The festive shopping season is in full swing. This period tends to see more spam as threat actors attempt to phish credentials and credit card details. You might receive a message about a delayed package that requires you to pay a customs charge to ensure its safe delivery. Or an email from your bank alerting you to suspicious activity that asks you to log into their online portal. These common phishing scenarios are known the world over. However, we also see phishing campaigns that differ significantly based on the targeted region, language and culture. In this article, we highlight a curious Chinese-language phishing campaign that abuses QR codes to steal credit card details and other sensitive information.