facebook-pixel

QR Code Scams in Singapore: How to Stay Safe in 2026

L
Lunyb Security Team
··10 min read

QR codes are everywhere in Singapore. From hawker centre payments and PayNow transfers to MRT posters, restaurant menus, and government service portals, scanning a small square of black-and-white dots has become second nature. Unfortunately, scammers have noticed. In the past two years, the Singapore Police Force has reported a sharp rise in QR code scams — a category of fraud that has cost victims millions of dollars, often in minutes.

This guide explains exactly how QR code scams in Singapore work, the red flags to watch for, and the practical habits that will keep you, your family, and your business safe.

What Are QR Code Scams?

A QR code scam is a type of fraud where criminals use fake or tampered QR codes to trick victims into visiting malicious websites, downloading harmful apps, or authorising fraudulent payments. Because a QR code is unreadable to the human eye, users cannot tell where it actually leads until after they scan it — and by then, damage may already be done.

In Singapore, QR code scams typically fall into three broad categories:

  1. Phishing QR codes — the code leads to a fake login page (bank, Singpass, or e-commerce) designed to steal credentials.
  2. Malicious app installation — scanning the code prompts a download of an Android APK file that installs spyware or a banking trojan.
  3. Payment redirection — a legitimate merchant's PayNow or SGQR sticker is replaced with the scammer's own code, redirecting payments.

Why Singapore Is a Prime Target

Singapore's rapid adoption of cashless payments makes it fertile ground for QR-based fraud. SGQR — the world's first unified QR payment standard — is used at over 200,000 acceptance points nationwide. Singpass, the digital identity used by nearly every resident, also relies heavily on QR-based authentication.

Scammers exploit three specific factors:

  • Trust in the format: Singaporeans scan dozens of QR codes weekly and rarely inspect them.
  • Speed of transactions: PayNow transfers are instant and generally irreversible.
  • Sophisticated phishing infrastructure: Fake DBS, OCBC, UOB, and Singpass pages are now near-indistinguishable from the real thing.

According to the Singapore Police Force's Annual Scams and Cybercrime Brief, phishing scams — many initiated through QR codes — remained one of the top scam types by both case volume and value lost in the last reporting cycle.

Common QR Code Scams in Singapore

1. The Bubble Tea and Hawker Stall Survey Scam

This scam became notorious after a widely publicised case where a victim lost S$20,000 after scanning a QR code offered by a stranger promising a free cup of bubble tea in exchange for filling out a "survey". The QR code directed the victim to download a third-party Android app, which then hijacked her phone, monitored keystrokes, and drained her bank account overnight.

Where it happens: Outside malls, MRT stations, hawker centres, and popular F&B outlets.

2. Fake Parking Fine and LTA Notices

Victims find a slip on their windscreen or receive a letter claiming an unpaid ERP or parking fee. A QR code is provided for "quick payment". Scanning leads to a fake LTA or HDB carpark portal that harvests credit card details.

3. Replaced Payment Stickers at Small Merchants

Scammers physically paste their own PayNow QR code over a hawker or small retailer's genuine sticker. Customers scan, pay S$3 for kopi, and the money goes straight to the criminal. Many merchants only realise at end-of-day reconciliation.

4. Fake Singpass or CDC Voucher QR Codes

Especially prevalent during voucher distribution periods, scammers send SMS or WhatsApp messages with QR codes claiming to help residents "claim" CDC vouchers, GST rebates, or Singpass verifications. The linked site asks for Singpass credentials and 2FA codes.

5. E-Commerce Delivery "Redelivery" QR Codes

Fake SingPost, Ninja Van, or Qxpress notices arrive by email or in physical mailboxes asking recipients to scan a QR code to reschedule delivery. The link often installs malware or asks for a small "redelivery fee" via credit card.

6. Investment and Crypto QR Scams

Promoted through Telegram groups, Facebook ads, and even LinkedIn, these scams use QR codes to funnel victims into fake investment platforms or crypto wallet apps that appear legitimate but siphon deposits.

Red Flags: How to Spot a Suspicious QR Code

Before you scan any QR code, run through this quick mental checklist:

  • Physical tampering: Does the sticker look freshly pasted over another one? Are the edges peeling?
  • Unsolicited source: Was the code handed to you by a stranger, sent unexpectedly, or found on a random flyer?
  • Urgency or reward pressure: "Scan now to claim!" or "Pay within 24 hours to avoid fines!"
  • Preview mismatch: The URL preview after scanning doesn't match the brand it claims to be.
  • Requests to download an app: Legitimate Singapore businesses will direct you to the Apple App Store or Google Play, never to an APK download.
  • Requests for Singpass, 2FA codes, or full card details on an unfamiliar site.

How to Stay Safe: 10 Practical Habits

  1. Always preview the URL. Every modern iPhone and Android camera shows the destination URL before opening it. Read it carefully — look for misspellings like "dbs-sg-login.com" or "singpass-verify.net".
  2. Never install Android apps from QR codes. If a code asks you to sideload an APK, stop immediately. This is the number one method used to compromise Singapore bank accounts.
  3. Verify payment QR codes with the merchant. At hawker stalls, glance at the name displayed after scanning — it should match the stall owner or business name.
  4. Use official apps for government services. Access Singpass, IRAS, LTA, and HDB only through their official apps or by typing the URL directly.
  5. Enable transaction alerts and set low daily limits. DBS, OCBC, UOB, and most digital banks allow you to cap PayNow and overseas transfer limits. Lower them if you rarely need high amounts.
  6. Turn on "Money Lock" or equivalent features. Most Singapore banks now offer a lock function that ring-fences a portion of your savings from digital transactions.
  7. Keep your phone OS updated. Many QR-triggered attacks exploit unpatched Android and iOS vulnerabilities.
  8. Use a URL scanner or link expander for suspicious links. If you receive a shortened or unfamiliar link, expand it before opening. Tools like Lunyb can help you generate and manage your own trusted short links for business use, and their transparency around link destinations sets a good standard — you should never trust a shortener that hides where it's sending you.
  9. Report and block. Report suspicious QR codes to the ScamShield app or call the Anti-Scam Helpline at 1799.
  10. Educate elderly family members. A significant portion of QR scam victims in Singapore are seniors unfamiliar with the format. Walk them through a live example.

Comparison: Safe vs. Suspicious QR Code Interactions

SituationSafe BehaviourWarning Signs
Paying at a hawker stallMerchant name matches the stall, small amount, confirmed by ownerSticker looks tampered, name is unfamiliar, or an unknown "individual" account
Receiving a government noticeAccess via official Singpass app or gov.sg siteQR code on unsolicited SMS, WhatsApp, or unofficial letter
Claiming a promotionScanned from an official brand poster inside a verified storeStranger on the street offering rewards for a scan
Redelivery noticeVerified via courier's official app with tracking numberQR code with urgency, small "fee", or APK download
Investment opportunityMAS-licensed platform accessed via typed URLTelegram/Facebook promotion via QR code with guaranteed returns

What to Do If You've Already Scanned a Suspicious QR Code

If you suspect you've fallen victim, act within minutes — Singapore banks can sometimes freeze fraudulent transfers if reported quickly enough.

  1. Do not enter any credentials if you're already on the suspicious page. Close the browser tab immediately.
  2. Disconnect from the internet (turn on flight mode) if you downloaded a suspicious app. This prevents further data exfiltration.
  3. Call your bank's 24-hour anti-scam hotline — DBS: 1800-339-6963, OCBC: 1800-363-3333, UOB: 1800-222-2121.
  4. Uninstall the app and consider a full factory reset if a suspicious APK was installed.
  5. Change passwords for Singpass, banking, email, and any accounts accessed on the device.
  6. Lodge a police report at any Neighbourhood Police Centre or online via the SPF e-Services portal.
  7. Report the scam through the ScamShield app to help protect others.

How Businesses in Singapore Can Protect Their Customers

If you're an F&B owner, retailer, or SME, you have a duty of care to your customers as well:

  • Laminate and secure your SGQR/PayNow stickers. Consider tamper-evident holographic overlays.
  • Do daily visual checks of every QR code sticker at your premises.
  • Reconcile payments daily, not weekly — early detection matters.
  • Display your business name clearly next to the QR code so customers can verify at scan time.
  • Use branded short links for promotional QR campaigns. Trusted platforms like Lunyb allow you to publish transparent, verifiable short URLs — much safer than exposing raw links or unknown redirects. For a deeper look at how link platforms compare, see our 2026 URL shorteners buyer's guide.
  • Train staff to recognise and report tampered stickers.

The Role of Link Transparency in Preventing Scams

One reason QR code scams succeed is that users cannot see where a code leads. This is why the reputation of the underlying link infrastructure — including URL shorteners — matters. A trustworthy shortener should:

  • Show a clear preview or landing page for questionable links
  • Scan destinations against phishing and malware databases
  • Allow custom branded domains so users can recognise the source
  • Provide analytics so businesses spot abuse quickly

If you're evaluating tools for your business, our honest review of Lunyb and our Rebrandly 2026 review both dig into the safety and branding features that matter most for QR-driven campaigns.

Frequently Asked Questions

Are QR code payments in Singapore generally safe?

Yes — SGQR and PayNow are safe by design, and the underlying banking infrastructure is well-regulated. The risk lies not in the technology but in the physical stickers being replaced, or in scammers tricking users into scanning fake codes that impersonate banks or government services. Always verify the recipient name shown by your banking app before confirming a transfer.

Can simply scanning a QR code infect my phone?

Scanning alone rarely installs malware directly on modern iPhones or Android phones. The risk comes from what happens next — if you tap the link, enter credentials on a phishing site, or approve an app installation. Treat a QR code the same way you would treat an unknown link in an email.

What should I do if I paid a scammer via PayNow?

Call your bank's anti-scam hotline immediately — within minutes if possible. Banks in Singapore participate in a coordinated anti-scam framework and can attempt to freeze funds at the receiving bank. Then file a police report and submit a claim through ScamShield. The faster you act, the higher the chance of partial recovery.

How do I report a suspicious QR code sticker I found in public?

Take a photo of the sticker and its location, then report it via the ScamShield app or call 1799 (the Anti-Scam Helpline). If the sticker is on a merchant's premises, notify the shop owner immediately so they can remove it and check for unauthorised payments.

Are seniors more vulnerable to QR code scams?

Yes. Statistics from the Singapore Police Force show that a disproportionate number of victims of high-value phishing and QR-related scams are older residents. If you have elderly family members, walk them through the red flags in this guide, lower their daily transfer limits, and enable Money Lock on their accounts.

Final Thoughts

QR codes are not going away — they are woven into the fabric of daily life in Singapore, and their convenience is genuine. But convenience has a price when we scan without thinking. The good news is that avoiding QR code scams requires only a small shift in habits: pause, preview the URL, verify the destination, and never rush a payment or a download because someone tells you to.

Stay skeptical, keep your banking apps configured with sensible limits, and share this guide with the people in your life who need it most. In a country as digitally connected as Singapore, awareness is the single best defence.

Protect your links with Lunyb

Create secure, trackable short links and QR codes in seconds.

Get Started Free

Related Articles