Accessible News

Top storiesNew ZealandPoliticsBusinessEntertainmentSportsWorld

QR code scams surge across New Zealand as quishing attacks double

Wednesday, 13 May 2026

QR codes are not commonly perceived as a threat, which is why more people are now falling victim to these type of scams.
QR codes are not commonly perceived as a threat, which is why more people are now falling victim to these type of scams.

As online shopping continues to become more convenient, so too are the ways scammers are working to lure their victims.

QR code scams - the newest wave of cyber fraud - are surging across New Zealand, with attacks rising sharply over the past six months, according to European cyber security software firm Eset.

Also known as “quishing”, the scams have scaled up rapidly and now account for one in every 10 cyber attacks detected in the local market.

More than 165,000 cyber threats were detected across Eset’s New Zealand user base in the year to April — the equivalent of roughly one attack every three minutes.

Read more:

Scott Leman, New Zealand country manager for Eset at Chillisoft, said QR code scams were far harder to spot than typical phishing emails, which often contain typos or come from suspicious-looking addresses that gave them away.

He said the scams were made more convincing by the introduction of the new low-value tax — a $2.21 charge on parcels under $1000 — brought in to help fund processing and slow the flood of small packages entering the country.

Leman said the levy — often dubbed the “Temu tax” — was sometimes charged separately from the purchase transaction, depending on the merchant. That inconsistency, he said, was adding to the confusion about which payment requests were legitimate and which were scams.

Some merchants charged the $2.21 as part of the total cost, others did not.

“Scammers are finding QR codes to be effective, so when things start to work, they start to use them more,” Leman told The Post.

Scott Leman, New Zealand country manager for Eset at Chillisoft, says QR code scams now make up a tenth of all cyber attacks in NZ.
Scott Leman, New Zealand country manager for Eset at Chillisoft, says QR code scams now make up a tenth of all cyber attacks in NZ.

“That’s why we've seen big spikes in the last couple of months. In April, the numbers pretty much doubled from March.”

Prior to April 1 when the tax was introduced, QR codes were far less prevalent. In April they accounted for 9.3% of all cyber threats, up from just 4% in March.

He said thousands of packages were arriving in New Zealand each day and people were suddenly being asked to make extra payments, creating an opening for scammers. That shift, he said, had encouraged offenders who were now seeing their fake courier QR codes succeed locally and were “pumping more into the market” as they stole credentials from increasing numbers of people.

QR code scams were typically arriving in the form of an email or text messages that said “You have a payment due for a package that has arrived into New Zealand. Please scan this QR code to make payment,” presented in a way that looked like it was an official communication from NZ post or a DHL, he said.

Experts say the shift has created a new layer of risk, with consumers unfamiliar with post‑purchase courier fees more likely to engage with unexpected messages or payment requests.

Leman said that previously, when people ordered from Temu or AliExpress, parcels simply arrived with no extra charges. Now, almost every package was triggering an email requesting the $2.21 levy, creating an extra layer of communication and payment. That shift meant people were unsure whether they should be paying the fee, or who should be asking for it, increasing the risk they would click on fraudulent messages.

Leman encouraged shoppers to be mindful of the rise in QR code scams and to not to scan codes or click on links from unknown sources.

The scams were also being presented in the form of unsolicited parcels containing QR codes designed to prompt interaction, as well as fraudulent codes placed in public settings at places such as parking meters or shopfronts offering free Wi-Fi, he said.

“The inherent risk with this new form of attack is that QR codes are not commonly perceived as a threat, so people tend to scan them without hesitation, often on mobile devices where it is harder to verify links before opening them.

“Gone are the days where people are clicking on the ‘You've won $10 million from the Nigerian lottery’, those things have lost a lot of effectiveness, but we're seeing QR codes as a vector, scammers are sending more because it's working and people are losing money - or their data or credentials - because they perform so well.'