The Weekly
Brief

Google's June 2026 frauds and scams advisory flags a sharp move toward attacks that defeat the protections people assume keep them safe. Top of the list is "quishing" — phishing hidden inside a QR code — often paired with adversary-in-the-middle pages that capture not just your password but your login session, side-stepping multi-factor authentication entirely.

The advisory also calls out "ClickFix" lures (fake browser-update or "verify you're human" prompts that trick you into running malware yourself), calendar-invite phishing that drops fake renewal notices straight into your diary, and malicious pages hidden inside cloud documents. Google puts global fraud losses near US$580 billion for 2025, with roughly one in five adults caught by a scam.

Microsoft has moved Copilot Cowork to general availability in Microsoft 365. Unlike the usual ask-a-question Copilot, Cowork is built for long-running, multi-step jobs — building a presentation, pulling data into a spreadsheet, or working through a task across several apps — that unfold over time rather than in a single reply.

Notably, Cowork runs on Anthropic's Claude models (Opus 4.8 and Sonnet 4.6), and Claude is now selectable inside Copilot Chat too — the first time Microsoft has shipped a non-OpenAI model as a core Copilot engine. The flip side is cost and governance: billing for Cowork began in June 2026, so this is a feature to switch on deliberately, not by accident.

New Zealand's Anti-Scam Alliance has rolled out a fresh wave of cross-sector measures. The banks' Confirmation of Payee name-check is being extended to fintechs and non-bank providers, a new NZ Online Scams Code backed by Google, Meta and TikTok takes aim at fraudulent content, and an updated telco code aims to block scam calls and texts before they reach you.

The push is already showing results: a cross-sector pilot involving major banks, telcos and Trade Me blocked more than 23,000 malicious domains over six months, heading off an estimated NZ$23.8 million in fraud losses. Changes to the Fair Trading Act will also let online platforms pull suspected scam content down faster.

A new information privacy principle — IPP 3A — is now in force under the Privacy Act, having taken effect on 1 May 2026. It targets a gap many businesses overlook: when you collect personal information about someone indirectly (from a third party rather than the person themselves), you generally now have to take reasonable steps to tell that individual you've done so — and why.

In practice that means auditing where your customer and prospect data actually comes from (marketing lists, referral partners, data brokers, service providers), updating privacy statements to mention indirect collection, and tightening contracts with the parties who feed you data. The Privacy Commissioner has said the change keeps NZ "in line with other countries like Australia," the UK and Europe, and is taking a risk-based approach to enforcement.