QR Code Scams in Singapore: How to Stay Safe in 2026

Singapore has one of the highest smartphone penetration rates in the world, and QR codes have quietly become part of daily life — from paying for kopi at the hawker centre to topping up an EZ-Link card or scanning a SafeEntry-style menu. Unfortunately, scammers know this too. QR code scams, also called quishing (QR + phishing), have exploded across the island in recent years, with the Singapore Police Force and the Cyber Security Agency (CSA) issuing repeated advisories.

This guide explains how QR code scams in Singapore work in 2026, the most common tactics used by syndicates targeting locals and tourists, and the practical steps you can take to stay safe.

What Are QR Code Scams?

A QR code scam is a type of phishing attack where criminals trick victims into scanning a malicious QR code that leads to a fake website, a malware download, or an unauthorised payment. Because QR codes look identical to the human eye, you cannot tell a legitimate code from a malicious one just by glancing at it.

Once scanned, the QR code typically does one of three things:

Redirects you to a fake login page (DBS, OCBC, UOB, Singpass, or PayNow lookalikes).
Prompts you to download an Android APK file disguised as a survey, food review, or pet grooming app.
Initiates a payment or fund transfer from your e-wallet to the scammer's account.

Why Singapore Is a Prime Target

Singapore's digital infrastructure makes QR codes ubiquitous. PayNow, NETS QR, GrabPay, and SGQR are accepted almost everywhere, which means residents are conditioned to scan first and think later. Scammers exploit this trust in several ways:

High trust in official-looking branding — Fake codes often carry SPF, IRAS, MOH, or bank logos.
Tourist-heavy areas — Orchard Road, Chinatown, and Marina Bay see fake codes pasted over genuine merchant QRs.
Multilingual population — Scammers send messages in English, Mandarin, Malay, and Tamil to widen their net.
Speed of PayNow — Funds transferred via PayNow are nearly instant and very hard to recover.

According to figures shared by the Singapore Police Force, scam losses crossed S$1 billion in recent years, with phishing-related scams — including QR-based ones — making up a significant slice.

The Most Common QR Code Scams in Singapore

1. The Bubble Tea / Survey Scam

This is one of the most notorious quishing scams in Singapore. A victim is approached outside a mall or receives a flyer offering a free bubble tea, milk tea, or supermarket voucher in exchange for completing a quick "survey" via a QR code. Scanning the code installs a malicious Android APK that grants the scammer remote access to the phone, including banking apps. Within hours, savings are drained via PayNow or internet banking.

2. Fake Hawker and Coffee Shop Stickers

Scammers print stickers that look like legitimate PayNow or NETS QR codes and paste them over the real ones at hawker stalls, coffee shops, or even car park payment machines. Customers think they are paying the stall owner, but the money goes straight to the scammer's account. The stall owner only realises at closing time when sales don't tally.

3. Fake LTA, IRAS, and Singpass Notices

Letters, emails, or SMS messages claim you have an outstanding fine, unpaid tax, or a Singpass verification issue. A QR code is included to "resolve" it. The link leads to a near-perfect clone of the real government portal, capturing your Singpass credentials and 2FA codes.

4. Parking Fine and Season Parking Scams

Fake parking tickets are placed on windshields in HDB carparks and condo developments. A QR code on the notice directs the driver to pay a "reduced fine" within 24 hours. The payment page looks like a legitimate URA or HDB portal.

5. E-Commerce and Carousell Scams

A buyer or seller on Carousell, Facebook Marketplace, or Telegram asks you to scan a QR code to "verify" the transaction or receive payment. The code triggers a transfer out of your account rather than into it.

6. Fake Charity and Donation Drives

During festive seasons or after major news events, fake volunteers set up booths with QR codes claiming to collect for charities like the Community Chest or SPCA. Verify any charity on the Charity Portal (charities.gov.sg) before donating.

How to Spot a Malicious QR Code

Because the QR code itself is just a pattern of squares, the warning signs are usually around it. Here is a checklist Singaporeans should run through before scanning:

Red Flag	What to Look For
Sticker over a sticker	A QR code pasted on top of another, peeling at the edges, or misaligned with the merchant signage.
No SGQR label	Legitimate Singapore merchant payment QRs use the unified SGQR format with a merchant name and UEN.
Urgency or rewards	"Scan within 10 minutes", "Free gift", "Final notice" — classic social engineering.
Shortened or unfamiliar URL	Random domains, typos like dbs-sg.com or singpass-verify.net.
Prompts to install an app	Any QR that asks you to sideload an APK is almost certainly a scam.
Mismatched recipient	The PayNow confirmation screen shows a personal name instead of the business name.

Step-by-Step: How to Safely Scan a QR Code

Inspect the physical code. Look for tampering, stickers over stickers, or codes in unusual locations.
Use your phone's native camera. Don't install third-party QR scanner apps — many are riddled with ads or malware.
Preview the URL before tapping. Both iOS and Android show a preview link when you scan. Read it carefully.
Check the domain. Legitimate Singapore government sites end in .gov.sg. Banks use their official domains (dbs.com.sg, ocbc.com, uob.com.sg).
Verify the PayNow recipient. Before confirming any transfer, double-check the name shown matches the merchant.
Never install APKs. If a QR prompts an Android app installation outside Google Play, stop immediately.
Enable Google Play Protect and ScamShield. The ScamShield app by the Singapore Police Force and Open Government Products blocks known scam URLs and numbers.

Tools That Help You Stay Safe

ScamShield

Free official app from the Singapore Government. Filters scam SMSes and blocks calls from numbers used in reported scams. Available on iOS and Android.

Bank Security Features

DBS, OCBC, and UOB now offer "Money Lock" features that ringfence a portion of your savings so they cannot be transferred digitally — even if scammers gain remote access. Enable this if you keep emergency funds in your account.

URL Preview and Link Checkers

When you receive a suspicious link, use a reputable URL expander or checker before clicking. Trusted URL shorteners like Lunyb include safe redirect previews and malware scanning on outgoing links, which is useful both for senders who want to share trustworthy short links and for recipients who want transparency about where a link leads. If you're curious about how Lunyb compares to other services, see our honest review of Lunyb and our 2026 buyer's guide to the best URL shorteners.

Multi-Factor Authentication

Use Singpass Face Verification and app-based 2FA wherever possible. Avoid SMS OTPs as your only second factor — SIM-swap and malware attacks can intercept them.

What to Do If You've Been Scammed

If you suspect you've fallen for a QR code scam in Singapore, act within minutes — not hours. Speed determines whether your money can be recovered.

Call your bank's 24/7 anti-scam hotline immediately.
- DBS/POSB: 1800-339-6963
- OCBC: 1800-363-3333
- UOB: 1800-222-2121
Freeze your accounts through your banking app's "kill switch" or Safety Switch feature.
Disconnect your phone from the internet and put it in aeroplane mode if you suspect malware.
Lodge a police report via the SPF e-Services portal or call 1800-255-0000. For urgent cases, dial 999.
Report to ScamShield at scamshield.org.sg so others are warned.
Factory reset your phone if you installed a suspicious APK. Change all passwords from a clean device afterwards.
Inform Singpass if you may have leaked credentials, and reset your Singpass password and 2FA.

Tips for Businesses and Merchants

If you run a hawker stall, café, retail shop, or any business that accepts QR payments in Singapore, you have a duty to protect your customers too:

Laminate your SGQR display and check it daily for tampering.
Position the QR code where staff can see it at all times.
Train staff to verify each payment notification via the official merchant app before handing over goods.
Display a sign reminding customers to confirm your business name on the PayNow screen.
For marketing campaigns using QR codes, use a reputable link management tool with analytics and link-edit capabilities so you can deactivate a code if it's ever cloned.

Teaching Family Members — Especially Seniors

Elderly Singaporeans are disproportionately targeted by QR scams. Take 15 minutes to walk your parents and grandparents through these rules:

Never scan a QR code received via SMS, WhatsApp, or email from an unknown sender.
The Government, IRAS, and Singpass will never ask for payment or credentials via QR code in a message.
If unsure, call the family group chat before scanning anything.
Use the ScamShield app and enable Money Lock at the bank.

The Future of QR Code Security in Singapore

The Monetary Authority of Singapore (MAS), the Infocomm Media Development Authority (IMDA), and the Singapore Police Force have been rolling out shared responsibility frameworks where banks, telcos, and consumers each bear part of the loss. New initiatives include real-time scam alerts in banking apps, mandatory cooling-off periods for large transfers, and stricter merchant onboarding for SGQR.

Still, technology alone cannot solve quishing. Human awareness remains the strongest defence. Sharing this article with friends, family, and your migrant domestic helper community could prevent the next scam.

Frequently Asked Questions

Are QR code scams really that common in Singapore?

Yes. The Singapore Police Force has reported thousands of phishing-related scam cases each year, with QR-based variants (especially the Android malware quishing scam) accounting for tens of millions of dollars in losses. They are among the fastest-growing scam categories.

Can scanning a QR code alone hack my phone?

Scanning by itself opens a URL — it does not automatically install anything on iOS or modern Android without further action. The danger comes when you tap the link, enter credentials, or install an APK. Treat every QR code like a clickable link from a stranger.

Is it safe to use PayNow QR at hawker centres?

Generally yes, but always verify the SGQR shows the correct merchant name on the confirmation screen before tapping "Confirm". Be cautious of stickers that look freshly applied or that cover another code underneath.

What is the safest QR scanner app to use in Singapore?

The built-in camera apps on iPhone and Android are the safest. Avoid downloading third-party "QR scanner" apps from the Play Store — many contain adware or worse. The official ScamShield app also helps detect known scam URLs.

If I lose money to a QR scam, will my bank refund me?

Under the Shared Responsibility Framework introduced by MAS, banks may bear part of the loss if they failed in their anti-scam duties. However, if you authorised the transfer or installed malware yourself, recovery is not guaranteed. Reporting within minutes gives the best chance of intercepting the funds before they're withdrawn.

Stay vigilant, Singapore. A two-second pause before scanning a QR code can save you thousands of dollars and weeks of stress. Share this guide with someone who needs it today.