facebook-pixel

QR Code Scams in Singapore: How to Stay Safe in 2026

L
Lunyb Security Team
··11 min read

Quick Response codes are woven into daily life in Singapore. You scan them to pay at hawker centres, order kopi at a coffee shop, check into buildings, top up parking, and access government services. But this same convenience has opened the door to a fast-growing category of fraud: QR code scams, also known as "quishing" (QR phishing). The Singapore Police Force and the Cyber Security Agency of Singapore (CSA) have both issued repeated warnings, and losses continue to climb into the millions of dollars each year.

This guide explains exactly how QR code scams work in the Singapore context, the local variants you are most likely to encounter, and the practical steps you can take to protect your money, your data, and your identity.

What Are QR Code Scams?

A QR code scam is a form of fraud where criminals use a manipulated or fake QR code to redirect victims to a malicious website, trick them into authorising a payment, or install malware on their phones. Because a QR code is just a machine-readable shortcut, you cannot tell by looking at it whether it leads to a legitimate PayNow page or a cloned phishing site designed to steal your SingPass or bank credentials.

In Singapore, these scams often blend into everyday routines. Scammers know that Singaporeans trust QR codes, scan them without hesitation, and are used to authenticating via bank apps and SingPass. That trust is precisely what makes the attack so effective.

Why Singapore Is a Prime Target

  1. High QR adoption: PayNow, SGQR, NETS QR, and GrabPay make QR scanning second nature.
  2. High smartphone penetration: Nearly every adult carries a scanner in their pocket.
  3. Wealthy user base: Higher average balances mean bigger payouts for criminals.
  4. Multilingual population: Scammers can craft convincing lures in English, Mandarin, Malay, or Tamil.

Common QR Code Scams in Singapore

Not all quishing attacks look the same. Below are the most reported variants that have hit Singapore residents in recent years.

1. The Bubble Tea and Survey Sticker Scam

This is the classic Singapore case that made national headlines. A victim in Bukit Timah lost around S$20,000 after scanning a QR code sticker on the glass door of a bubble tea shop that promised a free cup in exchange for a customer survey. The code led to a third-party app download that installed malware, granted remote access, and drained her bank account overnight.

Variants of this scam now appear as:

  • Free drink or dessert promotions stuck on shopfront glass
  • "Complete a short survey" stickers on restaurant tables
  • Fake feedback forms at hawker stalls

2. Tampered Hawker and Merchant Payment QRs

Scammers print their own PayNow or SGQR stickers and physically paste them over the merchant's real code. You scan, pay S$4.50 for your chicken rice, and the money goes to a mule account instead of the stall owner. In some cases, the fake code redirects to a phishing site that captures your bank login before completing (or failing) the payment.

3. Parking Fine and LTA Impersonation

Fake parking notices are slipped under windscreen wipers in HDB carparks and shopping malls. The notice claims an unpaid fine and includes a QR code to "pay now to avoid penalty." The link leads to a spoofed LTA or HDB payment portal that harvests card details.

4. Delivery and Parcel Redelivery Scams

A fake SingPost, Ninja Van, or Shopee delivery notice is dropped in your letterbox. It says a parcel could not be delivered and asks you to scan a QR code to reschedule and pay a small redelivery fee. The site looks convincing but is designed to steal credit card information or install a malicious APK on Android devices.

5. Fake Charity and Donation Drives

Around festive periods such as Chinese New Year, Hari Raya, and Deepavali, scammers pose as volunteers collecting donations for well-known charities. They present a QR code on a tablet or printed card. The donation flows straight to the scammer, and any personal details entered are used for further attacks.

6. Phishing Emails and WhatsApp Messages with QR Codes

Instead of a suspicious link (which many people now know to avoid), scammers embed a QR code in an email or a WhatsApp image. The pretext might be a DBS, OCBC, UOB, or IRAS security alert asking you to "reverify" your account. Because you have to switch to another device to scan, mobile security filters often miss it entirely.

How QR Code Scams Actually Work: The Attack Chain

Understanding the mechanics helps you interrupt the scam before it succeeds.

  1. Placement or delivery: The scammer places a physical sticker, hands out a flyer, or sends a digital message containing the malicious QR.
  2. Trust trigger: The lure taps into a familiar Singapore context: a promotion, a fine, a parcel, a payment, or a government notice.
  3. Scan and redirect: The code opens a shortened or lookalike URL such as "dbs-secure-login.xyz" or "paynow-verify.net".
  4. Credential capture or app install: The site either asks for SingPass, banking credentials, and OTPs, or prompts an Android user to sideload an APK that grants accessibility permissions.
  5. Account takeover: With login details or remote control of the device, scammers transfer funds, often at 2am to 4am when victims are asleep.

Red Flags: How to Spot a Suspicious QR Code

Before you scan, take five seconds to check for these warning signs.

Physical Red Flags

  • A sticker that looks freshly pasted over an existing code
  • Peeling edges, bubbles, or a different printing style from the surrounding menu
  • QR codes on lamp posts, bus stops, or random walls with no clear owner
  • Handwritten notes attached to official-looking QR codes
  • Codes on "parking fines" that are not on official LTA or HDB letterheads

Digital Red Flags

  • Preview URL uses a strange top-level domain (.xyz, .top, .info, .click)
  • The domain is misspelled: "dbs-sg.com" instead of "dbs.com.sg"
  • You are asked to download an APK file outside the Google Play Store
  • The page requests your full SingPass password plus OTP plus card CVV all at once
  • Urgency language: "Account will be suspended in 30 minutes"

Legitimate vs Scam QR Codes: Side-by-Side

FeatureLegitimate QR CodeScam QR Code
PlacementPrinted on official menu, receipt, or laminated signSticker pasted over existing signage
Destination URLBank, MAS, gov.sg, or known merchant domainLookalike domain or unfamiliar TLD
Payment flowOpens PayNow or bank app directly with pre-filled merchant nameOpens a browser asking you to log in again
Data requestedConfirmation of payee and amount onlyFull credentials, OTP, card details, NRIC
App installationNever required for paymentPrompts APK download or "update"
Merchant name shownMatches the stall or shop name in SGQRPersonal name, unrelated business, or blank

How to Stay Safe: 10 Practical Rules

  1. Always preview the URL. Both iOS and Android show the destination before opening. If it doesn't look right, don't tap.
  2. Check the merchant name in your banking app. After scanning a PayNow or SGQR code, the payee name is displayed. Confirm it matches the stall you are paying.
  3. Never download apps from a QR code. Legitimate Singapore banks and government agencies will never ask you to install an APK through a scanned link.
  4. Enable Google Play Protect and disable "Install unknown apps" for your browser and messaging apps.
  5. Use the ScamShield app. Developed by the Singapore Police Force and NCPC, it helps filter scam calls and messages.
  6. Turn on Money Lock in DBS, OCBC, or UOB apps to ring-fence a portion of your savings from digital transfers.
  7. Set low default transfer limits and only raise them when needed.
  8. Use SingPass Face Verification and never share your SingPass password or OTP with anyone.
  9. Avoid scanning random public QR codes on posters, lamp posts, and unsolicited flyers.
  10. Report suspicious codes to the merchant and to the Anti-Scam Helpline (1800-722-6688) or via ScamShield.

Shortened Links and QR Codes: A Note on Trust

Many QR codes encode a shortened URL rather than a full address, which is normal and often makes the code easier to scan. The problem is that a short link hides the final destination. This is why reputable link shorteners matter. Trustworthy providers block malicious redirects, scan destinations for phishing, and give end users a way to preview where a link goes.

If you generate QR codes for your own business, using a link management platform like Lunyb lets you create branded short links with analytics and the ability to update the destination if a code is ever compromised, without reprinting all your stickers. For a wider look at options, our 2026 buyer's guide to URL shorteners compares the main players, and our honest review of Lunyb covers what to expect if you are considering the platform for merchant use.

What to Do If You Have Scanned a Malicious QR Code

Speed matters. Every minute counts once a scammer has your credentials or a foothold on your device.

  1. Disconnect immediately. Turn on Airplane Mode to cut the device off from the internet.
  2. Call your bank's 24/7 fraud hotline. DBS, OCBC, UOB, and Standard Chartered all have dedicated numbers. Ask them to freeze your accounts and cards.
  3. File a police report via the SPF e-Services portal or at any Neighbourhood Police Centre.
  4. Call the Anti-Scam Helpline at 1800-722-6688.
  5. Reset SingPass and all banking passwords from a clean, trusted device.
  6. Factory reset the affected phone if you installed any app from the scan. Reinstall only from official app stores.
  7. Notify your CPF and IRAS accounts if you entered SingPass credentials, and monitor for unusual activity.
  8. Warn family members, especially elderly relatives, in case scammers try to reach them through your compromised contacts.

Advice for Merchants and Hawkers

Small businesses are victims too. If a scammer swaps out your QR code, your customers lose money and your reputation takes the hit.

  • Laminate or seal your QR codes so tampering is obvious.
  • Check your codes at the start and end of each day.
  • Display your registered business name prominently so customers can cross-check the payee shown in their bank app.
  • Train staff to notice when the daily takings do not match the number of transactions rung up.
  • Use a branded short link and QR platform so you control the destination and can rotate it if compromised.

Advice for Families and Seniors

Older Singaporeans are disproportionately targeted because they may be less familiar with scam patterns but still active users of PayNow and online banking. Practical steps:

  • Set up Money Lock on their behalf with their consent.
  • Lower daily transfer limits to a level appropriate for their spending.
  • Install ScamShield and enable auto-updates on their phone.
  • Have a family rule: any request to scan a code or share an OTP must be checked with a trusted relative first.
  • Do a monthly "scam catch-up" over dinner and share recent cases from the news.

Frequently Asked Questions

Is it safe to scan QR codes at hawker centres in Singapore?

Generally yes, but always check the payee name that appears in your banking app before confirming payment. If the name shown is a personal name or an unrelated business rather than the stall you are ordering from, cancel the transaction and pay by cash or ask the stall owner for their correct code.

Can just scanning a QR code hack my phone?

Scanning a QR code by itself will not compromise a modern iPhone or Android phone. The danger comes from what happens next: visiting a phishing site, entering credentials, or installing an app. If you scan, pause on the URL preview, and never proceed if anything looks off.

How do I report a suspicious QR code sticker I found in public?

Take a photo of the sticker and its location, then report it to the Anti-Scam Helpline at 1800-722-6688 or through the ScamShield app. If it is stuck at a specific merchant, alert the shop owner so they can remove it. You can also lodge a report via the Singapore Police Force e-Services portal.

Will my bank refund me if I fall victim to a QR code scam?

Under the Shared Responsibility Framework introduced by MAS and IMDA, banks and telcos may bear part of the loss if they failed in specific duties. However, if you authorised the transaction or shared your OTP, recovery is not guaranteed. Report the incident within minutes, not hours, to maximise the chance of recovering funds before they are moved out of Singapore.

Are dynamic QR codes safer than static ones?

Dynamic QR codes point to a short link that can be updated by the owner, so if a code is compromised the destination can be changed without reprinting. Static codes contain the destination directly and cannot be edited. For merchants, dynamic codes from a reputable provider are generally safer and more flexible, provided the underlying account is well secured with strong passwords and multi-factor authentication.

Final Thoughts

QR code scams in Singapore are not going away. As long as scanning remains the fastest way to pay, order, and authenticate, criminals will keep finding new angles, from bubble tea stickers to fake LTA notices. The good news is that almost every successful scam relies on the victim moving too quickly. A five-second pause to check the URL preview, verify the payee name, and question anything that feels urgent will stop the vast majority of attacks before any money leaves your account.

Stay skeptical, keep your transfer limits tight, and share what you know with the people around you. Awareness is Singapore's strongest defence.

Protect your links with Lunyb

Create secure, trackable short links and QR codes in seconds.

Get Started Free

Related Articles