facebook-pixel

QR Code Scams in Singapore: How to Stay Safe in 2026

L
Lunyb Security Team
··11 min read

QR codes have become part of everyday life in Singapore. From paying at hawker centres with PayNow to scanning SafeEntry-style menus at cafes, checking bus schedules, or verifying HDB service notices, the humble black-and-white square is everywhere. Unfortunately, scammers know this too. The Singapore Police Force and the Cyber Security Agency of Singapore (CSA) have repeatedly warned that QR code scams, sometimes called "quishing" (QR phishing), are one of the fastest-growing fraud tactics targeting residents.

This guide explains exactly how QR code scams work in the Singapore context, the real cases that have cost victims tens of thousands of dollars, and the practical steps you can take to protect yourself, your family, and your business.

What Are QR Code Scams?

A QR code scam is a form of phishing where criminals use a Quick Response (QR) code to redirect victims to a malicious website, trigger a fraudulent payment, or trick them into downloading malware. Because the destination URL is hidden inside the code, victims cannot easily see where they are being sent until it is too late.

In Singapore, the risk is amplified because QR-based payments (PayNow, PayLah!, NETS QR, SGQR) are woven into daily life. Scammers exploit this trust by placing fake stickers, sending phishing emails with codes, or even printing counterfeit QR codes on flyers and parking notices.

Why Singapore Is a Prime Target

  • High smartphone penetration: Over 90% of Singaporeans use smartphones with built-in QR scanners.
  • Widespread SGQR adoption: A unified QR standard makes users comfortable scanning any code.
  • Trust in institutions: Scammers impersonate familiar brands like DBS, OCBC, UOB, IRAS, LTA, and SingPost.
  • Fast digital payments: Money moves instantly, giving victims little time to reverse a transfer.

Common QR Code Scam Tactics in Singapore

Understanding how these scams are executed is the first step toward avoiding them. Here are the most reported variants in Singapore over the past two years.

1. Fake Hawker and F&B Payment Stickers

Scammers paste counterfeit PayNow or PayLah! QR stickers over the legitimate ones at hawker stalls, coffee shops, and small eateries. When customers scan and pay, the money is transferred to the scammer's account instead of the merchant's. The stall owner only realises when reconciling sales at the end of the day.

2. "Complete This Survey" Scams

A particularly damaging variant involves scammers approaching victims at bubble tea shops, cafes, or on the street, offering a free drink or voucher in exchange for scanning a QR code and completing a "customer survey." The code installs a malicious Android app that grants remote access to the phone. Victims have lost their entire life savings, in some cases over S$100,000, after scammers accessed their banking apps overnight.

3. Phishing Emails Impersonating Banks or Government Agencies

You receive an email that appears to come from DBS, IRAS, or Singpass asking you to "verify your account" or "claim a tax refund" by scanning a QR code. The code leads to a lookalike login page designed to steal your credentials and 2FA codes.

4. Parking Fine and LTA Notice Scams

Fake parking violation notices are placed on windscreens in HDB carparks and public lots. Drivers scan the QR code to "pay the fine quickly" and are directed to a fraudulent payment page.

5. Fake Delivery and SingPost Notifications

Scammers leave notes claiming a parcel could not be delivered, with a QR code to "reschedule delivery." Scanning leads to a page requesting personal details, credit card info, or a small "redelivery fee" that captures card data.

6. Investment and Crypto QR Scams

On Telegram, WhatsApp, and dating apps, scammers share QR codes leading to fake investment platforms or crypto wallet addresses. Victims transfer funds believing they are investing, only to find the platform vanishes.

Real Cases Reported in Singapore

The Singapore Police Force has issued multiple public advisories. Some documented patterns include:

  • A woman in her 60s lost over S$20,000 after scanning a QR code for a "free bubble tea survey" at a shop in the central region.
  • Multiple hawker stall owners in Chinatown, Bedok, and Toa Payoh reported customers unknowingly paying scammers after fake QR stickers were pasted over legitimate ones.
  • Victims of parcel redelivery scams have collectively lost hundreds of thousands of dollars, according to SPF advisories.

These are not isolated incidents. The Singapore Police Force's annual scam statistics consistently show phishing-related losses in the tens of millions, with QR code variants making up a growing share.

How QR Code Scams Actually Work (Step by Step)

  1. Bait: The scammer places a QR code somewhere trusted, sends it via email, or offers a reward for scanning.
  2. Scan: The victim opens the code with their phone camera, which displays the destination URL only briefly, if at all.
  3. Redirect: The link leads to a phishing page, a payment prompt, or an APK download (for Android).
  4. Capture: The victim enters credentials, approves a payment, or installs malware that steals SMS OTPs.
  5. Drain: Scammers log into banking apps, transfer funds via PayNow or overseas, and disappear before the victim notices.

How to Spot a Suspicious QR Code

Before you scan any QR code in Singapore, run through this mental checklist.

Warning SignWhat It Looks LikeRisk Level
QR sticker pasted over anotherUneven edges, different paper, visible layersHigh
Unsolicited email with QR code"Verify your bank account" or "claim refund"Very High
QR code on a flyer offering rewardsFree drinks, cash, or lucky drawsHigh
Parking notice with QR to payNot on an official HDB, URA, or LTA templateHigh
QR code from a stranger's phoneSomeone insists you scan for a "survey"Very High
Shortened URL after scanningPreview shows bit.ly, tinyurl, or unknown domainMedium to High

10 Practical Steps to Stay Safe

  1. Preview the URL before opening. Modern iOS and Android cameras show the link before you tap it. Read the full domain carefully. "dbs-verify.com" is not the same as "dbs.com.sg".
  2. Check the payee name before confirming payment. When paying via PayNow or PayLah!, verify the recipient's name matches the merchant. A hawker stall should not be paying into a random personal account.
  3. Never install apps from a QR code. Legitimate banks and businesses will never ask you to sideload an APK. Only download apps from the Apple App Store or Google Play.
  4. Enable Money Lock with your bank. DBS, OCBC, UOB, and Standard Chartered offer Money Lock, which prevents funds from being transferred out digitally.
  5. Turn on Google Play Protect and enhanced safe browsing. These built-in Android features detect known scam apps and malicious sites.
  6. Use the ScamShield app. The official app from the Singapore Police Force and NCPC blocks known scam calls and SMS, and lets you report suspicious links.
  7. Do not scan random codes for rewards. If a stranger offers a free drink or voucher for scanning, walk away. This is one of the most common attack patterns in Singapore right now.
  8. Verify with the source directly. Received an "IRAS refund" or "bank verification" email? Log in to the official app or website manually. Never use links from emails.
  9. Watch for tampered stickers. At hawker centres, look for QR stickers that appear pasted over another. Ask the stallholder to confirm the payee name.
  10. Report suspicious codes. Call the Anti-Scam Helpline at 1800-722-6688 or report at ScamShield. Businesses can report tampered stickers to their acquiring bank.

What Businesses in Singapore Should Do

Merchants, especially F&B operators, are on the front line of QR code fraud. If your customers get scammed at your stall, you lose sales and reputation even though you were not at fault.

Best Practices for Merchants

  • Laminate and secure your QR codes: Use tamper-evident stickers or laminated displays that make overlays obvious.
  • Check daily: Inspect your SGQR display at opening and closing each day.
  • Display your business name prominently: Customers should be able to cross-check the payee name against your signage.
  • Train staff: Ensure everyone knows to verify the beep and the name shown on the payment confirmation.
  • Use a branded short link for online promotions: Instead of raw QR codes pointing to complex URLs, use a trusted link management platform. Services like Lunyb let you generate branded short links with analytics, so customers see a recognisable domain when they scan your marketing codes. If you want a broader look at options, see our 2026 URL shortener buyer's guide.

Comparison: Safe vs Risky QR Code Scenarios

ScenarioSafe PracticeRisky Behaviour
Paying at a hawker stallVerify payee name matches stallConfirming payment without checking
Email from "your bank"Open bank app directlyScanning the QR in the email
Parcel redelivery noticeLog in to SingPost or courier siteScanning QR on the note
Street survey for a free drinkPolitely declineScanning and installing an app
Parking fine on windscreenCheck via official HDB/URA appPaying via QR on the notice

What to Do If You've Been Scammed

Time is critical. Follow these steps immediately.

  1. Call your bank's 24/7 fraud hotline to freeze your accounts. DBS: 1800-339-6963. OCBC: 1800-363-3333. UOB: 1800-222-2121.
  2. Disconnect your phone from the internet and turn on aeroplane mode if you suspect malware was installed.
  3. Report to the police via the Anti-Scam Helpline (1800-722-6688) or file a report at any Neighbourhood Police Centre or online at eservices.police.gov.sg.
  4. Change your Singpass, banking, and email passwords from a different, trusted device.
  5. Factory reset your phone if malware is confirmed, then restore only from a clean backup.
  6. Notify friends and family in case scammers use your accounts to target them next.

The Bigger Picture: Privacy and Link Hygiene

QR codes are only one attack surface. The underlying problem is that links, whether inside QR codes, SMS messages, or emails, are the primary vehicle for phishing in Singapore. Building good "link hygiene" habits protects you across all channels:

  • Always preview links before tapping.
  • Prefer typing bank and government URLs manually.
  • Use encrypted DNS (available in iOS and Android settings) to block known malicious domains at the network level.
  • Keep your device OS and browser updated.
  • Use a password manager so you never enter credentials on a lookalike site by muscle memory.

For businesses that rely on shortened or branded links in marketing, choosing a reputable link platform matters. Read our honest review of Lunyb or compare alternatives in our Rebrandly 2026 review to understand what features protect end users.

Frequently Asked Questions

Are QR code scams really common in Singapore?

Yes. The Singapore Police Force has issued repeated advisories, and cases involving fake surveys, tampered hawker stickers, and phishing emails with QR codes have collectively cost victims millions of dollars. QR-based phishing (quishing) is one of the fastest-growing scam categories.

Is it safe to scan any QR code with my iPhone or Android?

Scanning itself is generally safe, because your camera only reads the code and shows you the URL. The danger begins when you tap the link, enter credentials, approve a payment, or install an app. Always preview the URL first and verify it belongs to a legitimate domain.

How can I tell if a hawker stall's QR code has been tampered with?

Look for stickers pasted over the original, mismatched paper or lamination, peeling edges, or a payee name that does not match the stall. If in doubt, ask the stallholder to confirm the account name before you press confirm on your banking app.

Can scanning a QR code install malware on my phone by itself?

Simply scanning does not install anything. However, if the code links to an APK file and you follow prompts to enable installation from unknown sources, malware can be installed on Android devices. iPhones are more resistant because iOS blocks sideloading, but phishing pages can still steal your credentials on any platform.

What should I do if I already scanned a suspicious QR code but did not enter anything?

If you did not enter credentials, approve a payment, or install any app, you are almost certainly fine. Close the browser tab, clear your browser history, and run a security scan. Monitor your bank accounts for a few days and consider enabling Money Lock as an added precaution.

Final Thoughts

QR codes are convenient, and they are not going away. The good news is that avoiding QR code scams in Singapore does not require special tools, just a moment of pause before you scan or tap. Preview the URL, verify the payee, never install apps from a code, and treat any unsolicited reward or urgent notice with deep suspicion. Combine those habits with ScamShield, Money Lock, and up-to-date banking app settings, and you will sidestep the vast majority of quishing attacks aimed at Singaporeans today.

Stay alert, share this guide with older family members who are often targeted, and report suspicious codes when you see them. Every report helps the Singapore Police Force and CSA shut down scam infrastructure faster.

Protect your links with Lunyb

Create secure, trackable short links and QR codes in seconds.

Get Started Free

Related Articles