QR code scam: What you should know before scanning codes via SMS

When the victims completed the surveys, the scammers would ask them to scan a Singpass QR code with their Singpass app. — Bloomberg

SINGAPORE: A new type of scam has emerged, tricking people into using their Singpass app to scan Singpass QR codes sent via SMS to authorise access into digital services.

The police on Tuesday (Feb 22) warned that scammers could misuse the access by registering businesses, subscribing for new mobile lines or opening new bank accounts under the victim’s name. These registrations could be for illicit purposes.

The police warned against scanning QR codes delivered via SMS and messaging platforms such as WhatsApp. In the same way, people should not click on embedded links in SMS and messages.

QR code scanning by itself is safe when transactions on websites and at cashier counters are initiated by the user.

Here is how the scam works:

1. Promise of monetary rewards

Scammers create fake surveys and recruit participants through online forums and e-commerce sites.

The surveys are purportedly conducted for reputable companies or organisations in Singapore. The scammers usually communicate with the victims through WhatsApp and promise them monetary rewards in exchange for filling up the surveys.

2. Request to scan QR codes

When the victims complete the surveys, the scammers ask them to scan a Singpass QR code with their Singpass app, claiming that it is part of a verification process to retrieve the survey results to disburse the rewards.

But the Singpass QR code provided by the scammers is a screenshot from legitimate websites. Many websites, including those of government agencies, telcos, insurance firms and banks, authenticate services using Singpass. By scanning the QR code and authorising the transaction without further checks, victims are tricked into giving the scammers access to all sorts of online services.

3. Unauthorised transactions

Scammers then use the access to register businesses, subscribe to new mobile lines or open new bank accounts under the victim's name. These registrations could be for illicit purposes.

4. Notifications

Victims only realise something has gone wrong when they receive notifications of these transactions by their telecommunications service providers or banks, or when an alert in their Singpass Inbox shows that their personal details have been retrieved. – The Straits Times (Singapore)/Asia News Network

Article type: free
User access status:
Subscribe now to our Premium Plan for an ad-free and unlimited reading experience!

Next In Tech News

AI chatbot company Replika restores erotic roleplay for some users
Intel co-founder Gordon Moore, prophet of the rise of the PC, dies at 94
Food photography essentials: First the setting, then the cooking
Internet Archive's digital book lending violates copyrights, US judge rules
Gordon Moore, Intel co-founder who coined chip rule, dies at 94
Lidar, radar, cameras: The sensors making self-driving cars possible
Microsoft threatens to restrict data from rival AI search tools - Bloomberg News
The future of in-car entertainment: Music, cinema and gaming
Canada's Trudeau says TikTok ban had 'side benefit' of getting his kids off platform
Five video game classics that are now even better as remakes

Others Also Read