QR Code Scams in Singapore: How to Stay Safe in 2026
QR codes have become part of daily life in Singapore — from paying for kopi at a hawker stall to topping up an EZ-Link card or scanning a menu at a restaurant. Unfortunately, the same convenience that made QR codes ubiquitous has also made them one of the fastest-growing tools for scammers. The Singapore Police Force and the Cyber Security Agency (CSA) have repeatedly warned the public about "quishing" — phishing carried out through malicious QR codes — with victims losing tens of thousands of dollars in single incidents.
This guide breaks down how QR code scams work in Singapore, the most common local tactics, and the practical steps you can take to stay safe.
What Are QR Code Scams?
A QR code scam is any fraud that uses a Quick Response (QR) code to trick a victim into visiting a malicious website, downloading malware, or authorising a fraudulent payment. Because QR codes are just machine-readable shortcuts to URLs or instructions, you cannot tell what they do simply by looking at them — and scammers exploit this blind trust.
In Singapore, the term often used by authorities and the media is "quishing" (QR + phishing). It typically ends with the victim entering banking credentials, Singpass details, or card information on a fake website that looks identical to a legitimate one such as DBS, OCBC, UOB, or a government portal.
Why Singapore Is a Prime Target
- High QR adoption: PayNow, SGQR, NETS QR and PayLah! have normalised scanning codes for everyday transactions.
- Tech-savvy but trusting population: Many users assume any QR code in a public place is safe.
- High-value bank accounts: Singapore's strong banking sector makes successful phishing extremely profitable.
- Tourist density: Areas like Orchard, Chinatown, and Marina Bay see constant scanning activity that scammers can blend into.
How QR Code Scams Work in Singapore
Most quishing attacks follow a predictable pattern, even when the cover story changes. Understanding the flow helps you spot one before you tap.
- The lure: A scammer presents a QR code in a context that feels normal — a sticker on a bubble tea shop, a flyer for a survey, a parking notice, or a message on Carousell.
- The scan: The victim opens their camera or scanner app and is taken to a URL.
- The fake site: The page mimics a bank, government agency, or e-commerce site. It may ask for Singpass login, bank credentials, an OTP, or to install an APK file.
- The capture: Credentials and one-time passwords are forwarded to the scammer in real time.
- The drain: Within minutes, the attacker logs into the real bank account and transfers funds out, often via PayNow to mule accounts.
Common QR Code Scam Tactics Seen in Singapore
1. Bubble Tea and F&B "Free Survey" Scams
One of the most widely reported Singapore cases involved a 60-year-old woman who lost S$20,000 after scanning a QR code on a bubble tea shop sticker that promised a free cup for completing a survey. The link installed a malicious Android app that gave attackers remote access to her phone and banking app.
2. Fake Parking Fine Notices
Scammers leave forged HDB or URA parking notices on windscreens with a QR code to "pay the fine." The site mimics AXS or a bank portal and harvests card details.
3. Restaurant Menu Overlays
A scammer pastes their own QR sticker over the legitimate one on a restaurant table. The victim scans, lands on a fake payment page, and pays the scammer instead of the restaurant.
4. Singpass and IRAS Impersonation
Emails or SMSes claim you have an unclaimed tax refund or pending Singpass verification. The QR code leads to a near-perfect clone of the Singpass login page.
5. Carousell and Marketplace Scams
A "buyer" sends a QR code claiming it is needed to receive payment via PayNow. Scanning it actually authorises a transfer from the seller's account.
6. Charity and Donation Scams
Fake volunteers in public areas hold up donation QR codes for causes that sound legitimate but route funds to personal wallets.
Red Flags: How to Spot a Malicious QR Code
Before scanning any code, run through this quick mental checklist:
- Is the QR code a sticker placed over another code? Peel-test it where appropriate.
- Does the surrounding signage have typos, off-brand colours, or low-quality printing?
- Is the code in an unusual location — a lamp post, public toilet, or random flyer?
- Was the code sent to you unsolicited via WhatsApp, SMS, or email?
- Does the URL preview look strange, use a misspelled domain, or end in unusual extensions like
.xyz,.top, or.click? - Does the resulting page ask you to download an APK file outside the Google Play Store?
- Does it request Singpass, full NRIC, or banking OTP without a clear reason?
10 Ways to Stay Safe from QR Code Scams
1. Always Preview the URL Before Opening
Both iOS Camera and most Android scanners show the destination URL before opening it. Read it carefully. Look for the real domain (e.g. dbs.com.sg, not dbs-sg-login.xyz).
2. Never Install Apps via QR Code Links
Legitimate Singapore banks and government agencies will never ask you to sideload an APK. Only install banking apps from the official Google Play Store or Apple App Store.
3. Enable Money Lock on Your Bank Account
DBS, OCBC, UOB and others now offer "Money Lock" features that ring-fence a portion of your savings so it cannot be transferred digitally — even if scammers gain access.
4. Turn On Anti-Scam Protections
Use the ScamShield app by the National Crime Prevention Council (NCPC) and Open Government Products. It blocks known scam SMSes and calls, and lets you check suspicious messages.
5. Use Trusted URL Scanners and Shorteners
If you frequently share or receive links, use platforms that provide safe-link checking and transparent destination previews. Tools like Lunyb let you create and inspect short links so recipients can see where they really lead before clicking. For a wider comparison, see our 2026 buyer's guide to URL shorteners.
6. Verify Payment QR Codes at F&B Outlets
When paying via SGQR, check that the merchant name shown in your banking app matches the actual shop. If a hawker stall "Ah Hock Chicken Rice" suddenly shows up as "John Tan Personal Account," stop the transaction.
7. Treat Unsolicited QR Codes Like Unsolicited Links
If you didn't ask for it, don't scan it. This applies to QR codes in emails, WhatsApp forwards, random flyers in your letterbox, and even Telegram groups.
8. Keep Your Phone OS and Apps Updated
Many quishing attacks rely on exploiting outdated Android versions or sideloaded apps with excessive permissions. Updates patch the vulnerabilities they depend on.
9. Use Encrypted DNS and a Reputable Browser
Enabling private DNS (e.g. 1.1.1.1 or dns.google) and using browsers with built-in phishing protection like Brave, Chrome, or Safari adds a layer of network-level filtering against known malicious domains.
10. Set Transfer Limits and Notifications
Lower your daily PayNow and outward transfer limits to the minimum you actually need. Enable instant SMS or push notifications for every transaction, no matter how small.
QR Code Scams vs Other Common Scams in Singapore
To put quishing in context, here is how it compares to other major scam types currently affecting Singaporeans:
| Scam Type | Entry Point | Typical Loss | Main Defence |
|---|---|---|---|
| QR Code (Quishing) | Physical sticker, flyer, chat message | S$1,000 – S$100,000+ | Preview URL, never sideload apps |
| Phishing SMS | SMS link impersonating bank/IRAS | S$500 – S$50,000 | ScamShield, ignore links in SMS |
| Job Scams | WhatsApp/Telegram "easy task" offers | S$2,000 – S$200,000 | Verify employer, never pay upfront |
| Investment Scams | Social media ads, fake celeb endorsements | S$10,000 – S$500,000+ | Check MAS Investor Alert List |
| E-commerce Scams | Carousell, Facebook Marketplace | S$50 – S$5,000 | Use in-platform escrow only |
What to Do If You've Been Scammed
Speed matters. The first 30 minutes are the most critical window for recovering funds.
- Call your bank immediately using the 24/7 anti-scam hotline (DBS: 1800-339-6963, OCBC: 1800-363-3333, UOB: 1800-222-2121). Request a freeze on all accounts.
- Disconnect your phone from the internet and turn off mobile data and Wi-Fi to stop further remote control if malware was installed.
- Call the Anti-Scam Helpline at 1800-722-6688 or report online at
www.police.gov.sg/iwitness. - File a police report at any Neighbourhood Police Centre or via the e-Services portal.
- Change all passwords from a different, clean device — Singpass, banking, email, and any reused passwords.
- Factory reset your phone if you installed any suspicious APK, then restore only from a trusted backup made before the incident.
- Notify Singpass at 6335 3533 if you suspect your Singpass was compromised.
How Businesses in Singapore Can Protect Customers
If you run an F&B outlet, retail store, or any business that displays QR codes, you have a duty of care to keep customers safe:
- Laminate or engrave payment QR codes so stickers cannot be placed over them.
- Inspect tables and counters daily for foreign QR stickers.
- Display the registered merchant name clearly next to the SGQR code so customers can verify it in their banking app.
- Use branded short links for marketing campaigns instead of generic QR codes pointing to unknown domains. Services like Lunyb let you create custom-branded short URLs that customers can recognise and trust.
- Train staff to recognise common scam tactics and to confirm payment received before releasing goods.
The Bigger Picture: Singapore's Anti-Scam Response
Singapore has taken aggressive steps to combat scams. The Anti-Scam Command (ASCom) was established in 2022 and has frozen tens of thousands of suspicious accounts. The Shared Responsibility Framework (SRF), which took effect in late 2024, defines when banks and telcos must compensate scam victims who were not negligent.
However, the SRF specifically covers phishing scams where the victim was deceived into giving credentials — it does not automatically cover all losses from QR code scams, especially if the victim sideloaded an app or ignored bank warnings. Personal vigilance remains your strongest defence.
Frequently Asked Questions
Are all QR codes in Singapore dangerous?
No. The vast majority of QR codes — SGQR at hawker stalls, NETS QR at retailers, codes in official MOH or government materials — are completely safe. The risk lies with codes from unverified sources or stickers that may have been tampered with. Always preview the URL and verify the merchant name before scanning.
Can scanning a QR code alone hack my phone?
Simply scanning a QR code does not directly install malware. The danger occurs in the next step: opening the link, then either entering credentials on a fake site or downloading and installing a malicious APK file. If you stop after seeing the URL preview and recognise it as suspicious, you are safe.
Will the bank refund me if I lose money to a QR code scam?
It depends. Under Singapore's Shared Responsibility Framework, banks and telcos may share liability if they failed to meet their duties (e.g. not sending real-time alerts). However, if you sideloaded an app, ignored warnings, or willingly entered your OTP, the bank may classify it as user negligence. Report the incident immediately to maximise your chances of recovery.
What's the safest way to pay at a hawker centre?
Use PayLah!, PayNow, or NETS QR scanning from your banking app (not a generic camera app). Always verify the merchant name shown in your app matches the stall before confirming payment. If the name looks like a personal account when the stall is clearly a business, cancel the transaction and pay in cash.
Should I use a third-party QR scanner app?
Generally no. The built-in iOS Camera and Android Camera apps are safe, show URL previews, and don't require additional permissions. Third-party scanner apps from unknown developers can request excessive permissions or display sponsored (and potentially malicious) links. Stick with what's built in.
Stay alert, stay informed. QR code scams will continue to evolve, but the fundamentals of safe scanning remain the same: pause, preview, verify. When in doubt, don't scan — the few seconds you save aren't worth the savings you could lose.
Protect your links with Lunyb
Create secure, trackable short links and QR codes in seconds.
Get Started FreeRelated Articles
Two-Factor Authentication: Why You Need It in 2026
Two-factor authentication blocks over 99% of automated account attacks, yet most people still rely on passwords alone. This guide explains how 2FA works, the best methods to use, and how to set it up across your most important accounts.
Phishing Attacks in Singapore: How to Recognize and Avoid Them
Phishing attacks in Singapore cost victims over S$100 million each year, with scammers impersonating banks, SingPost, and government agencies. This guide explains how to recognize smishing, vishing, and QR code scams, and the practical steps you can take to protect yourself and your business.
End-to-End Encryption Explained: How It Works and Why It Matters
End-to-end encryption keeps your messages, files, and calls readable only by you and your recipient — not even the service provider can see the content. This guide explains how E2EE works, why it matters, and how to use it well in everyday life.
Email Security Best Practices for 2026: The Complete Guide
Email remains the top attack vector in 2026, with AI-powered phishing making threats harder to spot. This comprehensive guide covers the top 10 email security best practices, tool comparisons, and step-by-step actions to keep your inbox safe.