Focused guide

QR Code Quishing Impersonating Booking.com at Hotels

Criminals email or print fraudulent Booking.com confirmation documents containing fake QR codes that redirect guests to phishing pages harvesting account credentials or payment card details before or during their stay.

Part of: Quishing: Physical Payment Point QR Code Scams

Last reviewed: 8 June 2026

Booking.com sends guests confirmation emails and pre-stay reminders that legitimately contain QR codes for identity verification, digital key activation, or check-in convenience at connected properties. Criminals exploit this established pattern by generating fake Booking.com documents — sent by email or printed and placed in hotel lobbies — containing QR codes that redirect to fraudulent credential-harvesting pages.

The attack is particularly convincing because it can be timed to coincide with a genuine upcoming stay: an attacker who has compromised a property's Booking.com partner account knows the guest's name, reservation dates, and check-in time. A fake pre-arrival email referencing all these correct details and containing a QR code for online check-in feels entirely authentic.

Guests who scan these codes and enter their Booking.com login or payment details lose account access and may find their saved card charged fraudulently or their upcoming reservation modified.

How this scam works on the Booking.com brand

The most common vector is a phishing email timed to arrive two or three days before check-in — when guests are naturally reviewing reservation details. The email references the correct property, dates, and booking reference and contains a QR code ostensibly for online check-in or identity verification. The code resolves to a lookalike booking.com page.

A physical variant involves printed cards placed in hotel lobbies or at reception desks where guests are checking in. The card claims to offer a Booking.com check-in shortcut and invites guests to scan a QR code. In hotels where Booking.com branded materials are displayed, a fraudulent card is less likely to be questioned.

After credentials are captured, the attacker may cancel or modify the victim's genuine booking, causing the guest to arrive at the property with no reservation and no accommodation.

Common red flags

A pre-arrival email references correct booking details but contains a QR code linking to a non-booking.com domain
Scanning the code opens a page asking for your Booking.com login or payment card details rather than presenting check-in confirmation
The email sender address is not from booking.com — even small domain variations are fraudulent
A physical card in a hotel lobby or at reception invites you to scan a QR code for Booking.com check-in without any official hotel branding integration
The page the QR code opens lacks Booking.com's standard HTTPS certificate or header navigation
After scanning and entering details, your actual Booking.com reservation shows unexpected modifications or cancellations

How to protect yourself

Access your Booking.com account and reservation only through the official app or booking.com — never through QR codes in emails or physical hotel materials
Check that the URL opened by any Booking.com QR code begins with booking.com before entering any information
Verify pre-arrival communications by logging in directly at booking.com rather than trusting the content of any email
Enable two-factor authentication on your Booking.com account
Report suspicious physical QR codes to hotel management immediately
If your reservation was modified after a phishing incident, contact Booking.com customer service at once

How to report it

Report the phishing email to Booking.com via the Help Centre at booking.com
Report the scam to the FTC at reportfraud.ftc.gov (US) or Action Fraud at actionfraud.police.uk (UK)
Contact your bank if payment card details were entered on the fraudulent page
File a report with the FBI at ic3.gov if financial loss resulted

Frequently asked questions

Does Booking.com use QR codes in legitimate pre-arrival emails?

Booking.com and affiliated properties do use QR codes in some communications. Always verify the URL after scanning — it must begin with booking.com — and log in through the official app rather than following email QR codes.

How did a scam email know my correct reservation details?

This most commonly happens when the property's Booking.com partner account is compromised, exposing guest data. Booking.com warns guests about this risk and recommends contacting them if you receive suspicious pre-arrival communications.

What if my reservation was cancelled because I entered details on a fraudulent page?

Contact Booking.com customer service immediately. Booking.com can investigate and may be able to reinstate your reservation or arrange alternative accommodation under its customer guarantee.

How this scam works on the Booking.com brand

After credentials are captured, the attacker may cancel or modify the victim's genuine booking, causing the guest to arrive at the property with no reservation and no accommodation.

Common red flags

A pre-arrival email references correct booking details but contains a QR code linking to a non-booking.com domain

Scanning the code opens a page asking for your Booking.com login or payment card details rather than presenting check-in confirmation

The email sender address is not from booking.com — even small domain variations are fraudulent

A physical card in a hotel lobby or at reception invites you to scan a QR code for Booking.com check-in without any official hotel branding integration

The page the QR code opens lacks Booking.com's standard HTTPS certificate or header navigation

After scanning and entering details, your actual Booking.com reservation shows unexpected modifications or cancellations

How to protect yourself

Access your Booking.com account and reservation only through the official app or booking.com — never through QR codes in emails or physical hotel materials

Check that the URL opened by any Booking.com QR code begins with booking.com before entering any information

Verify pre-arrival communications by logging in directly at booking.com rather than trusting the content of any email

Enable two-factor authentication on your Booking.com account

Report suspicious physical QR codes to hotel management immediately

If your reservation was modified after a phishing incident, contact Booking.com customer service at once

How to report it

Report the phishing email to Booking.com via the Help Centre at booking.com

Report the scam to the FTC at reportfraud.ftc.gov (US) or Action Fraud at actionfraud.police.uk (UK)

Contact your bank if payment card details were entered on the fraudulent page

File a report with the FBI at ic3.gov if financial loss resulted

Frequently asked questions

Does Booking.com use QR codes in legitimate pre-arrival emails?

How did a scam email know my correct reservation details?

What if my reservation was cancelled because I entered details on a fraudulent page?

Contact Booking.com customer service immediately. Booking.com can investigate and may be able to reinstate your reservation or arrange alternative accommodation under its customer guarantee.