Free Module: Staying Safe from AI Fraud

Free module · AI fraud protection

AI fraud is targeting NZ organisations right now

Deepfake video calls, voice cloned payment requests, AI written phishing emails. This free module teaches your team the one rule that stops every attack before any money leaves. Enter your work email and it opens immediately.

Your name

Work email

No password. No account. Share this module with your whole team today.

NZ specific examples throughout

CERT NZ guidance included

20 minutes

It happened in New Zealand

A Taranaki woman lost $224,000 to a scheme that used a deepfake video of Prime Minister Christopher Luxon. It looked real. It sounded real. New Zealand's Financial Markets Authority has also flagged deepfake impersonations of Winston Peters, Kiwibank CEO Steve Jurkovich, and Westpac CEO Catherine McGrath. All were used to push fraudulent investment platforms carrying the logos of trusted NZ media outlets like RNZ and the NZ Herald.

This is not a future threat. It is happening right now, in Aotearoa, targeting real people and real organisations.

What has actually changed

For years, spotting a scam was relatively straightforward. Poorly written emails. Obvious fake sender addresses. Requests that felt off. Your instincts were enough.

That world no longer exists.

AI has not invented new types of fraud. It has made existing fraud dramatically more convincing, faster to produce, and cheaper to run. The scams targeting NZ organisations in 2026 combine tools your attacker can access for free, produce in seconds, and refine endlessly until they work.

$5.7M

lost by NZ organisations to scams and fraud in a single quarter of 2025

Source: NCSC NZ 2025

3 sec

of audio is all an attacker needs to clone someone's voice with current AI tools

Source: Norton 2025

1,300%

increase in voice based fraud attacks in enterprise environments in 2025

Source: SQ Magazine 2026

The five AI scams targeting NZ organisations right now

You need to know what these actually look like. Not in theory. In practice, the way they show up in your inbox, your phone, and your video calls.

Voice cloning and CEO fraud

An attacker uses a few seconds of audio from a public speech, interview, or social media clip to clone your CEO's voice. They then call a finance staff member asking for an urgent transfer.

NZ example: Multiple NZ executives have had their voices cloned using publicly available recordings from media appearances.

AI phishing emails

Phishing emails used to be easy to spot. Odd grammar, suspicious domains, generic greetings. AI writes perfect English, researches your organisation, and personalises each email to its target.

CERT NZ: Phishing emails are increasingly difficult to distinguish from legitimate communications due to AI generated content.

Deepfake video calls

The next level of CEO fraud. Not just a phone call but a full video meeting where everyone you can see is AI generated. This has already happened at major organisations globally.

Global case: A finance worker attended a video call where every participant including the CFO was a deepfake. He transferred the equivalent of NZ$40 million.

Fake invoices and supplier fraud

AI generates perfect looking invoices, supplier communications, and contract documents. Logos, formatting, and language all look legitimate. The only thing different is the bank account number.

Pattern: An email from a known supplier saying their bank account has changed. The email is AI written and looks identical to previous real communications.

AI generated fake investment platforms

Fake websites with professional design, fabricated news articles, and deepfake video endorsements from NZ public figures. The FMA has specifically warned about fake platforms using deepfakes of NZ executives and politicians.

NZ specific: The FMA flagged deepfake videos impersonating Winston Peters, Kiwibank CEO Steve Jurkovich, and Westpac CEO Catherine McGrath promoting fake investment platforms.

Why your instincts are no longer enough

Human beings are remarkably bad at detecting high quality deepfakes. Research shows that human detection accuracy for high quality video deepfakes is only 24.5%. That is barely better than a coin flip.

Voice cloning is even harder. Our brains are wired to trust familiar voices. When you hear what sounds like your CEO or your manager, you do not naturally question whether it is real. That is precisely what the attackers count on.

The uncomfortable truth

Your instincts were built for a world where hearing someone's voice meant it was them. That world ended when AI voice cloning became available for free online. The only defence is procedural, not perceptual. You cannot train your ear to spot a good deepfake. You can build a process that makes the deepfake irrelevant.

What this actually looks like in real life

Here is how this plays out in a real NZ workplace. Read it carefully because this is not hypothetical. Variations of this scenario have happened at NZ organisations.

A real scenario in 90 seconds

9.47am. Sarah is the finance coordinator at a Christchurch construction firm with around 80 staff. She is processing invoices when her phone rings. The number shows as the CEO's mobile. She answers.

The voice is unmistakably her CEO, David. Same tone, same way he says her name, same slight Canterbury accent. He sounds slightly stressed. He explains there is a supplier payment that needs to go out today or the firm loses a critical materials order for a major project. It is $18,500. He needs it processed in the next 20 minutes before he goes into a client meeting. He says not to mention it to anyone else yet because the contract negotiation is still being finalised.

Sarah feels the pressure immediately. The urgency. The secrecy. The trust she has in Mark's voice. Every instinct says this is real.

Then she remembers the red flags. Urgency. Secrecy. Money. All three together. She tells the caller she will call him back in five minutes to confirm the details. The caller says there is no time and pushes back.

That pushback is the signal. A legitimate CEO would say of course, call me back. Sarah hangs up, looks up Mark's number from her internal directory, and calls him directly. Mark has no idea what she is talking about. He is in a meeting and has not called anyone.

The voice was cloned from a podcast interview Mark did three months ago. The attackers needed less than 60 seconds of that audio to build a convincing replica. The entire call cost them almost nothing to produce.

Sarah saved her organisation $18,500 and potentially much more by doing one thing. She paused, used a known number, and verified through a separate channel. David confirmed he was in a client meeting and had not called anyone. The voice had been cloned from a business interview he gave to a Canterbury trade publication three months earlier. That is all it took.

The six red flags to look for

Even though AI makes scams more convincing, there are still patterns to watch for. These are not foolproof detectors but they should trigger your verification protocol immediately.

Urgency and secrecy combined. Any request that is urgent, confidential, and involves money is a red flag regardless of who it appears to come from. Legitimate urgent requests can wait five minutes for a callback.

A request to change banking details. Any communication asking you to pay to a new account or update supplier banking information should trigger immediate phone verification using a number you already have on file, not one provided in the message.

An executive making an unusual financial request. Real executives use proper channels. An unexpected call or email asking for a transfer outside normal process is suspicious even if it sounds or looks exactly like the real person.

Slightly odd audio or visual quality. Voice clones sometimes have very subtle digital artifacts, unusual breathing patterns, or a slightly flat quality. Video deepfakes may have minor glitches around the hairline, eyes, or when the person turns their head. Do not rely on this as your main check but treat it as an additional signal.

Communication that does not follow normal patterns. If someone who usually emails you is now calling. If someone who usually calls is now texting. If the tone or vocabulary feels slightly different to how they normally write or speak. Trust that instinct and verify separately.

Pressure not to verify. Any message that says do not call them, do not tell anyone else, or handle this discreetly is a major red flag. Legitimate requests welcome verification. Scams rely on you skipping it.

The one rule that stops every scam

The verification protocol

Never authorise a financial transaction based on a single communication channel.

If you receive a call, email, or message requesting money or banking changes, you must verify through a completely separate channel before acting. Call the person back on a number you already have. Not the number that just called you. Not a number from the email. A number from your own records.

This single rule makes voice cloning, deepfake video calls, fake emails, and AI phishing irrelevant. It does not matter how convincing the fake is. If you verify through a separate channel before acting, the fraud fails.

The verification steps for your organisation

Pause before acting. Any financial request, no matter how urgent it sounds, can wait five minutes. Tell the caller you will call them back. A legitimate request will still be there in five minutes.

Use a known number from your own records. Look up the number yourself from your internal directory, a previous verified email, or the organisation's official website. Do not use any number provided in the suspicious communication.

Use a different channel to the one the request came through. If the request came by phone, verify by email. If it came by email, verify by phone. If it came from both, verify in person or through an internal messaging system.

Confirm the specific details. Do not just confirm identity. Confirm the specific transaction. A real person will know exactly what they asked for. A scammer cannot predict what the real person would say.

If you cannot verify, do not proceed. There is no financial transaction urgent enough to justify skipping verification. If the requestor is genuine they will understand. If they are not, you have just avoided a potentially catastrophic loss.

What to do if your organisation is targeted

NZ reporting channels

If your organisation receives or falls victim to an AI assisted scam, report it immediately. Do not wait and do not be embarrassed. These attacks are sophisticated and reporting helps protect other NZ organisations.

CERT NZ: cert.govt.nz or 0800 CERTNZ. Report cyber security incidents including phishing and fraud. CERT NZ is the primary point of contact for cyber incidents affecting NZ businesses.

NZ Police: Report financial fraud at police.govt.nz or call 105. For anything involving immediate financial loss, report immediately so potential account freezing can happen fast.

Financial Markets Authority: fma.govt.nz for investment scams and anything involving fake financial products or fake endorsements by NZ public figures.

Netsafe: netsafe.org.nz or 0508 NETSAFE for general online safety advice and support after an incident.

Three things to do in your organisation this week

You do not need a large budget or a dedicated IT team to meaningfully reduce your organisation's exposure. These three actions cost nothing and take less than an hour.

Agree on a verification code word with your finance team and leadership. A simple, privately agreed word that only your team knows. If a call comes in without the code word, no transfer is made. This defeats voice cloning entirely.
Check your public audio and video footprint. Search for your CEO's name on YouTube and social media. Every public recording is training data for a voice clone. Being aware of what is out there is the first step to managing the risk.
Forward this module to every person in your organisation who handles payments or approves transactions. One educated person in your finance team is more valuable than any technical security tool.

What comes next in AiReady NZ

This is Module 8. Modules 1 through 7 cover what AI actually is, which tools to use for which tasks, how to use AI for writing and admin, and the NZ Privacy Act in plain language. Modules 9 through 12 cover copyright, AI and your career, building team AI habits, and what becomes possible when AI is connected directly to your organisation's workflows. The full programme is $3,000 per year for NFPs and charities, or $5,000 per year for businesses and councils. One flat fee covers your whole organisation.

Module 8 · Knowledge check

Let us see what landed

Five questions. Wrong answers always show you the correct answer and explain why. Take your time.

Question 1 of 5

Your finance manager receives a phone call. It sounds exactly like the CEO asking for an urgent $15,000 transfer to a new supplier. What should she do?

Process the transfer. The voice sounds genuine and the CEO is trustworthy.

Tell the caller she will call back, then phone the CEO directly on a number from her own records before proceeding.

Ask the caller to send a follow up email to confirm the request.

Question 2 of 5

Your regular stationery supplier sends an email saying their bank account has changed and requests all future payments go to a new account. The email looks identical to every other email from them. What do you do?

Update the account details. The email looks exactly like their normal communications.

Reply to the email asking them to confirm the change.

Call the supplier directly on a number from your own records to verbally confirm the banking change before updating anything.

Question 3 of 5

You join a video call and can see your CEO and two other senior colleagues. They ask you to approve an urgent invoice before the meeting ends. What is the red flag here?

The call is at an unusual time of day.

The people on the video call could be AI generated deepfakes, even though they look and sound real.

The invoice amount seems high for that type of purchase.

Question 4 of 5

A staff member wants to set up a code word system with the leadership team to protect against voice cloning fraud. Your CEO says it sounds paranoid. What is the best response?

Drop it. If the CEO thinks it is unnecessary there is no point pushing it.

Share the NZ data with the CEO. New Zealanders lost over $5.7 million to scams and fraud in a single quarter of 2025 and voice cloning fraud is one of the fastest growing categories. A code word costs nothing and takes five minutes to set up.

Invest in a technical voice authentication system instead.

Question 5 of 5

Your organisation just received what looks like a highly convincing phishing email. You did not click anything but you are not sure if others did. What is the first thing to do?

Wait to see if anything actually goes wrong before reporting it.

Delete the email from everyone's inbox to prevent anyone clicking it.

Report immediately to CERT NZ and alert your team. Fast reporting allows potential damage to be limited and protects other NZ organisations.

5/5

Outstanding. Share this with your whole team.

Module 8 · Your cheat sheet

AI scam spotter

Print this, stick it up near the people who handle payments and approvals, and share it with your whole team. It costs nothing and it works.

AI scam spotter for NZ organisations

AiReady NZ · Module 8 · Updated 2026 · aireadynz.co.nz

NZ organisations lost over $5.7 million to scams and fraud in a single quarter of 2025. Voice cloning, deepfake video, and AI phishing are all being used against NZ businesses right now. This card gives every staff member what they need to protect your organisation.

Never authorise a financial transaction based on a single communication channel.

Call back on a number from your own records. Not the number that just called you.

The 6 red flags

Urgency plus secrecy plus money. Any combination of these three is a red flag. Legitimate requests can wait five minutes for verification.

A request to change banking details. Never update supplier or payment details without calling the organisation on a number from your own records.

An executive making an unusual financial request. Real executives use proper channels. An unexpected call or email requesting a transfer outside normal process is suspicious even if it sounds or looks exactly like the real person.

Slightly odd audio or visual quality. Subtle glitches around the hairline, eyes, or unnatural breathing patterns in a call. Not reliable on its own but treat it as an extra signal to verify.

Communication that does not follow normal patterns. Different channel to usual, different tone to usual, different level of detail to usual. Trust that instinct and verify separately.

Pressure not to verify. Any request that discourages you from checking with someone else is a major red flag. Legitimate requests welcome verification.

If you receive a suspicious request

Pause. Tell the caller you will call them back. Any legitimate request can wait five minutes.

Look up their number yourself. Use your internal directory or the organisation's official website. Do not use any number from the suspicious message.

Use a different channel. If the request came by phone verify by email or in person. If it came by email verify by phone.

Confirm the specific details. Ask them to confirm exactly what they asked for. A real person will know. A scammer cannot predict it.

If you cannot verify, do not proceed. No transaction is urgent enough to skip this process.

Report to these NZ organisations

CERT NZ

cert.govt.nz · 0800 CERTNZ
Cyber security incidents including phishing and fraud

NZ Police

police.govt.nz · 105
Financial fraud and cybercrime

Financial Markets Authority

fma.govt.nz
Investment scams and fake financial products

Netsafe

netsafe.org.nz · 0508 NETSAFE
Online safety advice and incident support

Your organisation's code word for verifying urgent financial requests:

Agree this with your team privately. Use it on every urgent call.

Module 8 complete

You now understand the verification protocol that stops most AI enabled fraud attacks. Most NZ organisations have never formally trained their staff on this. You have. That matters.

Most scam victims are not careless

They are responding under pressure using the information available to them. The attackers rely on that. What you have just learned is not obvious. It runs against instincts that have served people well for decades. The fact that you now know to pause and verify is genuinely protective. Share this module with your team today.

The gap your organisation likely has right now

You now know how to spot AI fraud. But research shows most NZ organisations are already committing Privacy Act breaches with free AI tools right now, without realising it. Module 7 covers exactly what data must never go into ChatGPT or Gemini, in plain language, with real NZ examples. It takes 20 minutes. The legal exposure it closes is significant.

The full AiReady NZ programme

Module 7 alone is worth the subscription for any organisation handling personal data.

✓Module 7: NZ Privacy Act 2020 and AI — what data must never go near a free AI tool. Plain language. Real consequences.

✓Modules 1 to 6: AI tools, prompting, writing, admin, and research — practical skills staff use every day

✓Modules 9 to 12: copyright, careers, org AI habits, and what automation looks like for your organisation

✓Manager dashboard, completion certificates, and board-ready CSV export

✓From $3,000/year for NFPs and charities. $5,000/year for businesses and councils. One flat fee. No per person charges.

Close the Privacy Act gap for your organisation

Or email Lee directly at lee@purelayer.co.nz to ask about pricing for your organisation.

Share this free module with your team

Email to team Back to home

Staying safe: deepfakes, phishing and AI fraud in NZ workplaces