QR Code Scams in Singapore: How to Stay Safe in 2026
Singapore is one of the most cashless societies in the world. From hawker centres to MRT stations, QR codes have replaced wallets, menus, and even parking tickets. But this convenience has a dark side: QR code scams in Singapore have exploded over the past two years, with the Singapore Police Force (SPF) reporting losses in the tens of millions of dollars. This guide breaks down exactly how these scams work, the latest tactics used by syndicates targeting Singaporeans, and a practical checklist to keep you safe.
What Are QR Code Scams?
A QR code scam, often called quishing (QR phishing), is a type of fraud where criminals trick victims into scanning a malicious QR code that leads to a fake website, downloads malware, or initiates an unauthorised payment. Because QR codes are unreadable to the human eye, victims cannot tell whether the link is genuine until it is too late.
In Singapore, scammers exploit the widespread trust in PayNow, SGQR, and merchant QR codes to make their attacks feel routine and safe. Once the victim taps through, the criminals can steal banking credentials, install spyware on Android devices, or empty bank accounts within minutes.
Why Singapore Is a Prime Target
Several factors make Singapore especially attractive to QR scam syndicates:
- High smartphone penetration: Over 95% of residents own a smartphone capable of scanning QR codes.
- SGQR ubiquity: The unified SGQR standard means people scan codes without thinking twice.
- Strong trust in institutions: Scammers impersonate MAS, IRAS, SingPost, and local banks, knowing residents tend to comply with official requests.
- Tourism and F&B density: Bubble tea shops, cafes, and hawker stalls are easy places to stick fake QR codes over real ones.
According to the SPF's annual scam report, phishing-related scams (including quishing) consistently rank among the top five scam types, with younger Singaporeans aged 20-39 forming the largest victim group — debunking the myth that only the elderly are targeted.
The Most Common QR Code Scams in Singapore
1. The Bubble Tea Survey Scam
This is the case that shocked the nation. An elderly woman in Singapore lost S$20,000 after scanning a QR code on a bubble tea shop's window offering a free cup in exchange for a survey. The code installed a malicious Android app that recorded her banking credentials and drained her account while she slept.
How it works: Scammers paste fake "survey" or "lucky draw" QR stickers on legitimate-looking storefronts. The code prompts the user to download a third-party APK file outside the Google Play Store, which contains spyware with accessibility-service permissions.
2. Tampered Hawker and Merchant Payment Codes
Criminals print fake PayNow or SGQR stickers and paste them over genuine ones at hawker stalls, parking machines, or carpark season-pass kiosks. The customer thinks they are paying the merchant, but the money goes directly to the scammer's account or to a money mule.
3. Fake Parking Fine and LTA Notices
Letters or windscreen flyers claiming to be from LTA, HDB, or a town council carry a QR code that supposedly leads to a payment portal. The portal is a near-perfect clone of the official site and harvests credit card or SingPass details.
4. "SingPost Parcel Redelivery" Quishing
A flyer or SMS claims you missed a delivery and must scan a QR to reschedule. The code leads to a fake SingPost page asking for a small "redelivery fee" plus full card details — including the CVV and OTP.
5. Romance and Investment QR Codes
Scammers whom victims meet on dating apps or in Telegram channels send QR codes that supposedly lead to exclusive crypto investment platforms. Once scanned, victims are funnelled into fraudulent trading dashboards that show fake profits until they try to withdraw.
6. Fake Charity and Donation Codes
Around festive periods like Chinese New Year, Hari Raya, and Deepavali, fake charity QR codes appear on flyers at MRT stations and void decks, impersonating real Singapore charities.
How a Typical Quishing Attack Unfolds
Understanding the attack chain helps you spot it early. Here is the typical sequence:
- Bait placement: A fake QR sticker, flyer, email, or SMS reaches the victim.
- Scan: The victim opens their phone camera and scans, trusting the context.
- Redirect: The QR resolves to a shortened or obfuscated URL — sometimes hidden behind several redirects.
- Action prompt: The page asks for login, payment, or an app download (often a sideloaded APK on Android).
- Credential or money capture: Data is exfiltrated or money is transferred via PayNow or card.
- Account takeover: If malware was installed, the scammer waits hours or days before draining the bank account, often at 3-4 a.m. when the victim is asleep.
Red Flags: How to Spot a Malicious QR Code
Use this checklist before scanning any code in Singapore:
- The sticker looks freshly placed or is pasted over another sticker.
- The QR code is on a flyer, lamp post, or random surface — not on official merchant signage.
- It promises something free, urgent, or too good to be true.
- After scanning, the URL uses a strange domain (e.g. .xyz, .top, or a misspelled bank name like dbs-sg-secure.com).
- You are asked to download an app from outside the Google Play Store or Apple App Store.
- You are asked to enter your SingPass, full NRIC, OTP, or card CVV.
- The page asks you to disable Google Play Protect or grant "Accessibility" permissions.
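The URL-related red flags above, together with the redirect step in the attack chain, can be checked automatically before a link is opened. The following Python is an added example, not part of the original article; the brand list, the allow-list of official domains, the shortener list, and every sample URL are constructed assumptions.

```python
from urllib.parse import urlsplit

# Illustrative lists (assumptions); maintain your own in practice.
RISKY_TLDS = {"xyz", "top"}                      # TLDs named in the checklist
BRANDS = ("dbs", "ocbc", "uob", "singpass", "singpost")
OFFICIAL = ("dbs.com.sg", "ocbc.com", "uob.com.sg", "singpass.gov.sg", "singpost.com")
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}


def is_official(host):
    """True if host is an allow-listed domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in OFFICIAL)


def url_red_flags(url):
    """Checklist red flags raised by a single URL."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower().rstrip(".")
    if parts.scheme not in ("http", "https") or not host:
        return ["not a web link (payment codes belong in the bank app's scanner)"]
    flags = []
    if host.rsplit(".", 1)[-1] in RISKY_TLDS:
        flags.append("strange top-level domain")
    if host in SHORTENERS:
        flags.append("shortened link hides the destination")
    if not is_official(host) and any(b in host for b in BRANDS):
        flags.append("brand name on a non-official domain")
    if parts.path.lower().endswith(".apk"):
        flags.append("APK download outside the app store")
    return flags


def chain_red_flags(hops):
    """Flags for every hop of a redirect chain, first scan to final page."""
    found = []
    for url in hops:
        for flag in url_red_flags(url):
            if flag not in found:
                found.append(flag)
    return found


# Constructed sample: a sticker's short link redirecting to an APK download.
SAMPLE_CHAIN = [
    "https://bit.ly/constructed-example",
    "https://free-bubble-tea.xyz/survey",
    "https://free-bubble-tea.xyz/files/reward.apk",
]

if __name__ == "__main__":
    print(chain_red_flags(SAMPLE_CHAIN))
    print(url_red_flags("https://dbs-sg-secure.com/login"))  # lookalike from the text
```

An empty result only means none of these specific checks fired; the payee-name and permission checks in the list still have to be done by eye.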
Genuine vs Scam QR Code: Quick Comparison
| Aspect | Genuine SGQR / Merchant Code | Scam QR Code |
|---|---|---|
| Placement | Printed on official menu, counter sign, or laminated holder | Sticker pasted over something, on a flyer, or on a window |
| Destination URL | Bank app deep link or official .sg domain | Random short URL, lookalike domain, or APK download |
| Payee name | Matches the merchant displayed in your banking app | Unknown individual name or unrelated business |
| Action required | Confirm amount and pay | Login, OTP entry, app install, or "verification" |
| Urgency | None | "Limited time", "final notice", "account suspended" |
10 Practical Tips to Stay Safe
- Preview the URL before opening. Both iOS and Android show the link at the top of the screen after scanning — read it carefully.
- Never install APKs from outside the Play Store. Legitimate Singapore businesses will never ask you to sideload an app.
- Confirm the payee name in your banking app matches the merchant before pressing pay.
- Enable Google Play Protect and keep it on. On iOS, keep "Install Unknown Apps" disabled.
- Use the official bank app's built-in scanner (DBS PayLah!, OCBC, UOB TMRW) instead of your camera — they validate SGQR codes.
- Turn on the "Money Lock" feature offered by DBS, OCBC, UOB, and other local banks to ringfence your savings.
- Set low daily transfer limits for PayNow and overseas transfers.
- Inspect physical QR stickers at hawker stalls — peel back a corner if you are suspicious, or pay cash.
- Treat unsolicited SMS and emails as hostile, especially if they contain a QR code. Government agencies use SMS Sender ID "gov.sg".
- Report suspicious codes to the ScamShield app or call the Anti-Scam Helpline at 1799.
Tools That Help You Verify Links Safely
Because QR codes hide their destination, the first line of defence is checking the URL before you tap. Free link-preview tools and reputable URL shorteners that include built-in safety checks can flag malicious destinations before you visit them. For example, services like Lunyb generate trackable short links with abuse monitoring, so businesses can publish QR codes that are easier for customers to trust — and easier for security teams to revoke if compromised. You can read more in our honest Lunyb review or compare alternatives in our 2026 URL shortener buyer's guide.
If you run a cafe, retail store, or event in Singapore, generating your QR codes through a managed shortening platform (rather than printing raw bank URLs) lets you rotate codes quickly if a sticker is tampered with, without reprinting collateral. For brand-conscious businesses, branded short domains — discussed in our Rebrandly review — can also make your QR destinations more recognisable to customers.
What to Do If You've Already Scanned a Suspicious Code
Act fast — the first 60 minutes are critical:
- Disconnect from the internet immediately (turn on flight mode).
- Do not enter any further information on the page.
- If you downloaded an app, uninstall it and run a factory reset if you are unsure.
- Call your bank's 24/7 anti-scam hotline to freeze your accounts (DBS: 1800-339-6963, OCBC: 1800-363-3333, UOB: 1800-222-2121).
- Lodge a police report at any Neighbourhood Police Centre or via the SPF e-Services portal.
- Report to ScamShield and forward suspicious SMS to 9-SPF-SCAM (97726).
- Change passwords for SingPass, banking, email, and any shopping accounts from a clean device.
QR Code Safety for Businesses in Singapore
If you operate a business that accepts QR payments, you carry responsibility for protecting your customers too:
- Laminate or tamper-seal your SGQR sticker so any overlay is obvious.
- Check your payment terminal daily for unfamiliar stickers.
- Train staff to verify customer payments by looking at the live transaction in your merchant app — not the customer's screenshot.
- Use a managed link platform for marketing QR codes (menus, loyalty programmes, feedback forms) so you can revoke a compromised link in seconds.
- Educate customers with clear signage: "Please verify the payee name is [Your Business Pte Ltd] before paying."
The Role of Regulators and Banks
The Monetary Authority of Singapore (MAS) and the Infocomm Media Development Authority (IMDA) have rolled out several initiatives to fight quishing, including the Shared Responsibility Framework, mandatory kill-switches in banking apps, and restrictions on sideloaded apps that request risky permissions. Major banks now block transactions when accessibility services are detected as active during banking — a direct response to the bubble tea scam.
However, regulation can only do so much. The strongest defence remains an informed user who pauses for three seconds before scanning anything in public.
FAQ: QR Code Scams in Singapore
Are iPhones safe from QR code scams?
iPhones are harder to infect with malware because iOS strictly controls app installations through the App Store. However, iPhone users are still fully vulnerable to phishing pages opened from QR codes that ask for SingPass, banking, or card credentials. The device matters less than what you type into the page after scanning.
Can scanning a QR code immediately empty my bank account?
Not directly. Scanning only opens a URL. The actual loss happens when you enter credentials, approve a transfer, or install a malicious app. The danger is that this happens within seconds of scanning, so users often don't realise the chain has started.
How do I check if a QR code is genuine at a hawker stall?
Look at the SGQR sticker — it should display the registered business name (often a Pte Ltd) and a unique SGQR ID. After scanning with your banking app, the payee name shown must match the stall name. If it shows a personal name you don't recognise, cancel and alert the stall owner.
What should I do if I see a suspicious QR code in public?
Do not scan it. If it is pasted on a public surface or appears to cover another sticker, photograph it (without scanning), report it to the venue owner, and submit a report through the ScamShield app or to the SPF at 1799. You may save dozens of others from being scammed.
Will my bank refund me if I'm a victim of a QR code scam?
Under Singapore's Shared Responsibility Framework, banks and telcos may bear part of the loss if they failed to meet their anti-scam duties. However, if you willingly entered credentials, approved a transaction, or installed a sideloaded app despite warnings, recovery is unlikely. Prevention is far more effective than recovery.
Final Thoughts
QR codes are not going away — they are the connective tissue of Singapore's digital economy. The good news is that quishing relies almost entirely on a moment of inattention. By previewing every URL, verifying every payee name, refusing every sideloaded app, and setting strict transfer limits, you reduce your risk to near zero. Share this guide with your parents, grandparents, and friends — because in 2026, the most valuable thing you can give someone in Singapore is the habit of pausing before they scan.