QR Code Scams in Singapore: How to Stay Safe in 2026
QR codes have become woven into daily life in Singapore — from SafeEntry legacies and hawker centre payments to PayNow transfers, MRT advertisements, and restaurant menus. But the same convenience that makes QR codes so popular has also made them a favourite tool for scammers. In 2023 and 2024, Singapore saw a sharp rise in QR code scams (often called "quishing"), with victims losing tens of thousands of dollars in single incidents. This guide explains how QR code scams work in Singapore, the most common tactics used by criminals, real local cases, and practical steps you can take to stay safe.
What Are QR Code Scams?
A QR code scam is a fraud technique where criminals trick victims into scanning a malicious QR code that leads to a phishing website, downloads malware, or initiates an unauthorised payment. The term "quishing" combines "QR" and "phishing." Because QR codes look identical to the human eye, you cannot tell a legitimate code from a malicious one without scanning it first — which is exactly what scammers exploit.
In Singapore, QR codes are trusted by default. Most consumers assume a code stuck on a stall, taped to a parking meter, or printed on a flyer is legitimate. Scammers exploit this trust by replacing real codes with fake ones, sending malicious codes via email, or printing them on counterfeit promotional materials.
Why Singapore Is a Prime Target
Singapore's high smartphone penetration, widespread adoption of PayNow and SGQR, and the cashless push by MAS have made QR codes ubiquitous. According to the Singapore Police Force (SPF), scam-related losses exceeded S$1.1 billion in 2024, and quishing cases have climbed steadily as part of broader phishing trends.
Several factors make Singapore particularly attractive to QR scammers:
- High trust environment: Singaporeans generally trust public infrastructure and printed signage.
- Mature digital payments: PayNow, GrabPay, and SGQR are second nature, so scanning to pay feels routine.
- Multilingual population: Scammers can craft phishing pages in English, Mandarin, Malay, or Tamil to widen their net.
- High-value targets: Above-average household incomes and widespread bank app usage make successful attacks lucrative.
Common Types of QR Code Scams in Singapore
1. Bubble Tea and Survey Scams
One of the most publicised cases involved a 60-year-old woman who lost S$20,000 after scanning a QR code on a flyer offering a "free cup of bubble tea" in exchange for completing a survey. The code led her to download a third-party app that contained malware, allowing scammers to take over her device and drain her bank account.
2. Fake Hawker Stall and Restaurant Codes
Scammers paste fraudulent QR code stickers over genuine PayNow or SGQR codes at hawker centres, food courts, and restaurants. When customers scan and pay, the money goes to the scammer's account instead of the merchant. Stallholders often only realise when reconciling takings at the end of the day.
3. Parking and Carpark Scams
Although Singapore's parking is largely managed via the Parking.sg app and gantry systems, scammers have placed fake "pay parking here" QR codes near HDB carparks and private estates, redirecting users to credential-harvesting sites that mimic bank login pages.
4. Email and Document Quishing
QR codes embedded in PDF attachments or emails bypass many corporate email filters that scan for malicious links. Recipients are urged to scan with their phone — often to "verify their account" or "view a secure document" — and end up on a fake Microsoft 365, DBS, or OCBC login page.
5. Delivery and Package Scams
Fake "missed delivery" notices left at HDB doors or in letterboxes contain QR codes that supposedly let you reschedule delivery. The codes lead to phishing pages impersonating SingPost, Ninja Van, or J&T Express, asking for credit card details to pay a small redelivery fee.
6. Investment and Crypto Scams
Social media ads featuring local celebrities (often deepfaked) promote "exclusive investment opportunities" via QR codes. Scanning leads to fake trading platforms or WhatsApp groups operated by syndicates that pressure victims into transferring funds.
7. Charity and Donation Scams
Fraudsters print QR codes on fake charity flyers, particularly during festive periods like Chinese New Year, Hari Raya, or Deepavali. The codes funnel donations directly to scammer-controlled PayNow numbers.
How a QR Code Scam Actually Works
Here is the typical attack flow used by scammers targeting Singapore residents:
- Bait creation: The scammer designs an attractive offer (free drink, parking discount, urgent delivery notice) or replicates a familiar payment scenario.
- Code deployment: The malicious QR code is printed on stickers, flyers, posters, or embedded in emails and social media ads.
- Victim scans: The victim scans with their phone's native camera or a QR app.
- Redirection: The code opens a phishing site, prompts an APK download (Android), or initiates a PayNow transfer with pre-filled scammer details.
- Credential or money capture: Victims enter banking credentials, OTPs, or NRIC numbers — or unknowingly install malware that grants the scammer remote access to their phone.
- Account takeover: Within minutes, scammers drain bank accounts, often transferring funds offshore through mule accounts before the victim realises.
Red Flags to Watch For
Before scanning any QR code in Singapore, check for these warning signs:
- The QR code is on a sticker placed over another code — peel back gently to check.
- The URL preview after scanning does not match the brand (e.g., "dbs-secure-login.xyz" instead of "dbs.com.sg").
- You're asked to download an APK file outside the Google Play Store or Apple App Store.
- The page asks for your full NRIC, SingPass credentials, or banking OTP for a simple action like a free drink.
- The offer feels too good to be true — free vouchers, lucky draws, or instant cashback.
- The QR code is on an unsolicited email, SMS, or letter claiming urgency.
- The destination website has poor grammar, mismatched logos, or unusual domain extensions.
10 Steps to Stay Safe from QR Code Scams
- Always preview the URL before tapping. Both iOS and Android show a URL preview when you scan — read it carefully.
- Verify the merchant at hawker stalls and shops. If unsure, ask the stallholder to confirm the PayNow name displayed on your app matches their business.
- Never download apps from QR codes. Legitimate Singapore businesses will direct you to the official App Store or Google Play.
- Disable "Install from unknown sources" on your Android device. iOS blocks sideloading by default.
- Use the ScamShield app by the SPF and the National Crime Prevention Council to filter scam SMSes and check suspicious links.
- Enable transaction alerts on your DBS, OCBC, UOB, or other banking apps so you're notified instantly of any outgoing transfer.
- Set transfer limits on your banking app — the lower the daily PayNow limit, the less you can lose.
- Activate the Money Lock feature offered by DBS, OCBC, UOB, and Standard Chartered, which ring-fences a portion of your savings from digital transfers.
- Inspect physical QR codes for tampering — peeling stickers, misaligned printing, or codes that look freshly added.
- Report suspicious codes to the SPF via the ScamShield helpline (1799) or the police hotline (1800-255-0000).
What Businesses in Singapore Should Do
If you run a hawker stall, café, retail shop, or services business, you have a duty of care to protect your customers from fraudulent QR codes attached to your premises. Here are the key actions every Singapore SME should take:
Daily Code Inspections
Train staff to check payment QR codes at the start and end of each shift. Look for stickers placed over your genuine SGQR or PayNow code, and remove any that appear suspicious.
Use Tamper-Evident Stickers
Print QR codes on holographic or tamper-evident materials so any attempt to peel or overlay them is visible immediately. Several local printers offer this service for under S$50.
Display the PayNow Recipient Name Prominently
Ensure your registered PayNow business name is visible next to the QR code. Encourage customers to verify the name shown on their banking app before confirming payment.
Use a Trusted Link Management Platform
For digital QR codes used in marketing — menus, promotions, loyalty programmes — generate them through a reputable platform that lets you monitor scans, detect abuse, and update destinations without reprinting. Tools like Lunyb let businesses create branded short links and trackable QR codes, so you can audit traffic and quickly disable any code that has been compromised. For a deeper dive into QR security best practices for SMEs, see our complete QR code security guide — many of the principles apply directly to Singapore businesses.
Educate Your Customers
Place a small notice near your QR code reminding customers to verify the payee name before paying. This simple step has been shown to dramatically reduce successful scam attempts.
Comparing Safe Scanning Practices
| Practice | Risk Level | Recommendation |
|---|---|---|
| Scanning random codes on flyers/stickers | High | Avoid unless from a verified source |
| Scanning codes inside trusted apps (Grab, ShopeePay) | Low | Generally safe |
| Scanning email-attached QR codes | Very High | Never scan — go to the website directly |
| Scanning hawker stall PayNow codes | Medium | Verify recipient name before paying |
| Scanning QR codes on official posters (LTA, HDB) | Low | Still preview the URL before tapping |
| Scanning codes from social media ads | High | Verify advertiser via official channels first |
What to Do If You've Been Scammed
If you suspect you've fallen victim to a QR code scam in Singapore, act immediately — every minute counts:
- Contact your bank's 24/7 fraud hotline immediately. DBS: 1800-339-6963; OCBC: 1800-363-3333; UOB: 1800-222-2121. Request an emergency freeze on your account.
- Change your banking and SingPass passwords from a different, trusted device.
- Run a malware scan or, if compromised via a downloaded APK, perform a factory reset on your phone.
- File a police report at any Neighbourhood Police Centre or online via eservices.police.gov.sg.
- Report the scam to ScamShield at 1799 and submit details so others can be warned.
- Notify the platform where you encountered the QR code — Facebook, Instagram, Carousell, or the physical venue's management.
The Regulatory Landscape
The Monetary Authority of Singapore (MAS) and the Infocomm Media Development Authority (IMDA) have introduced several measures to combat digital scams, including the Shared Responsibility Framework (SRF) which came into force in late 2024. Under the SRF, banks and telcos may bear part of the financial loss when they fail in their anti-scam duties. However, victims who voluntarily disclosed credentials or scanned malicious codes typically still bear most of the loss — making prevention the only reliable defence.
Singapore's approach to data protection and cyber security is broadly comparable to global benchmarks. If you're interested in how other jurisdictions handle similar issues, our coverage of Irish data breaches in 2026 and how to file privacy complaints under GDPR offers useful comparative perspective.
The Future of QR Code Security in Singapore
Looking ahead, several developments will shape the QR scam landscape in Singapore through 2026 and beyond:
- Signed QR codes: Industry groups are exploring cryptographically signed QR codes that phones can verify automatically before opening.
- Bank-side fraud detection: Local banks are deploying behavioural biometrics and AI-powered transaction monitoring to catch unusual transfers in real time.
- SafeApp ecosystem: The push toward a verified "SafeApp" ecosystem, where banking apps refuse to operate alongside known malware, will limit the impact of malicious downloads.
- Public awareness campaigns: Continued investment by the SPF, ScamShield, and the National Crime Prevention Council to educate Singaporeans on emerging scam tactics.
Frequently Asked Questions
Are QR codes inherently dangerous?
No. QR codes are simply a way of encoding information — usually a URL. The danger comes from where the code leads. A QR code from a trusted source (your bank's app, an official government poster) is generally safe. The risk lies in unverified codes from stickers, flyers, or unsolicited messages.
Can scanning a QR code install malware on my iPhone?
It's significantly harder on iOS because Apple does not allow apps to be installed from outside the App Store without enterprise certificates or developer mode. However, iPhones are not immune to phishing — a malicious QR code can still lead you to a fake login page that steals your credentials. Always preview the URL before tapping.
Will my bank refund me if I'm scammed via a QR code?
It depends. Under Singapore's Shared Responsibility Framework, banks may share liability if they failed to send timely transaction alerts or implement required safeguards. However, if you voluntarily entered your credentials, OTPs, or authorised the transfer, you will likely bear most or all of the loss. Contact your bank immediately — speed matters.
How can I tell if a PayNow QR code at a hawker stall is genuine?
After scanning, your banking app will display the registered recipient name before you confirm payment. Check that this name matches the stall (e.g., "ABC Chicken Rice Pte Ltd"). If the name is unfamiliar, a personal name on a business stall, or doesn't match, do not proceed — alert the stallholder.
Should businesses use a URL shortener for their QR codes?
Yes, but use a reputable one. A trusted link management platform lets you change the destination without reprinting codes, monitor scans for unusual patterns, and disable compromised links instantly. Avoid free, anonymous shorteners that customers may not recognise. See our comparison of the best link management platforms for business in 2026 and top URL shorteners to choose the right tool.
What's the single most important thing I can do to avoid QR scams?
Always preview the URL before tapping, and never enter banking credentials or OTPs on a page reached via a QR code. If a QR code asks you to log in to your bank, close it and open your banking app directly instead.
Final Thoughts
QR codes are not going away — they're too convenient, too embedded in Singapore's payment and information infrastructure. The answer is not to avoid them entirely, but to scan with awareness. By previewing URLs, verifying recipient names, refusing to download apps from codes, and reporting suspicious activity to ScamShield, you can enjoy the convenience of QR codes without becoming the next victim. For businesses, investing in tamper-evident codes and trusted link management platforms is now a basic duty of customer care.
Stay alert, stay informed, and when in doubt — don't scan.
Protect your links with Lunyb
Create secure, trackable short links and QR codes in seconds.
Get Started FreeRelated Articles
Irish Data Breaches 2026: What You Need to Know
Irish data breaches in 2026 are growing in both volume and sophistication, driven by AI-enabled phishing, ransomware, and supply-chain attacks. This guide covers the major incidents, regulatory landscape under GDPR, NIS2 and DORA, and practical steps Irish businesses and citizens can take to protect themselves.
Phishing Attacks in Singapore: How to Recognize and Avoid Them in 2026
Phishing attacks cost Singaporeans over S$651 million in 2023. Learn how to recognize scam SMS, fake bank emails, SingPass impersonation, and other phishing tactics—plus the practical steps you can take to protect yourself and your business in 2026.
Two-Factor Authentication: Why You Need It in 2026
Two-factor authentication (2FA) adds a critical second layer of security beyond your password, blocking over 99% of automated account takeover attempts. This guide explains how 2FA works, the strongest methods, and how to enable it across your accounts.
Social Engineering Attacks: A Complete Guide for 2026
Social engineering attacks exploit human psychology rather than technology, making them one of the biggest cybersecurity threats today. This complete guide explains the most common types, real-world examples, and proven strategies to protect yourself and your organization in 2026.