QR Code Scams in Singapore: How to Stay Safe in 2026

Lunyb Security Team · 11 min read

Singapore has one of the highest QR code adoption rates in the world. From hawker centres accepting PayNow to MRT posters offering instant promotions, those little black-and-white squares are everywhere. Unfortunately, scammers know this too. The Singapore Police Force (SPF) and the Cyber Security Agency of Singapore (CSA) have both flagged a sharp rise in QR code scams — often called "quishing" — with victims losing tens of thousands of dollars in single incidents.

This guide breaks down exactly how QR code scams work in the Singapore context, walks through real local cases, and gives you a practical checklist to stay safe whether you're paying for bubble tea, scanning a parking notice, or filling in a survey for a free gift.

What Are QR Code Scams?

QR code scams are a form of phishing where criminals use Quick Response (QR) codes to direct victims to malicious websites, trigger unauthorised payments, or trick them into installing harmful apps. Because a QR code is essentially a hidden URL, victims cannot see where it leads until they have already scanned it — and sometimes not even then.

The term "quishing" (QR + phishing) has become the umbrella label used by Singapore authorities and banks like DBS, OCBC, and UOB to describe these attacks. Unlike traditional phishing emails, QR scams exploit physical trust: a sticker on a real shop window or a notice on a real lamppost feels legitimate in a way that a random email does not.

Why Singapore Is a Prime Target

  • Cashless culture: PayNow, PayLah!, GrabPay and SGQR are used daily by millions.
  • High smartphone penetration: Over 90% of residents own a smartphone with a built-in QR scanner.
  • Trusted infrastructure: Singaporeans are conditioned to trust QR codes from government agencies, banks, and F&B outlets.
  • Tourist-heavy areas: Orchard Road, Marina Bay, and Chinatown attract scammers who tamper with QR codes in public spaces.

How QR Code Scams Work in Singapore

Most quishing attacks in Singapore follow one of five patterns. Understanding the mechanics is the first step to recognising them in the wild.

  1. Sticker overlay: A scammer pastes a fake QR code sticker over a genuine one at a hawker stall, parking meter, or shop counter. Payments go to the scammer's wallet instead of the merchant.
  2. Survey or free-gift bait: Flyers offering bubble tea vouchers, free milk, or supermarket rewards lead to fake forms that harvest banking credentials.
  3. Fake parking or LTA notice: A printed "summons" left on a windscreen instructs the driver to scan a QR code to pay a fine — leading to a cloned LTA or AXS website.
  4. Malicious app install: Scanning the code prompts the user to download an APK (Android package) outside the Play Store, which then takes over the phone.
  5. Account takeover via banking app: The victim is asked to log in to their "bank" through a QR link, handing over their SingPass or iBanking credentials and OTP.

Real-World Cases from Singapore

In one widely reported 2023 case, a 60-year-old woman in Singapore lost S$20,000 after scanning a QR code on a flyer outside a bubble tea shop in Bukit Timah. The code led to a fake survey that installed malware capable of harvesting her banking app credentials.

Other patterns reported by the SPF include scammers placing QR stickers on coffee shop tables in Toa Payoh and Ang Mo Kio, fake "LTA fine" notices in HDB carparks, and tampered QR codes on shared bicycles. Losses in 2023 alone from quishing-style scams crossed the eight-figure mark, according to data referenced by the Ministry of Home Affairs.

The Anatomy of a Quishing Attack

To defend yourself, it helps to understand what happens after the scan. Here is the typical chain:

  1. Scan: You point your camera at a QR code on a poster, sticker, or flyer.
  2. Redirect: The encoded URL opens in your browser. It often uses a free shortener or a domain that looks similar to a real brand (e.g. paylah-rewards.com or lta-payment.sg-fines.net).
  3. Landing page: A polished page mimics a real bank, agency, or merchant. It may ask for your NRIC, mobile number, banking ID, or card details.
  4. Credential capture or APK push: Your details are sent to the attacker, or you're prompted to install a "survey app" with permissions to read SMS and overlay other apps.
  5. Drain: Within minutes, attackers log in to your account, intercept OTPs via the malicious app, and transfer funds out — often to mule accounts overseas.

10 Practical Ways to Stay Safe

You don't need to stop using QR codes — you just need a few habits that take seconds but prevent disaster.

1. Inspect the Sticker Physically

Before scanning at a hawker stall or shop, look for signs of tampering: a sticker over another sticker, peeling edges, or a QR code that doesn't match the brand's signage. If it looks pasted on top of something else, ask the merchant directly.

2. Preview the URL Before Opening

Modern iOS and Android cameras show the destination URL after you scan, before opening. Always read it. Look for the real domain — for example, dbs.com.sg is real, but dbs-sg-login.com is not. Watch for misspellings, extra hyphens, or unfamiliar top-level domains like .xyz, .top, or .info.
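
The same URL check can be automated. The sketch below is an added example, not code from Lunyb or any bank. It takes a URL decoded from a QR code and applies the checks described above: match the host against an allowlist on a label boundary, then flag brand words, risky TLDs and other warning signs. The allowlist, word lists and function names are assumptions built only from names this article mentions.

```python
from urllib.parse import urlsplit
import ipaddress

# Assumed allowlist: only the official domains the article names.
OFFICIAL = {"dbs.com.sg", "gov.sg"}
# Brand words from the article; seen outside OFFICIAL they suggest a look-alike.
BRANDS = {"dbs", "paylah", "paynow", "lta", "ocbc", "uob", "singpass"}
RISKY_TLDS = {"xyz", "top", "info"}  # TLDs the article calls out


def is_official(host):
    # Match on a label boundary so "evildbs.com.sg" and "dbs.com.sg.pay.top" fail.
    return any(host == d or host.endswith("." + d) for d in OFFICIAL)


def check_qr_url(url):
    """Return (verdict, reasons) for a URL decoded from a QR code."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower().rstrip(".")
    reasons = []
    if parts.scheme != "https":
        reasons.append("not https")
    if parts.username is not None:
        reasons.append("userinfo before '@' hides the real host")
    if not host:
        return "suspicious", reasons + ["no hostname"]
    try:
        ipaddress.ip_address(host)
        reasons.append("raw IP address instead of a domain")
    except ValueError:
        pass  # a normal domain name, not an IP literal
    if is_official(host):
        return ("suspicious" if reasons else "official"), reasons
    labels = host.split(".")
    if any(label.startswith("xn--") for label in labels):
        reasons.append("punycode label (possible homoglyph)")
    if labels[-1] in RISKY_TLDS:
        reasons.append("unfamiliar TLD ." + labels[-1])
    # Split labels on hyphens so "dbs-sg-login" yields the word "dbs".
    words = {w for label in labels for w in label.split("-")}
    hit = sorted(BRANDS & words)
    if hit:
        reasons.append("brand word on unofficial domain: " + ", ".join(hit))
    return ("suspicious" if reasons else "unknown"), reasons
```

A verdict of "unknown" means only that the host is not on the allowlist and tripped no rule; it is not a statement that the site is safe.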

3. Never Install Apps From Unknown Sources

If a QR scan asks you to download an APK or sideload an app, stop immediately. Legitimate Singapore banks, government agencies, and major brands distribute apps only through the Apple App Store, Google Play, or Huawei AppGallery. Singapore banks have also rolled out anti-malware features that block sideloaded apps from running alongside banking apps — don't disable these.

4. Verify with the Source for Anything Involving Money

For parking fines, tax notices, or bank alerts, navigate to the official app or website yourself rather than using the QR code. The LTA's One Motoring portal, IRAS website, and your bank's official app are always safer entry points.

5. Use a Trusted URL Expander or Scanner

If a shortened link looks suspicious, paste it into a URL expander or a privacy-respecting redirect checker before opening. Tools like Lunyb let you create and inspect links transparently, which is helpful both for businesses generating their own QR codes and for cautious users verifying where a link actually leads. For a deeper look at trustworthy shortener practices, see our 2026 buyer's guide to URL shorteners.

6. Enable Banking App Security Features

Turn on Money Lock (DBS), Money Lock / Kill Switch (OCBC and UOB), and Singpass Face Verification. These features ring-fence a portion of your funds so that even if your credentials are stolen, the money can't be transferred without in-person verification.

7. Watch for OTP Prompts You Didn't Request

If your phone suddenly shows an OTP for a login or transfer you didn't initiate, treat it as an active attack. Don't type it anywhere. Open your banking app directly and check recent activity.

8. Keep Your Operating System Updated

Many quishing attacks rely on outdated Android versions or older browsers with known vulnerabilities. Set your phone to auto-update iOS or Android, and update your default browser too.

9. Be Skeptical of "Free" Anything

Free bubble tea, free NTUC vouchers, free milk for the elderly — these are well-documented bait themes in Singapore. If a flyer or sticker is promising something for nothing in exchange for a scan and a form, it's almost certainly a scam.

10. Report Suspicious QR Codes

If you see a tampered QR sticker, report it to the establishment and to the SPF via the ScamShield app or by calling the anti-scam hotline at 1799. Reporting helps police track scam clusters and warn the public.

How to Tell a Safe QR Code from a Suspicious One

Use this quick comparison table when you're unsure:

Signal | Likely Safe | Likely Scam
Placement | Printed directly on signage or laminated menu | Loose sticker pasted over another sticker
Destination URL | Official domain (e.g. gov.sg, dbs.com.sg) | Look-alike domain, unusual TLD, or random characters
What it asks for | Opens a payment app or menu | Asks for NRIC, banking ID, OTP, or APK install
Context | Inside a verified store or government office | Flyer on a lamppost, windscreen, or table tent
Offer | Standard pricing or normal transaction | "Free" gift, urgent fine, or limited-time reward

What to Do If You've Already Been Scammed

If you suspect you scanned a malicious QR code and entered information or installed an app, act within minutes — not hours.

  1. Switch your phone to airplane mode to cut off the attacker's connection.
  2. Call your bank's 24/7 fraud hotline immediately: DBS (1800-339-6963), OCBC (1800-363-3333), UOB (1800-222-2121), or your respective bank.
  3. Activate the Kill Switch / Safety Switch via your banking app or hotline to freeze accounts.
  4. Lodge a police report at any neighbourhood police centre or via the SPF e-Services portal.
  5. Reset your device: Factory reset your phone after backing up only essential photos and contacts (not apps).
  6. Change passwords for SingPass, banking, email, and any service tied to that phone — from a different, clean device.
  7. Report to ScamShield so the malicious number, URL, or app can be added to the blocklist.

For Businesses: Protect Your Customers from Quishing

If you run a hawker stall, café, retail shop, or services business in Singapore, you have a role to play too. Customers who get scammed at your storefront — even via a sticker you didn't put there — lose trust in your brand.

  • Laminate or print QR codes directly onto signage rather than using removable stickers.
  • Inspect your payment QR codes for tampering every day before you open for business.
  • Use a branded, traceable short link for marketing QR codes so customers can recognise your domain. Trusted shortener platforms make this easy — see our honest review of Lunyb and our Rebrandly 2026 review for options.
  • Train staff to recognise the most common scam patterns and to assist elderly customers who may be unsure.
  • Display a notice reminding customers to verify the payment recipient name in their banking app before confirming.

Why QR Code Scams Will Keep Evolving

Scammers adapt quickly. Recent trends in Singapore include dynamic QR codes that rotate destinations to avoid takedowns, AI-generated landing pages that mimic local banks pixel-for-pixel, and hybrid attacks that combine a phone call from a fake "bank officer" with a QR code sent via WhatsApp. The technical sophistication is rising, but the defenses remain the same: pause before you scan, verify the URL, and never enter credentials or install apps from a code you didn't expect.

Education is also catching up. The SPF's Anti-Scam Command, CSA's SG Cyber Safe programme, and bank-led campaigns like #BSHARP and #B-R-A-K-E are pushing awareness into community centres, schools, and senior activity centres. If you have elderly relatives, walk them through this guide — they are the demographic most often targeted and most often successfully scammed.

Frequently Asked Questions

Is it safe to scan QR codes at hawker centres in Singapore?

Generally yes, but always check the recipient name shown in your PayNow or PayLah! app before confirming the payment. If the name doesn't match the stall, cancel the transaction. Watch out for stickers placed over the stall's original SGQR code.

Can I get hacked just by scanning a QR code?

Scanning alone usually just opens a URL — it doesn't directly install malware. The danger comes from what happens next: entering credentials on a fake site, downloading an APK, or granting app permissions. If you scan, see a suspicious URL, and close it immediately, you're typically safe.

What should I do if I scanned a suspicious QR code but didn't enter any details?

Close the browser tab, clear your browser cache, and run a security scan with your phone's built-in tools (Google Play Protect on Android, or check Settings > Privacy on iOS). Monitor your bank accounts for the next 48 hours. You should be fine if you didn't submit anything or install an app.

How do I report a QR code scam in Singapore?

Call the anti-scam hotline at 1799, report through the ScamShield app, or file a report at any neighbourhood police centre. If money has been transferred, call your bank's fraud hotline first to attempt to freeze the funds before they're moved out.

Are QR codes on official government letters from IRAS, LTA, or HDB safe?

Codes printed on genuine government correspondence are safe, but verify by accessing the agency's website directly rather than scanning. Scammers frequently impersonate IRAS tax notices and LTA parking fines, especially during tax season and around public holidays. When in doubt, log in to Singpass and check your inbox there.

Final Thoughts

QR codes are convenient, and that convenience won't go away. The good news is that staying safe takes only a few seconds per scan: look at the sticker, look at the URL, and trust your instinct when something feels off. Combine that with strong banking app security features and a healthy skepticism of "free" offers, and you'll sidestep the vast majority of quishing attacks circulating in Singapore today.

Share this guide with family members — especially elderly parents and grandparents — and consider bookmarking the SPF's anti-scam resources. A 30-second pause before scanning could save you thousands of dollars and weeks of stress.
