QR Code Scams Surge in New Zealand as Mobile Threats Rise
Thousands of New Zealand mobile phone users are being warned to take extra care when scanning QR codes, with new cybersecurity data showing that QR code scams are becoming a fast-growing entry point for cyber criminals.
New figures from Eset, one of Europe’s largest cybersecurity companies, show almost 200,000 cyber threats were detected across its New Zealand user base in the year to March 2026. That equates to roughly one threat every three minutes.
While phishing remains the most common form of attack, cyber criminals are increasingly using a wider mix of channels to reach victims. These include emails, documents, PDFs, websites and QR codes. This makes attacks harder for consumers and businesses to identify before they engage.
QR code-based scams, also known as quishing, have only emerged at scale in New Zealand over the past six months. However, they already account for around one in every 10 cyber attacks across Eset’s base of more than 250,000 New Zealand users. Their frequency has more than doubled since March.
Why QR Code Scams Are Becoming a Bigger Threat
Cybersecurity experts say the rise in QR code scams reflects a more sophisticated threat environment. Attackers are testing different methods, identifying which ones work best and scaling them quickly across markets.
The timing is also important. The surge in QR code-related threats coincides with recent changes to low-value imports, often referred to as the “Temu tax”. New border levy changes apply to low-value goods valued at $1,000 or less, creating a new layer of complexity for consumers receiving goods from offshore retailers. More information on these import changes is available from New Zealand Customs.
As more consumers receive unexpected courier fee requests or payment prompts, scammers have a new opportunity to insert fraudulent messages that look credible. This is particularly risky when people are already expecting a parcel or are unsure whether a courier charge is genuine.
Scott Leman, New Zealand country manager for Eset at Chillisoft, says these scams are designed to match normal user behaviour, making them harder to identify.
“We’re now seeing a situation where people are receiving legitimate requests for courier payments they may not have expected, and that creates confusion. Attackers can leverage that uncertainty to insert fraudulent messages that look almost identical.
“When someone thinks a payment might be legitimate, they’re far more likely to click a link or scan a QR code without stopping to verify it.
“This is now being reported across New Zealand, from fake NZ Post payment requests to unsolicited parcels containing QR codes designed to prompt interaction, as well as fraudulent codes placed in public settings such as parking meters or shopfronts offering free Wi-Fi.
“These attacks are effective because they mirror routine actions people trust. When a QR code appears in a familiar context, whether it’s paying for parking or tracking a delivery, people are far less likely to question it, which increases the likelihood of compromise.”
QR Code Scams Move Cyber Threats Onto Mobile Devices
One of the reasons QR code scams are so concerning is that they often shift the attack from a desktop or business email environment onto a mobile device. On a phone, users are more likely to act quickly, less likely to inspect a link carefully and may not have the same security layers in place.
Leman says hackers are no longer relying on one method to breach systems. Instead, they are combining multiple formats to improve their chances of success.
“One of the biggest changes we’re seeing is the shift toward mobile and multi-format attacks, moving away from single-format phishing toward more complex approaches that span email, documents, web and mobile interactions, with QR code scams emerging as a significant new threat.
“Cyber criminals are now combining different formats to get around security controls and reach users more effectively. That might involve an email with a PDF attachment prompting a QR code scan using a mobile device, which then directs users to a fake website.
“Attacks are also increasingly being launched in coordinated waves targeting specific countries, with hackers focusing on one market at a time and sending large volumes of emails, texts or QR code scams in short bursts.
“The inherent risk with this new form of attack is that QR codes are not commonly perceived as a threat, so people tend to scan them without hesitation, often on mobile devices where it is harder to verify links before opening them,” he says.
Lower Attack Volumes May Create False Confidence
The Eset research shows April cyber threat detections were down 25 percent year-on-year. However, Leman says the drop in overall volume should not be mistaken for a reduction in risk.
“A decline in total attack numbers can create complacency, but what we’re actually seeing is a shift in how attacks are delivered and who they are targeting,” he says.
This shift matters because a lower number of attacks does not necessarily mean consumers or businesses are safer. If criminals are becoming more targeted and using formats that are harder to detect, the impact of each attack can still be significant.
QR codes can be particularly difficult for traditional security systems to assess because the malicious link is hidden inside the code itself. That allows the attack to move past some filters and reach the user directly.
Leman says people need to slow down before scanning codes, especially when the request is unexpected.
“People should avoid scanning QR codes from unknown sources, be cautious of unexpected messages, and consider using security tools that can scan and block malicious links before they are opened, and avoid entering sensitive information unless they are certain a website is legitimate,” he says.
How New Zealanders Can Reduce Their Risk From QR Code Scams
Consumers should be cautious of any QR code that arrives through an unexpected text, email, parcel insert or printed sticker in a public place. This is especially important if the code leads to a payment page, login screen or delivery confirmation form.
Where possible, users should go directly to the official website or app of the courier, retailer, bank or service provider rather than following a QR code or link in a message. Businesses should also review how QR codes are used in customer communications, signage, invoices and payment processes.
For organisations, the rise of quishing is a reminder that cybersecurity awareness needs to extend beyond email. Staff should be trained to treat unexpected QR codes with the same caution as suspicious links or attachments. Mobile device protection, secure browsing tools and clear reporting processes are also becoming more important.
The story has already gained national technology and business media attention, including coverage in SecurityBrief and ODT/RNZ, reflecting growing concern about how quickly QR code scams are becoming part of New Zealand’s cyber threat landscape.
Impact PR Supports Cybersecurity, Technology and Risk Communications
Impact PR works with technology, cybersecurity and digital businesses to turn complex technical issues into clear stories that media, customers and stakeholders can understand. As one of the top PR agencies new zealand businesses turn to for specialist communications support, we help brands explain emerging risks in a way that is credible, timely and commercially relevant.
Cybersecurity communication requires more than technical accuracy. It needs strong messaging, clear public education and a sharp understanding of how risk affects households, businesses and policymakers. Impact PR has experience developing media strategies for companies operating in technology, finance, health and other sectors where trust is critical. Our team helps clients identify newsworthy data, build media-ready commentary and position spokespeople as authoritative voices in their fields. For cybersecurity brands, that means turning threat intelligence into stories that raise awareness, support customer education and strengthen market credibility.