Experts: Never scan a QR code sent to you

SINGAPORE - Scammers have diversified to include using QR codes to dupe victims, with the police warning of two new scams involving the barcode.

Sengkang Neighbourhood Police Centre (NPC) on Wednesday (Feb 23) warned of a scam involving a printed flier of a Grab food voucher giveaway and a QR code. The QR code leads to a request for personal details.

Grab clarified that it did not create the flier and does not have promotions that require users to scan a QR code to redeem vouchers, said the NPC.

This comes after the police said on Tuesday that a Singpass QR code scam has surfaced in which victims are asked to fill out surveys in exchange for a monetary reward.

The scammers would send victims a Singpass QR code claiming that the victims had to verify their identity and accept the rewards, but the QR code is, in fact, a screenshot of a legitimate online service seeking authentification.

Many websites, including those of government agencies, telecoms companies, insurance firms and banks authenticate their services using Singpass.

By scanning the QR code and authorising the transaction, victims would be tricked into giving the scammers access to these online services.

Observers The Straits Times spoke to said QR code scanning on its own is safe when transactions on websites and cashier counters are initiated by the user, but they urged the public to exercise caution and not to scan a QR code sent by an unknown person on a messaging platform.

Mr Amos Tan, assistant director of Singapore Polytechnic's School of Business, told ST that customers might develop a fear of making online transactions, but this should not affect the sales of merchants as they can pivot to other payment methods.

"Scammers tend to move from one form of payment or method of collecting personal data to others once the method has been widely reported on and people know to look out for them... I don't believe sales will be affected but the method of transactions might be, in terms of where they take place," he said.

[[nid:566937]]

Mr Tan added that businesses could offer customers who are fearful of paying online the option of transacting in person.

They could also alert clients to phishing scams and send out messages to remind them that the company would not ask for personal details over the phone, he said.

Payment platforms that ST contacted urged users of the QR code function to check the beneficiary or merchant details and the transacted amount before authorising payment.

Mr Keith Chen, general manager of payment app Fave, said it was a shame that scammers are using a convenient tool to trick consumers.

He advised Fave users to scan QR codes using only the Fave app at physical stores with cashiers or online websites of Fave's merchants.

"We highly recommend that customers do not engage with QR codes that are shared via chat platforms from unauthorised or unknown contact," said Mr Chen.

Similarly, a spokesman for Grab said the company would never send users QR codes via SMS or messaging platforms.

The spokesman urged users to look out for signs of a potential phishing scam, such as an urgent call to action, the promise of attractive rewards, and suspicious links or attachments, including QR codes from unexpected or first-time senders.

Grab uses artificial intelligence, machine learning and experts to analyse and detect fraudulent or scam content to take down fake postings or illegal content, the spokesman added.

Grab users can call the company's fraud helpline on 6902-1036 if they are unsure about a message they have received.

How to avoid falling prey to Singpass QR code scam

• Never scan a Singpass QR code sent by someone else, say the police. Scan the Singpass QR code on only the official website of the e-service that you want to access, or tap on Singpass QR codes on the official apps of these e-services.
• Always verify with official sources whether the information you have received is sent by the organisation and if authentication using the Singpass app is necessary.
• After scanning a Singpass QR code, always check the consent screen on the Singpass app to verify the digital service. Ensure that the domain URL displayed on the Singpass app matches that in the browser address bar.
• Never disclose your Singpass ID, password and two-factor authentication (2FA) details to others.

Suspicious activities can be reported to the Singpass helpdesk by calling 6335-3533.

Those with any information relating to such crimes can call the police hotline on 1800-255-0000, or go to the police's I-Witness website.

If urgent police assistance is required, call 999.

This article was first published in The Straits Times. Permission required for reproduction.