AI Is Supercharging Phishing — And NZ Businesses Are Unprepared
The phishing emails of 2020 were easy to spot: poor grammar, generic greetings, suspicious links. The phishing attacks of 2026 are written in flawless English, personalised with real details about your business, and in some cases delivered in the voice of your CEO. Artificial intelligence has fundamentally changed the threat landscape — and most NZ businesses are still defending against the old version of the attack.
What AI-Powered Phishing Looks Like in Practice
AI enables attackers to do in minutes what previously took hours of manual research:
- Hyper-personalised spear phishing — AI tools scrape LinkedIn, company websites, social media, and business registries to build detailed profiles of targets. The resulting email references real projects, real colleagues, real supplier names.
- Voice cloning (vishing) — using as little as 30 seconds of audio from a YouTube video, podcast, or LinkedIn post, AI tools can generate convincing voice calls impersonating executives or colleagues. Several NZ businesses have received calls from apparent CEOs authorising urgent wire transfers.
- Deepfake video — video call impersonation is emerging, with documented cases of finance teams approving large payments after video calls with apparent executives who were entirely AI-generated.
- Polymorphic phishing — AI generates unique variations of each phishing email, bypassing signature-based email security filters that rely on recognising known patterns.
Why Traditional Defences Are Failing
Email filters trained to catch grammar errors and generic templates are largely ineffective against AI-generated personalised content. Staff security training that teaches people to spot "bad writing" is outdated. The advice to "trust your instincts" is dangerous when the attack is sophisticated enough to pass all the traditional checks. Even multi-factor authentication can be bypassed through adversary-in-the-middle (AiTM) phishing attacks that capture session tokens in real time.
Real NZ Incidents Involving AI-Enhanced Social Engineering
In 2025, CERT NZ reported a significant increase in voice-based social engineering incidents targeting NZ businesses. Multiple cases involved callers with convincing NZ accents — almost certainly AI-generated or enhanced — impersonating IT support, banks, and government agencies. In several instances, businesses were directed to install remote access software or transfer funds before the fraud was identified.
How Businesses Should Adapt
The defence against AI-enhanced attacks requires moving away from trusting content authenticity and toward trusting verified processes. This means: establishing out-of-band verification protocols for any financial request (call back to a saved number, not a number in the email); implementing code words for high-trust communications; training staff that convincing does not mean legitimate; and ensuring cyber insurance covers social engineering losses regardless of how convincing the attack was.
Does Cyber Insurance Cover AI-Driven Attacks?
The core coverage mechanics remain the same — cyber policies cover business email compromise, social engineering fraud, and funds transfer fraud regardless of how the deception was engineered. However, ensure your policy's social engineering sub-limit is adequate, as AI-enhanced attacks tend to target larger transactions. With your broker, review whether voice-based and video-based social engineering is explicitly within scope.
About the Author
CyberCover Team — the CyberCover crew are self-confessed insurance geeks on a mission to make cyber cover simple, accessible and jargon-free for businesses of every size.