QR Code Scams in Singapore: How to Stay Safe in 2026

Singapore is one of the most digitally connected nations in the world, and QR codes have become embedded in everyday life — from paying at hawker centres with PayNow and SGQR to scanning menus, parking coupons, and event tickets. Unfortunately, this convenience has created fertile ground for a fast-growing category of fraud: QR code scams, also known as quishing (QR phishing). The Singapore Police Force and the Cyber Security Agency of Singapore (CSA) have repeatedly warned that scammers are exploiting this trusted technology to steal money, harvest credentials, and install malware.

This guide explains how QR code scams in Singapore work, the most common tactics used locally, and the practical steps you can take to stay safe — whether you're a consumer, small business owner, or part of an enterprise security team.

What Are QR Code Scams?

QR code scams are fraud schemes in which criminals use Quick Response (QR) codes to direct victims to malicious websites, trick them into authorising payments, or deliver malware. Because QR codes are machine-readable and visually identical to one another, users cannot tell a legitimate code from a malicious one just by looking at it.

In Singapore, quishing has surged alongside the rapid adoption of SGQR, PayNow, and contactless payment systems. According to advisories from the Singapore Police Force, victims have lost tens of millions of dollars to QR-related scams in recent years, with cases ranging from a few hundred dollars to six-figure losses tied to fraudulent investment platforms and fake bank logins.

Why QR Codes Are Easy to Abuse

• No visible destination: Unlike a typed URL, a QR code hides where it leads until you scan it.
• Trust by default: Singaporeans are conditioned to trust QR codes at stalls, restaurants, and government touchpoints.
• Easy to print and replace: A scammer only needs a printer and a sticker to overlay a real code.
• Mobile-first attacks: Small phone screens make spoofed URLs (e.g. dbs-sg.com vs dbs.com.sg) harder to spot.

Common QR Code Scams Targeting Singaporeans

Local law enforcement and banks have flagged several recurring patterns. Knowing them is the single biggest factor in avoiding a loss.

1. The "Free Bubble Tea" / Survey Sticker Scam

Scammers leave stickers on shop windows, bus stops, or café tables offering a free drink or voucher in exchange for completing a survey. Scanning the code leads to a fake page that asks for banking credentials or installs a malicious Android APK. Several victims in Singapore have lost their entire bank balances after granting accessibility permissions to such apps.

2. Overlaid SGQR Stickers at Hawker Centres and Shops

Criminals print fraudulent SGQR or PayNow stickers and physically paste them over the real merchant code. Payments made by customers are routed to the scammer's account, while the stall holder is none the wiser until reconciliation.

3. Fake Parking Coupon and Carpark QR Codes

With the move to digital parking, scammers have been spotted placing fake "Parking.sg" or HDB carpark posters with QR codes that mimic the official app. Victims enter card details on the spoofed page, leading to unauthorised transactions.

4. Phishing Emails with QR Codes

Quishing emails are increasingly used to bypass corporate email filters. A message claiming to be from IRAS, Singpost, or your bank includes a QR code asking you to "verify your account." Because the malicious URL is inside an image, traditional URL scanners often miss it.

5. Investment and Romance Scam Onboarding

Once a victim is hooked through Telegram, WhatsApp, or dating apps, the scammer sends a QR code to "register" on a trading platform. The code leads to a cloned exchange where deposits vanish.

6. Delivery and Package QR Notices

Fake delivery slips left at doorways instruct residents to scan a QR code to "reschedule delivery" or "pay a customs fee." The destination is a phishing site impersonating SingPost, Ninja Van, or local couriers.

How a Typical Quishing Attack Works

Understanding the attack chain helps you spot the warning signs early. Most QR code scams in Singapore follow these steps:

1. Bait placement: A scammer prints a malicious QR code on a sticker, poster, email, or message.
2. Scan: The victim scans the code, usually in a rushed or distracted context.
3. Redirect: The phone opens a spoofed website — often impersonating DBS, OCBC, UOB, Singpass, or a popular merchant.
4. Credential harvest or APK install: The victim enters login details, OTPs, or installs a sideloaded app.
5. Account takeover: Funds are transferred out, often to overseas mule accounts, within minutes.

Red Flags: How to Spot a Suspicious QR Code

Before scanning any QR code in public or in a message, run through this mental checklist:

• Is the QR code a sticker pasted over something else? Peel-test it discreetly if you can.
• Does the URL preview show a legitimate .sg or known domain, or a strange shortener you don't recognise?
• Does the page ask for Singpass, OTP, or banking login before showing any content?
• Are you being asked to download an APK file outside Google Play? This is the #1 sign of a scam in Singapore.
• Does the offer feel too good — free vouchers, guaranteed returns, surprise refunds?
• Is the QR code in an unsolicited email claiming to be from a government agency or bank?

How to Stay Safe: Practical Steps for Singapore Users

Staying safe from QR code scams doesn't require advanced technical skills — just consistent habits.

1. Preview the URL Before Opening

Both iOS Camera and most Android scanners display the destination URL before opening it. Read it carefully. Look for subtle misspellings like dbs-secure.sg, singp4ss.gov.sg, or iras-refund.com.

2. Never Sideload APKs

Legitimate Singapore banks and government services never ask you to install an app via a downloaded APK. If a QR code leads to a file download, close it immediately.

3. Use Money Lock and Transaction Limits

DBS, OCBC, UOB, and other local banks now offer "Money Lock" features that ring-fence a portion of your balance from digital transfers. Combined with low daily transfer limits, this dramatically reduces potential losses.

4. Verify SGQR Stickers Before Paying

When paying at a stall, check that the merchant name displayed in your banking app matches the stall name. If it shows an unrelated personal name or business, stop and ask the stall owner.

5. Keep Your Phone Updated

Android 14+ and iOS 17+ include stronger protections against sideloaded apps and accessibility abuse. Make sure security patches are installed promptly.

6. Use a Trusted Link Checker

If you're unsure about a destination URL, paste it into a URL inspection tool before opening. A reputable shortener like Lunyb provides transparent link previews and analytics, making it easier to verify where a shortened link actually goes. You can read our honest review of Lunyb for more on how it handles link safety.

7. Report Suspicious Codes

Report scams to the ScamShield app, call the Anti-Scam Helpline at 1799, or lodge a report with the Singapore Police Force. Reporting fast can sometimes freeze funds before they leave the country.

Advice for Businesses and Merchants

Small businesses are often unwitting accomplices in QR scams when their genuine codes are overlaid or impersonated. Here's how to protect customers and your reputation:

Laminate and Tamper-Proof Your QR Codes

Use laminated or engraved displays rather than printed stickers. Inspect your payment QR daily for stickers placed over the original.

Display the Registered Merchant Name Clearly

Print the exact UEN-registered name beside the QR code so customers can cross-check what appears in their banking app.

Use Branded Short Links for Marketing

When sending QR codes in marketing campaigns, use branded short links from a reputable provider so customers recognise your domain. Our 2026 buyer's guide to URL shorteners compares the leading options, and our Rebrandly review covers an enterprise-grade alternative.

Train Staff to Spot Tampering

Educate cashiers and floor staff to look for overlaid stickers, unfamiliar QR posters, or customers reporting the wrong recipient name in their banking app.

What to Do If You've Been Scammed

If you suspect you've fallen victim to a QR code scam, time is critical. Follow these steps:

1. Freeze your bank accounts immediately via your banking app's kill-switch or by calling your bank's 24/7 hotline.
2. Change your Singpass, banking, and email passwords from a separate, trusted device.
3. Uninstall any suspicious apps installed from the QR code. If unsure, perform a factory reset.
4. Report to the police via the ScamShield app, the i-Witness portal, or in person at any Neighbourhood Police Centre.
5. Notify the Anti-Scam Centre at 1799.
6. Inform CSA via SingCERT if your work device or corporate credentials may be affected.

The Outlook: QR Scams in 2026 and Beyond

QR-based fraud isn't going away — if anything, it will get more sophisticated. We're already seeing AI-generated phishing pages that perfectly mimic Singpass and local banks, and dynamic QR codes that change destinations based on the victim's device or location. Singapore's regulators are responding with stronger Shared Responsibility Frameworks between banks and telcos, mandatory anti-scam features on banking apps, and faster fund recovery channels.

But the front line is still you. A 2-second URL check before tapping "Open" is the cheapest, most effective defence against quishing.

Frequently Asked Questions

Are all QR codes in Singapore dangerous?

No. The vast majority of SGQR, PayNow, and government QR codes are safe. The risk comes from tampered, fake, or unsolicited codes — particularly those sent via email, messaging apps, or stuck up in public places. Treat unfamiliar codes with the same caution you'd give an unknown link.

Can scanning a QR code alone infect my phone?

Simply scanning a code rarely infects your device on its own. The danger comes from what happens next — visiting a phishing site, entering credentials, or installing a sideloaded APK. As long as you preview the URL and never install apps from outside the Play Store or App Store, the risk is minimal.

How can I tell if an SGQR sticker has been tampered with?

Look for stickers that appear newer than the surrounding signage, peel at the edges, or have a slightly different alignment. After scanning, verify that the recipient name in your banking app matches the stall or shop's registered name. If it doesn't match, stop and alert the merchant.

What should I do if I scanned a suspicious QR code but didn't enter any details?

You're likely fine. Close the browser tab, clear your browser cache, and run a malware scan with a reputable mobile security app. Monitor your bank and Singpass accounts for unusual activity over the next few days as a precaution.

Will my bank refund me if I'm scammed via a QR code?

Under Singapore's Shared Responsibility Framework, banks and telcos may share liability if they failed in their duties — for example, if anti-scam controls weren't triggered. However, refunds are not guaranteed, especially if you authorised the transaction yourself. Reporting quickly to your bank and to 1799 gives you the best chance of partial recovery.

Final Thoughts

QR codes have transformed how Singaporeans pay, order, and access services — and that convenience is worth protecting. By learning to pause, preview, and verify before you scan, you cut off the vast majority of quishing attacks before they begin. Stay sceptical of unsolicited codes, never sideload apps, and use trusted link verification tools when in doubt. A little caution today can save you a lot of money — and stress — tomorrow.