Business Scams — If You Run a Business or Work in One — AI Scams — How to Protect Yourself and Your Family

If you run a small business, work in accounts, or handle payments for anyone, this lesson is directly relevant to you.

Business scams have always existed, but AI has made them significantly more dangerous. The messages are now grammatically perfect. The voices can sound like your actual boss. The fake invoices look identical to the real ones. And New Zealand's small-to-medium businesses are actively being targeted.

Business Email Compromise

Business Email Compromise — often shortened to BEC — is when a scammer impersonates someone inside or connected to your business in order to redirect money.

The most common version looks like this: someone in accounts receives an email that appears to come from the CEO, a director, or a senior manager. The email requests an urgent payment — to a new supplier, a different bank account, or to settle a deal that is time-sensitive. The tone is authoritative. The email looks legitimate. The payment is made.

The money goes to the scammer.

AI makes these emails convincing because it can generate professional, context-aware writing instantly. Scammers also research their targets first — finding out the names of real executives, suppliers, and staff from LinkedIn and company websites — so the emails feel specific and credible.

Red flags:

An urgent payment request from a senior person, especially just before a weekend or holiday
A request to keep the transaction confidential until it is complete
Bank account details that differ from previous payments to the same supplier
An email address that is close to the real one but slightly different (e.g. one letter swapped or a domain like "company-nz.com" instead of "company.co.nz")
A follow-up phone call that sounds like your boss confirming the instruction

Fake invoice scams

A related scam targets businesses with fake invoices. A supplier you already deal with appears to send an updated invoice — often with new bank account details — asking you to redirect future payments. The email arrives from what looks like the supplier's address, written in natural English, with the right logo and formatting.

In reality, the supplier's email has been compromised, or the scammer has set up a convincing lookalike address. The payments go to the scammer's account. By the time the real supplier chases the overdue invoice, the money is gone.

Deepfake CEO and CFO fraud

This is the more sophisticated version of BEC. Instead of — or in addition to — a spoofed email, the scammer uses voice cloning or deepfake video to impersonate a senior executive directly.

A finance manager receives a voice message that sounds exactly like the CEO, instructing them to process an urgent transfer. Or a video call is arranged in which a convincing deepfake version of the CFO walks through the payment details.

This has happened to companies around the world, including in the Asia-Pacific region. NZ businesses are not immune.

Why small NZ businesses are targeted

Smaller businesses typically have less formal financial controls than large corporates. There may be no two-person approval requirement for payments. Staff know and trust each other, which makes an urgent personal request from the boss feel entirely normal. There is less dedicated IT security. And the amounts involved — tens of thousands of dollars — are significant enough to be worth targeting but small enough to fly under the radar.

None of this is a criticism. It is simply the reality of how small businesses operate. The good news is that the protections are straightforward.

Practical steps to protect your business

Establish a verbal verification rule. Any payment request above a set threshold — decide what is right for your business — requires a phone call to a known number to confirm. Not a reply to the email. A separate call.
Never change bank account details based on email alone. Call the supplier directly on a number you already have, not one provided in the email.
Implement two-person approval for large transfers. Two sets of eyes make it far harder for a scammer to succeed.
Train your team. Anyone who handles payments should know what BEC looks like. Run a quick team briefing using this lesson as a starting point.
Check email addresses carefully. Look at the actual sending address, not just the display name.
Slow down on urgent requests. A real CEO understands that financial controls exist. If the request cannot wait ten minutes for a verification call, that is itself a red flag.

If your business has been targeted or affected by BEC or a fake invoice scam, report it to CERT NZ at cert.govt.nz. They can provide advice and track patterns across NZ businesses.