QR Code Scams in Singapore: How to Stay Safe in 2026
Quick Response codes are woven into daily life in Singapore. You scan them to pay at hawker centres, order kopi at a coffee shop, check into buildings, top up parking, and access government services. But this same convenience has opened the door to a fast-growing category of fraud: QR code scams, also known as "quishing" (QR phishing). The Singapore Police Force and the Cyber Security Agency of Singapore (CSA) have both issued repeated warnings, and losses continue to climb into the millions of dollars each year.
This guide explains exactly how QR code scams work in the Singapore context, the local variants you are most likely to encounter, and the practical steps you can take to protect your money, your data, and your identity.
What Are QR Code Scams?
A QR code scam is a form of fraud where criminals use a manipulated or fake QR code to redirect victims to a malicious website, trick them into authorising a payment, or install malware on their phones. Because a QR code is just a machine-readable shortcut, you cannot tell by looking at it whether it leads to a legitimate PayNow page or a cloned phishing site designed to steal your SingPass or bank credentials.
In Singapore, these scams often blend into everyday routines. Scammers know that Singaporeans trust QR codes, scan them without hesitation, and are used to authenticating via bank apps and SingPass. That trust is precisely what makes the attack so effective.
Why Singapore Is a Prime Target
- High QR adoption: PayNow, SGQR, NETS QR, and GrabPay make QR scanning second nature.
- High smartphone penetration: Nearly every adult carries a scanner in their pocket.
- Wealthy user base: Higher average balances mean bigger payouts for criminals.
- Multilingual population: Scammers can craft convincing lures in English, Mandarin, Malay, or Tamil.
Common QR Code Scams in Singapore
Not all quishing attacks look the same. Below are the most reported variants that have hit Singapore residents in recent years.
1. The Bubble Tea and Survey Sticker Scam
This is the classic Singapore case that made national headlines. A victim in Bukit Timah lost around S$20,000 after scanning a QR code sticker on the glass door of a bubble tea shop that promised a free cup in exchange for a customer survey. The code led to a third-party app download that installed malware, granted remote access, and drained her bank account overnight.
Variants of this scam now appear as:
- Free drink or dessert promotions stuck on shopfront glass
- "Complete a short survey" stickers on restaurant tables
- Fake feedback forms at hawker stalls
2. Tampered Hawker and Merchant Payment QRs
Scammers print their own PayNow or SGQR stickers and physically paste them over the merchant's real code. You scan, pay S$4.50 for your chicken rice, and the money goes to a mule account instead of the stall owner. In some cases, the fake code redirects to a phishing site that captures your bank login before completing (or failing) the payment.
3. Parking Fine and LTA Impersonation
Fake parking notices are slipped under windscreen wipers in HDB carparks and shopping malls. The notice claims an unpaid fine and includes a QR code to "pay now to avoid penalty." The link leads to a spoofed LTA or HDB payment portal that harvests card details.
4. Delivery and Parcel Redelivery Scams
A fake SingPost, Ninja Van, or Shopee delivery notice is dropped in your letterbox. It says a parcel could not be delivered and asks you to scan a QR code to reschedule and pay a small redelivery fee. The site looks convincing but is designed to steal credit card information or install a malicious APK on Android devices.
5. Fake Charity and Donation Drives
Around festive periods such as Chinese New Year, Hari Raya, and Deepavali, scammers pose as volunteers collecting donations for well-known charities. They present a QR code on a tablet or printed card. The donation flows straight to the scammer, and any personal details entered are used for further attacks.
6. Phishing Emails and WhatsApp Messages with QR Codes
Instead of a suspicious link (which many people now know to avoid), scammers embed a QR code in an email or a WhatsApp image. The pretext might be a DBS, OCBC, UOB, or IRAS security alert asking you to "reverify" your account. Because you have to switch to another device to scan, mobile security filters often miss it entirely.
How QR Code Scams Actually Work: The Attack Chain
Understanding the mechanics helps you interrupt the scam before it succeeds.
- Placement or delivery: The scammer places a physical sticker, hands out a flyer, or sends a digital message containing the malicious QR.
- Trust trigger: The lure taps into a familiar Singapore context: a promotion, a fine, a parcel, a payment, or a government notice.
- Scan and redirect: The code opens a shortened or lookalike URL such as "dbs-secure-login.xyz" or "paynow-verify.net".
- Credential capture or app install: The site either asks for SingPass, banking credentials, and OTPs, or prompts an Android user to sideload an APK that grants accessibility permissions.
- Account takeover: With login details or remote control of the device, scammers transfer funds, often at 2am to 4am when victims are asleep.
Red Flags: How to Spot a Suspicious QR Code
Before you scan, take five seconds to check for these warning signs.
Physical Red Flags
- A sticker that looks freshly pasted over an existing code
- Peeling edges, bubbles, or a different printing style from the surrounding menu
- QR codes on lamp posts, bus stops, or random walls with no clear owner
- Handwritten notes attached to official-looking QR codes
- Codes on "parking fines" that are not on official LTA or HDB letterheads
Digital Red Flags
- Preview URL uses a strange top-level domain (.xyz, .top, .info, .click)
- The domain is misspelled: "dbs-sg.com" instead of "dbs.com.sg"
- You are asked to download an APK file outside the Google Play Store
- The page requests your full SingPass password plus OTP plus card CVV all at once
- Urgency language: "Account will be suspended in 30 minutes"
Legitimate vs Scam QR Codes: Side-by-Side
| Feature | Legitimate QR Code | Scam QR Code |
|---|---|---|
| Placement | Printed on official menu, receipt, or laminated sign | Sticker pasted over existing signage |
| Destination URL | Bank, MAS, gov.sg, or known merchant domain | Lookalike domain or unfamiliar TLD |
| Payment flow | Opens PayNow or bank app directly with pre-filled merchant name | Opens a browser asking you to log in again |
| Data requested | Confirmation of payee and amount only | Full credentials, OTP, card details, NRIC |
| App installation | Never required for payment | Prompts APK download or "update" |
| Merchant name shown | Matches the stall or shop name in SGQR | Personal name, unrelated business, or blank |
How to Stay Safe: 10 Practical Rules
- Always preview the URL. Both iOS and Android show the destination before opening. If it doesn't look right, don't tap.
- Check the merchant name in your banking app. After scanning a PayNow or SGQR code, the payee name is displayed. Confirm it matches the stall you are paying.
- Never download apps from a QR code. Legitimate Singapore banks and government agencies will never ask you to install an APK through a scanned link.
- Enable Google Play Protect and disable "Install unknown apps" for your browser and messaging apps.
- Use the ScamShield app. Developed by the Singapore Police Force and NCPC, it helps filter scam calls and messages.
- Turn on Money Lock in DBS, OCBC, or UOB apps to ring-fence a portion of your savings from digital transfers.
- Set low default transfer limits and only raise them when needed.
- Use SingPass Face Verification and never share your SingPass password or OTP with anyone.
- Avoid scanning random public QR codes on posters, lamp posts, and unsolicited flyers.
- Report suspicious codes to the merchant and to the Anti-Scam Helpline (1800-722-6688) or via ScamShield.
Shortened Links and QR Codes: A Note on Trust
Many QR codes encode a shortened URL rather than a full address, which is normal and often makes the code easier to scan. The problem is that a short link hides the final destination. This is why reputable link shorteners matter. Trustworthy providers block malicious redirects, scan destinations for phishing, and give end users a way to preview where a link goes.
If you generate QR codes for your own business, using a link management platform like Lunyb lets you create branded short links with analytics and the ability to update the destination if a code is ever compromised, without reprinting all your stickers. For a wider look at options, our 2026 buyer's guide to URL shorteners compares the main players, and our honest review of Lunyb covers what to expect if you are considering the platform for merchant use.
What to Do If You Have Scanned a Malicious QR Code
Speed matters. Every minute counts once a scammer has your credentials or a foothold on your device.
- Disconnect immediately. Turn on Airplane Mode to cut the device off from the internet.
- Call your bank's 24/7 fraud hotline. DBS, OCBC, UOB, and Standard Chartered all have dedicated numbers. Ask them to freeze your accounts and cards.
- File a police report via the SPF e-Services portal or at any Neighbourhood Police Centre.
- Call the Anti-Scam Helpline at 1800-722-6688.
- Reset SingPass and all banking passwords from a clean, trusted device.
- Factory reset the affected phone if you installed any app from the scan. Reinstall only from official app stores.
- Notify your CPF and IRAS accounts if you entered SingPass credentials, and monitor for unusual activity.
- Warn family members, especially elderly relatives, in case scammers try to reach them through your compromised contacts.
Advice for Merchants and Hawkers
Small businesses are victims too. If a scammer swaps out your QR code, your customers lose money and your reputation takes the hit.
- Laminate or seal your QR codes so tampering is obvious.
- Check your codes at the start and end of each day.
- Display your registered business name prominently so customers can cross-check the payee shown in their bank app.
- Train staff to notice when the daily takings do not match the number of transactions rung up.
- Use a branded short link and QR platform so you control the destination and can rotate it if compromised.
Advice for Families and Seniors
Older Singaporeans are disproportionately targeted because they may be less familiar with scam patterns but still active users of PayNow and online banking. Practical steps:
- Set up Money Lock on their behalf with their consent.
- Lower daily transfer limits to a level appropriate for their spending.
- Install ScamShield and enable auto-updates on their phone.
- Have a family rule: any request to scan a code or share an OTP must be checked with a trusted relative first.
- Do a monthly "scam catch-up" over dinner and share recent cases from the news.
Frequently Asked Questions
Is it safe to scan QR codes at hawker centres in Singapore?
Generally yes, but always check the payee name that appears in your banking app before confirming payment. If the name shown is a personal name or an unrelated business rather than the stall you are ordering from, cancel the transaction and pay by cash or ask the stall owner for their correct code.
Can just scanning a QR code hack my phone?
Scanning a QR code by itself will not compromise a modern iPhone or Android phone. The danger comes from what happens next: visiting a phishing site, entering credentials, or installing an app. If you scan, pause on the URL preview, and never proceed if anything looks off.
How do I report a suspicious QR code sticker I found in public?
Take a photo of the sticker and its location, then report it to the Anti-Scam Helpline at 1800-722-6688 or through the ScamShield app. If it is stuck at a specific merchant, alert the shop owner so they can remove it. You can also lodge a report via the Singapore Police Force e-Services portal.
Will my bank refund me if I fall victim to a QR code scam?
Under the Shared Responsibility Framework introduced by MAS and IMDA, banks and telcos may bear part of the loss if they failed in specific duties. However, if you authorised the transaction or shared your OTP, recovery is not guaranteed. Report the incident within minutes, not hours, to maximise the chance of recovering funds before they are moved out of Singapore.
Are dynamic QR codes safer than static ones?
Dynamic QR codes point to a short link that can be updated by the owner, so if a code is compromised the destination can be changed without reprinting. Static codes contain the destination directly and cannot be edited. For merchants, dynamic codes from a reputable provider are generally safer and more flexible, provided the underlying account is well secured with strong passwords and multi-factor authentication.
Final Thoughts
QR code scams in Singapore are not going away. As long as scanning remains the fastest way to pay, order, and authenticate, criminals will keep finding new angles, from bubble tea stickers to fake LTA notices. The good news is that almost every successful scam relies on the victim moving too quickly. A five-second pause to check the URL preview, verify the payee name, and question anything that feels urgent will stop the vast majority of attacks before any money leaves your account.
Stay skeptical, keep your transfer limits tight, and share what you know with the people around you. Awareness is Singapore's strongest defence.
Protect your links with Lunyb
Create secure, trackable short links and QR codes in seconds.
Get Started FreeRelated Articles
Data Breaches 2026: What You Need to Know
Data breaches in 2026 are larger, faster, and more AI-driven than ever before. This guide breaks down the latest attack trends, real-world costs, and the specific steps individuals and businesses should take to reduce exposure this year.
Zero Trust Security Model Explained Simply: A 2026 Guide
Zero Trust flips traditional security on its head with one rule: never trust, always verify. This plain-English guide breaks down the model's core principles, real-world workflows, and a step-by-step adoption roadmap for teams of any size.
What Data Does Google Have on You? The Complete 2026 Breakdown
Google collects an astonishing amount of personal data — from every search and location to inferred income, interests, and relationships. This 2026 guide breaks down exactly what's in your file, how to view it, and practical steps to take back control.
How Hackers Use Shortened URLs to Spread Malware (2026 Guide)
Shortened URLs make links shareable — but they also hide destinations, which is exactly why hackers use them to spread malware and phishing kits. Learn how these attacks work, how to detect malicious short links, and how to protect yourself and your organization in 2026.