QR code scams now one in 10 threats in New Zealand

Eset has warned that QR code scams now account for about one in 10 cyber threats detected across its New Zealand user base, with their share more than doubling since March.

The cybersecurity group detected almost 200,000 cyber threats across its New Zealand users in the year to March 2026, equal to roughly one every three minutes. Phishing remained the most common threat, but attacks are increasingly being delivered through emails, documents, PDFs and QR codes.

The figures suggest a shift toward attacks aimed at mobile phones, where people are more likely to scan a code or open a prompt without checking where it leads. QR code scams, often referred to as quishing, have emerged locally at scale over the past six months.

A change in import charges is also creating fresh opportunities for scammers. The levy on parcels valued under $1,000, widely referred to as the "Temu tax", adds a $2.54 charge and may lead to more consumers receiving requests for courier payments after goods arrive in New Zealand.

That matters because many shoppers are unfamiliar with post-purchase courier fees. Security specialists say the uncertainty can make fraudulent payment requests look plausible, especially when they imitate delivery messages from known brands or use QR codes in everyday settings.

Reported examples in New Zealand include fake NZ Post payment requests, unsolicited parcels containing QR codes, fraudulent parking meter codes and fake public Wi-Fi prompts. In each case, the scam relies on the user treating the interaction as routine.

Scott Leman, New Zealand country manager for Eset at Chillisoft, said the changing pattern showed attackers were adapting quickly to normal consumer behaviour.

"We're now seeing a situation where people are receiving legitimate requests for courier payments they may not have expected, and that creates confusion. Attackers can leverage that uncertainty to insert fraudulent messages that look almost identical.

"When someone thinks a payment might be legitimate, they're far more likely to click a link or scan a QR code without stopping to verify it.

"This is now being reported across New Zealand, from fake NZ Post payment requests to unsolicited parcels containing QR codes designed to prompt interaction, as well as fraudulent codes placed in public settings such as parking meters or shopfronts offering free Wi-Fi.

"These attacks are effective because they mirror routine actions people trust. When a QR code appears in a familiar context, whether it's paying for parking or tracking a delivery, people are far less likely to question it, which increases the likelihood of compromise," Leman said.

Changing tactics

Leman said attackers were no longer relying on a single route to trick users. Instead, they were combining formats so one action on a computer could push a user toward a second action on a mobile phone, making the attack chain harder to detect.

"One of the biggest changes we're seeing is the shift toward mobile and multi-format attacks, moving away from single-format phishing toward more complex approaches that span email, documents, web and mobile interactions, with QR code scams emerging as a significant new threat.

"Cyber criminals are now combining different formats to get around security controls and reach users more effectively. That might involve an email with a PDF attachment prompting a QR code scan on a mobile device, which then directs users to a fake website.

"Attacks are also increasingly being launched in coordinated waves targeting specific countries, with hackers focusing on one market at a time and sending large volumes of emails, texts or QR code scams in short bursts.

"The inherent risk with this new form of attack is that QR codes are not commonly perceived as a threat, so people tend to scan them without hesitation, often on mobile devices where it is harder to verify links before opening them," he said.

Eset's research also showed April detections were down 25 per cent from a year earlier. Leman said that decline should not be read as a sign the threat has eased, because the composition of attacks is changing even when total volume falls.

In practice, that means fewer detections overall can still coincide with more targeted or more convincing scams. A malicious link hidden inside a QR code may also bypass some traditional filters because the destination is not visible in plain text until after the code is scanned.

"A decline in total attack numbers can create complacency, but what we're actually seeing is a shift in how attacks are delivered and who they are targeting," Leman said.

He urged users to be cautious with codes from unknown sources and with unexpected payment requests on mobile devices.

"People should avoid scanning QR codes from unknown sources, be cautious of unexpected messages, consider using security tools that can scan and block malicious links before they are opened, and avoid entering sensitive information unless they are certain a website is legitimate," Leman said.