QR code scam: What you should know before scanning codes via SMS

When the victims completed the surveys, the scammers would ask them to scan a Singpass QR code with their Singpass app. PHOTO: LIANHE ZAOBAO
Jean Iau
Correspondent
Updated
May 17, 2022, 06:30 PM
Published
Feb 23, 2022, 09:27 AM

SINGAPORE - A new type of scam has emerged, tricking people into using their Singpass app to scan Singpass QR codes sent via SMS to authorise access into digital services.

The police on Tuesday (Feb 22) warned that scammers could misuse the access by registering businesses, subscribing for new mobile lines or opening new bank accounts under the victim's name. These registrations could be for illicit purposes.

The police warned against scanning QR codes delivered via SMS and messaging platforms such as WhatsApp. In the same way, people should not click on embedded links in SMS and messages.

QR code scanning by itself is safe when transactions on websites and at cashier counters are initiated by the user.

Here is how the scam works:

1. Promise of monetary rewards

Scammers create fake surveys and recruit participants through online forums and e-commerce sites.

The surveys are purportedly conducted for reputable companies or organisations in Singapore. The scammers usually communicate with the victims through WhatsApp and promise them monetary rewards in exchange for filling up the surveys.

2. Request to scan QR codes

When the victims complete the surveys, the scammers ask them to scan a Singpass QR code with their Singpass app, claiming that it is part of a verification process to retrieve the survey results to disburse the rewards.

But the Singpass QR code provided by the scammers is a screenshot from legitimate websites. Many websites, including those of government agencies, telcos, insurance firms and banks, authenticate services using Singpass. By scanning the QR code and authorising the transaction without further checks, victims are tricked into giving the scammers access to all sorts of online services.

3. Unauthorised transactions

Scammers then use the access to register businesses, subscribe to new mobile lines or open new bank accounts under the victim's name. These registrations could be for illicit purposes.

4. Notifications

Victims only realise something has gone wrong when they receive notifications of these transactions by their telecommunications service providers or banks, or when an alert in their Singpass Inbox shows that their personal details have been retrieved.

More On This Topic
People tricked into granting scammers Singpass access in QR code scam
Stop scams: Counting the cost of love, sex and money scams

Join ST's WhatsApp Channel and get the latest news and must-reads.

Available for
iPhones and iPads
Available in
Google Play

MCI (P) 066/10/2023. Published by SPH Media Limited, Co. Regn. No. 202120748H. Copyright © 2024 SPH Media Limited. All rights reserved.

Back to the top