Quishing (short for “QR phishing”) is a newer type of scam that’s becoming part of everyday life in ways most people don’t expect. Instead of asking you to click a dodgy link, scammers get you to scan a QR code that quietly takes your phone to a fake website designed to steal your details. Because QR codes hide the actual web address until after you’ve scanned them, it’s much harder to tell where you’re really going until it’s almost too late.
The worrying part is how quickly this is taking off in NZ. Recent findings from cybersecurity company ESET show that QR code scams now make up around one in every ten cyber threats detected in NZ, and the numbers have more than doubled in a short time. These scams have only really started appearing at scale over the past six months, but they’re spreading fast as attackers shift their focus to mobile phones and everyday habits. Instead of sticking to email, scams are now popping up in messages, PDFs, and QR codes you might see in the real world, making them much harder to spot.
What makes quishing so effective is how normal it feels. In NZ, examples already include fake NZ Post payment requests, QR codes in unexpected parcels, and even fraudulent stickers placed on parking meters or public Wi‑Fi signs. These scams work because they mimic everyday tasks, like paying for parking or tracking a delivery, so people don’t think twice before scanning. As QR codes become more common, this trend is likely to keep growing unless people become more aware of the risks.
The good news is that avoiding quishing doesn’t require technical knowledge, just a bit of caution. Be wary of scanning QR codes you weren’t expecting, especially if they ask you to make a payment or enter personal details. Pause for a second after scanning and check the web address before proceeding; if it looks unusual, don’t continue. Avoid scanning codes on random posters, stickers, or parcels, and go directly to official websites or apps when you can. Most importantly, trust your instincts; if something feels rushed or out of place, it’s better to stop and double-check than to risk handing over your information.
