QR Code Scams in Singapore: How to Stay Safe in 2026
QR codes are everywhere in Singapore — from hawker centre payment terminals and SimplyGo posters to condo notices and HDB lift announcements. They're fast, contactless and convenient. Unfortunately, that same convenience has made QR code scams in Singapore one of the fastest-growing cyber threats tracked by the Singapore Police Force (SPF) and the Cyber Security Agency of Singapore (CSA).
In recent years, victims have lost tens of millions of dollars to a tactic known as quishing (QR code phishing). This guide breaks down how these scams work in the local context, the most common variations targeting Singapore residents, and exactly what you can do to stay safe.
What Are QR Code Scams (Quishing)?
QR code scams, also called quishing, are phishing attacks that use a QR code as the delivery mechanism instead of a clickable link. When you scan the code, your phone is redirected to a malicious website — usually a fake login page, a fraudulent payment portal, or a site that silently downloads malware.
Scammers favour QR codes because:
- Humans cannot read a QR code with the naked eye, so the destination URL is hidden until you scan.
- Email and SMS filters that scan for malicious links often miss QR codes embedded in images.
- Mobile browsers show shorter URLs, making spoofed domains harder to spot.
- Singaporeans are highly conditioned to scan codes for PayNow, NETS QR, SGQR and government services.
Why Singapore Is a Prime Target
Singapore has one of the highest QR code adoption rates in the world. The unified SGQR standard, PayNow, and government platforms like Singpass have made scanning a daily reflex for most residents. Scammers exploit this trust in three main ways:
1. High digital payment volume
With NETS QR, PayNow and GrabPay accepted almost everywhere, victims rarely think twice before scanning to pay.
2. Strong trust in official channels
Letters appearing to come from IRAS, ICA, MOM, SPF or banks like DBS, OCBC and UOB are rarely questioned — especially when they include a QR code labelled "Scan to verify."
3. Multilingual, multicultural targets
Scammers tailor messages in English, Mandarin, Malay and Tamil, often impersonating delivery services like SingPost, Ninja Van or Shopee.
Common QR Code Scams in Singapore
The Bubble Tea / F&B Survey Scam
One of the most widely reported scams in 2023–2024 involved stickers placed at the entrances of bubble tea shops, cafes and restaurants offering a "free drink" or "$5 voucher" if customers scanned and completed a survey. Victims were redirected to fake apps that hijacked their banking credentials. In one widely reported case, a 60-year-old woman lost S$20,000 after scanning a QR code at a bubble tea shop in Bukit Timah.
Fake Parking Fine and LTA Notices
Scammers print realistic-looking "parking violation" notices and stick them on windscreens in HDB estates, complete with HDB or LTA logos and a QR code to "pay the fine immediately to avoid escalation." The QR leads to a cloned payment page that captures card details.
Overlay Stickers on Hawker Stalls and Retail Terminals
Fraudsters paste their own QR code sticker directly over a legitimate PayNow or SGQR code at hawker stalls, taxis or retail counters. Payments go to the scammer's account instead of the merchant. Stallholders only realise when customers complain hours later.
Phishing Emails Pretending to Be IRAS, CPF or Banks
Emails or SMS messages claim you have an unpaid tax bill, a CPF refund, or a suspicious bank transaction. Instead of a link (which corporate filters block), they include a QR code to "verify your identity via Singpass." The fake Singpass page steals your credentials and 2FA codes.
Delivery and Parcel Scams
Fake "missed delivery" notices left in HDB letterboxes or pasted on doors include a QR code to "reschedule delivery." The destination site asks for a small redelivery fee — and your full card details.
Fake Charity and Donation Drives
During festive periods like Chinese New Year, Hari Raya or Deepavali, scammers distribute flyers impersonating registered charities, with QR codes that route donations to personal PayNow accounts.
How a QR Code Scam Actually Unfolds
- Lure: You see a QR code on a sticker, email, flyer or notice with a compelling reason to scan (free gift, urgent fine, account problem).
- Scan: Your phone opens a URL that looks legitimate — for example, dbs-secure-login.com or singpass-verify.sg.
- Capture: The fake site harvests your username, password, OTP, NRIC or card details.
- Drain: Within minutes, scammers log into your real bank or Singpass account and transfer funds, often through mule accounts overseas.
- Cover-up: Some malicious apps remain installed and intercept future SMS OTPs, allowing repeat theft.
Red Flags: How to Spot a Suspicious QR Code
| Red Flag | What It Means |
|---|---|
| QR code is a sticker pasted over another code | Likely an overlay fraud — do not scan |
| QR code arrives via unsolicited email or SMS | Treat as phishing until proven otherwise |
| Preview URL uses unfamiliar or misspelled domain | e.g. dbs-sg.com instead of dbs.com.sg |
| Site asks for Singpass + bank login + OTP together | No legitimate Singapore service does this |
| You're pressured to act "within 24 hours" | Classic urgency tactic used by scammers |
| Scanned link asks you to download an APK or sideload an app | Almost always malware on Android |
| Payment QR shows a personal name, not the business | Verify with the merchant before paying |
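The lookalike-domain and APK red flags in the table above can be checked mechanically once a QR code has been decoded to a URL. The following is an added example, not part of the original article: the allowlist, brand words and flag names are illustrative assumptions, the spoofed hosts are the ones quoted in this article, and it covers URL payloads only, not SGQR payment payloads.

```python
from urllib.parse import urlsplit

# Assumption: illustrative allowlist; build yours from each organisation's published domains.
OFFICIAL_HOSTS = {"dbs.com.sg", "singpass.gov.sg", "eservices.police.gov.sg"}
# Brand words that should only ever appear in the official hosts above.
BRAND_WORDS = {"dbs", "singpass"}


def is_official(host):
    """Match the whole host or a true subdomain; never use substring tests."""
    return any(host == h or host.endswith("." + h) for h in OFFICIAL_HOSTS)


def inspect_qr_url(url):
    """Return the list of red flags for a URL decoded from a QR code."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").lower().rstrip(".")
    except ValueError:
        return ["unparseable"]
    flags = []
    if parts.scheme != "https":
        flags.append("not-https")
    if not host:
        return flags + ["no-host"]
    if not is_official(host):
        # Split on dots and hyphens so "dbs-sg.com" yields the label "dbs".
        labels = set(host.replace("-", ".").split("."))
        flags.append("brand-lookalike" if labels & BRAND_WORDS else "unknown-domain")
    if parts.path.lower().endswith(".apk"):
        flags.append("apk-download")
    return flags


# Constructed sample scans; the spoofed hosts are the examples quoted in the article.
SAMPLES = [
    "https://www.dbs.com.sg/personal",
    "https://dbs-sg.com/login",
    "https://singpass-verify.sg/auth",
    "https://dbs.com.sg.example.test/",  # official name used only as a prefix
    "http://example.test/files/update.apk",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", inspect_qr_url(sample) or ["no red flags"])
```

An empty result means only that none of these checks fired; the receiving-name check on PayNow/NETS still has to be done by eye.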
10 Practical Steps to Stay Safe
- Always preview the URL before opening. Both iOS and Android show a preview when you scan with the native camera. Read it carefully.
- Check for sticker tampering. At hawker stalls and shops, look for a sticker layered over another or a QR code that looks freshly placed.
- Verify the merchant name on PayNow/NETS. Before confirming payment, ensure the receiving name matches the business — not an individual.
- Never download apps via QR codes. Singapore banks have rolled out anti-malware measures that block sideloaded apps from accessing banking apps. Use Google Play or the App Store only.
- Don't enter Singpass credentials from a QR-scanned link. Open the official Singpass app directly instead.
- Enable Money Lock with your bank. DBS, OCBC and UOB allow you to ring-fence funds that cannot be transferred digitally.
- Use ScamShield. Install the SPF's ScamShield app to filter scam SMS and check suspicious links and numbers.
- Cross-check official notices. If you receive a "fine" or "tax notice," log in to the official portal (IRAS myTax Portal, OneMotoring, etc.) directly — never via QR.
- Use a URL inspection tool. Paste the previewed URL into a checker before opening it on your phone.
- Report and act fast. If you've scanned and entered details, immediately call your bank's 24-hour anti-scam hotline, freeze your cards, and call the SPF Anti-Scam Helpline at 1800-722-6688.
For Businesses: Protecting Your Customers and Brand
If you run a hawker stall, retail shop, F&B outlet or e-commerce business in Singapore, you have a duty of care to ensure customers can trust your QR codes.
Best practices for merchants
- Laminate or frame your SGQR code so stickers cannot easily be pasted over it.
- Inspect payment QR codes daily at opening and closing.
- Use branded short links for marketing campaigns instead of raw URLs that customers can't verify. A trusted shortener like Lunyb lets you create short, branded links with click analytics so customers see a familiar domain when they scan your campaign QR codes.
- Avoid printing QR codes on disposable receipts for sensitive actions like "verify your account" — these are easy to forge.
- Educate staff to recognise overlay stickers and report suspicious customer behaviour.
For a deeper look at picking a safe and reliable shortener for QR campaigns, see our 2026 buyer's guide to the best URL shorteners and our honest review of Lunyb.
What to Do If You've Been Scammed
- Contact your bank immediately via their 24-hour anti-scam hotline (DBS: 1800-339-6963, OCBC: 1800-363-3333, UOB: 1800-222-2121). Request an emergency block on all cards and accounts.
- Lodge a police report via eservices.police.gov.sg or in person at any Neighbourhood Police Centre.
- Call the Anti-Scam Helpline at 1800-722-6688 (8am–midnight daily).
- Reset all passwords for affected accounts from a clean device, and revoke active Singpass sessions.
- Run a malware scan if you sideloaded any APK. On Android, boot into Safe Mode and uninstall suspicious apps. If unsure, perform a factory reset.
- Notify CPF, IRAS or HDB if your Singpass was compromised, as scammers may attempt fraudulent transactions on government platforms.
The Bigger Picture: Singapore's Anti-Scam Response
The Singapore government has rolled out multiple measures, including the Shared Responsibility Framework (SRF) for phishing scams, the Anti-Scam Centre (ASC) under SPF, mandatory SMS Sender ID registration, and bank-level controls like Money Lock and kill switches. While these have reduced losses for some scam types, QR code scams continue to evolve — particularly through hybrid attacks combining social engineering calls with QR-based phishing.
The bottom line: technology alone won't save you. Awareness and slow, deliberate scanning habits are your strongest defence.
Frequently Asked Questions
Is it safe to scan QR codes at hawker centres in Singapore?
Generally yes, especially for official SGQR codes that are framed or laminated. Always check that the receiving name on PayNow matches the stall, and look for any sticker that appears to be pasted over the original code.
Can scanning a QR code alone hack my phone?
Simply scanning a QR code does not install malware. The danger comes from what happens after — opening a malicious link, entering credentials on a fake site, or downloading a sideloaded app. As long as you preview the URL and don't tap through, you remain safe.
How do I report a QR code scam in Singapore?
Report to the Singapore Police Force via the i-Witness portal or at eservices.police.gov.sg, call the Anti-Scam Helpline at 1800-722-6688, and notify your bank immediately. You can also report scam websites and SMS via the ScamShield app.
Are iPhones safer than Android phones against QR scams?
iPhones are generally more resistant to malicious app installation because iOS doesn't allow sideloading by default. However, both platforms are equally vulnerable to phishing pages that steal Singpass or banking credentials. The threat is the website, not the operating system.
What's the difference between a phishing link and a quishing attack?
Phishing uses clickable URLs delivered via email, SMS or chat. Quishing delivers the same malicious URL through a QR code, which bypasses many security filters and exploits user trust in the format. The end goal — stealing credentials or money — is identical.
Can a legitimate URL shortener be used in QR codes safely?
Yes. Reputable shorteners like Lunyb or Rebrandly allow businesses to create branded, trackable short links for QR campaigns. The key is that the shortener should display a recognisable brand domain and provide click analytics, so users and businesses can detect abuse early. For a comparison, read our Rebrandly review.
Final Thoughts
QR code scams in Singapore are not going away — they're evolving as scammers experiment with overlay stickers, fake government notices and hybrid voice-plus-QR attacks. The good news is that protecting yourself doesn't require deep technical knowledge. Pause before you scan, preview every URL, verify recipient names on PayNow, and never enter Singpass or banking credentials on a page reached through a QR code.
Treat every QR code with the same scepticism you'd apply to a stranger asking for your IC. That single habit will defeat the vast majority of quishing attempts targeting Singapore residents in 2026 and beyond.