Coffee Shop QR Code Scam: What It Is and What to Do
You sat down, grabbed a table tent, and scanned the QR code to get the Wi-Fi password or pull up the menu — and the page that opened felt a little off. Here's how scammers exploit the café environment and exactly what to do if you already entered your information.
How coffee shop QR code scams work
Coffee shops are high-risk environments for QR code fraud for a straightforward reason: QR codes are everywhere in them, and patrons are relaxed and habituated to scanning without a second thought. You scan to get on Wi-Fi, scan for the menu, scan to check in for a loyalty reward. Attackers exploit that routine in three distinct ways.
Fake Wi-Fi QR codes. An attacker prints a small sign or places a sticker that mimics the café's Wi-Fi notice — same font, similar wording — and tapes it to a table, wall, or restroom door. When you scan it, instead of joining the network automatically, you're directed to a browser page styled as a "captive portal" that asks you to log in with an email address and password. Because people often reuse passwords, this is an effective credential-harvesting technique. The attacker collects your login before you realize the "Wi-Fi" never actually connected.
Tampered table-tent menu codes. Many cafés use a QR code on the table to display their digital menu or open a mobile-ordering app. A scammer needs only a few seconds to place a sticker QR code directly over the printed one. You scan it, land on a convincing lookalike ordering page, select your drinks, and enter your card details — and the payment goes to the scammer, not the café. The real menu was just one layer below.
Fraudulent loyalty-program QR codes. Fake "scan to join our rewards club" cards appear on counters, tables, or printed on receipts that aren't actually from the café. They direct you to a form asking for your name, email, phone number, and sometimes card details for a "starter pack" or "first purchase discount." There is no loyalty club; the form collects your personal information for sale or phishing follow-up.
The coffee shop context closely mirrors the risks described in the restaurant QR code scam guide and the hotel QR code scam guide: any location where QR codes feel routine and guests are at ease is a target.
How to spot a fake coffee shop QR code
A few quick checks before you type anything will keep you safe.
For Wi-Fi QR codes: A real café Wi-Fi QR code connects your device to the network silently — it should not open a browser page and ask for a password you use elsewhere. If a page opens and requests any credentials, close it immediately. Ask a staff member for the Wi-Fi password directly instead.
For menu or ordering QR codes: Before entering any payment details, check that the URL in your browser matches the café's actual name or a recognizable ordering platform (Toast, Square, Olo). The page should show the café's logo, current menu items, and your location or table number. If the page is generic — a plain card form with no order summary or recognizable branding — don't enter payment details. Order at the counter instead.
Physical inspection: Look at the QR code itself. A sticker placed over a printed code often has slightly raised edges, a different paper texture, or a slightly different size than the surrounding design. If the QR code looks like it has been stuck on rather than printed as part of the table tent, don't scan it.
What to do right now
Your response depends on what you entered before you noticed something was wrong.
If you only scanned and didn't enter anything: Your risk is minimal. Close the browser tab and don't return to the page. Alert a café staff member about the suspicious QR code so they can check it.
If you entered a password:
- Change that password immediately on any account where you use it — email, social media, banking, shopping. Use a unique password for each account going forward.
- Enable two-factor authentication on your email and any financial accounts. This blocks attackers even if they have your password.
- Watch for phishing follow-ups to your email address if you entered one. Attackers use harvested emails for targeted phishing campaigns.
If you entered credit or debit card details:
- Call your card issuer now using the number on the back of your card. Report the card as potentially compromised and ask them to freeze it and send a replacement.
- Monitor your statements for small test charges — scammers often run a $0–$1 authorization to verify the card is live before selling it or making larger purchases. Dispute any charge you don't recognize.
- Tell the café what happened so staff can inspect table QR codes and remove any fraudulent stickers before another customer is affected.
- File a report with the FTC at reportfraud.ftc.gov. Your report helps the agency identify fraud patterns.
For a complete recovery checklist after any suspicious QR scan, see what to do if you scanned a suspicious QR code.
Frequently asked questions
How does a coffee shop QR code scam work?
Scammers target three things: Wi-Fi QR codes (replaced with fake portals that harvest passwords), table-tent menu codes (covered with stickers that redirect to phishing payment pages), and loyalty-program QR codes on counter cards or receipts that collect your personal and payment info for a club that doesn't exist.
What should a real café Wi-Fi or menu QR code look like?
A legitimate Wi-Fi QR code connects your device to the network without opening a login page. A real menu QR code opens the café's own ordering system — showing the café name, logo, and menu — and only asks for payment after you've confirmed an order. Any page that asks for a password or card details before you've done anything is a red flag. When in doubt, order at the counter.
I scanned a coffee shop QR code and entered my details — what do I do?
If you entered a password, change it everywhere you use it and enable two-factor authentication on your important accounts. If you entered card details, call your issuer immediately using the number on the back of your card, freeze the card, and watch for small test charges. Alert the café so they can remove fraudulent stickers, and file a report at reportfraud.ftc.gov.
Preview any café QR code before you scan
QRsafer shows you the destination URL with a Safe, Risky, or Dangerous verdict before your browser opens it — so you know what you're getting into before you type a single character. Free on iOS and Android.