QR Code Scams in Singapore: How to Stay Safe in 2026

QR codes are everywhere in Singapore — from hawker centres and MRT stations to bubble tea stalls and condominium notice boards. They make life convenient, but they have also become one of the favourite tools of scammers. In 2023 alone, the Singapore Police Force reported that victims of QR code scams lost more than S$130,000 in just a handful of cases, and the figures have only grown since. This rising threat, known globally as quishing (QR + phishing), is now one of the fastest-growing cybercrimes in the country.

This guide explains how QR code scams in Singapore work, walks through real cases reported by local media, and gives you a clear, practical checklist to stay safe.

What Are QR Code Scams?

A QR code scam is a type of phishing attack in which fraudsters trick victims into scanning a malicious QR code that leads to a fake website, downloads malware, or initiates an unauthorised payment. Because QR codes look identical to the human eye, you cannot tell a legitimate one from a fraudulent one until you scan it — and by then, it may already be too late.

In Singapore, where PayNow, SGQR, and contactless payments are part of daily life, scammers exploit the trust people place in QR-based transactions. A scam QR code can be printed on a sticker, sent via WhatsApp, posted on social media, or even slipped into a forged government letter.

Why Singapore Is a Prime Target

• High QR adoption: SGQR is the world's first unified payment QR code, used by over 200,000 merchants.
• Cashless culture: PayNow, GrabPay, and bank apps are deeply integrated with daily spending.
• Trust in institutions: Scammers impersonate MAS, IRAS, SPF, Singpost, and major banks like DBS, OCBC, and UOB.
• Tourism and F&B traffic: Hawker centres, coffee shops, and tourist spots offer easy physical targets for sticker swaps.

How QR Code Scams Work in Singapore

Most QR scams in Singapore follow a predictable five-step pattern. Understanding the workflow helps you spot it before you lose money.

1. Bait: The scammer places a QR code where a victim will trust it — on a bubble tea shopfront, in a survey flyer, or in a WhatsApp message offering free vouchers.
2. Scan: The victim scans the code, which redirects to a fake but professional-looking website (e.g., a cloned DBS or Singpass login page).
3. App install or login: The victim is asked to download an APK file (on Android) or enter banking credentials, OTPs, and Singpass details.
4. Remote access: The fake app contains malware that records keystrokes, intercepts SMS OTPs, or gives the scammer full remote control of the device.
5. Drain: Within minutes, the victim's bank account is emptied — often while they are asleep, since scammers commonly strike between 2am and 5am.

Real QR Code Scam Cases in Singapore

1. The Bubble Tea Survey Scam

In 2023, a 60-year-old woman in Singapore lost S$20,000 after scanning a QR code stuck to the glass door of a bubble tea shop in Telok Ayer. The code led to a "customer feedback survey" that asked her to download a third-party app. The app gave scammers remote access to her phone, and they drained her bank account overnight. This case, widely covered by CNA and The Straits Times, became one of the most well-known quishing incidents in Singapore.

2. Fake Parking Fine QR Codes

Scammers have placed fake notices on cars with QR codes claiming to be "unpaid parking fines" from HDB or URA. Victims who scanned were taken to a cloned government payment page that captured their card details.

3. Fraudulent SingPost and Delivery Notices

Fake "missed delivery" cards bearing SingPost or Ninja Van branding have circulated, complete with QR codes that redirect to phishing sites asking for NRIC, address, and credit card information to "reschedule" the delivery.

4. Sticker Overlays on Hawker Stalls

Scammers print their own PayNow QR stickers and paste them directly over the genuine ones at hawker stalls. Payments go to the scammer instead of the stall owner. This has been reported across Chinatown, Geylang, and several heartland coffee shops.

Common Types of QR Code Scams

Scam Type	How It Works	Typical Loss
Quishing (phishing via QR)	Redirects to fake bank or Singpass login	S$5,000 – S$100,000+
Malicious APK download	Installs malware with remote access	Entire bank balance
PayNow sticker overlay	Payment goes to scammer, not merchant	S$5 – S$500 per scan
Fake survey / free voucher	Harvests personal data and card details	Identity theft + card fraud
Government impersonation	Mimics IRAS, MOM, ICA, SPF letters	S$1,000 – S$50,000

Warning Signs of a Malicious QR Code

Before you scan, look for these red flags:

• Stickers that look pasted over another label — peeling edges, mismatched sizes, or bubbles underneath.
• QR codes in unsolicited messages — WhatsApp, Telegram, SMS, or email from unknown numbers.
• Urgent language — "Your account will be frozen", "Final notice", "Claim before midnight".
• Codes leading to shortened or unfamiliar URLs — especially those that ask you to install an APK or sideload an app.
• Requests for Singpass, OTP, or full card details — legitimate Singapore agencies will never ask for these via a QR code.
• Sites that don't match the brand — odd spelling like "dbs-secure-sg.com" or "singpass-login.net".

10 Steps to Stay Safe From QR Code Scams in Singapore

1. Preview the URL before opening. Most modern phones (iOS and Android) display the link before you tap. If it looks suspicious, cancel.
2. Never download apps from a QR code. Only install apps from the Apple App Store or Google Play Store — never sideload APKs.
3. Verify PayNow recipient names. Before confirming any payment, check that the recipient name shown matches the stall or business.
4. Check stickers physically. If a QR sticker looks like it has been pasted over another, alert the merchant and do not scan.
5. Enable Singpass 2FA and Money Lock. DBS, OCBC, and UOB all offer Money Lock, which prevents digital transfers of locked funds.
6. Turn on Google Play Protect. Singapore was one of the first countries to roll out Play Protect's enhanced scanning to block sideloaded malicious apps.
7. Use a URL checker. Paste suspicious links into a URL preview or scanning tool before opening them. Services like Lunyb let you safely shorten and inspect links, and our team also publishes ongoing security research — see our 2026 URL shortener guide for trusted options.
8. Keep your phone OS updated. Most malware exploits rely on outdated Android or iOS versions.
9. Set a daily transfer limit. Lower your PayNow and FAST transfer limits to the smallest amount you realistically need.
10. Report and block immediately. Call the ScamShield Helpline at 1799 or report at scamshield.gov.sg the moment you suspect a scam.

What To Do If You've Been Scammed

If you have already scanned a malicious QR code or made a payment to a scammer, act within minutes — not hours.

1. Turn on aeroplane mode to cut the scammer's remote access if you downloaded a suspicious app.
2. Call your bank's 24/7 fraud hotline immediately:
   • DBS/POSB: 1800-339-6963
   • OCBC: 1800-363-3333
   • UOB: 1800-222-2121
   • Standard Chartered: 1800-747-7000
3. Freeze your accounts using your banking app's "kill switch" or Safe Access feature.
4. Reset your Singpass at singpass.gov.sg if there is any chance your credentials were captured.
5. File a police report online at police.gov.sg or call 999 for ongoing fraud.
6. Factory reset your phone after backing up only your photos and contacts — not any APKs.

How Businesses in Singapore Can Protect Customers

Merchants, especially F&B and retail, are increasingly being held accountable for protecting customer trust. Here is what stall owners and SMEs should do:

• Laminate or frame your SGQR / PayNow code so stickers cannot easily be placed over it.
• Check daily for sticker tampering at the start and end of each shift.
• Display your registered business name next to the QR so customers can verify the PayNow recipient.
• Use branded short links for marketing campaigns instead of generic QR redirects, so customers learn to recognise your domain. Tools like Lunyb and other shorteners we've reviewed (see our Rebrandly review) help you build that trust.
• Train staff to politely intervene if a customer is about to scan a suspicious code.

The Role of URL Safety in Stopping Quishing

Almost every QR scam ultimately leads to a malicious URL. That is why URL hygiene is the single most powerful defence. Before clicking any link from a scanned QR code, ask:

• Does the domain exactly match the official one (e.g., dbs.com.sg, not dbs-sg-login.com)?
• Is the connection HTTPS with a valid certificate?
• Does the page ask for unusual information like full card number + CVV + OTP all at once?

If you regularly share or shorten links for your own business, choose a transparent, privacy-conscious URL shortener that lets recipients preview links. We cover the trade-offs in our honest review of Lunyb and our 2026 Rebrandly review.

Frequently Asked Questions

1. Are QR codes themselves dangerous?

No, a QR code is just an image that encodes text or a URL. The danger comes from what it points to. A malicious QR code can lead to a phishing site or trigger a malware download, but scanning alone is generally safe as long as you don't open the link or install anything.

2. Can scanning a QR code hack my phone instantly?

Not in most cases. Modern iPhones and Android devices show a preview of the link before opening it. The real risk happens only after you tap the link, enter credentials, or install a sideloaded app. Always cancel if anything feels off.

3. Will my bank refund me if I'm scammed via a QR code?

Under Singapore's Shared Responsibility Framework (SRF), banks and telcos may share liability if they failed to meet their duties — but if you willingly provided your OTP, Singpass, or installed an app, recovery is harder. Report the scam within hours to maximise your chances.

4. How do I check if a QR code is safe before scanning?

Use a QR scanner app that previews the URL without opening it, then paste the URL into a link-checking tool. Look for the official domain, HTTPS, and no requests for sensitive data. When in doubt, type the URL manually into your browser instead.

5. Where do I report QR code scams in Singapore?

Call the ScamShield Helpline at 1799, report online at scamshield.gov.sg, or file a police report at police.gov.sg. For ongoing financial fraud, call your bank's 24/7 hotline immediately and dial 999 if money is actively being transferred.

Final Thoughts

QR code scams in Singapore are not going away — if anything, they are becoming more sophisticated as scammers use AI to clone bank websites and Singpass portals. The good news is that almost every QR scam can be stopped at one of three points: before scanning (check the sticker), after scanning (check the URL), or before paying (check the recipient).

Stay sceptical, slow down, and remember: no legitimate Singapore bank, government agency, or business will ever ask you to install an app or hand over OTPs through a QR code. A two-second pause to verify can save you tens of thousands of dollars.