QR Code Quishing at Marriott Hotels
Criminals place counterfeit QR codes on Marriott hotel room key packets, lobby signage, and restaurant bill folders, redirecting guests to fake Marriott Bonvoy login pages or fraudulent payment portals.
Part of: Quishing: Physical Payment Point QR Code Scams
Last reviewed: 8 June 2026
Marriott hotels have embraced QR codes throughout the guest experience — from digital menus in restaurants and bars to Wi-Fi login instructions in rooms and Bonvoy loyalty programme sign-up prompts in lobbies. This pervasive use of QR codes creates multiple points at which a criminal can substitute a fraudulent code, exploiting the trust that Marriott's well-known brand inspires.
Guests at luxury hotels often let their guard down relative to a street-facing transaction. They are in a comfortable, professional environment, and QR codes on printed materials — key card envelopes, restaurant bill folders, informational cards — appear authoritative by association with the hotel's branding. Criminals take advantage of this context by placing fake QR stickers on exactly these materials.
The phishing page a victim reaches after scanning may ask them to log in to their Bonvoy account to access a digital room-key feature, claim a stay credit, or complete a Wi-Fi login, harvesting account credentials and any saved payment methods in the process.
How this scam works on the Marriott brand
A scammer gains brief access to a Marriott common area — lobby, restaurant, business centre — and places QR stickers on high-contact surfaces: table-tent cards, Wi-Fi instruction sheets, menu stands, or room-key packet sleeves. The sticker is designed to match Marriott's colour palette and branding enough that a quick glance does not raise suspicion.
When a guest scans the code, they land on a page styled after Marriott Bonvoy's website, prompting them to sign in or enter payment details for a room charge, upgrade, or Wi-Fi fee. Bonvoy credentials captured here give the attacker access to accumulated points, future booking details, and any saved payment cards in the profile.
Some attacks target the restaurant checkout experience specifically: a fake QR code on a bill folder instructs guests to scan and pay, capturing full payment card details on a fraudulent processing page.
Common red flags
- A QR code sticker on hotel materials has slightly raised edges, different paper finish, or is misaligned with surrounding printing
- Scanning the code opens a URL that is not marriott.com or bonvoy.marriott.com
- The page asks for your Bonvoy login or full card details rather than directing you to the app or the hotel's secure portal
- The Wi-Fi login page differs from what the hotel's front desk described and asks for payment details
- The page lacks Marriott's standard HTTPS certificate or shows a certificate from an unfamiliar domain
- A table card or room material has been manually placed rather than professionally integrated into the standard hotel stationery
How to protect yourself
- Use the Marriott Bonvoy app for account access and room-key features rather than scanning external QR codes
- Ask hotel staff directly for Wi-Fi credentials and Bonvoy sign-up links rather than relying on printed QR codes
- Before scanning any in-hotel QR code, check that it is part of the original printed material rather than a sticker overlay
- If a scanned code asks for Bonvoy login credentials, close the page and log in directly through the official Marriott app
- Report any suspicious QR sticker to the hotel manager immediately so it can be removed and other guests protected
- Enable two-factor authentication on your Bonvoy account to protect it even if credentials are captured
How to report it
- Report the fraudulent QR code to Marriott hotel management and to Marriott's customer care at marriott.com/help
- Report to the FTC at reportfraud.ftc.gov
- If Bonvoy points were stolen, contact Marriott Bonvoy customer service to investigate and potentially reverse fraudulent redemptions
- If payment card details were entered, contact your bank immediately to freeze the card
Frequently asked questions
How do I safely use Marriott's QR-based features?
Access all Marriott digital features through the official Marriott Bonvoy app, which is the most secure channel. For Wi-Fi, ask the front desk for the network name and password rather than scanning a QR code.
Can stolen Bonvoy points be recovered?
Marriott can investigate fraudulent redemptions and may reverse them if caught quickly. Contact Bonvoy customer service immediately if you notice points activity you did not authorise.
Are luxury hotels safer from this type of scam?
Not necessarily. Higher-value guests make luxury hotel loyalty accounts more attractive to attackers. The physical access required to place QR stickers is modest, and the trust guests extend to their surroundings works in the scammer's favour.