
QR code fraud surges in New Zealand as quishing threats double in two months
Cybersecurity threats in New Zealand are undergoing a significant transformation as fraudulent QR codes, a method known as 'quishing', now account for approximately 1 in 10 cyber threats detected across the country. This surge represents a rapid escalation in digital risk, with the proportion of QR code-related scams more than doubling in a matter of weeks. In March 2026, these attacks made up 4% of threats; by April 2026, that figure had climbed to 9.3%. This trend highlights a shift toward more targeted, image-based deception that exploits the ubiquity of mobile devices and the inherent trust consumers place in quick-response technology.

Data from the year leading up to March 2026 reveals the scale of the digital landscape being navigated by New Zealanders. During this period, 200,000 cyber threats were detected across the local user base of cybersecurity firm Eset, which is distributed locally by Chillisoft. This volume equates to an average of one threat every three minutes. While the total number of detections in April 2026 was actually down 25% compared to the previous year, the sharp rise in quishing suggests that attackers are moving away from high-volume, generic campaigns in favour of more sophisticated and successful methodologies.

Exploiting the New Import Charge
A primary driver for the recent spike in quishing is the introduction of a new NZ$2.54 charge on imported parcels valued under NZ$1,000. This fee, colloquially referred to as the 'Temu tax', came into effect in March 2026 and has provided a plausible pretext for fraudulent activity. Scammers are leveraging consumer confusion surrounding this new regulation by sending fake payment requests that appear to originate from legitimate organisations such as NZ Post.

These attacks often involve unsolicited parcels delivered to households containing a QR code that the recipient is prompted to scan to pay the outstanding NZ$2.54 charge. Once scanned, the code directs the user to a sophisticated fake payment page designed to harvest credit card details and personal information. The timing of these scams, coinciding with the implementation of the new tax, demonstrates how quickly cybercriminals adapt their tactics to exploit changes in the regulatory and economic environment.

The Mechanics of Quishing
The danger of quishing lies in its ability to bypass traditional security measures that typically protect users from malicious links. Because the malicious URL is embedded within an image—the QR code itself—it is often invisible to standard email and network security filters. These filters are designed to scan text-based links, but they frequently fail to analyse the contents of an image until it is scanned by a user. This allows quishing attempts to reach inboxes and physical mailboxes that would otherwise be protected.
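
The blind spot described above, as an added illustration that is not from Eset, Chillisoft or the original article: a text-only link filter finds nothing to scan in a constructed quishing email, so a triage step routes lure-worded messages carrying images to QR decoding instead of passing them. The lure word list, the action names and the sample message are assumptions made for this sketch.

```python
import re
from email.message import EmailMessage

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
# Assumed lure vocabulary, taken from the parcel-charge pretext in the article.
LURE_RE = re.compile(r"\b(scan|qr code|parcel|charge|payment|pay)\b", re.IGNORECASE)

def text_parts(msg):
    """Decoded bodies of every text/* part in the message."""
    return [p.get_content() for p in msg.walk()
            if p.get_content_maintype() == "text"]

def text_links(msg):
    """What a text-only link filter sees: URLs written out in text parts."""
    return [u for body in text_parts(msg) for u in URL_RE.findall(body)]

def image_parts(msg):
    """Image parts, which a text-only filter never looks inside."""
    return [p for p in msg.walk() if p.get_content_maintype() == "image"]

def triage(msg):
    """Return the list of analysis steps this message should be routed to."""
    actions = []
    if text_links(msg):
        actions.append("scan-links")
    # An image plus payment/scan wording means the real link may be in the
    # image, so it must be decoded and checked like any other URL.
    if image_parts(msg) and LURE_RE.search(" ".join(text_parts(msg))):
        actions.append("decode-images")
    return actions

def build_sample():
    """Constructed sample: lure text, no URL in the body, one image attached."""
    msg = EmailMessage()
    msg["Subject"] = "Parcel held: NZ$2.54 import charge outstanding"
    msg.set_content("Scan the QR code below to pay the charge and release your parcel.")
    # Placeholder bytes standing in for a QR code PNG (not a real image).
    msg.add_attachment(b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
                       maintype="image", subtype="png", filename="pay.png")
    return msg

if __name__ == "__main__":
    sample = build_sample()
    print("text links:", text_links(sample))
    print("image parts:", len(image_parts(sample)))
    print("route to:", triage(sample))
```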

Furthermore, the shift toward mobile device usage has created a vulnerability that attackers are eager to exploit. On a desktop computer, users can often hover over a link to verify its destination before clicking. On a mobile device, verifying the destination of a QR code is significantly more difficult, and many users scan these codes without hesitation. This behaviour is being targeted through various formats, including: