QR Code Scams in Singapore: How to Stay Safe in 2026
QR codes have become part of daily life in Singapore. We scan them to pay at hawker centres, check in to events, view restaurant menus, top up EZ-Link cards, and access government services via Singpass. But this convenience has a dark side: QR code scams in Singapore have surged dramatically, with the Singapore Police Force reporting losses of millions of dollars to so-called "quishing" attacks.
This guide explains exactly how QR code scams work, the most common tactics used against Singaporeans, real local cases reported in the news, and—most importantly—the practical steps you can take to protect yourself, your family, and your business.
What Are QR Code Scams?
A QR code scam, often called quishing (a blend of "QR" and "phishing"), is a fraud technique where criminals trick victims into scanning a malicious QR code. Once scanned, the code typically redirects the victim to a fake website, prompts a malicious app download, or initiates a fraudulent payment.
QR codes are essentially shortcuts to URLs. Because the human eye cannot read what is encoded inside the black-and-white squares, scammers exploit this blind trust. By the time you realise the link is malicious, your credentials, banking details, or money may already be gone.
Why Singapore Is a Prime Target
- High smartphone penetration: Over 90% of Singaporeans own a smartphone with a built-in QR scanner.
- Cashless culture: PayNow, PayLah!, GrabPay, and SGQR are used everywhere—from coffee shops to taxis.
- Trust in QR codes: Government-backed systems like SGQR and Singpass have normalised scanning.
- Tourist and expat density: Visitors unfamiliar with local norms are easier marks.
How QR Code Scams Work in Singapore
Most quishing attacks follow a predictable pattern. Understanding the flow helps you spot red flags early.
- Bait: The scammer places a QR code somewhere it will be scanned—on a flyer, sticker, email, WhatsApp message, or even pasted over a legitimate code.
- Scan: The victim scans the code with their phone camera.
- Redirect: The code opens a website that mimics a legitimate brand (DBS, OCBC, UOB, Singpass, IRAS, SingPost, etc.).
- Harvest: The victim enters credentials, OTPs, or banking details—or is asked to download a third-party APK file outside the Play Store.
- Exploit: The scammer drains the bank account, takes over accounts, or installs malware that monitors the device.
The Most Common QR Code Scams in Singapore
1. Sticker Overlay Scams at F&B Outlets
Scammers print fake QR code stickers and paste them over genuine SGQR codes at hawker stalls, bubble tea shops, or restaurants. When you scan to pay, the money goes to the scammer's wallet instead of the merchant. Several cases have been reported in Geylang, Chinatown, and Bugis hawker centres.
2. The "Survey for Free Bubble Tea" Scam
In one widely publicised 2023 case, a 60-year-old woman in Singapore lost S$20,000 after scanning a QR code on a bubble tea shop window that promised a free drink for completing a survey. The code led to a fake app that gave scammers remote access to her phone and banking apps. This template has since been replicated with free coffee, food vouchers, and lucky draws.
3. Fake Parking Fine and LTA Notices
Victims find printed notices on their windscreens claiming an unpaid parking fine, with a QR code to "settle immediately". The link leads to a cloned LTA or HDB carpark website that captures credit card details.
4. Phishing Emails from "Banks" and "IRAS"
Emails pretending to be from DBS, OCBC, UOB, or IRAS now frequently embed QR codes instead of clickable links—because corporate email filters often miss images. The QR code leads to a credential-harvesting page.
5. Singpass and MyInfo Impersonation
Scammers send SMS or WhatsApp messages claiming your Singpass account is suspended, with a QR code to "verify". The fake Singpass login captures your username, password, and 2FA code in real time.
6. Door-to-Door and Letterbox Flyers
Flyers offering "government grants", "GST vouchers", or "CPF top-ups" with QR codes have been distributed in HDB estates. The codes lead to malicious sites or WhatsApp groups run by scammers.
7. Crypto and Investment Scams
QR codes in Telegram groups, Facebook ads, and even sponsored TikTok videos lure victims into fake crypto exchanges or "guaranteed return" investment platforms.
Real Cases: QR Code Scam Losses in Singapore
| Year | Scam Type | Reported Loss | How It Happened |
|---|---|---|---|
| 2023 | Bubble tea survey | S$20,000 (single victim) | Malicious APK gave remote control of phone |
| 2023 | Multiple quishing cases | Over S$160,000 (collective) | Fake surveys, fake parking fines |
| 2024 | Hawker QR overlay | Varies per merchant | Stickers pasted over real SGQR codes |
| 2024-2025 | Phishing emails with QR | Millions in combined losses | Fake bank login pages |
The Singapore Police Force and the Cyber Security Agency of Singapore (CSA) have repeatedly issued advisories, but the numbers continue to climb each quarter.
10 Practical Steps to Stay Safe from QR Code Scams
1. Preview the URL Before Opening
Modern iPhones (iOS) and most Android phones show the destination URL as a preview when you scan a QR code. Always read it before tapping. If the domain looks odd—misspelled, unusual TLD, or random characters—do not proceed.
2. Inspect Physical QR Codes for Tampering
Before paying at a hawker stall or restaurant, look closely at the QR code. Is it a sticker pasted over another sticker? Are the edges peeling? Does it match the merchant's branding? When in doubt, ask the staff to confirm the correct payee name appears in your banking app before approving the transfer.
3. Verify the Payee Name in Your Banking App
PayNow, PayLah!, and SGQR transfers always display the recipient's name. If you are paying "Ah Hock Chicken Rice" but the app shows a personal name or a shell company, stop and verify with the merchant.
4. Never Download Apps from QR Codes
Legitimate apps are available on the Apple App Store or Google Play. If a QR code prompts you to install an APK file or sideload an app, it is almost certainly malware. This is the single most common vector for full account takeover in Singapore.
5. Be Skeptical of "Free" Offers
Free bubble tea, free vouchers, free GST rebates, free CPF top-ups—if it requires scanning a QR code and entering personal details, it's a scam. Government agencies in Singapore never request banking credentials via QR.
6. Use a Reputable URL Shortener and Inspector
If you must share or check links, use trusted tools. A reputable shortener like Lunyb lets you generate clean, traceable short links for your own QR codes, and you can also use link-inspection features to preview where a suspicious URL really leads before you click. For a deeper comparison of trustworthy options, see our 2026 buyer's guide to URL shorteners.
7. Enable Banking App Security Features
All major Singapore banks now offer:
- Money Lock (DBS digiVault, OCBC Money Lock, UOB LockAway) — funds that cannot be transferred digitally.
- Transaction limits — set low daily PayNow/transfer limits.
- Kill switch — freeze your account instantly if compromised.
- Anti-malware checks — apps refuse to open if sideloaded apps or screen-sharing tools are detected.
8. Keep Your Phone OS and Apps Updated
iOS and Android regularly patch vulnerabilities exploited by quishing malware. Turn on automatic updates and never disable Google Play Protect on Android.
9. Use the ScamShield App
The ScamShield app, developed by the National Crime Prevention Council and the Singapore Police Force, blocks known scam SMS and calls and lets you report suspicious links. Install it from the official app stores.
10. Report Suspected Scams Immediately
If you suspect you've been scammed:
- Call your bank's 24/7 fraud hotline immediately and freeze your account.
- Call the Anti-Scam Helpline at 1800-722-6688.
- File a report at police.gov.sg/iwitness or visit any Neighbourhood Police Centre.
- Report the scam to ScamShield via the app.
Special Advice for Businesses and Merchants
If you run an F&B outlet, retail shop, or any business that accepts QR payments, you have a responsibility to protect your customers too.
Protect Your SGQR Display
- Laminate your SGQR code and frame it behind glass or acrylic.
- Check it daily for tampering or overlaid stickers.
- Place it in a well-lit, visible area covered by CCTV.
- Train staff to verify the merchant name shown on customers' phones during payment.
Use Branded Short Links for Marketing QR Codes
If you print QR codes on menus, flyers, or packaging, use a branded short link so customers can visually verify the domain. Generic shorteners look identical whether legitimate or malicious—but a branded link reinforces trust. Our team has written about this trust factor in our honest review of Lunyb and in our Rebrandly review for 2026.
How to Tell a Real QR Code from a Fake One
| Indicator | Legitimate QR Code | Likely Scam QR Code |
|---|---|---|
| Placement | Laminated, framed, original signage | Loose sticker, peeling edges, pasted over another code |
| Destination URL | Matches official domain (e.g., dbs.com.sg, singpass.gov.sg) | Misspelled, unusual TLD (.xyz, .top), random subdomain |
| Payee Name | Matches merchant name in your banking app | Personal name or unfamiliar company |
| Required Action | Direct payment via SGQR/PayNow | App download, OTP entry, personal data form |
| Offer | Standard transaction | "Free gift", "urgent fine", "limited-time" |
What to Do If You've Already Scanned a Malicious QR Code
Act quickly. The faster you respond, the higher your chances of recovering funds or preventing further damage.
- Disconnect from the internet — turn on aeroplane mode immediately.
- Do not enter any further information — close the browser and any apps that opened.
- Uninstall any newly downloaded apps — especially APKs sideloaded outside the Play Store.
- Call your bank's fraud hotline — DBS: 1800-339-6963, OCBC: 1800-363-3333, UOB: 1800-222-2121.
- Change passwords from a different, trusted device for banking, Singpass, email, and social media.
- Run a malware scan or factory reset your phone if you installed any suspicious app.
- File a police report within 24 hours to maximise recovery chances.
The Future of QR Code Scams in Singapore
As AI-generated phishing pages become indistinguishable from real ones, and as scammers increasingly use deepfake voice and video to follow up on quishing attacks, vigilance must grow. Expect more sophisticated tactics in 2026 and beyond:
- AI-personalised quishing emails referencing your real purchases.
- QR codes embedded in deepfake video ads on TikTok and Instagram.
- Bluetooth-based proximity scams in MRT stations and shopping malls.
- Compromised legitimate websites serving malicious QR codes to specific visitors.
The good news: Singapore is among the most proactive countries in the world on scam prevention, with the SPF, CSA, IMDA, and MAS working together on regulations, education, and bank-level controls.
Frequently Asked Questions
Are QR code scams really that common in Singapore?
Yes. The Singapore Police Force has logged hundreds of quishing-related cases since 2022, with combined losses running into the millions of Singapore dollars. The bubble tea survey case alone made international news when one victim lost S$20,000.
Is it safe to scan QR codes at hawker centres?
Generally yes, but always verify the payee name in your banking app before confirming the transfer. If the name doesn't match the stall, stop the transaction and ask the owner. Be wary of QR codes that look like loose stickers pasted on top of laminated ones.
Can scanning a QR code alone infect my phone?
Simply scanning a QR code is usually safe—it only opens a URL. The danger comes from what you do next: entering credentials, downloading an app, or approving permissions. Never sideload APK files from a QR code, and never enter your Singpass or banking details on a site reached via an unsolicited QR.
What is the fastest way to report a QR code scam in Singapore?
Call the Anti-Scam Helpline at 1800-722-6688, contact your bank's 24/7 fraud hotline, and file a report via the SPF i-Witness portal at police.gov.sg/iwitness. Speed matters—funds can sometimes be frozen within minutes if you act fast.
How can I tell if a short URL behind a QR code is safe?
Use a URL preview tool or a trusted short-link service that shows the destination before redirecting. Reputable platforms like Lunyb let you create traceable branded links for your own QR codes and inspect where a link points before clicking. Always prefer links on recognisable domains over random shorteners.
Final Thoughts
QR code scams in Singapore are not going away—they are evolving. But almost every quishing attack relies on the same weak link: a human who scans without thinking, taps without checking, and enters details without verifying. By building the habit of previewing URLs, inspecting physical QR codes, verifying payee names, and refusing to download apps from QR codes, you can sidestep the vast majority of attacks.
Share this guide with elderly family members, foreign workers, and anyone in your life who might be vulnerable. The best defence against QR code scams in Singapore is a community of informed scanners.
Protect your links with Lunyb
Create secure, trackable short links and QR codes in seconds.
Get Started FreeRelated Articles
Two-Factor Authentication: Why You Need It in 2026
Two-factor authentication blocks over 99% of automated account attacks, yet most people still rely on passwords alone. Learn what 2FA is, why you need it in 2026, and how to set it up across your most important accounts in minutes.
Social Engineering Attacks: A Complete Guide to Recognition and Defense
Social engineering attacks exploit human psychology rather than software flaws, making them the leading cause of data breaches worldwide. This complete guide explains the most common attack types, real-world examples, and proven defense strategies to keep you and your organization safe.
Data Breaches 2026: What You Need to Know to Stay Protected
Data breaches in 2026 are larger, faster, and more AI-driven than ever before. This guide explains the latest threats, biggest incidents, real costs, and the practical steps individuals and businesses must take to stay protected.
What Data Does Google Have on You? The Complete 2026 Privacy Guide
Google quietly collects a staggering amount of information about your life—from every search you've made to the routes you walk. This guide breaks down exactly what data Google has on you, why it matters, and how to take control of your privacy.