More than half of New Zealand businesses fell victim to identity fraud over the past year, with each affected organisation losing an average of $2.2 million annually, according to survey data released by Christchurch-based document workflow company Lumin, cited by Security Brief. The findings carry direct relevance for insurers pricing cyber, crime, and professional indemnity risks in the New Zealand market.
Lumin commissioned research firm Sapio Research to survey 1,000 business decision-makers across New Zealand, Australia, and the US in December 2025. The results, published in May 2026 under the title “Digital Identity in Business,” showed that 55% of New Zealand organisations reported at least one identity fraud incident in the preceding 12 months. Nine in 10 respondents said they considered their own document signing and verification processes to be vulnerable to AI-driven fraud – a figure that points to a gap between perceived security and actual exposure across agreement workflows.
When those workflows are breached, the consequences extend beyond the immediate financial loss to include the potential leakage of financial records, corporate data, and personal information. The commercial fallout from fraud events is not limited to the organisation directly affected. Close to 70% of New Zealand businesses said they would reconsider working with a partner that had recently experienced an identity fraud incident. That dynamic introduces a secondary layer of risk: a single breach event can reduce a policyholder’s ability to retain clients or win new business, compounding the insured loss.
Lumin attributed much of the escalation in fraud severity to increasingly convincing impersonation attempts and fake communications. The company said businesses can no longer limit their verification practices to confirming the presence of a signature – they must also establish the identity of the person behind it. The survey found that 90% of New Zealand organisations considered their document signing and verification processes vulnerable to AI-driven fraud, suggesting the threat is already being felt at the operational level across a broad cross-section of businesses.
Max Ferguson, chief executive officer and founder of Lumin, said the scale of the problem is one he encounters in his own organisation. “I see the reality of this threat every day, with scammers impersonating me to my staff and targeting our accounts team with fake invoices. AI has sharpened these fraud tactics to the point where they directly threaten the trust that keeps our business ecosystem interconnected and operating smoothly,” Ferguson said, as reported by Security Brief. He said the response to this threat needs to extend well beyond technology teams. “Preventing identity fraud is no longer just an IT responsibility. Businesses need to acknowledge that it can strike any department and must be addressed at the boardroom level. Industries have to move beyond simply capturing a signature and shift toward verifying the person signing. By evolving how we secure identities now, we can protect our reputation and our future,” he said.
New Zealand organisations are planning to direct more funds toward identity verification, but the rate of planned investment falls short of what peers in comparable markets intend to spend. The Lumin survey found 67% of New Zealand businesses expected to increase investment in identity verification technology and processes over the next two years. That compares with 82% in Australia and 78% in the US – a gap that may leave domestic organisations more exposed during a period when fraud methods are becoming harder to detect. On the policy side, 85% of New Zealand firms surveyed expressed support for a government-issued digital identity framework, with streamlined verification cited as the main reason. The absence of such infrastructure has been a recurring point of discussion in New Zealand’s broader digital economy debate.
Data from the National Cyber Security Centre (NCSC) adds weight to the picture painted by the Lumin survey. In its Q3 2025 report, the NCSC recorded $12.4 million in direct financial losses – a 118% rise from the $5.7 million recorded in Q2 2025. The increase was driven by a small number of large-value incidents involving fraudulent fund transfers. Mike Jagusch, the NCSC’s chief operating officer, identified business email compromise as a recurring mechanism behind those losses. Scams and fraud accounted for the highest number of reported incidents during the quarter at 446, followed by phishing and credential harvesting at 355. The NCSC also noted a 50% increase in scams involving employment and business opportunities and flagged the growing complexity of malware tools available to criminals with limited technical knowledge.
At the global level, a December 2025 report from Marsh found that 66% of organisations across 20 countries planned to increase cybersecurity spending in 2026, with more than a quarter intending to raise budgets by 25% or more. The report, which drew on responses from more than 2,200 cyber risk leaders, also found that 70% of organisations had experienced at least one material third-party cyber incident in the past year – reinforcing the supply chain risk dimension visible in Lumin’s domestic findings. Ransomware and privacy breaches were ranked as the top cyber concern by 29% of global respondents.
Taken together, the data from Lumin, the NCSC, and Marsh describes a risk environment in New Zealand where identity fraud losses are measurable, AI is lowering the barrier to sophisticated attacks, domestic investment lags peer markets, and third-party exposure is widespread. Those conditions are relevant to underwriting decisions across multiple commercial lines, as well as to the risk management guidance provided to policyholders operating in sectors where contract execution and document verification are central to daily operations.
