Is a free Wi-Fi QR code at a hotel or airport safe to scan?
Public Wi-Fi QR codes can be cloned or faked by attackers to intercept your traffic. Verify with staff and use a VPN on any public network.
Last reviewed: 1 June 2026
Explanation
Fake Wi-Fi access point attacks using QR codes work as follows: an attacker creates a hotspot with a name similar to the venue's genuine network and posts a QR code sticker nearby, sometimes covering the real one. When you connect via the fake QR code, all your unencrypted internet traffic passes through the attacker's device. Modern HTTPS encryption protects most browsing, but credential harvesting pages that intercept app traffic or inject content into HTTP connections remain risks. When connecting to hotel or airport Wi-Fi, always verify the network name with reception or the venue's official signage, avoid accessing sensitive accounts (especially banking) on public networks, and use a VPN to encrypt your traffic.
Common red flags
- QR code sticker is placed on a piece of paper rather than embedded in official signage
- Network name after scanning is slightly different from the venue's listed network
- You are asked to log in to a portal requesting email and full name but also a password
What to do now
- Ask staff to confirm the official network name and password before connecting
- Use a reputable VPN when on any public Wi-Fi network
- Avoid logging into banking or sensitive accounts on public networks
- Report suspicious Wi-Fi stickers to venue staff
Frequently asked questions
Is HTTPS enough to protect me on public Wi-Fi?
HTTPS protects the content of most communications, but a malicious hotspot can still intercept metadata, target apps that do not use full encryption, or serve you fake pages. A VPN adds an important additional layer.