Can I trust this QR code?: CSA, police warn of QR code scams and advise how to avoid being tricked

Check for signs of tampering, ensure that the URL leads to a legitimate website, and refrain from downloading apps from third-party sites.

SINGAPORE – If you see a QR code pasted untidily over an existing one, it could be a scam.

The Cyber Security Agency of Singapore (CSA) and the police on Monday issued an alert to the public on the prevalence of such scams, which can lead users to download viruses or make payments to fraudsters from their mobile devices.

They did not provide details on the number of such scams here, but urged caution when scanning QR codes amid a spate of such scams.

It was recently reported that a 60-year-old woman was scammed out of $20,000 after she scanned a QR code to complete a survey on bubble tea.

Box-shaped QR codes are commonly displayed in shops here as a convenient way to allow customers to make digital payments. This payment method was widely adopted during the Covid-19 pandemic as businesses sought ways to cut down on the potential spread of viruses through the handling of cash.

But fraudsters have found ways to trick users into scanning such codes to steal their money.

Similar warnings about QR code scams have been issued globally, including in the United States by the Federal Bureau of Investigation, which in 2022 warned that criminals were sticking fake codes over real ones at banks and restaurants, and on parking meters.

In Singapore, the CSA and police highlighted several types of QR code scams based on cases worldwide and how users can avoid being duped.

Legitimate QR codes displayed at businesses can be swopped with fake codes that direct payment to a fraudster’s bank account instead.

To avoid being tricked, check for signs of tampering and do not scan codes that appear to have been pasted over the original code or that show design inconsistencies, said the CSA. Otherwise, check with the organisation responsible for the code, it added.

Inspect and make sure the website address that a QR code leads to is the intended URL. Spelling errors, extra characters or unfamiliar addresses are often telltale signs that a website is a scam.

When making payments digitally, review the transaction details displayed on the payment app before sending the money through, and ensure that the amount, recipient’s name and other information are correct.

Some third-party QR code-scanning apps also display advertisements that prompt a user to create an account. Users may be directed to a phishing site requesting personal information and banking credentials.


Third-party QR code-scanning apps do not include those that come with a phone, such as the scanning feature in the camera apps of an Android phone or iPhone. QR code scanners built into major apps such as Grab and online banking apps are also not considered third-party scanners.

Members of the public are advised to regularly update their devices’ operating software to ensure that they contain the latest security patches, and to refrain from downloading apps from third-party sites that a QR code links to, said the CSA.

“Mobile applications should only be downloaded from official sources such as Google Play Store or the Apple App Store,” it said.

Users should also avoid scanning codes sent through unsolicited messages or from unknown senders.

The police and CSA said: “QR codes are not inherently dangerous, but threat actors with malicious intentions could make use of QR codes to trick unsuspecting individuals into scanning these codes and exposing themselves to various threats.”
