Author Royden McGee AML/CFT Consultant
About author

I am an AML/CFT specialist with expertise in audit, risk assessment, compliance frameworks, financial investigations, and practical fraud-prevention strategies. I assists reporting entities design and embed effective, business as usual AML/CFT processes tailored to their operations, ensuring obligations are met in a clear and sustainable way.

Introduction

You receive a call from your bank manager with an urgent transfer request requiring your authorisation. You willingly give all the appropriate information, but there is one small issue. It wasn’t your bank manager; it was an AI-generated deepfake scam. By the time you realise, You receive a call from your bank manager with an urgent transfer request requiring your authorisation. You willingly give all the appropriate information, but there is one small issue. It wasn’t your bank manager; it was an AI-generated deepfake scam. By the time you realise, the money is gone.

AI-enabled fraud uses technology like deepfakes, advanced phishing emails, and automated malware to impersonate trusted people and bypass traditional security checks.

How can my business be impacted by fraud?

In New Zealand, fraud is the most commonly experienced crime, according to the Serious Fraud Office’s (SFO) Staying Ahead of the Curve report.

Key statistics about fraud in New Zealand:

  • $194.3 million was lost to fraud and scams between 1 October 2022 and 30 September 2023 (SFO).
  • Globally companies lose 5% of their annual revenue to fraud each year (SFO).
  • 53% of SMEs experienced a cyber threat in 2025 (National Cyber Security Centre (NCSC))
  • 61% of large businesses reported a serious disruption from cyber incidents, (Kordia’s 2025 report)

Fraud is one of the most common and disruptive risks facing New Zealand businesses today. The impacts go beyond inconvenience. Kordia’s 2025 report also found in 17% of cases, personally identifiable information (such as names, addresses and ID numbers) were leaked, and 8% of affected businesses admitted to paying a ransom.

How AI is making fraud harder to spot

Cyber criminals have been using AI to create more sophisticated schemes. The most common types of AI-enabled fraud affecting businesses include:

Advanced Phishing

Phishing is when a scammer mimics a trusted organisation through email.

Cyber criminals can use AI to remove the stereotypical ‘tells’ that we are all taught to protect us from malicious messages, such as mistakes in spelling or grammar, and mimic trusted personnel. Recent attacks have also seen highly accurate Te Reo Māori Phishing to specifically target New Zealand businesses.

Deepfakes

Deepfakes are AI-generated images, audio and video that can accurately mimic trusted personnel.

From a short clip of someone’s voice or video, cyber criminals are able to use AI to call unsuspecting victims and pretend to be relatives, colleagues or a representative from financial institutions. They use a mix of emails (business email compromise, where a scammer impersonates a colleague or supplier by email to redirect payments), calls and urgency to manipulate the victim.

Derivative Malware

Cyber criminals use AI to modify existing malicious software, such as viruses, trojans and worms, so it can slip past your security tools. These modified versions are harder to detect because they look different from the originals.

Ungoverned AI Use

As more businesses use AI within their teams, the risk of unintentional data leaks into the AI’s public models grows. Most of the time these leaks are accidental with employees not realising what they are inputting is being retained and reused by AI, such as client details, financial data or internal documents.

Common fraud risks for SMEs

For many SMEs, they lack formal controls for their staff and are unable to keep up with the rapidly evolving risks.

  • Remote working relies on unsecured networks and isolated staff which can increase the success rate of phishing attacks. While remote working has seen many benefits, it does increase the risk of cyberattacks. This is through unsecured home and public networks, vulnerable devices creating easy entry points and isolation being manipulated to increase the success of phishing attacks. If your team works remotely, require the use of a VPN (virtual private network), enforce multi-factor authentication on all business accounts, and set clear rules about which devices can access company systems.
  • Payment Fraud and Investment Scams driven by AI increases the likelihood of fraudulent payment requests being approved. The use of AI has created far more sophisticated payment fraud and investment scams, through using deepfakes and advanced phishing. The success rate of payment fraud has increased. Investment scams are also targeting those most heavily impacted by the current economic conditions. It is important to verify through separate means anyone asking for money, and if someone is applying pressure always double check.
  • Weak Internal Governance and operating without formal approval frameworks increases their risk. If your business doesn’t have a dedicated IT team, you’re not alone. Most New Zealand SMEs are in the same position. The good news is that the most effective protections don’t require specialist expertise.

How to know if you are being defrauded?

There are a few signs your business may be experiencing fraud.

  • Urgent payment requests that pressure you to act quickly
  • Changes to supplier bank account details
  • Transactions you cannot explain

What forensic accounting actually does

Forensic accounting is the process of identifying fraud risks, investigating suspicious activity, and strengthening financial controls within a business.

Forensic accounting isn’t just for reactive investigations into incidents but is also proactive. Forensic accountants are a valuable part of how you protect your business. For a small business, this might mean reviewing who has authority to approve payments, checking whether your accounting software access is properly restricted, or testing whether your team can spot a fraudulent invoice.

It is not just about cleaning up after a fraud has occurred, this work can be both preventative and responsive. They also help:

  • Review internal controls.
  • Identify vulnerabilities.
  • Investigate suspicious transactions.
  • Strengthen fraud prevention processes.

Five things you can do right now

These steps can reduce your exposure to fraud immediately:

  1. Two Person Payment Authentication: Prevents a single employee from authorising high-risk transactions.
  2. Transaction Monitoring: Helps detect unusual or unexplained financial activity early.
  3. Whistleblower Channels: Provide a confidential way for staff to report concerns, even an anonymous email address or a direct line to a senior manager count.
  4. Regular Reviews: Help your team stay up to date with evolving fraud risks.
  5. Knowing When to Call: If something doesn’t feel right, an unusual payment request, a suspicious email, or a transaction you can’t explain, act quickly. Report cyber incidents to the NCSC (report.ncsc.govt.nz), contact your bank immediately if money has moved, and speak to a forensic accountant if you suspect internal fraud. Moore Markhams’ forensic team can help you assess the situation and decide on next steps.

Many effective fraud prevention steps can be implemented at little or no cost.

When should you involve a forensic accountant?

  • When you notice unusual or unexplained transactions.
  • When a payment cannot be verified.
  • When you suspect internal fraud.
  • When controls have failed or been bypassed.
  • If you don’t currently have a strong framework and training in place.

Moore Markhams is Here

Fraud risks are evolving quickly, and many businesses only identify weaknesses after an incident occurs.

At Moore Markhams, our forensic accounting specialists help businesses across New Zealand:

  • identify fraud risks
  • investigate suspicious activity
  • strengthen internal controls

If something doesn’t feel right, getting independent advice early can reduce financial loss and disruption.

This article is general in nature and does not constitute professional advice. Attendees should seek specific advice from a qualified adviser on the application of any of the measures discussed above to their individual circumstances.