Thousands of Kiwi mobile phone users are being warned to be vigilant when scanning QR codes as mobile devices rapidly emerge as a new entry point for scams.
New data from Eset, one of Europe’s largest cybersecurity companies, shows almost 200,000 cyber threats were detected across its New Zealand user base in the year to March 2026, or roughly one every three minutes.
Phishing remains the most common threat, but attacks are increasingly being delivered across multiple formats, including emails, documents, PDFs and QR codes, making them harder to detect.
QR code-based scams, known as ‘quishing’, have only emerged at scale locally in the past six months but already account for about one in every 10 cyber attacks over the company’s base of over 250,000 New Zealand users – more than doubling in frequency since March.
Cybersecurity experts say the trend reflects a more sophisticated threat landscape, with attackers testing different approaches and scaling those that are most effective, and that the data is indicative of wider cyberattack patterns occurring across New Zealand.
The surge also coincides with changes to low-value imports, often referred to as the “Temu tax”, which came into effect in recent weeks. The levy applies a $2.54 charge on parcels valued under $1,000 and could lead to more consumers being contacted about additional courier charges once goods arrive in New Zealand.
Experts say the shift is creating a new layer of risk, as consumers who are not used to dealing with post-purchase courier fees may be more likely to engage with unexpected messages or payment requests.
Scott Leman, New Zealand country manager for Eset at Chillisoft, says these scams are engineered to align with normal user behaviour, making them far more difficult to detect and increasing the likelihood of compromise.
He says the timing is significant, with scammers quick to exploit changes in consumer behaviour.
“We’re now seeing a situation where people are receiving legitimate requests for courier payments they may not have expected, and that creates confusion. Attackers can leverage that uncertainty to insert fraudulent messages that look almost identical.
“When someone thinks a payment might be legitimate, they’re far more likely to click a link or scan a QR code without stopping to verify it.
“This is now being reported across New Zealand, from fake NZ Post payment requests to unsolicited parcels containing QR codes designed to prompt interaction, as well as fraudulent codes placed in public settings such as parking meters or shopfronts offering free Wi-Fi.
“These attacks are effective because they mirror routine actions people trust. When a QR code appears in a familiar context, whether it’s paying for parking or tracking a delivery, people are far less likely to question it, which increases the likelihood of compromise.”
Leman says hackers are no longer relying on a single method to breach systems, instead combining multiple approaches to improve their chances of success.
“One of the biggest changes we’re seeing is the shift toward mobile and multi-format attacks, moving away from single-format phishing toward more complex approaches that span email, documents, web and mobile interactions, with QR code scams emerging as a significant new threat.
“Cyber criminals are now combining different formats to get around security controls and reach users more effectively. That might involve an email with a PDF attachment prompting a QR code scan using a mobile device, which then directs users to a fake website.
“Attacks are also increasingly being launched in coordinated waves targeting specific countries, with hackers focusing on one market at a time and sending large volumes of emails, texts or QR code scams in short bursts.
“The inherent risk with this new form of attack is that QR codes are not commonly perceived as a threat, so people tend to scan them without hesitation, often on mobile devices where it is harder to verify links before opening them,” he says.
The research shows April detections were down 25 percent year-on-year, but Leman says the decline risks creating a false sense of security and masks a shift in how cyber criminals are operating.
“A decline in total attack numbers can create complacency, but what we’re actually seeing is a shift in how attacks are delivered and who they are targeting,” he says.
Leman says because the malicious link is embedded within the QR code, it can bypass traditional security filters.
“People should avoid scanning QR codes from unknown sources, be cautious of unexpected messages, and consider using security tools that can scan and block malicious links before they are opened, and avoid entering sensitive information unless they are certain a website is legitimate,” he says.
Notes:
1. Data is based on threats detected across Eset’s New Zealand base of over 250,000 users for the 12 months to April 2026. As this reflects activity within Eset-protected systems only, it should be treated as indicative of broader trends rather than a measure of total cyber attacks across New Zealand.