Kiwi phones have become the front door for QR fraud

New courier fees are blurring the line between real and fake

By Roxanne Libatique

Mobile devices are becoming a more common entry point for cyber fraud in New Zealand, with QR code-based attacks now making up a measurable share of detected threats – a trend that carries implications for how insurers assess digital risk across their commercial books. Figures from cybersecurity company Eset, distributed locally by Chillisoft, put total cyber threat detections across its New Zealand user base at close to 200,000 in the 12 months to March 2026. That works out to roughly one detection every three minutes across a pool of more than 250,000 local users.

What quishing is and why it is spreading

The term “quishing” describes phishing attacks carried out through QR codes rather than conventional links. While the method has existed for some time, Eset’s data indicates it has only reached meaningful volume in New Zealand in the past six months. It now accounts for around one in 10 of the cyberattacks the company detects locally – a share that has more than doubled since March. Scott Leman, New Zealand country manager for Eset at Chillisoft, said the format works in part because it does not register as a threat the way a suspicious email link might. “The inherent risk with this new form of attack is that QR codes are not commonly perceived as a threat, so people tend to scan them without hesitation, often on mobile devices where it is harder to verify links before opening them,” Leman said.

The underlying mechanism also creates problems for security software. A QR code’s destination URL is not visible until the code is scanned, which means filters that screen for known malicious links at the email or network level may not intercept it. For insurers reviewing the cybersecurity controls of commercial policyholders, that gap is worth noting. Quishing is appearing alongside a broader pattern of multi-channel attacks. Rather than relying on one delivery method, threat actors are combining formats – for example, sending an email with a PDF that instructs the recipient to scan a QR code, which then routes them to a fraudulent site. “Cyber criminals are now combining different formats to get around security controls and reach users more effectively. That might involve an email with a PDF attachment prompting a QR code scan using a mobile device, which then directs users to a fake website,” Leman said.

Policy changes creating cover for scammers

The timing of the quishing spike overlaps with a shift in how New Zealanders are interacting with courier and customs charges. A levy introduced in recent weeks applies a $2.54 fee to imported parcels valued below $1,000 – a change that has generated a new category of payment request that many consumers have not encountered before. That unfamiliarity creates an opening. Fraudsters are sending messages that mimic courier payment notifications, and recipients who are already expecting to pay unexpected fees have less reason to question whether a request is genuine.

“We’re now seeing a situation where people are receiving legitimate requests for courier payments they may not have expected, and that creates confusion. Attackers can leverage that uncertainty to insert fraudulent messages that look almost identical,” Leman said. The fraud is not limited to text messages or emails. Physical QR codes have been found on parking meters and at retail shopfronts, and some recipients have reported receiving unsolicited parcels containing QR codes intended to prompt a scan. Fake NZ Post payment pages are among the sites being used to harvest credentials and payment details. The range of environments in which these attacks occur – online, in public, and through physical mail – points to exposure across multiple lines, including cyber liability, crime, and potentially property if business operations are disrupted.

Lower headline numbers, different risk profile

April 2026 detection numbers were down 25% compared with the same month a year earlier. Leman said that figure does not reflect a reduction in the underlying threat. “A decline in total attack numbers can create complacency, but what we’re actually seeing is a shift in how attacks are delivered and who they are targeting,” he said. Government data supports that reading. The National Cyber Security Centre (NCSC) published research in April 2026, conducted by The Research Agency (TRA) across a nationally representative sample of 1,011 adults in November 2025, which found that the share of New Zealanders who suffered harm after an online threat dropped from 36% in 2024 to 27% in 2025. Harm was defined to include financial loss, lost productivity, and stress.

Two-factor authentication use on primary accounts climbed from 38% to 43% over the period, and password manager adoption also increased. However, the NCSC survey found that 48% of adult New Zealanders still encountered an online threat in the six months prior – a figure that has barely moved since 2024. Reporting remains low. Only 56% of those who experienced a threat said they reported it, dropping to 47% among those aged 55 and over. The NCSC identified apathy as the main factor. Among those who experienced a harmful outcome, one in five suffered a direct financial loss. That financial loss rate is relevant to claims modelling. If nearly half the population is encountering threats annually and one in five affected individuals loses money, the pool of potential cyber-related claims – across personal and commercial lines – remains substantial regardless of whether headline detection volumes are rising or falling.

What this means for underwriters and claims teams

The shift toward mobile-delivered, multi-format attacks creates challenges that go beyond user awareness. Businesses whose staff regularly scan QR codes – in warehousing, retail, food service, or facilities management – face a category of risk that may not be adequately addressed by email-focused security training or filtering tools. Insurers writing cyber liability, crime, or professional indemnity cover for such businesses may need to consider whether existing risk assessments capture mobile device usage and QR code exposure. Standard controls questionnaires that focus on email security and patching cycles may not surface the relevant gaps.

Leman said individuals and organisations should treat QR codes from unverified sources with the same caution as unknown links, avoid entering payment or login details after scanning unless the destination has been independently confirmed, and use security tools that can assess a link’s destination before it loads. The NCSC directs New Zealanders to its Own Your Online platform for guidance on protective steps and asks that threats be reported through its website to help build a clearer picture of the local threat environment.
