
QR Code Scams in Singapore: How to Stay Safe in 2026

Lunyb Security Team

Singapore has one of the highest smartphone penetration rates in the world, and QR codes are everywhere — from hawker centre payment terminals to MRT advertisements, parking meters, and restaurant menus. Unfortunately, this convenience has created a new playground for fraudsters. QR code scams, also known as "quishing" (QR phishing), have become one of the fastest-growing fraud categories tracked by the Singapore Police Force.

This guide explains how QR code scams in Singapore work, the red flags to watch for, and the practical habits that will keep your bank account, SingPass credentials, and personal data safe.

What Are QR Code Scams?

A QR code scam is a fraud technique where criminals trick victims into scanning a malicious QR code that leads to a fake website, downloads malware, or initiates an unauthorised payment. Because the destination URL is hidden inside the code, victims cannot easily verify where they are being sent before tapping the link.

In Singapore, these scams typically end with one of three outcomes:

  • Bank accounts drained after victims enter login credentials on a spoofed bank portal.
  • Android phones infected with malware that intercepts SMS OTPs.
  • PayNow or credit card payments sent to a scammer-controlled account.

Why Singapore Is a Prime Target

Several factors make Singapore particularly attractive to QR code scammers:

  1. High digital payment adoption. PayNow, NETS QR, and SGQR are used by virtually every demographic.
  2. Trusted-by-default culture. Singaporeans generally trust signage in public places like coffee shops, hawker stalls, and government-linked spaces.
  3. High disposable income. The return on investment for scammers per successful victim is significant.
  4. Bilingual phishing surface. Scammers can craft believable lures in English, Mandarin, Malay, or Tamil.

According to figures shared by the Singapore Police Force and the Cyber Security Agency (CSA), phishing-related scams — which include quishing — caused hundreds of millions of dollars in losses in recent years, with QR codes increasingly identified as the initial attack vector.

How QR Code Scams Work in Singapore

Most quishing attacks follow a predictable five-step pattern:

  1. Bait placement. A scammer prints a fake QR sticker and places it over a legitimate one — on a parking meter, bubble tea shop counter, or restaurant table.
  2. Scan and redirect. The victim scans the code, which opens a URL that looks like a real bank, government, or merchant page.
  3. Credential or app capture. The fake page asks for SingPass login, bank credentials, or prompts an APK download (Android only).
  4. Session hijack or malware install. Once installed, the malicious app reads SMS messages, captures OTPs, and grants remote access.
  5. Account drain. The scammer logs in, transfers funds via PayNow or FAST, and disappears within minutes.

Common Quishing Scenarios Seen Locally

  • Bubble tea and F&B "surveys": Stickers on shop windows promising free drinks for completing a survey after scanning.
  • Fake parking fines: Notices placed on car windscreens demanding payment via QR.
  • Counterfeit PayNow stickers: Overlaid on real hawker stall QR codes, redirecting payments to mule accounts.
  • Fake CDC voucher or government scheme pages: Promising payouts after "verification" via SingPass.
  • Phishing emails with QR codes: Sent to corporate inboxes, bypassing email link scanners that don't decode images.

Red Flags: How to Spot a Malicious QR Code

You cannot "read" a QR code with your eyes, but you can read its context. Watch for these warning signs before you scan:

| Red Flag | Why It Matters |
| --- | --- |
| Sticker placed over another sticker | Classic overlay attack on legitimate payment QRs. |
| QR code on an unsolicited email or letter | Legitimate banks and government agencies in Singapore rarely send QR codes by email for logins. |
| Promises of free gifts, vouchers, or rebates | Bait designed to bypass your critical thinking. |
| URL preview shows a shortened or unfamiliar domain | Could mask a phishing site. Always expand the link first. |
| Prompt to download an APK file | Sideloaded Android apps are the #1 malware delivery method in Singapore. |
| Page requests SingPass or bank login "to verify" | No genuine merchant payment QR ever asks for this. |
| Urgent language: "act now," "final notice" | Pressure tactics indicate social engineering. |
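
The URL-related red flags above (shortened or unfamiliar domain, APK download, a login page that is not on the real domain) can be checked mechanically once a QR code has been decoded to text, for example by staff reviewing a reported sticker. The Python below is an added example, not code from Lunyb or any Singapore agency; the shortener list, the brand-to-domain map and the sample URLs are constructed assumptions.

```python
from urllib.parse import urlsplit

# Constructed sample lists (assumptions, not an authoritative feed).
BRAND_DOMAINS = {"singpass": "singpass.gov.sg"}   # brand keyword -> real domain
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co"}


def on_domain(host, domain):
    """True if host is the domain itself or one of its subdomains."""
    return host == domain or host.endswith("." + domain)


def triage_qr_url(payload):
    """Return the red flags found in a decoded QR payload (empty list = none)."""
    try:
        parts = urlsplit(payload.strip())
    except ValueError:
        return ["malformed URL"]
    scheme, host = parts.scheme.lower(), (parts.hostname or "").lower()
    if scheme not in ("http", "https") or not host:
        return ["not a web URL"]
    flags = []
    if scheme == "http":
        flags.append("plain http, no TLS")
    if parts.username is not None:
        flags.append("userinfo before '@' hides the real host")
    if host in SHORTENER_HOSTS:
        flags.append("shortened link, expand before opening")
    if any(label.startswith("xn--") for label in host.split(".")):
        flags.append("punycode host, possible lookalike")
    if parts.path.lower().endswith(".apk"):
        flags.append("direct APK download")
    for brand, domain in BRAND_DOMAINS.items():
        # Brand name anywhere in the URL, but the host is not the brand's domain.
        if brand in payload.lower() and not on_domain(host, domain):
            flags.append(f"mentions {brand} but host is not {domain}")
    return flags


if __name__ == "__main__":
    samples = [  # constructed URLs under the reserved .example TLD
        "https://singpass.gov.sg/login",
        "https://singpass.gov.sg.verify-login.example/auth",
        "http://bit.ly/abc123",
        "https://cdn.files.example/app-update.apk",
    ]
    for url in samples:
        print(url, "->", triage_qr_url(url) or "no flags")
```

An empty result only means none of these specific checks fired; the physical and contextual red flags in the table still apply.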

10 Practical Steps to Stay Safe

Follow these habits every time you encounter a QR code in Singapore:

  1. Preview the URL before opening. Both iOS and Android show the destination link at the top of the screen after scanning. Read it carefully before tapping.
  2. Inspect the physical sticker. Peel-test gently — a sticker over a sticker is an immediate red flag.
  3. Use your bank's own app to pay. Instead of scanning random QRs, open DBS PayLah!, OCBC Digital, or UOB TMRW and scan from inside the app, which has built-in fraud checks.
  4. Never sideload APK files. If a QR code prompts you to install an app outside Google Play or the App Store, walk away.
  5. Enable Google Play Protect and Safe Browsing. These catch many malicious domains automatically.
  6. Turn on ScamShield. The free app from the Singapore Police Force and Open Government Products blocks known scam URLs and SMS.
  7. Verify with the merchant. If paying at a stall, confirm the recipient name shown in your banking app matches the business.
  8. Use encrypted DNS. Services like Cloudflare 1.1.1.1 or NextDNS can block known phishing domains at the network level.
  9. Keep your phone updated. Security patches close vulnerabilities that malware exploits.
  10. Set transaction limits. Lower your daily PayNow and FAST transfer caps so a single attack cannot wipe you out.

What to Do If You Have Scanned a Suspicious QR Code

If you suspect you've fallen for a quishing attempt, act within minutes — speed is everything:

  1. Disconnect immediately. Turn on aeroplane mode to stop any active session or malware communication.
  2. Do not enter any credentials. Close the browser tab without typing anything if you haven't already.
  3. Call your bank's 24/7 anti-scam hotline. DBS, OCBC, UOB, and Standard Chartered all have dedicated fraud lines. Request an immediate account freeze.
  4. Report to the police. Call the ScamShield Helpline at 1799 or file a report at eservices.police.gov.sg.
  5. Reset your SingPass. If you entered SingPass details, log in from a clean device and change your password and 2FA settings immediately.
  6. Factory reset Android phones if you installed an APK. Malware persistence on Android is extremely difficult to clean any other way.
  7. Notify CSA SingCERT. Report the phishing URL so it can be added to national blocklists.

How URL Shorteners Fit Into the Picture

QR codes almost always encode a URL, and many businesses use shortened links to keep codes scannable and trackable. The problem: scammers also use shortened links to hide phishing destinations.

The solution isn't to avoid shortened links entirely — it's to use shorteners that offer link previews, malware scanning, and analytics. Reputable platforms like Lunyb let recipients preview where a short link leads before committing to the click, which is a meaningful safety net when paired with a printed QR code. If you're choosing a link tool for your business, our 2026 buyer's guide to URL shorteners compares the leading options on security features, and our honest review of Lunyb walks through its safety controls in detail.

Quick Comparison: Safer QR Habits vs Risky QR Habits

| Risky Habit | Safer Alternative |
| --- | --- |
| Scanning any QR you see in public | Scan only when you have a clear reason and trusted source |
| Tapping the link immediately | Read the URL preview first, look for the real domain |
| Paying via random QR sticker | Open your bank app and scan from inside |
| Installing APKs from QR prompts | Only install from Google Play or the App Store |
| Entering SingPass after a QR scan | Always navigate to singpass.gov.sg manually |

For Businesses: Protecting Your Customers

If you run a Singapore-based business that uses QR codes — for payments, menus, marketing, or check-ins — you share responsibility for customer safety. Consider the following:

  • Laminate or frame your QR codes. This makes overlay stickers obvious and harder to apply.
  • Inspect daily. Train staff to check payment QR codes at the start and end of each shift.
  • Use branded short links. A custom domain (e.g. yourbrand.link/menu) is harder to spoof than a generic shortener. See our Rebrandly review for one option, or compare alternatives.
  • Display the expected destination. Print the human-readable URL next to the QR so customers can cross-check.
  • Monitor analytics. A sudden drop in scans on your real QR may indicate an overlay attack is diverting traffic.

The Bigger Picture: Layered Defence

No single tool stops every QR scam. The most resilient approach combines:

  • Awareness — knowing the red flags above.
  • Device hygiene — updated OS, Play Protect, no sideloading.
  • Network protection — encrypted DNS that blocks known phishing domains.
  • Financial controls — low transaction limits, money lock features (DBS digiVault, OCBC Money Lock, UOB LockAway).
  • Reporting reflex — calling 1799 the moment something feels off.

Singapore's anti-scam ecosystem — banks, telcos, SPF, CSA, and IMDA — has improved enormously, but criminals adapt quickly. The biggest variable is still you, the person holding the phone. A two-second pause before scanning is the cheapest, most effective defence available.

Frequently Asked Questions

Are QR code scams in Singapore really that common?

Yes. The Singapore Police Force and CSA have repeatedly flagged quishing as a top-tier emerging threat, with documented losses ranging from a few hundred dollars to entire life savings in single incidents. Cases involving fake bubble tea surveys and counterfeit hawker payment stickers have been widely reported in mainstream local media.

Can iPhones get malware from scanning a QR code?

iPhones are significantly harder to infect because iOS does not allow APK-style sideloading. However, iPhone users are still vulnerable to phishing pages — fake SingPass, DBS, or OCBC login screens work identically on any device. The risk is credential theft rather than malware installation.

Is it safe to scan QR codes at hawker centres?

Generally yes, but always verify the recipient name shown in your banking app matches the stall owner before confirming payment. Be alert for stickers that appear newly placed, lifted at the corners, or stuck over another QR. When in doubt, ask the stall owner to confirm the displayed business name.

What should I do if I scanned a QR code but didn't enter anything?

If you only scanned and viewed the page without entering credentials or downloading anything, your risk is low. Close the browser tab, clear your browsing data, and run a security scan if you're concerned. Avoid revisiting the link. If the page tried to auto-download a file, do not open it — delete it from your downloads folder.

How do I report a suspicious QR code or phishing site in Singapore?

Call the ScamShield Helpline at 1799, file an online report at the Singapore Police Force e-services portal, and submit the malicious URL to CSA SingCERT. If you lost money, contact your bank's 24/7 anti-scam hotline immediately to attempt a recall of the funds.
