
QR Code Scams in Singapore: How to Stay Safe in 2026

Lunyb Security Team

QR codes are everywhere in Singapore — from hawker centre payment terminals and MRT posters to restaurant menus and parking meters. They are fast, contactless, and convenient. Unfortunately, that same convenience has made them one of the most exploited tools in the scammer's playbook. The Singapore Police Force and the Cyber Security Agency (CSA) have both flagged QR code phishing — known as quishing — as a rising threat, with victims losing tens of thousands of dollars in single incidents.

This guide breaks down exactly how QR code scams in Singapore work in 2026, the local cases you should learn from, and a practical checklist to keep your bank account, SingPass, and personal data safe.

What Are QR Code Scams?

A QR code scam is a fraud technique where criminals trick victims into scanning a malicious QR code that leads to a phishing website, a fake payment page, or a download for malware. Because the destination URL is hidden inside a pixelated square, the victim cannot judge whether the link is safe just by looking at it.

In Singapore, quishing has overtaken many traditional phishing methods because nearly every adult uses PayNow, NETS QR, or banking apps that rely on QR scanning. Scammers exploit that trust and muscle memory.

How a Typical Quishing Attack Works

  1. The scammer creates a fake website that mimics a bank (DBS, UOB, OCBC), SingPass, or a popular merchant.
  2. They generate a QR code pointing to that fake site.
  3. The QR code is placed in a high-trust location — a sticker over a real one at a bubble tea shop, a flyer in an HDB lift lobby, or inside a phishing email.
  4. The victim scans, lands on the fake site, and enters login credentials, OTPs, or card details.
  5. Money is drained, often within minutes, via instant transfers or unauthorised card transactions.

Why Singapore Is a Prime Target

Singapore's digital maturity is a double-edged sword. The country has one of the highest smartphone penetration rates in the world and near-universal adoption of QR-based payments. A few specific factors make Singaporeans particularly attractive to scammers:

  • SGQR ubiquity: One unified QR standard means people scan without thinking twice.
  • High average account balances: Successful attacks yield large payouts.
  • SingPass integration: A compromised SingPass can unlock CPF, IRAS, HDB, and bank services.
  • Tourist-heavy areas: Visitors are less familiar with local payment flows and easier to deceive.
  • Multilingual society: Scam messages can be localised in English, Mandarin, Malay, or Tamil.

Real QR Code Scam Cases in Singapore

Looking at actual incidents reported by the Singapore Police Force and local media helps you recognise the patterns before you become a statistic.

1. The Bubble Tea Survey Scam

One of the most widely reported cases involved a victim who scanned a QR code on a flyer outside a bubble tea shop in Bukit Timah, promising a free cup in exchange for a short survey. The QR code led to a malicious Android app download. Within hours, the scammers had remote access to her phone, intercepted banking OTPs, and transferred over S$20,000 out of her account.

2. Fake Parking Fines

Scammers have placed fake "parking violation" notices on windscreens in carparks across the island. The notice includes a QR code to "pay the fine immediately." The link leads to a cloned HDB or URA payment page that captures card details.

3. Sticker Overlay at Hawker Centres

Fraudsters have been caught pasting their own PayNow QR stickers over the legitimate ones at hawker stalls. Customers pay, but the money goes to a money mule's account, not the stall owner.

4. Phishing Emails Pretending to Be Banks

Email-based quishing has surged because QR codes embedded as images often bypass URL filters used by corporate email security. A staff member receives an email "from DBS" asking them to scan a QR to re-verify their account — the destination is a credential-harvesting site.

How to Spot a Malicious QR Code

You cannot read a QR code with your eyes, but you can read the context around it. These are the red flags that should make you stop before scanning.

Red Flags in the Physical World

  • A sticker that looks freshly placed or peeling, especially if it covers another sticker underneath.
  • QR codes printed on plain paper and taped to lamp posts, MRT walls, or ATMs.
  • Unsolicited flyers in your letterbox offering rewards, refunds, or government rebates.
  • Parking or traffic notices that demand immediate payment via QR.

Red Flags in Digital Messages

  • Emails or SMS from "banks" or "government agencies" containing a QR code instead of a normal link.
  • Urgent language: "Your account will be suspended in 24 hours."
  • QR codes inside WhatsApp messages from unknown numbers or Telegram channels.
  • Promotions that seem disproportionately generous (free iPhones, S$500 vouchers).

Safe Scanning Habits Every Singaporean Should Adopt

Treat every QR code the way you would treat a stranger handing you a USB stick. Here is a practical, repeatable routine.

Before You Scan

  1. Inspect the surface. Peel test: if you can lift the corner of a sticker, the QR underneath may be the real one.
  2. Verify the source. If the code is on a flyer, ask the shop directly. If it is in an email, log in to your bank app independently instead.
  3. Use your phone's built-in camera rather than a random third-party scanner app. iOS and Android both preview the URL before opening.

After You Scan

  1. Read the URL carefully. Look for subtle misspellings (dbs-secure.com instead of dbs.com.sg) and unusual top-level domains like .xyz, .top, or .info.
  2. Never approve app installs from a link you reached via QR. Legitimate Singapore banks will never ask you to sideload an APK.
  3. Do not enter OTPs on a page you reached from a QR code unless you initiated the transaction yourself.
  4. Close the tab and verify independently if anything feels off.
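
The URL checks in the steps above can be automated once a scanner has decoded the QR code. The sketch below is an added example, not code from Lunyb or any bank; the allowlist, brand tokens, shortener hosts and the 0.8 similarity threshold are constructed assumptions, and the tested URLs are constructed samples.

```python
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# Constructed sample lists for this example; not authoritative or complete.
OFFICIAL_DOMAINS = {"dbs.com.sg", "police.gov.sg"}
BRAND_TOKENS = ("dbs", "ocbc", "uob", "singpass", "paynow")
RISKY_TLDS = {"xyz", "top", "info"}      # TLDs named in the checklist above
SHORTENERS = {"bit.ly", "tinyurl.com"}   # sample shortener hosts


def is_official(host):
    """True only for an official domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)


def near_miss(host, threshold=0.8):
    """Return the official domain that host closely resembles, or None."""
    for d in sorted(OFFICIAL_DOMAINS):
        if SequenceMatcher(None, host, d).ratio() >= threshold:
            return d
    return None


def triage_qr_url(url):
    """Return (verdict, reasons) for a URL decoded from a QR code."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return "suspicious", ["unparseable URL"]
    host = (parts.hostname or "").lower().rstrip(".")
    reasons = []
    if parts.scheme != "https":
        reasons.append("not https")
    if host.rsplit(".", 1)[-1] in RISKY_TLDS:
        reasons.append("unusual top-level domain")
    if host in SHORTENERS:
        reasons.append("shortener hides the final destination")
    official = is_official(host)
    if not official:
        # Lookalike checks only apply to hosts outside the allowlist.
        if any(token in host for token in BRAND_TOKENS):
            reasons.append("brand name on a non-official domain")
        twin = near_miss(host)
        if twin:
            reasons.append("near-miss spelling of " + twin)
    if official and not reasons:
        return "allow", reasons
    return ("suspicious" if reasons else "unknown"), reasons
```

A verdict of "unknown" means the host is neither allowlisted nor flagged, which is the case where the "verify independently" step still applies.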

Quick Comparison: Safe vs. Suspicious QR Scenarios

| Scenario | Safe Indicator | Suspicious Indicator |
|---|---|---|
| Hawker stall PayNow | Printed, laminated, matches stall name in app | Sticker peeling, recipient name unrelated to stall |
| Bank communication | Direct link inside official bank app | QR in SMS or email asking to "re-verify" |
| Restaurant menu | Code embedded in physical menu or table sticker | Loose printout, redirects to login page |
| Parking payment | Opens Parking.sg or official app | Asks for full card details on web page |
| Promotion / lucky draw | From verified brand social account | Random flyer, asks for SingPass login |

The Role of URL Transparency

One of the biggest issues with QR codes is that the link they contain is invisible until you scan. This is also why scammers love shortened links inside QR codes — they obscure the final destination further. Reputable link management platforms like Lunyb provide click analytics and let recipients preview destinations before redirecting, which is a much safer way for legitimate businesses to share links. If you run a Singapore SME and rely on QR campaigns, choosing a trustworthy shortener matters — our 2026 buyer's guide to URL shorteners compares the leading options. You can also read our honest review of Lunyb if you are evaluating the platform.

What to Do If You've Been Scammed

Speed matters. The first hour after a quishing attack is critical because instant transfers can still sometimes be intercepted.

  1. Call your bank's 24-hour anti-scam hotline immediately (DBS: 1800-339-6963, OCBC: 1800-363-3333, UOB: 1800-222-2121).
  2. Freeze your accounts and cards via your banking app's kill switch.
  3. Lodge a police report at any Neighbourhood Police Centre or online at eservices.police.gov.sg.
  4. Call the ScamShield Helpline 1799 for guidance and to flag the scam pattern.
  5. Change passwords for SingPass, email, and any account you may have entered credentials into.
  6. Factory reset your phone if you installed any app from the malicious link.
  7. Enable Money Lock on your bank account to ring-fence savings from digital transfers.

Tools and Settings That Help

Singapore offers several local defences that many people forget to enable.

  • ScamShield app: Filters scam SMS and calls, maintained by the National Crime Prevention Council.
  • Money Lock: Lock a portion of your savings so that no digital channel — including a compromised app — can move it.
  • SingPass face verification: Required for high-risk transactions; never approve a face verification you did not initiate.
  • Encrypted DNS (such as Cloudflare 1.1.1.1 or Quad9): Blocks many known phishing domains at the network level before the page even loads.
  • Browser safe-browsing: Keep Chrome, Safari, or Edge updated — they maintain blocklists of known phishing sites.

Advice for Businesses Using QR Codes

If you run a café, a retail shop, or marketing campaigns, you are also a target — scammers can hijack your customers' trust in your brand. Protect both sides of the transaction:

  • Laminate and tamper-seal your PayNow and SGQR stickers.
  • Check daily that no overlay sticker has been placed on top of yours.
  • Use branded short links for marketing QR codes so customers see your domain after scanning.
  • Train staff to verify large incoming PayNow payments by checking the sender name aloud.
  • Display a printed notice telling customers what your real PayNow recipient name is.

Frequently Asked Questions

Are QR code scams really that common in Singapore?

Yes. The Singapore Police Force has reported a sharp year-on-year rise in phishing scams that involve QR codes, with combined losses running into millions of dollars. Quishing is now one of the top three digital fraud vectors flagged by the Cyber Security Agency.

Can scanning a QR code alone hack my phone?

Simply scanning a QR code and previewing the URL is generally safe. The danger begins when you tap through to the link, enter credentials, approve a face verification, or install an app. Modern iOS and Android sandboxing makes drive-by infections rare, but social engineering on the destination page is the real threat.

How can I tell if a PayNow QR at a hawker stall is genuine?

Before confirming payment, your banking app shows the recipient's registered name. If the name does not match the stall — for example, you are paying "Wong Kee Chicken Rice" but the recipient shows as an unrelated personal name or a generic company — cancel immediately and alert the stall owner.

Should I use a QR scanner app from the Play Store or App Store?

Generally no. Your phone's native camera app is the safest scanner because it shows a URL preview without running additional code. Many third-party scanner apps are bloated with ads or, worse, designed to inject their own redirects.

What should I do if I already entered my bank details on a fake QR-linked site?

Act within minutes. Call your bank's anti-scam hotline, freeze your cards through the kill switch in your banking app, change your SingPass and online banking passwords, file a police report, and call 1799 for ScamShield support. The faster you act, the higher the chance of recovering funds or stopping further transfers.

Final Thoughts

QR codes are not going away — they are too useful, too cheap to produce, and too embedded in Singapore's payment culture. The defence is not to stop scanning, but to scan with awareness. Inspect the physical surface, preview the URL, verify the recipient, and never enter sensitive details on a page reached through a QR code you did not expect.

Treat every code with healthy suspicion, enable Money Lock and ScamShield, and share this guide with family members who may be less digitally cautious. The strongest firewall against quishing is a habit, not an app.
