QR code scam: What you should know before scanning codes via SMS

When the victims completed the surveys, the scammers would ask them to scan a Singpass QR code with their Singpass app. — Bloomberg

SINGAPORE: A new type of scam has emerged, tricking people into using their Singpass app to scan Singpass QR codes sent via SMS to authorise access into digital services.

The police on Tuesday (Feb 22) warned that scammers could misuse the access by registering businesses, subscribing for new mobile lines or opening new bank accounts under the victim’s name. These registrations could be for illicit purposes.

The police warned against scanning QR codes delivered via SMS and messaging platforms such as WhatsApp. In the same way, people should not click on embedded links in SMS and messages.

QR code scanning by itself is safe when transactions on websites and at cashier counters are initiated by the user.

Here is how the scam works:

1. Promise of monetary rewards

Scammers create fake surveys and recruit participants through online forums and e-commerce sites.

The surveys are purportedly conducted for reputable companies or organisations in Singapore. The scammers usually communicate with the victims through WhatsApp and promise them monetary rewards in exchange for filling up the surveys.

2. Request to scan QR codes

When the victims complete the surveys, the scammers ask them to scan a Singpass QR code with their Singpass app, claiming that it is part of a verification process to retrieve the survey results to disburse the rewards.

But the Singpass QR code provided by the scammers is a screenshot from legitimate websites. Many websites, including those of government agencies, telcos, insurance firms and banks, authenticate services using Singpass. By scanning the QR code and authorising the transaction without further checks, victims are tricked into giving the scammers access to all sorts of online services.

3. Unauthorised transactions

Scammers then use the access to register businesses, subscribe to new mobile lines or open new bank accounts under the victim's name. These registrations could be for illicit purposes.

4. Notifications

Victims only realise something has gone wrong when they receive notifications of these transactions by their telecommunications service providers or banks, or when an alert in their Singpass Inbox shows that their personal details have been retrieved. – The Straits Times (Singapore)/Asia News Network

Article type: free
User access status:
Subscribe now to our Premium Plan for an ad-free and unlimited reading experience!

Next In Tech News

UK accidentally leaks personal data on Afghan teacher in hiding from Taliban
Chip makers expect demand slowdown to expand beyond PCs, smartphones
Ether reaches two-month high as software update test conducted
Twitter plan to fight midterm misinformation falls short, voting rights experts say
Two lawmakers ask U.S. regulator about Tesla crashes, safety probes
Crypto derivatives volumes surge to $3.12 trillion in July - CryptoCompare
Govt body asks Rain to retract its proposal to merge with Telkom
Arrival to delay spending on bus project after posting wider loss
BlackRock launches spot bitcoin private trust for U.S. clients
World’s biggest Amazon warehouse raises fears over toxic air

Others Also Read