facebook-pixel

QR Code Scams in Singapore: How to Stay Safe in 2026

L
Lunyb Security Team
··9 min read

QR codes have become part of everyday life in Singapore. From paying at hawker centres with PayNow and SGQR to checking in at events, ordering food, and topping up EZ-Link cards, the humble square barcode is now everywhere. Unfortunately, scammers have noticed too. Over the past few years, Singapore has seen an explosion of QR code scams, a technique known internationally as quishing (QR + phishing). The Singapore Police Force and the Cyber Security Agency (CSA) have issued multiple advisories warning that losses from these scams now run into millions of dollars annually.

This guide explains exactly how QR code scams work in the Singapore context, walks through real local cases, and gives you a clear checklist to protect yourself, your family, and your business.

What Are QR Code Scams?

A QR code scam is a type of phishing attack where fraudsters use a malicious QR code to redirect victims to fake websites, trigger unauthorised payments, or install malware on their devices. Because a QR code is just a machine-readable link, users cannot easily tell where it will take them until it is too late.

In Singapore, these scams typically fall into three categories:

  1. Payment redirection scams — victims think they are paying a legitimate merchant but the funds go to a scammer's account.
  2. Credential phishing — the QR code opens a fake DBS, OCBC, UOB, Singpass, or IRAS login page to steal usernames, passwords, and OTPs.
  3. Malware installation — victims are tricked into installing a third-party APK file that gives scammers remote control over their Android device.

Why Singapore Is a Prime Target

Singapore's rapid adoption of cashless payments makes QR codes both convenient and dangerous. According to the Monetary Authority of Singapore (MAS), more than 90% of adults use digital payments, and SGQR is accepted at over 200,000 merchant points nationwide. Scammers exploit this everyday familiarity — most Singaporeans no longer hesitate before scanning.

Additionally, the trust residents place in official-looking notices (from LTA, HDB, IRAS, or SPF) means a well-designed sticker or letter with a QR code can easily bypass suspicion.

Common QR Code Scams in Singapore

1. The Bubble Tea & Survey Scam

One of the most publicised cases involved a 60-year-old woman who lost S$20,000 after scanning a QR code on a bubble tea shop's window offering a free cup for completing a survey. The code led her to download a third-party Android app that logged her banking credentials and drained her account overnight.

2. Fake Parking Fine Notices

Scammers place fake parking summons on windscreens or under wipers, complete with LTA or HDB-style branding and a QR code to "pay the fine." The code leads to a spoofed payment page that captures card details or triggers a PayNow transfer to the scammer.

3. Sticker Overlay at Hawker Centres and Coffee Shops

Fraudsters print stickers with their own PayNow QR and paste them over legitimate stall QRs. Customers scan, pay, and only the stall owner realises hours later that no money came in.

4. Fake Singpass or IRAS Notifications

Emails or SMSes claiming you have an unclaimed tax refund or a Singpass verification issue include a QR code for "faster access." The link opens a convincing phishing page designed to harvest your Singpass credentials — one of the most damaging losses possible in Singapore.

5. Fake Delivery Slips

With the boom in e-commerce, scammers drop fake missed-delivery slips into letterboxes. The QR code supposedly reschedules delivery but instead installs malware or requests a "redelivery fee" via PayNow.

6. Rental and Marketplace Scams

On Carousell, Facebook Marketplace, or property listings, scammers ask buyers or tenants to scan a QR to "secure the deposit." Victims end up paying into an unrelated account or handing over banking OTPs.

How Quishing Actually Works: A Step-by-Step Breakdown

  1. Bait creation — the scammer prints a QR code linked to a malicious URL, often disguised using a URL shortener to hide the true destination.
  2. Placement — the code is placed somewhere trusted: over an existing sticker, on official-looking letters, or in a phishing email.
  3. Scan — the victim scans with their phone's camera, which auto-opens the link in a browser.
  4. Redirection — the site either mimics a bank/Singpass login, prompts an APK download, or displays a payment request.
  5. Harvest — credentials, OTPs, or funds are captured. In malware cases, the scammer gains full remote access and can intercept SMS OTPs to authorise larger transactions.

Red Flags: How to Spot a Suspicious QR Code

  • The QR code is a sticker pasted over another sticker — a common overlay tactic.
  • The URL preview shown by your camera app does not match the expected domain (e.g., paying a hawker but the URL points to a random .xyz or .top domain).
  • You are asked to download an app outside the Google Play Store or Apple App Store. Legitimate Singapore banks and government agencies never do this.
  • The landing page urgently requests your Singpass, bank login, or full card number.
  • The QR code appears on an unsolicited letter, email, SMS, or WhatsApp message.
  • The offer is too good to be true — free bubble tea, cash rebates, or lucky draws.

Safe QR Code Scanning: A Practical Checklist

  1. Always preview the URL before tapping. Both iOS Camera and most Android scanners show the destination link — read it carefully.
  2. Verify the merchant name on your payment app. PayNow and bank apps display the recipient's registered name before you confirm. If it does not match the shop, cancel immediately.
  3. Never install Android apps via QR code. Only download from the official Play Store or App Store.
  4. Enable Google Play Protect and Android's "Enhanced Anti-Scam Protection," which blocks sideloaded apps from requesting sensitive permissions.
  5. Use bank apps with money lock features such as DBS digiVault, OCBC Money Lock, or UOB LockAway to ring-fence savings.
  6. Turn on transaction alerts for every debit, no matter how small.
  7. Check the physical QR code for tampering — peel-marks, misaligned edges, or stickers over stickers.
  8. Use encrypted DNS (such as 1.1.1.1 or Quad9) to block known phishing domains at the network level.

QR Code Scams vs Other Common Singapore Scams

Scam Type Typical Loss Main Attack Vector Difficulty to Detect
QR Code (Quishing) S$1,000 – S$100,000+ Physical sticker or digital link High
Phishing SMS S$500 – S$50,000 SMS with spoofed sender Medium
Job Scam S$2,000 – S$200,000 Telegram/WhatsApp recruitment Medium
Investment Scam S$10,000 – S$1M+ Social media ads & fake platforms High
Impersonation (Govt/Police) S$5,000 – S$500,000 Voice call + fake portal High

The Role of Trusted Short Links

Many QR code scams hide their true destination behind sketchy or throwaway shortener domains. As a user, you can flip this to your advantage: when creating QR codes for your own business, use a trusted, transparent link management service so customers can visually verify the brand in the URL preview. Tools such as Lunyb allow you to generate branded short links with click analytics and abuse-monitoring, which makes it far easier to spot tampering or duplication of your QR materials. If you are researching options, our 2026 buyer's guide to URL shorteners and our honest review of Lunyb compare the leading services on security and trust features.

What to Do If You've Been Scammed

  1. Call your bank immediately using the anti-scam hotline printed on the back of your card. All major Singapore banks have 24/7 kill-switch options.
  2. Freeze your Singpass via the Singpass app if you suspect credentials were exposed.
  3. Report to the Singapore Police Force at police.gov.sg or call the ScamShield helpline at 1799.
  4. File a report with the affected platform (bank, e-wallet, marketplace).
  5. Factory reset your phone if you installed any suspicious app, and change every password from a clean device.
  6. Enable ScamShield on your phone to block future scam calls and SMSes.

How Businesses in Singapore Can Protect Their Customers

Hawker stalls, retail shops, and F&B outlets are increasingly held responsible for keeping their payment QRs secure. Practical steps include:

  • Laminating or framing SGQR posters behind clear acrylic so stickers cannot be overlaid.
  • Checking QR codes every morning before opening.
  • Placing the stall name and UEN clearly next to the QR so customers can cross-check.
  • Using CCTV coverage over the payment area.
  • Using branded short URLs (rather than random shorteners) for digital menus and promotions so customers recognise legitimate links.

The Bigger Picture: Singapore's Regulatory Response

MAS and the Association of Banks in Singapore (ABS) introduced the Shared Responsibility Framework (SRF) in 2024, which allocates liability between banks, telcos, and consumers for phishing-related scam losses. Under the framework, banks may bear part of the loss if they failed to implement required safeguards — but consumers still bear responsibility if they ignored clear warnings or handed over OTPs. Understanding this framework is essential: it means you are still your own first line of defence.

Frequently Asked Questions

Are QR codes themselves dangerous?

No. A QR code is simply a way to encode a link or text. The danger comes from what the link leads to. Treat every QR code the same way you would treat a link from an unknown sender — preview before you tap.

Can scanning a QR code hack my phone instantly?

Simply scanning a QR code will not compromise a modern iPhone or Android device on its own. The compromise happens when you then install an app, enter credentials, or approve a payment on the page it opens. Never install APKs from links opened via QR codes.

How do I check if a shortened URL from a QR code is safe?

Copy the shortened link (do not tap it) and paste it into a URL-expansion or reputation-check service such as VirusTotal or urlscan.io. If it resolves to a random domain, a suspicious login page, or a direct APK download, do not proceed.

What should I do if I scanned a scam QR but didn't enter anything?

If you only opened the page and closed it without entering credentials, downloading anything, or approving a payment, you are almost certainly safe. To be extra cautious, clear your browser cache, run a Play Protect or iOS security scan, and monitor your bank statements for the next few weeks.

Do banks in Singapore reimburse QR code scam victims?

Sometimes, but not always. Under the Shared Responsibility Framework, reimbursement depends on whether the bank met its security duties and whether the customer followed safe practices. Victims who handed over OTPs or installed unauthorised apps often bear the loss. This is why prevention is far more valuable than pursuing recovery afterwards.

Final Thoughts

QR codes are not going away — if anything, Singapore's push toward a truly cashless society means we will scan even more of them in the years ahead. The good news is that staying safe does not require paranoia; it just requires a few consistent habits: preview URLs, verify recipient names, refuse to install apps from links, and treat every unsolicited QR code as suspect until proven otherwise.

Scammers rely on speed and trust. Slow down for two seconds before every scan, and you eliminate the vast majority of the risk. Share this guide with your parents, grandparents, and colleagues — a large share of Singapore's scam losses come from victims who simply never knew what to look for.

Protect your links with Lunyb

Create secure, trackable short links and QR codes in seconds.

Get Started Free

Related Articles