QR Code Scams in Singapore: How Quishing Works and How to Stay Safe
Learn about QR code scams (quishing) in Singapore — fake PayNow QR codes, survey scams, Singpass phishing, and how to protect yourself from QR-based attacks.
QR Code Scams in Singapore: How Quishing Works and How to Stay Safe
Singapore runs on QR codes. PayNow, NETS, GrabPay, FavePay — scan and pay is second nature at every hawker centre, shop, and restaurant. This widespread adoption has made QR codes one of the most attractive attack vectors for scammers.
The threat has a name: quishing (QR code + phishing). And it is growing fast.
Real Cases in Singapore
These are not hypothetical scenarios:
- Bubble tea shop survey scam: A customer scanned a QR code at a bubble tea shop promising a "free drink survey." The link installed malware on their phone. They lost S$20,000 from their bank account.
- Hawker centre QR replacement: Scammers physically pasted fake QR codes over legitimate PayNow QR codes at food stalls. Customers unknowingly sent payments to the scammer's account instead of the hawker.
- Fake parking meter QR codes: Fraudulent QR stickers placed on parking meters directed drivers to phishing sites that harvested credit card details.
Types of QR Code Scams
1. Payment QR Replacement
Scammers print fake QR codes on stickers and paste them over the merchant's real PayNow or NETS QR code at food stalls, shops, and parking meters. When you scan and pay, the money goes to the scammer.
How to spot it: Look for stickers placed over other stickers. Check if the QR code looks tampered with or misaligned. Verify the recipient name matches the merchant before confirming payment.
2. Survey and Reward QR Scams
Fake "customer survey" QR codes promising rewards, free items, or lucky draw entries. Scanning leads to:
- Phishing sites that steal login credentials
- Malware downloads that give scammers access to your phone
- Fake forms that harvest personal and banking information
3. Singpass QR Exploitation
Fake websites or pop-ups asking you to scan your Singpass QR code to "verify your identity" or "claim a government benefit." Scammers can use your Singpass to access government services, open accounts, or make transactions in your name.
Rule: Never scan your Singpass QR on any website that is not the official Singpass app or singpass.gov.sg.
4. Fake Delivery QR Codes
SMS or email claiming a package requires "verification" — with a QR code to scan. The QR leads to a phishing site designed to look like SingPost, Ninja Van, or a courier service.
How to Protect Yourself
Before Scanning
| Check | What to Do |
|---|---|
| Physical tampering | Look for stickers pasted over other QR codes |
| URL preview | Many phone cameras show the URL before opening — check the domain |
| Source | Only scan QR codes from trusted, verified sources |
| Context | Be suspicious of QR codes in unexpected places (random flyers, unsolicited emails) |
During Payment
- Use PayNow within your banking app, not external QR scanners
- Verify the recipient name before confirming the transaction
- Check the amount — some scam QR codes pre-fill inflated amounts
For Merchants
- Regularly inspect your QR codes for tampering or stickers placed on top
- Use stands or frames that make it harder to paste over
- Consider dynamic QR codes that change regularly
What to Do If You Have Been Scammed
- Call your bank immediately to freeze your account and reverse any unauthorized transactions
- Report to the Singapore Police Force (SPF) — file a report online or at any police station
- Call ScamShield hotline: 1799
- Change passwords for any accounts that may have been compromised
- Scan your phone for malware using a reputable security app
Share Payment Details Securely
One way to reduce QR scam exposure is to stop publicly displaying payment QR codes altogether. Instead of taping a PayNow QR code to your stall or printing it on invoices, share your payment details through a password-protected link on LOCK.PUB.
Only people with the password can see your actual payment QR code or bank details. This prevents scammers from photographing, replacing, or tampering with your publicly displayed codes.
The Bigger Picture
QR codes are not inherently dangerous — they are just links in visual form. The danger comes from the fact that humans cannot read a QR code before scanning it. Unlike a URL where you can see "bank.com" vs "b4nk.com," a QR code looks the same whether it leads to your bank or to a scammer's phishing site.
Stay vigilant. Verify before you scan. And when sharing your own payment information, consider using LOCK.PUB to add a layer of protection that a simple printed QR code cannot provide.
Report scams to SPF or call 1799 (ScamShield).
Keywords
You might also like
Android Malware Scam in Singapore: 128+ Cases, S$2.4M Lost — How APK Files Drain Your Bank Account
Since February 2025, Android malware scams have cost Singaporeans S$2.4M. Learn how malicious APK files steal banking credentials and how to protect yourself.
Children's Online Safety in Singapore: A Parent's Complete Guide for 2026
Everything Singapore parents need to know about keeping children safe online — screen time guidelines, parental controls, new regulations, and practical tools.
CPF Scam Prevention in Singapore: How to Protect Your Retirement Savings
Learn how scammers target CPF savings in Singapore through phishing, fake investments, and SingPass exploitation. Discover how to use CPF Safety Switch and other tools.
Create your password-protected link now
Create password-protected links, secret memos, and encrypted chats for free.
Get Started Free