QRsafer LogoQRsafer
Hotel QR Code Scams: What to Check at Check-In
← Back to blog

Hotel QR Code Scams: What to Check at Check-In

Hotel QR code scams target the Wi-Fi card, dining menu, and check-out prompt in rooms that turn over daily. Here's what attackers do and how to stay safe.

2026-04-12 · QRsafer Team

Your hotel room is full of QR codes. The Wi-Fi card on the desk. The dining menu by the phone. The check-out prompt on the in-room tablet. The welcome guide on the TV stand. Most are legitimate. Hotel QR code scams target exactly this environment — high-turnover spaces where a freshly placed sticker blends in with the furniture and guests have no reference point for what "normal" looks like.

Here's how each attack works, and the checks that take less time than unpacking your bag.

The fake in-room Wi-Fi QR code

This is the most common hotel QR scam and the easiest to execute.

A card on the desk or nightstand — often printed to look like official hotel stationery — displays a QR code alongside text like "Scan to connect to complimentary Wi-Fi." Scan it and you join an attacker-controlled network, not the hotel's actual infrastructure.

From that network, attackers can intercept login credentials from apps you use, capture session cookies that grant access to your accounts without a password, and redirect you to pages that harvest payment details before letting you browse.

The real hotel Wi-Fi still works. You're just not on it.

What to do instead: Get the Wi-Fi name and password by calling the front desk or checking the hotel app. Type the password manually — no hotel network requires a QR code to join.

Tampered dining and menu QR codes

Hotel restaurants and room-service menus use QR codes the same way standalone restaurants do. The same sticker-swap attacks that hit city restaurants happen here too — often with higher success rates because guests don't know what the hotel's legitimate menu QR looks like.

Attackers swap the real code with a sticker pointing to a phishing page or fake payment portal dressed in the hotel's branding.

Before scanning any dining or room-service QR: check the physical code for raised sticker edges or mismatched print quality. If the destination URL doesn't match the hotel's domain or a recognized platform like Toast or Square, don't tap through.

Fake check-out and billing QR codes

A growing attack involves placing a fake QR code on the in-room check-out card or a printed notice that reads "Fast check-out — scan to review your bill and pay." The code routes to a credential-harvesting page styled to match the hotel's real checkout interface.

This works because guests are moving fast, billing pages look identical to the real thing, and many legitimate hotels do offer digital check-out via QR or app.

How to tell the difference: Legitimate hotel check-out runs through the hotel app, the TV's official interactive menu, or the front desk — not a QR sticker freshly applied to the door or nightstand card. If a check-out QR appears somewhere unexpected, call the front desk before using it.

QR codes in hotel public spaces

The attack doesn't stop at your room door. Lobbies, business centers, gyms, and pool areas all carry posted QR codes — and all are potential targets.

Watch for pool or gym access codes that harvest loyalty-program credentials, business-center Wi-Fi QR codes running the same attack as the in-room version, and "local restaurant deals" or "city guide" codes added to concierge boards that route to phishing pages. The same vigilance that protects you at an airport applies in any high-traffic hotel common area.

How QRsafer helps at the hotel

Hotel stays mean scanning codes in unfamiliar spaces under time pressure — exactly when it's hardest to notice something's off.

QRsafer checks every QR code's destination URL against multiple threat intelligence sources before anything loads in your browser. Scan the Wi-Fi card, the dining menu, or the check-out prompt with QRsafer first and it returns a Safe, Risky, or Dangerous verdict in seconds. A fake payment portal or freshly registered phishing domain shows up in the verdict before you tap through.

If something does go wrong, our guide on what to do if you scanned a suspicious QR code covers the immediate steps.

Check-in checklist

  • Wi-Fi: Get the network name and password from the front desk — never scan a QR to connect
  • Dining menus: Check for sticker-swap signs before scanning any restaurant or room-service code
  • Check-out: Use the hotel app or TV menu — never a QR sticker on the door or room card
  • Public spaces: Ask staff to verify codes in lobbies, gyms, and business centers before using
  • Any surface: Scan with QRsafer first — it takes the same two seconds as your camera app

Guests are in an unfamiliar space with no reference for what belongs. A quick verification before you scan is all it takes to break the attack.

See also

Download QRsafer for iOS or Android and scan safer on your next stay.

FAQ

Are QR code scams common in hotels?

Yes, and they're growing. Hotels combine high foot traffic, daily room turnover, and guests who have no baseline for what legitimate in-room materials look like — ideal conditions for planting fake codes that blend right in. In-room Wi-Fi cards, dining menus, and check-out prompts are the most commonly targeted surfaces.

How do I connect to hotel Wi-Fi without scanning a QR code?

Call the front desk and ask for the Wi-Fi network name and password directly. Most hotels also list the credentials in the hotel app or on the back of the room key sleeve. Type the password manually — you never need to scan a QR code to join a hotel Wi-Fi network.

What should I do if I think I scanned a fake hotel QR code?

If you connected to a Wi-Fi network via a QR code, disconnect immediately and switch to cellular data. If you entered payment details or account credentials on the resulting page, contact your bank and change those passwords now from a trusted device. See our full recovery guide for step-by-step instructions.

Does QRsafer work on hotel Wi-Fi?

QRsafer needs an internet connection to run its security check. Once you're connected to any network — hotel Wi-Fi, cellular, or otherwise — it can check the URL in a QR code before your browser opens it. For maximum safety, use cellular data rather than an unverified network when scanning anything suspicious.