AI Is Making Phishing Attacks Much Harder to Spot. Here Is What That Means for Your Practice.
It is 9.15am on a Tuesday. Your practice manager gets an email that looks like it is from your accountant. It references a real invoice, uses the right tone, and asks her to approve a payment to a new account. Nothing about it looks wrong. She approves it. The money is gone by the time anyone realises what happened.
This is not a hypothetical. It is how phishing attacks work now. AI has changed the game completely. Attackers no longer send clumsy mass emails full of spelling mistakes. They use AI to study how people write, pull information from LinkedIn and other sources, and craft messages that are personalised, plausible, and timed well. A study of AI-driven phishing attacks found a 60% increase in volume over a short period - and that number reflects attacks that were caught. The ones that worked are harder to count.
The most dangerous version of this is called spear phishing - attacks aimed at a specific person in your business, not a random sweep. AI makes spear phishing much easier to run at scale. An attacker can research your business, your staff, your clients, and your suppliers, then send a message that references real details. Deepfake audio and video add another layer, making it possible to fake a voice call or video message from someone your staff would trust. Traditional spam filters were not built for this. They score messages on the signals that mass phishing gives away: poor spelling, links to known malicious sites, bulk sending from suspicious infrastructure. A well-written message sent to one person, sometimes from a legitimate mailbox the attacker has already taken over, carries few of those signals and sails through.
When phishing works, the damage goes beyond the immediate financial loss. Client data gets exposed. Operations get disrupted. Under the NZ Privacy Act 2020, a breach involving personal information that is likely to cause serious harm must be reported to the Office of the Privacy Commissioner and to the people affected. For a healthcare practice or legal firm, that is not just embarrassing - it can affect your professional standing and your client relationships in ways that are hard to recover from.
The good news is that most successful phishing attacks rely on a gap somewhere - an email account that is not properly authenticated, a staff member who has not been shown what to look for, or a business that has never had its email security properly configured. Multi-factor authentication stops a large proportion of attacks even when login credentials are stolen; the phishing-resistant kinds (passkeys or hardware security keys) are the strongest, because a text-message code or an app approval can still be captured by a fake login page that relays it to the real one. Email authentication settings - the SPF, DKIM and DMARC records published in your domain's DNS, which let receiving mail servers check that a message claiming to be from your domain really came from your systems - reduce the chance of attackers successfully impersonating your business, provided the DMARC policy is actually set to reject rather than left in monitoring mode. For payment requests in particular, a fixed rule that any new or changed bank account is confirmed by phone on a number you already hold, never by replying to the email, stops the scenario above no matter how convincing the message is. Regular, practical staff training makes a real difference, not a once-a-year checkbox but short, relevant sessions that reflect the kind of messages people actually receive.
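What "properly configured" means for the email authentication records mentioned above is easy to check once you can read the records. The following is an added example, not code from the original page or from ITstuffed: a small offline checker that takes the text of a domain's SPF and DMARC DNS records and reports the settings that leave the domain open to impersonation. The sample records are constructed for illustration (example.com is a placeholder, not a real customer domain); in practice you would paste in the TXT records returned by your DNS provider or a `dig TXT` query.

```python
"""Offline sanity checks for SPF and DMARC records.

Added example. The records below are constructed samples; substitute the
TXT records published for your own domain (and _dmarc.<your domain>).
"""

# Constructed sample records for a placeholder domain (not a real customer).
SAMPLE_RECORDS = {
    "weak_dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "strong_dmarc": "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.com; fo=1",
    "weak_spf": "v=spf1 include:_spf.example.net +all",
    "strong_spf": "v=spf1 include:_spf.example.net ip4:203.0.113.10 -all",
}

# SPF terms that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
LOOKUP_TERMS = {"a", "mx", "include", "exists", "ptr", "redirect"}


def parse_dmarc(record: str) -> dict:
    """Split a DMARC record ('tag=value; tag=value') into a dict of tags."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" not in part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> list:
    """Return a list of weaknesses; an empty list means spoofed mail is rejected."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record (must begin with v=DMARC1)"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none: monitoring only, spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine: spoofed mail goes to spam rather than being rejected")
    elif policy != "reject":
        findings.append("missing or unrecognised policy tag p=")
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 0
    if pct < 100:
        findings.append("pct=%d: policy applied to only %d%% of failing mail" % (pct, pct))
    if "rua" not in tags:
        findings.append("no rua= address: you receive no reports of who is sending as your domain")
    return findings


def _term_name(term: str) -> str:
    """Strip the qualifier and argument from an SPF term: '+include:x' -> 'include'."""
    name = term.lstrip("+-~?").lower()
    for sep in (":", "=", "/"):
        name = name.split(sep)[0]
    return name


def assess_spf(record: str) -> list:
    """Return a list of weaknesses; an empty list means unlisted senders fail SPF."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (must begin with v=spf1)"]
    findings = []
    # Only the first 'all' term matters: evaluation stops at the first match.
    all_terms = [t for t in terms[1:] if _term_name(t) == "all"]
    if not all_terms:
        findings.append("no 'all' term: unlisted senders are neither passed nor failed")
    else:
        qualifier = all_terms[0][0] if all_terms[0][0] in "+-~?" else "+"
        if qualifier == "+":
            findings.append("+all: every sender on the internet passes SPF for this domain")
        elif qualifier == "?":
            findings.append("?all: neutral, unlisted senders are not treated as failing")
        elif qualifier == "~":
            findings.append("~all: softfail only; acceptable with DMARC p=reject, weak alone")
    lookups = sum(1 for t in terms[1:] if _term_name(t) in LOOKUP_TERMS)
    if lookups > 10:
        findings.append("%d DNS lookups: over the limit of 10, receivers treat SPF as an error" % lookups)
    return findings


if __name__ == "__main__":
    for name, record in SAMPLE_RECORDS.items():
        check = assess_dmarc if "dmarc" in name else assess_spf
        print(name, "->", check(record) or ["ok"])
```

Run against the samples, the two "weak" records are flagged (monitoring-only DMARC, and an SPF record that lets anyone pass) while the two "strong" ones come back clean. The DMARC check deliberately treats p=quarantine as a finding: it is a reasonable step while you are rolling DMARC out, but only p=reject actually stops a forged message from reaching an inbox.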
If you have not had your email security reviewed recently, that is the place to start. A good IT support provider will check your authentication settings, your spam filtering, your staff training approach, and whether your team knows what to do when something looks suspicious. If you want to know what that looks like in practice, ITstuffed's approach to cybersecurity for NZ businesses covers the key layers without the technical jargon.
If something does happen, call your bank first if money has been sent - a transfer caught within hours can sometimes be recalled - then report it to CERT NZ and, if funds have been stolen, to NZ Police. Speed matters in those situations.
ITstuffed works with professional services businesses across Canterbury. If you want a quick, no-fuss sense of where your business stands, book a 15-minute IT Fit Check at /booking.
