{"id":13012,"date":"2026-05-14T10:00:00","date_gmt":"2026-05-13T22:00:00","guid":{"rendered":"https:\/\/cvnznews.com\/?p=13012"},"modified":"2026-05-13T17:36:06","modified_gmt":"2026-05-13T05:36:06","slug":"qr-code-scams-now-one-in-10-threats-in-new-zealand","status":"publish","type":"post","link":"https:\/\/cvnznews.com\/?p=13012","title":{"rendered":"QR code scams now one in 10 threats in New Zealand"},"content":{"rendered":"\n<p>By Sarah McMillan\/cvnznews.com<\/p>\n\n\n\n<p>Kiwis who use mobile phones should be careful when scanning QR codes. Scammers are increasingly targeting phones through these codes.<\/p>\n\n\n\n<p>Cybersecurity firm Eset reported that its New Zealand customers experienced about 200,000 cyber attacks in the year ending March 2026, which averages to one attack every three minutes.<\/p>\n\n\n\n<p>Phishing is still the biggest threat, but attacks are now happening in more ways than just email. They can come through documents, PDFs, and QR codes too, which makes them trickier to spot.<\/p>\n\n\n\n<p>QR code-based scams, known as \u2018quishing\u2019, have only emerged at scale locally in the past six months but already account for about one in every 10 cyber attacks over the company\u2019s base of over 250,000 New Zealand users &#8211; more than doubling in frequency since March.<\/p>\n\n\n\n<p>Cybersecurity experts say the trend reflects a more sophisticated threat landscape, with attackers testing different approaches and scaling those that are most effective, and that the data is indicative of wider cyberattack patterns occurring across New Zealand.<\/p>\n\n\n\n<p>Reported examples in New Zealand include fake NZ Post payment requests, unsolicited parcels containing QR codes, fraudulent parking meter codes and fake public Wi-Fi prompts. In each case, the scam relies on the user treating the interaction as routine.<\/p>\n\n\n\n<p>The surge also coincides with changes to low-value imports, often referred to as the \u201cTemu tax\u201d, which came into effect in recent weeks. The levy applies a $2.54 charge on parcels valued under $1,000 and could lead to more consumers being contacted about additional courier charges once goods arrive in New Zealand.<\/p>\n\n\n\n<p>Experts say the shift is creating a new layer of risk, as consumers who are not used to dealing with post-purchase courier fees may be more likely to engage with unexpected messages or payment requests.<\/p>\n\n\n\n<p>Scott Leman, New Zealand country manager for Eset at Chillisoft, says these scams are engineered to align with normal user behaviour, making them far more difficult to detect and increasing the likelihood of compromise.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img fetchpriority=\"high\" decoding=\"async\" width=\"881\" height=\"585\" src=\"https:\/\/cvnznews.com\/wp-content\/uploads\/2026\/05\/z2j50sDsZRJ0xEmE.jpg\" alt=\"\" class=\"wp-image-13014\" srcset=\"https:\/\/cvnznews.com\/wp-content\/uploads\/2026\/05\/z2j50sDsZRJ0xEmE.jpg 881w, https:\/\/cvnznews.com\/wp-content\/uploads\/2026\/05\/z2j50sDsZRJ0xEmE-300x199.jpg 300w, https:\/\/cvnznews.com\/wp-content\/uploads\/2026\/05\/z2j50sDsZRJ0xEmE-768x510.jpg 768w, https:\/\/cvnznews.com\/wp-content\/uploads\/2026\/05\/z2j50sDsZRJ0xEmE-150x100.jpg 150w, https:\/\/cvnznews.com\/wp-content\/uploads\/2026\/05\/z2j50sDsZRJ0xEmE-450x299.jpg 450w\" sizes=\"(max-width: 881px) 100vw, 881px\" \/><figcaption class=\"wp-element-caption\"><em>Scott Leman (Photo\/Supplied)<\/em><\/figcaption><\/figure>\n\n\n\n<p>He says the timing is significant, with scammers quick to exploit changes in consumer behaviour.<\/p>\n\n\n\n<p>\u201cWe\u2019re now seeing a situation where people are receiving legitimate requests for courier payments they may not have expected, and that creates confusion. Attackers can leverage that uncertainty to insert fraudulent messages that look almost identical.<\/p>\n\n\n\n<p>\u201cWhen someone thinks a payment might be legitimate, they\u2019re far more likely to click a link or scan a QR code without stopping to verify it.<\/p>\n\n\n\n<p>\u201cThis is now being reported across New Zealand, from fake NZ Post payment requests to unsolicited parcels containing QR codes designed to prompt interaction, as well as fraudulent codes placed in public settings such as parking meters or shopfronts offering free Wi-Fi.<\/p>\n\n\n\n<p>\u201cThese attacks are effective because they mirror routine actions people trust. When a QR code appears in a familiar context, whether it\u2019s paying for parking or tracking a delivery, people are far less likely to question it, which increases the likelihood of compromise.\u201d<\/p>\n\n\n\n<p>Leman says hackers are no longer relying on a single method to breach systems, instead combining multiple approaches to improve their chances of success.<\/p>\n\n\n\n<p>\u201cOne of the biggest changes we\u2019re seeing is the shift toward mobile and multi-format attacks, moving away from single-format phishing toward more complex approaches that span email, documents, web and mobile interactions, with QR code scams emerging as a significant new threat.<\/p>\n\n\n\n<p>\u201cCyber criminals are now combining different formats to get around security controls and reach users more effectively. That might involve an email with a PDF attachment prompting a QR code scan using a mobile device, which then directs users to a fake website.<\/p>\n\n\n\n<p>\u201cAttacks are also increasingly being launched in coordinated waves targeting specific countries, with hackers focusing on one market at a time and sending large volumes of emails, texts or QR code scams in short bursts.<\/p>\n\n\n\n<p>\u201cThe inherent risk with this new form of attack is that QR codes are not commonly perceived as a threat, so people tend to scan them without hesitation, often on mobile devices where it is harder to verify links before opening them,\u201d he says.<\/p>\n\n\n\n<p>The research shows April detections were down 25 percent year-on-year, but Leman says the decline risks creating a false sense of security and masks a shift in how cyber criminals are operating.<\/p>\n\n\n\n<p>\u201cA decline in total attack numbers can create complacency, but what we\u2019re actually seeing is a shift in how attacks are delivered and who they are targeting,\u201d he says.<\/p>\n\n\n\n<p>Leman says because the malicious link is embedded within the QR code, it can bypass traditional security filters.<\/p>\n\n\n\n<p>\u201cPeople should avoid scanning QR codes from unknown sources, be cautious of unexpected messages, and consider using security tools that can scan and block malicious links before they are opened, and avoid entering sensitive information unless they are certain a website is legitimate,\u201d he says.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>By Sarah McMillan\/cvnznews.com Kiwis who use mobile phones should be careful when scanning QR codes. Scammers are increasingly targeting phones through these codes. Cybersecurity firm Eset reported that its New Zealand customers experienced about 200,000 cyber attacks in the year ending March 2026, which averages to one attack every three minutes. Phishing is still the<\/p>\n","protected":false},"author":1,"featured_media":13013,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2},"jetpack_post_was_ever_published":false},"categories":[41],"tags":[113,1156,1157],"coauthors":[380],"class_list":{"0":"post-13012","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-new-zealand","8":"tag-new-zealand","9":"tag-qr-codes","10":"tag-scams"},"jetpack_publicize_connections":[],"jetpack_featured_media_url":"https:\/\/cvnznews.com\/wp-content\/uploads\/2026\/05\/QR-Code-Scam.webp","jetpack_sharing_enabled":true,"jetpack-related-posts":[],"_links":{"self":[{"href":"https:\/\/cvnznews.com\/index.php?rest_route=\/wp\/v2\/posts\/13012","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cvnznews.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cvnznews.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cvnznews.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/cvnznews.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=13012"}],"version-history":[{"count":1,"href":"https:\/\/cvnznews.com\/index.php?rest_route=\/wp\/v2\/posts\/13012\/revisions"}],"predecessor-version":[{"id":13015,"href":"https:\/\/cvnznews.com\/index.php?rest_route=\/wp\/v2\/posts\/13012\/revisions\/13015"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cvnznews.com\/index.php?rest_route=\/wp\/v2\/media\/13013"}],"wp:attachment":[{"href":"https:\/\/cvnznews.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=13012"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cvnznews.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=13012"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cvnznews.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=13012"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/cvnznews.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcoauthors&post=13012"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}