endorses a fake investment opportunity. The ad links to a fabricated news article carrying stolen logos from RNZ, TVNZ, or the NZ Herald. Victims register, receive a call from someone posing as a broker, and are directed to a platform showing manipulated returns. The initial ask is around US$250. The exit never comes.
This is not a consumer protection story. It is a business story about collapsing fraud economics, inadequate platform accountability, and a regulatory gap that every financial firm and every company with a publicly visible executive should be worried about.
The real number is probably four times higher
In November 2025, MBIE published the first consolidated cross-bank fraud figure: $265 million in gross losses reported by 12 banks via Payments NZ in the 12 months to November 2025. Of that, $126 million came from authorised push payment scams, where victims were manipulated into approving the transfer themselves. That distinction matters because banks can often avoid reimbursement when the customer technically authorised the payment.
But $265 million is almost certainly a floor. MBIE estimates only one in five scams are reported, which implies real annual losses closer to $1 billion. The SFO’s Long-term Insights Briefing put the range even wider, between $601 million and $12.97 billion annually. The width of that range tells you how badly the country is flying blind.
Meanwhile, the NCSC’s own quarterly data recorded just $3.2 million in direct financial losses in Q4 2025, a fraction of the Payments NZ figure and a measure of how severely fraud is under-reported even to official channels.
AI has rewritten the economics of fraud
The deeper problem is not any single campaign. It is that artificial intelligence has collapsed the cost of producing convincing attacks at scale.
Kordia’s 2026 NZ Business Cyber Security Report found more than 80% of phishing emails now contain AI-generated content. Microsoft’s Digital Defence Report found AI-assisted phishing campaigns achieve a 54% click-through rate, compared with 12% for traditional phishing. Phishing volumes grew 1,200% from 2022 to 2025, with an organisation targeted every 39 seconds.
The criminal toolkit now extends well beyond email. The Better Identity Coalition’s April 2026 guidance identified 10 AI-driven attack vectors against financial institutions, including voice cloning, deepfake video, synthetic identity creation, and AI agents capable of running attacks automatically and persistently across multiple channels.
For businesses, this means the accounts payable function, contract signing workflows, and any process relying on identity verification are now active attack surfaces. Executives and founders whose faces and voices are publicly available are impersonation targets, not just for consumer-facing scams but for internal fraud like fake invoice approvals and wire transfer authorisation.
Every company is now a target
Research from Christchurch-founded document workflow firm Lumin underlines the breadth of the risk. In a survey of 1,000 organisations across New Zealand, Australia, and the United States, more than half reported AI-generated identity fraud, and nearly 70% said they were afraid to work with partners who had been hacked. That is a supply chain trust problem that compounds direct financial losses.
Australia acted, New Zealand has not
The contrast with Australia is the sharpest indictment of New Zealand’s position. Australia’s Scams Prevention Framework Act 2025 places binding obligations on banks, telcos, and digital platforms, with fines up to A$50 million for non-compliance. Critically, Meta only introduced financial advertiser verification requirements in Australia after that law passed. Voluntary cooperation from platforms, without legal compulsion, has proved inadequate.
New Zealand has no equivalent legislation. The FMA can flag scam content and request removal. It cannot compel action. When a deepfake ad featuring a bank CEO appeared on Facebook, the executive reportedly tried to contact Meta through four separate routes without receiving a response. The ad was eventually pulled, possibly after FMA involvement, but no confirmation of action was ever provided.
That is not a regulatory framework. It is a suggestion box.
What happens next matters more than what happened already
The trajectory is clear. AI-generated fraud is scaling faster than detection, faster than reporting, and faster than any voluntary cooperation framework can manage. The $265 million figure will look quaint within two years if the regulatory architecture does not change.
For business owners, the immediate priorities are practical: tighten identity verification in payment workflows, assume that any voice or video request for funds transfer could be synthetic, and treat executive impersonation as a standing risk rather than a theoretical one. For policymakers, the lesson from Australia is that platforms respond to liability, not to letters. Until New Zealand puts a legal consequence behind the request, Meta has no commercial reason to prioritise it.
Sources
- FMA warns of fraudulent trading platforms using fake news articles to entice investors (2026-04-08)
- Meta deepfake scam ads cost NZ banks $265m in fraud losses (2026-04-23)
- AI fraud costs NZ $265m as phishing and deepfakes outpace banks (2026)
- Banks issue warning over AI-powered identity fraud risks (2026-04-01)
- AI-generated identity fraud reported by more than half of businesses – report