facebook-pixel

QR Code Scams in Singapore: How to Stay Safe in 2026

L
Lunyb Security Team
··11 min read

QR codes have quietly become part of daily life in Singapore. You scan them to pay at hawker centres, order kopi at cafes, top up EZ-Link cards, join Wi-Fi networks, and receive government notices. But that same convenience has opened a lucrative attack surface for scammers. In 2024 and 2025, the Singapore Police Force and the Cyber Security Agency of Singapore (CSA) both issued repeated advisories after victims lost hundreds of thousands of dollars in a single incident, sometimes with their entire savings drained in minutes.

This guide explains how QR code scams in Singapore actually work, the local variants you are most likely to encounter, and the practical steps you can take today to stay safe.

What Are QR Code Scams?

A QR code scam, sometimes called "quishing" (QR + phishing), is a social engineering attack that uses a malicious QR code to redirect a victim to a fraudulent website, prompt them to install a rogue app, or trigger an unauthorised payment. Because a QR code is just a machine-readable link, most users cannot tell a legitimate one from a fake one before scanning.

In Singapore, these scams are particularly effective for three reasons:

  1. Cashless culture. PayNow, SGQR, NETS QR and bank apps have trained us to scan and pay without a second thought.
  2. Trust in institutions. Singaporeans generally trust official-looking notices from MOM, IRAS, SPF, HDB, or well-known F&B chains.
  3. Mobile-first behaviour. Most scans happen on phones, where URLs are truncated and security indicators are harder to see.

How QR Code Scams Work in Singapore

Most QR scams in Singapore follow a predictable playbook. Understanding the flow makes them much easier to spot.

1. The Bait

The scammer places a fake QR code somewhere a Singaporean would reasonably scan it: pasted over a legitimate sticker at a bubble tea shop, printed on a fake parking summons, posted on a lift lobby noticeboard, or included in a WhatsApp message pretending to be from a bank, SingPost, or a survey offering a supermarket voucher.

2. The Redirect

Scanning the code opens a URL that closely resembles a genuine one — for example, a domain like dbs-secure-sg.com or singpass-verify.net. The page is a near-perfect clone of the real login screen.

3. The Harvest

Victims enter their Singpass credentials, iBanking username and password, and one-time passwords (OTPs). Some pages also ask users to "verify" by downloading an APK file (on Android), which installs malware capable of intercepting SMS OTPs and remotely controlling the device.

4. The Drain

Within minutes, the scammer logs into the victim's bank, raises transfer limits, and moves funds out via PayNow, FAST, or overseas remittance. By the time the victim realises, the money is gone.

Common QR Code Scam Variants Seen in Singapore

Fake F&B Survey Stickers

Scammers stick fake "Scan to give feedback and win a free bubble tea" stickers on tables at cafes and hawker centres. The QR leads to a survey site that eventually asks for banking credentials to "receive the reward." In 2023, a woman in Singapore reportedly lost S$20,000 to exactly this scam at a bubble tea shop.

Overlaid Payment QR Codes

At markets and small shops, scammers paste their own QR sticker directly over the merchant's SGQR or PayNow code. Customers pay the scammer's account instead of the stall owner. The stall owner may not notice until end-of-day reconciliation.

Fake Parking or LTA Fines

Realistic-looking notices left on windscreens or in mailboxes claim you have an outstanding fine. A QR code invites you to "pay now to avoid additional penalty." The site imitates AXS or the LTA payment portal.

Impersonation of Government Agencies

Letters or SMSes pretending to be from IRAS, MOM, ICA, or SPF include a QR code to "verify your identity via Singpass." The cloned Singpass page harvests credentials, which are then used to apply for loans or open accounts in the victim's name.

Phishing Emails With QR Codes

Corporate employees receive emails that appear to come from Microsoft 365, DBS IDEAL, or OCBC Velocity, asking them to scan a QR to reauthenticate. Because the malicious link is embedded in an image, many email security filters miss it.

Fake Delivery Notices

SingPost, Ninja Van, or Shopee delivery notices with QR codes claiming a "redelivery fee" of S$1–S$3 is required. The small amount lowers suspicion, but the payment page captures full card details for later fraud.

Real Warning Signs Before You Scan

Before scanning any QR code in Singapore, run through this quick mental checklist:

  • Is the sticker pasted over something? Check for a second layer of tape or paper.
  • Does the context make sense? Legitimate businesses rarely ask you to scan a QR to "claim a reward" that requires banking login.
  • Is the QR code unsolicited? Codes arriving via SMS, WhatsApp, or email from unknown senders should be treated as hostile by default.
  • Does the destination URL match the brand? After scanning, most phones preview the URL before opening. If it says dbs.com.sg.login-verify.xyz, it is not DBS.
  • Are you being rushed? "Pay within 2 hours to avoid penalty" is a classic pressure tactic.

Comparison: Legitimate vs Scam QR Codes in Singapore

SignalLegitimate QR CodeLikely Scam QR Code
PlacementPrinted directly on menu, receipt, or official signageSticker pasted over another sticker or on a random surface
Destination URLOfficial domain (e.g. dbs.com.sg, singpass.gov.sg, iras.gov.sg)Look-alike domain with extra words or unusual TLD (.xyz, .top, .info)
Request TypeOpens a menu, payment app, or info pageAsks for Singpass, iBanking login, or APK download
UrgencyNoneImmediate action required to avoid a fine or lose a reward
Payment FlowOpens your bank app with pre-filled merchant details you can verifyOpens a web page asking you to type in card or bank details

Step-by-Step: What to Do When You See a QR Code

  1. Pause. Do not scan reflexively, even if the code is in a familiar-looking place.
  2. Inspect physically. For payment QRs at hawker stalls or shops, look for tampering, uneven edges, or stickers layered on top of each other.
  3. Use your phone's built-in camera rather than a third-party QR scanner app. iOS and modern Android show the URL preview before opening.
  4. Read the URL carefully. Look for misspellings, extra subdomains, and unusual top-level domains.
  5. Never install an app from a QR code. Legitimate Singaporean banks and government agencies will never ask you to sideload an APK.
  6. Verify payment recipients. When your bank app opens after scanning a PayNow/SGQR, confirm the merchant name matches the stall or shop before approving.
  7. When in doubt, type the URL manually or navigate through the official app.

Protecting Your Devices and Accounts

Lock Down Your Bank App

All major Singapore banks — DBS, OCBC, UOB, Standard Chartered, Citibank, Maybank, HSBC — now offer a "Money Lock" or equivalent feature that ring-fences a portion of your savings so it cannot be transferred out digitally. Activate it. Also lower your daily transfer limits to the minimum you realistically need.

Enable Anti-Malware Protections

Turn on Google Play Protect on Android and avoid sideloading apps entirely. Since 2024, Singapore banks have rolled out anti-malware measures that block iBanking access if suspicious sideloaded apps are detected — do not disable this.

Use Strong, Unique Passwords and MFA

Use a password manager and enable Singpass Face Verification and biometric MFA wherever supported. Never share OTPs, not even with someone claiming to be from a bank or the police.

Be Careful With Shortened Links

QR codes often encode shortened links, which hide the true destination. Prefer link shorteners that give you the ability to preview the destination and that maintain clear abuse reporting — for example, reputable services like Lunyb that focus on transparent, privacy-respecting redirection. If you receive a shortened link you did not expect, use a URL expander or preview tool before opening.

Keep Your Phone Updated

Install iOS and Android security patches promptly. Many quishing attacks rely on out-of-date browsers or system components.

What to Do If You Have Already Been Scammed

Speed matters. If you suspect you have fallen for a QR code scam in Singapore, take these actions immediately, in order:

  1. Call your bank's 24/7 fraud hotline to freeze your accounts and cards. Every major Singapore bank publishes this number on the back of your card and inside the mobile app.
  2. Use the in-app "kill switch" if your bank offers one (DBS, OCBC, UOB and others do). This instantly disables digital access to all your accounts.
  3. Report to the Singapore Police Force via the ScamShield hotline 1799 or file a report at police.gov.sg. Provide screenshots of the QR code, the URL, and any transaction references.
  4. Reset your Singpass password and revoke unknown app authorisations at singpass.gov.sg.
  5. Factory reset your phone if you installed any APK or gave remote access. Restore only from a clean backup made before the incident.
  6. Notify Credit Bureau Singapore and place a fraud alert if you suspect your identity has been compromised.
  7. Change passwords on any account that shared credentials with the compromised login.

For Businesses: Protecting Your Customers

If you run an F&B outlet, retail shop, or any business that uses QR codes, you have a responsibility to protect customers too.

  • Laminate your SGQR and PayNow codes and inspect them daily for tampering.
  • Print QR codes directly onto menus or receipts rather than using loose stickers.
  • Display your registered business name prominently so customers can verify it matches what appears in their banking app.
  • Use branded, trackable short links from a reputable provider — see our 2026 URL shortener buyer's guide — so customers see a familiar domain instead of a random string.
  • Train staff to recognise and report suspicious stickers or overlays.

The Bigger Picture: Why Singapore Is a Target

Singapore's high smartphone penetration (over 90%), widespread QR-based payments, and relatively high disposable income make it a top target for regional scam syndicates operating out of neighbouring countries. According to Singapore Police Force annual scam statistics, phishing-related scams — of which QR quishing is a growing sub-category — accounted for hundreds of millions of dollars in losses in recent years.

The good news: awareness works. Victims are overwhelmingly people who had not previously heard of the specific scam variant. Once you understand the playbook, the same techniques stop working on you.

Frequently Asked Questions

Is it safe to scan QR codes at hawker centres and coffee shops in Singapore?

Generally yes, but always look for signs of tampering — such as a sticker pasted over the original SGQR code — and verify that the merchant name shown in your bank app matches the stall before confirming payment. If in doubt, pay by cash or ask the stall owner to show you the correct code.

Can simply scanning a QR code infect my phone?

Scanning alone usually just opens a URL; it does not install anything by itself. The danger comes from what you do next — entering credentials on a phishing site, downloading a malicious app (particularly APK files on Android), or approving a payment. Modern iOS and Android are reasonably resilient, but user actions after the scan are where compromise happens.

How do I tell if a Singpass or bank login page is fake?

Check the URL carefully. The genuine Singpass domain is singpass.gov.sg. Bank domains end in the official brand (for example, dbs.com.sg, ocbc.com, uob.com.sg). Any variation with extra words, hyphens, or unusual endings such as .xyz, .info, or .top is almost certainly a scam. Better yet, never log in via a link — open the official app directly.

What should I do first if I entered my bank details after scanning a scam QR code?

Immediately call your bank's fraud hotline to freeze your account and use the in-app kill switch if available. Then reset your iBanking and Singpass passwords, report the incident to the police via 1799 or police.gov.sg, and monitor your accounts closely. Every minute counts because scammers can move funds within minutes of gaining access.

Are shortened links inside QR codes always dangerous?

Not always — many legitimate businesses use shortened links for tracking and branding. The risk is that the true destination is hidden. Prefer QR codes from providers you trust, use your phone's URL preview feature, and if you are creating QR codes yourself, choose a transparent shortener such as Lunyb that shows clear destination information and supports abuse reporting.

Final Thoughts

QR code scams in Singapore are not going away — if anything, they are becoming more sophisticated, with AI-generated cloned websites and increasingly convincing impersonation of local brands and agencies. But the defence is straightforward: pause before you scan, verify the destination, never enter credentials or install apps from a QR code link, and lock down your bank accounts with the security features already available to you.

A few seconds of caution at the point of scanning is worth far more than months of trying to recover money that, once transferred overseas, is very rarely returned.

Protect your links with Lunyb

Create secure, trackable short links and QR codes in seconds.

Get Started Free

Related Articles