QR code scam: What you should know before scanning codes via SMS

When the victims completed the surveys, the scammers would ask them to scan a Singpass QR code with their Singpass app. PHOTO: LIANHE ZAOBAO

SINGAPORE - A new type of scam has emerged, tricking people into using their Singpass app to scan Singpass QR codes sent via SMS to authorise access into digital services.

The police on Tuesday (Feb 22) warned that scammers could misuse the access by registering businesses, subscribing for new mobile lines or opening new bank accounts under the victim's name. These registrations could be for illicit purposes.

The police warned against scanning QR codes delivered via SMS and messaging platforms such as WhatsApp. In the same way, people should not click on embedded links in SMS and messages.

QR code scanning by itself is safe when transactions on websites and at cashier counters are initiated by the user.

Here is how the scam works:

1. Promise of monetary rewards

Scammers create fake surveys and recruit participants through online forums and e-commerce sites.

The surveys are purportedly conducted for reputable companies or organisations in Singapore. The scammers usually communicate with the victims through WhatsApp and promise them monetary rewards in exchange for filling up the surveys.

2. Request to scan QR codes

When the victims complete the surveys, the scammers ask them to scan a Singpass QR code with their Singpass app, claiming that it is part of a verification process to retrieve the survey results to disburse the rewards.

But the Singpass QR code provided by the scammers is a screenshot from legitimate websites. Many websites, including those of government agencies, telcos, insurance firms and banks, authenticate services using Singpass. By scanning the QR code and authorising the transaction without further checks, victims are tricked into giving the scammers access to all sorts of online services.

3. Unauthorised transactions

Scammers then use the access to register businesses, subscribe to new mobile lines or open new bank accounts under the victim's name. These registrations could be for illicit purposes.

4. Notifications

Victims only realise something has gone wrong when they receive notifications of these transactions by their telecommunications service providers or banks, or when an alert in their Singpass Inbox shows that their personal details have been retrieved.

Join ST's Telegram channel and get the latest breaking news delivered to you.