# Hotel QR Code Scams: What to Check at Check-In

> Hotel QR code scams target the Wi-Fi card, dining menu, and check-out prompt in rooms that turn over daily. Here's what attackers do and how to stay safe.

URL: https://www.qrsafer.com/blog/hotel-qr-code-scams
Published: 2026-04-12

---

Your hotel room is full of QR codes. The Wi-Fi card on the desk. The dining menu by the phone. The check-out prompt on the in-room tablet. The welcome guide on the TV stand. Most are legitimate. **Hotel QR code scams** target exactly this environment — high-turnover spaces where a freshly placed sticker blends in with the furniture and guests have no reference point for what "normal" looks like.

Here's how each attack works, and the checks that take less time than unpacking your bag.

## The fake in-room Wi-Fi QR code

This is the most common hotel QR scam and the easiest to execute.

A card on the desk or nightstand — often printed to look like official hotel stationery — displays a QR code alongside text like "Scan to connect to complimentary Wi-Fi." Scan it and you join an attacker-controlled network, not the hotel's actual infrastructure.

From that network, attackers can intercept login credentials from apps you use, capture session cookies that grant access to your accounts without a password, and redirect you to pages that harvest payment details before letting you browse.

The real hotel Wi-Fi still works. You're just not on it.

**What to do instead:** Get the Wi-Fi name and password by calling the front desk or checking the hotel app. Type the password manually — no hotel network requires a QR code to join.

## Tampered dining and menu QR codes

Hotel restaurants and room-service menus use QR codes the same way standalone restaurants do. [The same sticker-swap attacks that hit city restaurants](/blog/restaurant-qr-code-scams) happen here too — often with higher success rates because guests don't know what the hotel's legitimate menu QR looks like.

Attackers swap the real code with a sticker pointing to a phishing page or fake payment portal dressed in the hotel's branding.

Before scanning any dining or room-service QR: check the physical code for raised sticker edges or mismatched print quality. If the destination URL doesn't match the hotel's domain or a recognized platform like Toast or Square, don't tap through.

## Fake check-out and billing QR codes

A growing attack involves placing a fake QR code on the in-room check-out card or a printed notice that reads "Fast check-out — scan to review your bill and pay." The code routes to a credential-harvesting page styled to match the hotel's real checkout interface.

This works because guests are moving fast, billing pages look identical to the real thing, and many legitimate hotels do offer digital check-out via QR or app.

**How to tell the difference:** Legitimate hotel check-out runs through the hotel app, the TV's official interactive menu, or the front desk — not a QR sticker freshly applied to the door or nightstand card. If a check-out QR appears somewhere unexpected, call the front desk before using it.

## QR codes in hotel public spaces

The attack doesn't stop at your room door. Lobbies, business centers, gyms, and pool areas all carry posted QR codes — and all are potential targets.

Watch for pool or gym access codes that harvest loyalty-program credentials, business-center Wi-Fi QR codes running the same attack as the in-room version, and "local restaurant deals" or "city guide" codes added to concierge boards that route to phishing pages. The [same vigilance that protects you at an airport](/blog/airport-qr-code-scams) applies in any high-traffic hotel common area.

## How QRsafer helps at the hotel

Hotel stays mean scanning codes in unfamiliar spaces under time pressure — exactly when it's hardest to notice something's off.

QRsafer checks every QR code's destination URL against multiple threat intelligence sources before anything loads in your browser. Scan the Wi-Fi card, the dining menu, or the check-out prompt with QRsafer first and it returns a **Safe**, **Risky**, or **Dangerous** verdict in seconds. A fake payment portal or freshly registered phishing domain shows up in the verdict before you tap through.

If something does go wrong, our guide on [what to do if you scanned a suspicious QR code](/blog/what-to-do-if-you-scanned-a-suspicious-qr-code) covers the immediate steps.

## Check-in checklist

- **Wi-Fi**: Get the network name and password from the front desk — never scan a QR to connect
- **Dining menus**: Check for sticker-swap signs before scanning any restaurant or room-service code
- **Check-out**: Use the hotel app or TV menu — never a QR sticker on the door or room card
- **Public spaces**: Ask staff to verify codes in lobbies, gyms, and business centers before using
- **Any surface**: Scan with QRsafer first — it takes the same two seconds as your camera app

Guests are in an unfamiliar space with no reference for what belongs. A quick verification before you scan is all it takes to break the attack.

## See also
- [What to Do If You Scanned a Suspicious QR Code](/blog/what-to-do-if-you-scanned-a-suspicious-qr-code)
- [Airport QR Code Scams](/blog/airport-qr-code-scams)
- [Car Rental QR Code Scam](/blog/car-rental-qr-code-scam)
- [Restaurant QR Code Scams](/blog/restaurant-qr-code-scams)
- [QR Code Threat Map](/threat-map)

Download QRsafer for [iOS](https://apps.apple.com/app/qrsafer/id6743708403) or [Android](https://play.google.com/store/apps/details?id=com.bedrockdigitalsolutions20.qrsafer) and scan safer on your next stay.