
SINGAPORE: The police on Tuesday (Feb 22) warned about the emergence of a new type of scam, involving the scanning of Singpass QR codes to gain access to digital services for fraudulent purposes.

In a media release, the Singapore Police Force (SPF) said these scams involve fake surveys – purportedly conducted on behalf of reputable companies or organisations in Singapore – with participants recruited via channels such as online forums and e-commerce sites. 

The scammers will typically communicate with the victims through WhatsApp and promise them monetary rewards for their participation in the surveys, the police said. 

“Upon completing the surveys, the scammers would request for the victims to scan a Singpass QR code with their Singpass app, claiming it was part of the verification process to retrieve their survey results for disbursement of the monetary rewards,” said the police. 

The SPF warned, however, that the Singpass QR codes provided are actually screenshots of legitimate websites. Scanning these codes and authorising transactions without further checks grants the scammers access to certain online services, it said.

“Scammers would proceed to misuse the access by registering businesses, subscribing for new mobile lines or opening new bank accounts under the victim’s name,” said the SPF. 

“Victims would only realise something was amiss when notified of these transactions by their telecommunications service provider or bank, or when they receive notifications in their Singpass Inbox that their personal details have been retrieved.”

The police noted the Singpass login process requires user consent and authentication through biometrics or passcode verification on the user’s personal device.

“Singpass will never send QR codes through SMS, messaging apps like WhatsApp and other non-official messaging platforms,” they said.

The police warned that while Singpass has “stringent security measures”, members of the public should stay vigilant and follow security processes.

How to check if the domain URL displayed on your Singpass app matches that of the browser address bar of the digital service you are trying to access. Do not tap “Log in” if they do not match. (Image: Singapore Police Force)

These include not scanning Singpass QR codes sent by others, and only scanning the QR code on the official websites of specific e-services or otherwise tapping on QR codes on the official apps of these services.

The police also advised that people always verify with official sources whether the information received was sent by the relevant organisation and whether the transaction involves authentication using the Singpass app.

“After scanning a Singpass QR code, always check the consent screen on your Singpass app to verify the legitimacy of the digital service you are accessing,” said the SPF. 

It added that users should also ensure the domain URL displayed on their Singpass app matches that in the browser address bar, and should not log in if it does not.

Information such as Singpass ID, password and Two-Factor Authentication (2FA) details should also not be revealed to others, said the police, adding that suspicious activities should be reported to the Singpass helpdesk at 6335 3533 immediately.

The police advisory comes as the number of reported scam cases in Singapore surged last year, hitting 23,931 – making up more than half of all crimes reported in the country.