QR Code Quishing at Hilton Hotels
Criminals place fake QR code stickers on Hilton hotel room-key envelopes, lobby signage, and restaurant bill holders, directing guests to fraudulent Hilton Honors login or payment pages.
Part of: Quishing: Physical Payment Point QR Code Scams
Last reviewed: 8 June 2026
Hilton hotels use QR codes extensively in their guest experience — digital menus at restaurants, Hilton Honors sign-up promotions in lobbies, and room-feature guides contain scannable codes that guests are accustomed to using. This familiarity creates an effective attack surface for quishing criminals who substitute legitimate codes with fraudulent ones on in-hotel materials.
Guests at Hilton properties are often in a relaxed mindset, comfortable with their surroundings. A QR code on a neatly printed card or a professionally produced lobby sign does not trigger the suspicion that an unexpected email might. The Hilton brand's association with premium service further reduces natural vigilance.
Fraudulent QR codes in Hilton properties most commonly target the checkout experience or Hilton Honors loyalty enrolment, both of which involve personal and payment data that is valuable to attackers.
How this scam works on the Hilton brand
A criminal places fake QR stickers in Hilton hotel common areas, targeting table cards in the restaurant, the key-card envelope presented at check-in, or Honors sign-up literature at the front desk. The sticker's design approximates Hilton's navy-blue and white colour scheme.
When a guest scans the code, they reach a page styled after Hilton's website, asking them to log in to their Honors account or enter card details to complete a restaurant payment, Wi-Fi access, or room-upgrade confirmation. Credentials and card details entered are forwarded to the attacker.
The restaurant bill-folder attack is particularly effective: a guest scans what they believe is a Hilton digital payment link to avoid waiting for a server, entering their full card details on a fraudulent page.
Common red flags
- A QR sticker on hotel materials has raised edges or inconsistent alignment with the surrounding printed design
- Scanning the code opens a URL that is not hilton.com or honors.hilton.com
- The page asks for your Hilton Honors login credentials or full card details rather than standard menu or Wi-Fi information
- A restaurant bill folder contains a QR code asking for direct card payment rather than directing you to flag down a server
- The page design lacks Hilton's standard HTTPS certificate or shows a domain not associated with Hilton
- The code appears on a hand-placed card or insert rather than integrated into the original printed hotel material
How to protect yourself
- Use the Hilton Honors app for account access and loyalty features rather than scanning unknown in-hotel QR codes
- Ask hotel staff directly for Wi-Fi credentials and sign-up links rather than trusting printed QR codes alone
- Inspect QR codes on hotel materials before scanning — look for physical stickers placed over original print
- Close immediately without entering data if a scanned code opens a non-hilton.com URL
- Report suspicious QR stickers to hotel management so they can be removed
- Enable two-factor authentication on your Hilton Honors account to protect it even if credentials are captured
How to report it
- Report the fraudulent QR code to Hilton hotel management and to Hilton Honors customer care at 1-800-4HONORS
- Report financial fraud to the FTC at reportfraud.ftc.gov
- If Honors points were stolen, contact Hilton Honors immediately to request an investigation and reversal
- Contact your bank if payment card details were entered on a fraudulent page
Frequently asked questions
Does Hilton use QR codes for legitimate guest services?
Yes. Hilton uses QR codes for digital menus, Wi-Fi access, and Honors promotions. Always verify that the URL from a scanned code begins with hilton.com before entering any information.
Is paying by QR code at a Hilton restaurant safe?
Hilton properties that offer digital payment via QR will use their own verified system. If a table card asks you to scan and enter card details on an external page, alert the server and hotel management.
How are fake QR stickers placed in a hotel without being noticed?
Criminals typically visit during busy periods and place stickers quickly on materials that are not immediately inspected by staff. Table cards, key-card envelopes, and lobby literature are easy to tamper with briefly.