A phishing scam is a cyber attack in which criminals impersonate a trusted person or organisation to trick your staff into handing over credentials, approving fraudulent payments, or clicking malicious links. In 2026, AI has made these attacks faster to create, harder to detect, and significantly more convincing than anything seen before.
The old advice about spotting phishing scams — look for poor grammar, suspicious links, and unfamiliar senders — no longer holds. In 2026, the phishing scam emails reaching NZ businesses are indistinguishable from legitimate correspondence. They reference real colleagues by name, mirror your company’s writing style, and arrive from addresses that pass every standard filter.
This guide covers what phishing scams look like now, the specific AI-powered techniques being used against NZ businesses, and the practical steps that actually reduce risk in the current threat environment.
Why Phishing Scams Are More Dangerous in 2026
Phishing scams have always been the most common entry point for cyber attacks. What has changed is the scale, speed, and sophistication with which those attacks are now executed.
NZ Business Cyber Security Report 2026: over 80% of phishing scam emails now contain AI-generated content that is difficult to detect. AI-assisted phishing scams achieve a 54% click-through rate — compared to 12% for traditional phishing.
That gap — 54% versus 12% — is the clearest indication of how much the threat has changed. Nearly one in two recipients of an AI-crafted phishing email will click the link. That is not a training failure. That is a fundamentally different kind of attack.
The reason is straightforward. Attackers now use large language models to generate personalised, grammatically perfect, contextually accurate messages in seconds. A campaign that previously took a skilled criminal team 16 hours to craft can be produced in under five minutes. According to CERT NZ, NZ businesses lost $7.8 million to cybercrime in Q1 2025 alone — a 14.7% increase on the previous quarter. Phishing scams are the primary entry point for the majority of those incidents. Our guide on how cyber attacks unfold explains how attackers move from phishing to full system compromise.
What AI-Powered Phishing Scams Look Like
Understanding the specific phishing scam techniques being deployed is the first step toward defending against them. These are the AI-powered methods currently targeting NZ businesses.
Hyper-personalised spear phishing scams
Traditional phishing scams sent the same message to thousands of recipients. AI-powered spear phishing generates a unique, personalised message for each target. Attackers scrape LinkedIn, company websites, and social media to build a profile — then craft an email that references your role, your colleagues, your recent projects, and your company’s language and tone.
The result reads exactly like a message from someone who knows you. There are no generic greetings, no obvious errors, and no red flags that traditional training would catch.
Deepfake voice and video attacks
Voice cloning attacks increased 81% in 2025. Attackers use AI to replicate the voice of a known executive or supplier and make phone calls or leave voicemails instructing staff to approve payments, share credentials, or bypass normal verification processes.
Video deepfakes — where a senior leader appears on a video call requesting urgent action — are emerging as the highest-impact variant. These attacks prey on authority and urgency. The instruction comes from a face and voice your staff recognise. The standard response is to comply.
Adversary-in-the-middle attacks bypassing MFA
Adversary-in-the-middle (AiTM) attacks intercept your session cookie after you have already authenticated — including after completing MFA. These attacks surged 146% in 2024, and they mean that multifactor authentication alone is no longer a complete defence. Once the attacker has the session cookie, they access your account without needing your password or second factor. Our employee security awareness guide covers how to train staff to recognise and respond to these advanced phishing scam techniques.
Business email compromise via AI phishing scams
Business email compromise (BEC) uses AI phishing scams to impersonate executives, suppliers, or clients with enough accuracy to convince accounts staff to approve fraudulent invoices or transfers. The Microsoft Digital Defence Report 2025 found AI-assisted BEC phishing scams are now responsible for the majority of financial losses from these attacks globally.
| Warning Sign | What It Looks Like in 2026 |
|---|---|
| Perfect grammar and tone | AI generates flawless, professional prose. Poor spelling is no longer a reliable warning sign. |
| Correct sender details | AI tools help attackers register near-identical domains and spoof display names accurately. |
| Personalised content | The email references your name, role, colleagues, or recent activity — scraped from public sources. |
| Urgent but plausible requests | AI crafts urgency that feels proportionate to the request — not obviously alarming. |
| Familiar voice or face | Deepfake calls and videos impersonate people your staff know and trust. |
| Passes email filters | AI-generated content is specifically designed to avoid triggering standard spam and phishing filters. |
The Most Common Types of Phishing Scams in NZ
While AI has changed how phishing scams are crafted, the categories remain consistent. Knowing which type of phishing scam is being used helps you apply the right response.
Email phishing scams
Still the most common vector. Email phishing scams involve attackers sending messages impersonating trusted organisations — banks, government agencies, courier companies, or your own IT team. In 2026, these emails are AI-generated and visually identical to legitimate correspondence from those organisations.
Spear phishing
Targeted at a specific person or business. The attacker researches the target in advance and crafts a message that references real, specific details. Spear phishing scams account for a disproportionately high share of successful attacks despite being lower in volume than generic email phishing scams.
Whaling phishing scams
Whaling phishing scams target senior executives specifically. The goal is typically to access financial systems, approve large transfers, or obtain credentials that give access to high-privilege accounts. Whaling attacks now frequently use deepfake voice impersonation of board members or investors.
Smishing and vishing phishing scams
Text message phishing scams (smishing) and voice call phishing scams (vishing) have grown significantly as email filtering has improved. AI voice cloning makes vishing attacks particularly convincing — the caller sounds exactly like a known contact. The NCSC issued a specific warning in March 2026 about credential harvesting via phone-based social engineering targeting NZ businesses.
Clone phishing scams
Clone phishing scams involve attackers intercepting a legitimate email your business has sent or received, cloning it exactly, and resending it with a malicious link or attachment substituted for the original. Because the email references a real previous interaction, recipients rarely question its authenticity.
How Phishing Scams Damage NZ Businesses
The impact of a successful phishing scam extends well beyond the immediate incident.
Financial theft
AI-powered BEC attacks trick accounts staff into approving payments to attacker-controlled accounts. Losses can reach hundreds of thousands of dollars from a single incident. Recovery through banks is not guaranteed — once the transfer is made, it is often unrecoverable.
Credential theft and account takeover
Stolen credentials give attackers persistent access to your email, cloud services, and internal systems. This access is frequently used to launch further attacks from within your own environment — including ransomware deployment and data exfiltration for double extortion.
Data theft and regulatory exposure
The NZ Privacy Act 2020 requires notification to the Office of the Privacy Commissioner when a breach is likely to cause serious harm. A phishing-enabled data breach that exposes client records triggers this obligation. Our cybersecurity risk assessment guide explains how to identify and address the gaps that make phishing scams most damaging.
Reputational damage
If attackers use your compromised email account to send phishing messages to your clients or suppliers, the reputational cost extends to every relationship you have. For professional services firms and healthcare providers, this can be practice-ending.
What Actually Protects Against AI-Powered Phishing Scams
Traditional defences — spam filters, basic training, and email rules — are not sufficient against AI-generated phishing scams. These are the controls that provide meaningful protection in 2026.
Advanced email filtering with AI-based detection
Email security tools that use AI to detect AI-generated phishing scam content are now a baseline requirement, not a premium add-on. Standard spam filters trained on older phishing scam patterns will not catch the new generation of attacks. Exodesk’s email security service includes advanced filtering designed for the current threat environment.
Updated and frequent security awareness training
Annual training is no longer adequate. The threat landscape changes quarterly. Staff need to understand AI phishing scams specifically — not just the generic warning signs that no longer apply. Training should include examples of AI-generated phishing scams, deepfake voice scenario awareness, and a clear verification protocol for any request involving payments, credentials, or data access.
Verification protocols for financial and access requests
Any request to approve a payment, transfer funds, share credentials, or grant access should require verification through a second, independent channel — a phone call to a known number, not a reply to the requesting email. This single process change prevents the majority of BEC losses.
Phishing-resistant MFA
Standard MFA — SMS codes or authenticator apps — can be bypassed by AiTM attacks. Phishing-resistant MFA using hardware security keys or passkeys provides meaningful protection against session hijacking. For any account with financial or administrative access, hardware MFA should be the standard.
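As an added example, not from the original article or from Exodesk, the model below shows why passkeys and hardware security keys resist the adversary-in-the-middle attack described in the AiTM section above: the authenticator signs over the origin the browser is actually on, so an assertion collected through a lookalike domain is rejected by the real site, and a proxy that edits the origin field breaks the signature instead. The relying party name, domains and the symmetric stand-in for the passkey's key pair are constructed for this example.

```python
import hashlib
import hmac
import json
import os
from base64 import urlsafe_b64encode

RP_ID = "app.example.co.nz"              # constructed relying party (the real site)
RP_ORIGIN = "https://app.example.co.nz"
# Symmetric stand-in for the passkey's key pair so this runs on the standard library only.
AUTHENTICATOR_KEY = os.urandom(32)

def b64url(data: bytes) -> str:
    return urlsafe_b64encode(data).rstrip(b"=").decode()

def authenticator_assert(challenge: bytes, browser_origin: str) -> dict:
    """Browser + authenticator side of navigator.credentials.get(). The browser, not
    the page, records the origin it is actually on in clientDataJSON."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                              "origin": browser_origin}).encode()
    auth_data = hashlib.sha256(RP_ID.encode()).digest() + b"\x05"  # rpIdHash + UP|UV flags
    signed = auth_data + hashlib.sha256(client_data).digest()
    return {"clientDataJSON": client_data, "authenticatorData": auth_data,
            "signature": hmac.new(AUTHENTICATOR_KEY, signed, hashlib.sha256).digest()}

def rp_verify(challenge: bytes, a: dict) -> bool:
    """Relying-party checks: type, fresh challenge, origin, rpIdHash, then signature."""
    cd = json.loads(a["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False
    if not hmac.compare_digest(cd.get("challenge", ""), b64url(challenge)):
        return False
    if cd.get("origin") != RP_ORIGIN:      # the check an AiTM proxy cannot satisfy
        return False
    if a["authenticatorData"][:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False
    signed = a["authenticatorData"] + hashlib.sha256(a["clientDataJSON"]).digest()
    expected = hmac.new(AUTHENTICATOR_KEY, signed, hashlib.sha256).digest()
    return hmac.compare_digest(expected, a["signature"])

def login_attempt(browser_origin: str, proxy_rewrites_origin: bool = False) -> bool:
    """One login: the RP issues a fresh challenge and the user completes the passkey
    prompt on browser_origin. With proxy_rewrites_origin, the AiTM proxy edits the
    origin field before forwarding, which invalidates the signature instead."""
    challenge = os.urandom(32)
    a = authenticator_assert(challenge, browser_origin)
    if proxy_rewrites_origin:
        cd = json.loads(a["clientDataJSON"])
        cd["origin"] = RP_ORIGIN
        a["clientDataJSON"] = json.dumps(cd).encode()
    return rp_verify(challenge, a)
```

In a real browser the assertion on the lookalike domain would not be produced at all, because the credential's rpId is not a registrable suffix of that domain; the server-side origin check modelled here is the backstop that catches anything a proxy does relay.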
Privileged access controls
Limiting which staff can approve payments, access sensitive data, or modify system configurations reduces the blast radius of a successful phishing scam. Our dark web monitoring service provides early warning when staff credentials have already been compromised — often before an attack is launched.
Incident response readiness
When a phishing attack succeeds — and statistically, one will — your response speed determines the outcome. Knowing who to contact, how to isolate affected accounts, and how to notify affected parties within the Privacy Act’s requirements is not something to work out under pressure. A tested response plan makes the difference between a contained incident and a business-disrupting one.
Is Your Business Protected Against AI-Powered Phishing?
Exodesk provides email security, security awareness training, and phishing simulation services to South Island businesses from our offices in Christchurch and Dunedin. If your current defences were designed for the phishing threats of 2022 rather than 2026, they are not providing the protection you think they are.
We offer an honest, no-obligation assessment of your current email security posture and staff awareness programme.
Contact us today to discuss how we can help your business or connect with us on LinkedIn to stay updated with more insights.
Frequently Asked Questions About Phishing Scams
What is a phishing scam?
A phishing scam is a cyber attack in which criminals impersonate a trusted person, company, or organisation to trick recipients into handing over login credentials, approving fraudulent payments, or clicking malicious links. Phishing scams are the most common entry point for cyber attacks globally and the leading cause of data breaches and financial losses for NZ businesses.
How has AI changed phishing scams in 2026?
AI allows attackers to generate personalised, grammatically perfect phishing scam messages in seconds rather than hours. According to the NZ Business Cyber Security Report 2026, over 80% of phishing scam emails now contain AI-generated content that is difficult to detect, and AI-assisted phishing scams achieve a 54% click-through rate compared to 12% for traditional attacks. AI also enables deepfake voice and video impersonation, and AiTM attacks that bypass standard MFA.
Can you still spot phishing scams by looking for bad grammar and spelling?
No. This approach is no longer reliable for identifying phishing scams. AI generates flawless, professional prose indistinguishable from legitimate correspondence. Modern phishing scam emails are personalised, contextually accurate, and visually identical to real communications from the organisations they impersonate. Staff need updated training that reflects the current threat rather than the indicators that applied to older attacks.
What is an adversary-in-the-middle attack and why does it matter?
An adversary-in-the-middle (AiTM) attack intercepts your session cookie after you have authenticated — including after completing MFA. This allows the attacker to access your account without needing your password or second factor, bypassing standard multifactor authentication. These attacks surged 146% in 2024. Phishing-resistant MFA using hardware security keys provides meaningful protection where standard MFA does not.
What is business email compromise and how does it work?
Business email compromise (BEC) uses phishing or account takeover to impersonate an executive, supplier, or client convincingly enough to trick accounts staff into approving fraudulent payments or sharing sensitive data. AI has made BEC significantly more convincing by generating messages that precisely match the target’s writing style and organisational context. Verification protocols — confirming any payment or access request through an independent channel — are the primary defence.
How do deepfake phishing scams work?
Deepfake phishing scams use AI-generated audio or video to impersonate a known person — typically a senior executive, supplier, or colleague. The attacker calls a staff member using a cloned voice, or joins a video call as a deepfake version of a trusted contact, to request urgent action such as approving a payment or sharing credentials. Voice cloning attacks increased 81% in 2025. A strict callback verification protocol using a known direct number is the most effective defence against these phishing scams.
What should NZ businesses do immediately after a phishing attack?
Isolate the affected account by resetting credentials and revoking active sessions immediately. Notify your IT provider or managed security team. If financial transactions were involved, contact your bank as quickly as possible — recovery is time-sensitive. Assess whether any personal data was compromised, as the NZ Privacy Act 2020 may require notification to the Office of the Privacy Commissioner if the breach is likely to cause serious harm. Document the incident for your insurer if you hold cyber insurance.
Is annual security awareness training enough to protect against phishing in 2026?
No. Annual training is no longer adequate given how quickly the threat landscape is evolving. Staff need to understand AI-specific phishing techniques, deepfake awareness, and current verification protocols. Quarterly training updates, combined with regular phishing simulations, provide meaningfully better protection. The goal is to build a habitual verification response rather than relying on staff to identify specific warning signs that no longer reliably apply.
What types of NZ businesses are most targeted by phishing scams?
All businesses are targeted by phishing scams, but professional services firms, healthcare providers, and financial services businesses are disproportionately targeted because of the value of the data they hold and the financial authority their staff carry. Small and medium businesses are increasingly targeted by phishing scams precisely because they are perceived as less well-defended than large enterprises. Exodesk works with South Island businesses across all these sectors to build layered defences proportionate to their specific risk profile.
How does Exodesk help NZ businesses protect against phishing scams?
Exodesk provides advanced email filtering that blocks AI-generated phishing scams and malicious attachments before they reach staff, security awareness training including phishing simulations, MFA configuration, access control reviews, and incident response planning. Our teams are based in Christchurch and Dunedin and work with South Island SMEs on fixed-price managed security arrangements that include ongoing monitoring and protection updates as the phishing scam threat landscape evolves.