How AI is Changing the Cyber Threat Landscape
The rapid advancement of artificial intelligence tools has materially changed the cyber threat landscape for businesses of all sizes in New Zealand. AI tools that were cutting-edge only two years ago are now freely available and widely used by cybercriminals to create more convincing phishing emails, more targeted social engineering attacks, and more sophisticated fraud schemes. Understanding these threats — and ensuring your cyber insurance responds to them — is essential for any NZ business.
AI-Generated Phishing: No More Grammar Mistakes
Traditional phishing emails were often identifiable by poor grammar, unusual formatting and generic language. AI-generated phishing has eliminated these tells entirely. Using large language models, criminals can now generate highly personalised phishing emails in fluent New Zealand English that reference specific details about the recipient, their role, their organisation and even recent business events. CERT NZ has noted a significant increase in the quality and targeting precision of phishing attacks reaching NZ businesses in 2025–2026.
AI-generated phishing is particularly effective at impersonating known contacts. By feeding an AI model with samples of genuine email communication — obtained through prior email account compromise — criminals can replicate the tone, style and language patterns of real colleagues, clients and suppliers in fraudulent emails.
Deepfake Voice and Video: The New Face of Social Engineering
Voice cloning and video deepfake technology has become accessible enough that cybercriminals are using it to enhance social engineering attacks. New Zealand businesses have reported incidents where employees received phone calls that appeared to be from their CEO or CFO — using convincing voice replicas generated from publicly available audio — requesting urgent payment transfers. Combined with a spoofed caller ID, these attacks are extremely difficult for staff to detect without verification procedures.
The financial services and professional services sectors have seen the most reported deepfake fraud attempts, but the technology is now available to any criminal with moderate technical ability. Any NZ business that handles large payments or has staff with authority to authorise payments should implement verbal verification procedures that cannot be defeated by phone impersonation.
AI-Assisted Vulnerability Discovery
Beyond social engineering, AI tools are dramatically accelerating the discovery and exploitation of software vulnerabilities. Automated AI-powered scanning tools can probe thousands of systems simultaneously, identifying unpatched vulnerabilities at a scale and speed that was previously impossible. NZ businesses with unpatched software — whether operating systems, web applications or remote access tools — face higher risk of automated exploitation than ever before.
AI Threats and Cyber Insurance Coverage
A key question for NZ businesses is whether AI-assisted attacks are covered under standard cyber insurance policies. The good news is that most AI-related attack vectors — including AI-enhanced phishing, deepfake-enabled social engineering fraud, and AI-assisted ransomware — are covered under existing cyber policy terms, as the policy covers the type of incident (e.g., social engineering fraud, ransomware, data breach) rather than the tools used to perpetrate it.
The exception to watch is deepfake-enabled CEO fraud: this may fall under the "social engineering fraud" or "cyber crime" sections of a policy, which often have specific conditions — such as requiring verification procedures to be in place. Check your policy conditions carefully to ensure your internal controls meet the requirements for social engineering fraud cover to be triggered.
Practical Steps for NZ Businesses
The AI threat landscape reinforces several core security practices: implement multi-factor authentication everywhere (AI cannot bypass MFA), establish verbal verification protocols for payment instructions, with a callback to a known number, train staff specifically on AI-enhanced phishing, which has no visual tells, and implement email authentication (DMARC, DKIM, SPF) to reduce successful impersonation. These controls both reduce your risk and support the conditions for your cyber insurance cover to respond when an attack succeeds.
About the Author
The CyberCover Team is dedicated to making cyber insurance transparent and accessible for NZ businesses of all sizes.