Fake Wi-Fi QR Code Scams: How Rogue Hotspots Steal Your Data

Scammers print QR codes that connect your phone to attacker-controlled networks instead of the real Wi-Fi. Here's how the attack works, how to spot a fake, and what to do if you already connected.

2026-05-03 · QRsafer Team

Most people know to be careful about clicking links in suspicious emails. Far fewer think twice before scanning a QR code to join a Wi-Fi network — and scammers are counting on exactly that gap.

Fake Wi-Fi QR codes are one of the least visible attacks in use today. The setup is simple, the hardware cost is near zero, and most victims never know it happened.

How the attack works

A QR code can encode more than just a URL. It can also encode Wi-Fi credentials — the network name (SSID), security type, and password — in a format that tells your phone to join automatically when you scan it. This is a legitimate feature used by hotels, cafes, and offices to make connecting easier for guests.

Scammers use the same format with one difference: the QR code joins your device to a network they control, not the venue's actual network.

Here's the typical setup:

  1. The attacker creates a Wi-Fi network with a name similar to the real one — "Hotel_Guest_WiFi" instead of "HotelGuestWiFi," or just a generic name like "Airport Free WiFi."
  2. They print a QR code that connects to their network and post it on a table card, a wall near the gate, or over an existing sign.
  3. You scan it, your phone connects automatically, and you browse without realizing anything is wrong.

Once you're on their network, the attacker can:

  • Intercept traffic on sites that don't enforce HTTPS properly
  • Redirect you to a fake login page for your bank, email, or airline account
  • Capture session cookies that keep you logged in to various services
  • Present a fake captive portal asking for your personal or payment details

The attack is especially effective in high-trust environments where you expect to scan a QR code for Wi-Fi — hotel rooms, airport terminals, cafe lobbies, coworking spaces, and conference venues.

The fake captive portal variant

A related but distinct attack doesn't hijack your network connection — it harvests your data through a fake registration page.

You scan a QR code, land on what looks like a legitimate Wi-Fi login portal, and are asked to "register" to access the network. The page asks for your name, email address, and sometimes a credit card number "to verify your identity" or "unlock premium speeds."

Real captive portals for guest Wi-Fi don't work this way. They ask for a room number, a voucher code, or a simple terms-of-service agreement. They never ask for payment information or full account credentials. If you see a Wi-Fi signup page asking for your card number, close it immediately.

Where these attacks happen

Fake Wi-Fi QR codes are most common in places where:

  • Guests expect to connect to free Wi-Fi and have been taught to scan a code to do it
  • Physical signage is easy to tamper with or replace
  • Staff turnover is high and nobody checks posted materials regularly

Hotels and conference centers top the list. A scammer books a room, posts a QR sticker near the elevator or on the door of a conference room, and checks out before anyone notices.

Coffee shops and cafes are also frequent targets. Printed table tents with QR codes are cheap and interchangeable. A sticker placed over the real code on a card holder is invisible until staff are looking for it.

Airports and transit hubs see this attack too, often combined with a fake "scan here for free Wi-Fi" sign placed in a dead zone where the real airport network signal is weak.

How to spot a fake

Before you scan any QR code for Wi-Fi, check these things:

Look at the physical code. A sticker placed over an existing QR code will show slight edges or misalignment if you look closely. Raised edges, bubbles, or a code that sits above the surface of the card are warning signs.

Preview before connecting. Use QRsafer to scan the code first. It shows you the network name encoded in the QR before your phone connects. Confirm the SSID matches the name your hotel or venue told you to use — not a similar-but-different name. A one-letter difference matters.
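To make the preview step and the credential format described under "How the attack works" concrete, here is an added example (not QRsafer's code) that decodes a Wi-Fi QR payload and compares its SSID with the name the venue gave you. It assumes the widely used `WIFI:T:<type>;S:<ssid>;P:<password>;;` text layout, which the article does not spell out; the function names, the sample payloads, and the two-character lookalike threshold are illustrative choices.

```python
import re
import unicodedata

def parse_wifi_qr(payload):
    """Split a 'WIFI:T:..;S:..;P:..;;' payload into {field: value}."""
    if not payload.upper().startswith("WIFI:"):
        raise ValueError("not a Wi-Fi QR payload")
    fields, key, buf, i = {}, None, [], len("WIFI:")
    while i < len(payload):
        ch = payload[i]
        if ch == "\\" and i + 1 < len(payload):  # backslash escapes the next char
            i += 1
            buf.append(payload[i])
        elif ch == ":" and key is None:          # first colon ends the field name
            key, buf = "".join(buf).upper(), []
        elif ch == ";":                          # unescaped semicolon ends the field
            if key is not None:
                fields[key] = "".join(buf)
            key, buf = None, []
        else:
            buf.append(ch)
        i += 1
    return fields

def skeleton(ssid):
    """Fold case and drop punctuation/spaces so near-identical names compare equal."""
    return re.sub(r"[\W_]", "", unicodedata.normalize("NFKC", ssid).casefold())

def edit_distance(a, b):  # Levenshtein distance, catches one- or two-character swaps
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_ssid(payload, expected_ssid):  # compare the encoded SSID to the venue's name
    fields = parse_wifi_qr(payload)
    ssid = fields.get("S", "")
    near = edit_distance(skeleton(ssid), skeleton(expected_ssid)) <= 2
    verdict = "match" if ssid == expected_ssid else "lookalike" if near else "different"
    return {"ssid": ssid, "auth": fields.get("T", "nopass"), "verdict": verdict}

if __name__ == "__main__":  # constructed payloads; venue SSID assumed "HotelGuestWiFi"
    for p in ("WIFI:T:WPA;S:HotelGuestWiFi;P:example-pass;;",
              "WIFI:T:WPA;S:Hotel_Guest_WiFi;P:example-pass;;",
              "WIFI:T:nopass;S:Airport Free WiFi;;"):
        print(check_ssid(p, "HotelGuestWiFi"))
```

A "lookalike" verdict is the case the article warns about: a name that differs from the venue's only by punctuation, case, or a character or two.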

Ask staff. The simplest check is also the most reliable. Ask a staff member for the correct Wi-Fi name and password instead of scanning a posted code. If the posted code leads to a different network than the one staff gives you, you've found a tampered code.

Verify the captive portal domain. If you do reach a login page, check the URL. A hotel captive portal should use the hotel's actual domain or a well-known hospitality network provider's domain. A URL you don't recognize or a generic landing page with no branding is a red flag.

What to do if you already connected

If you scanned a Wi-Fi QR code and are now unsure whether it was legitimate:

  1. Disconnect immediately. Go to your phone's Wi-Fi settings and forget the network.
  2. Switch to cellular data for anything sensitive until you're on a trusted network.
  3. Change passwords for any accounts you logged into while connected — especially email, banking, and social media. Do this from a trusted network.
  4. Check for active sessions. Most major services (Google, Apple, Facebook, banking apps) let you see where you're currently logged in. Revoke any sessions you don't recognize.
  5. Run a security scan. If you downloaded anything or noticed your device behaving oddly, run a malware scan before using it further.

If you entered personal or payment information on a captive portal that turned out to be fake, treat it the same as any credential or card compromise: change the password immediately, contact your bank to flag potential fraud, and monitor your accounts for unusual activity.

How QRsafer helps

The core protection against Wi-Fi QR attacks is the same as for any QR code: see what the code contains before your device acts on it.

QRsafer decodes the QR and displays the full content — including the SSID of a Wi-Fi credential — before joining. That one-second preview is often the only checkpoint between your device and an attacker's network.

Download QRsafer for iOS or Android and scan before you connect.

FAQ

Can a QR code connect my phone to a fake Wi-Fi network?

Yes. A QR code can encode Wi-Fi credentials — network name (SSID) and password — that automatically join your device to any network the attacker controls. When you scan the code, your phone connects without showing you any warning, because the process is no different from scanning a legitimate Wi-Fi QR code.

What can someone do if I'm connected to their fake Wi-Fi?

On an attacker-controlled network, they can intercept unencrypted traffic, redirect you to fake login pages for your bank or email, strip HTTPS on unprotected sites, and capture session cookies from apps that don't use certificate pinning. Most modern HTTPS traffic is harder to read in transit, but the redirect and fake login-page attacks remain very effective.

How do I know if a captive portal Wi-Fi registration page is real?

Legitimate hotel and airport captive portals ask for a room number, loyalty number, or a simple 'agree and connect' click — they never ask for a credit card, Social Security number, or full account password. If a Wi-Fi registration page asks for payment details or personal credentials, close the browser immediately and report it to venue staff.

Does QRsafer protect against fake Wi-Fi QR codes?

QRsafer decodes any QR code and shows you the full content before your device acts on it. For a Wi-Fi QR code, that means displaying the network name (SSID) and the connection type so you can confirm it matches what you expect before your phone joins. That preview step is often the only warning you'll get.