Ways to help protect your business from AI scams

AI is rapidly changing the way Kiwis do business by finding efficiencies, increasing productivity, and transforming how brands connect with customers.

While AI is helping many businesses thrive, it’s also giving scammers powerful new tools to deceive. With generative AI, scammers can:

• Clone voices and faces to impersonate colleagues, suppliers, or even bank staff
• Generate emails that mimic a company’s tone and branding
• Use publicly available data from websites, news articles, and social media to tailor their scams to your business.

In other words, scammers are becoming expert impersonators and their tactics are working. According to Mastercard research, nearly 29% of Kiwis and 18% of businesses were targeted by deepfake scams last year. Of those businesses, nearly half fell victim to the scam.

AI-driven scams are convincing because they’re highly personalised and highly convincing. Scammers use public information like job titles, team structures, and communication styles to mimic the people you deal with every day. Because they’re so personal, they often bypass your gut instincts. No one expects to be scammed by someone they know.

AI scams also exploit common business dynamics: urgency, confidentiality, and trust. When a message looks legitimate and lands at a busy moment, it’s easy to miss the subtle signs that something’s off.

AI is fuelling a growing number of scams, but there are two to be aware of.

Using AI, scammers can manipulate different types of media to create realistic voice messages and videos that sound and look like someone you know. These are called ‘deepfakes’ and they can be incredibly hard to spot.

Deepfakes often impersonate suppliers, clients, or customer service staff to request sensitive information, change payment details, or push through urgent transfers. They might even pose as an authority figure like a CEO or CFO to add pressure. The goal is to make the request feel urgent and legitimate, so you’re less likely to question it in the moment.

Watch out for:

• Unusual, unexpected, or out-of-character requests
• Pressure to act quickly or keep things confidential
• Requests to click links, download attachments, or share login details
• Unnatural tone, pacing, or phrasing.

Even if these signs seem harmless on their own, it’s worth pausing before you act.

Using AI tools, scammers can now create invoices and messages that closely mimic those from your real suppliers or partners right down to layout, tone, and sender details. Like deepfake scams, these often come with urgent payment requests or last-minute changes to bank account details.

Watch out for:

• Invoices you weren’t expecting
• Formats and bank account details that don't match previous invoices
• Requests that skip your usual approval process or feel unusually urgent
• Slight changes in email addresses, like .co.nz instead of .com, or substituting an 'ɑ' for an 'a'
• Missing, misspelled, or vague contact details.

Even small details can be easy to overlook especially when the message looks familiar.

You don’t have to be a tech expert to stay safe, there are a few smart habits that can go a long way in helping protect your business from AI-driven scams.

Always review invoices or payment requests carefully using the ‘four eyes principle’. This is also known as the two-person rule, and it requires a second staff member to review and double-check the transaction.

The four eyes principle is one of the best ways to help avoid any type of scam or fraud in your business, from phishing to dishonesty regardless of whether AI is involved.

If you suspect an invoice isn’t legitimate, call the contact directly using a trusted number to confirm. For example, one published on their official website, instead of the number provided in the message.

Enable two-factor authentication for email accounts, apps, and all digital channels. It adds an extra layer of defence, making it harder for scammers to gain access to your accounts.

ANZ’s OnlineCode feature provides this extra layer of security, by verifying certain transactions or updates in the ANZ goMoney app and Internet Banking—. ANZ Direct Online (ADO)— uses a separate payment authorisation app called ANZ Direct Auth, which is available on the Google Play Store— or App Store—.

Remember, never disclose ADO response codes,  ANZ OnlineCodes, or Visa Secure Codes with anyone, even ANZ staff.

On our Scams and fraud that target businesses page, you can learn more about securing your business accounts.

Train your staff to spot irregularities in emails and invoices, and encourage them to question urgency, secrecy, or anything that feels off.

If you or your staff become aware of any suspicious activity, scams, phishing emails, texts or phone calls, contact us immediately.

Review what’s publicly available about your business and people, including what you and your staff say on websites, LinkedIn, and other social media channels.

Anything you post online helps scammers personalise their attacks, and use your own information against you.

AI-driven scams are evolving fast but your defences can evolve even faster. By understanding how these scams work and taking a few practical steps, you can reduce your chances of being caught out.

We have a range of resources to help you strengthen your scam defences. See our Scams and fraud section for tools, tips, and support.

Staying informed is key, so we recommend checking our Latest scams page to help you keep up to date with current scam alerts.

You can also share these updates with your team to build a culture of scams and fraud awareness in your business.