You're at a hotel. You connect to the free wifi, prop your phone against the pillow, and check your bank account. Maybe browse your email. Look up restaurants nearby. Totally normal: it's something most people do without thinking twice.
Now picture someone two rooms down watching everything you just did. Not a figure of speech. On most public wifi networks, this is technically possible with free tools you can download in five minutes.
The reason nobody worries about it is simple: attacks on public wifi don't announce themselves. There's no pop-up, no warning, no sign that anything happened. You go home, everything looks fine, and then weeks later something doesn't add up.
You don't need to stop using public wifi. You need one simple tool that makes it safe. A VPN. This article explains exactly what's at risk, why the tool works, and which one to get.
Find Out Where Your Account Is Exposed
The free BuyWiseGuy security audit walks through everything in this article, checks your specific situation, and gives you a clear action list. It takes about 3 minutes and costs nothing.
Take the Free Security Audit →
Free. No email required to start.
What Makes Public WiFi Different From Your Home Network
The difference matters more than most people realize.
Your home wifi is a private network. You control who's on it. It's password-protected. The traffic stays between your devices and your router. If you wanted to see every device connected right now, you could.
Public wifi is different in every one of those ways. Everyone at that hotel, in that airport terminal, at that coffee shop, in that library is on the same network. Most public networks have minimal security. Many have no encryption at all. Some don't even require a password, and the ones that do often post the same one for every guest: on a sign at the counter, printed on the receipt, scrawled on a chalkboard.
Think of your home wifi as a private phone line. Public wifi is a party line from the old days: the call connects, but there are other people on it, and they can listen in. You can't tell when it's happening.
This doesn't mean every public network is actively being monitored right now. It means any of them could be, and you would have no way of knowing.
What Can Actually Happen on Public WiFi
Concrete, plain-language descriptions of each risk.
These are the real threats, not hypothetical ones. Each has happened at scale and continues to.
Someone Sees Which Sites You're Visiting
On an unencrypted network, your browsing activity is visible to anyone on that network using basic, free tools. They can see which websites you visit, how long you spend on them, and which pages you load.
Even on sites with the padlock icon (HTTPS), the domain name itself is still visible. An attacker can see that you visited yourbank.com even if they can't see your password. Over 20 minutes at an airport, that builds a profile: where you bank, where you shop, which services you use. That information is useful for targeted attacks later.
Man-in-the-Middle: Someone Intercepts Your Traffic
A more active attack: someone positions themselves between your device and the wifi router, intercepting data as it passes through. Think of it like someone opening your mail, reading it, resealing it, and sending it on. The mail arrives. You never know it was opened.
On poorly secured networks this is not technically difficult. Free software tools exist that can do it. Depending on the site's own security, this can capture login credentials, form data, email contents, and account information.
Fake Hotspots: The Network Isn't What It Claims to Be
An attacker sets up a wifi network with a name that looks like the real one. At a hotel called The Meridian, they create a network called "Meridian Hotel WiFi" or "Meridian_Guest." You connect thinking it's the hotel's network. Every byte of your traffic flows through their device first.
You have no visual way to tell the difference. Your phone's wifi list shows both networks. One has slightly more bars. You pick it.
This is especially common in airports, where there are dozens of networks visible at once and nobody questions which is real. Security researchers demonstrate this attack at conferences regularly because it takes about ten minutes to set up and is nearly undetectable.
Session Hijacking: Getting In Without Your Password
Even without capturing your password, an attacker can sometimes steal your active login session. When you're logged into email or a social media account, your browser holds a session cookie that proves you're authenticated. Under the right conditions on a public network, that cookie can be captured.
The result: you stay logged in on your device, and they're also logged in on theirs. No password needed. Nothing looks wrong on your end. They quietly read your email, access your accounts, and gather information for further attacks. You wouldn't find out unless you went into your account settings and checked active sessions, which almost nobody does.
Malware Pushed Through the Network
Some attacks use public wifi to push fake software update prompts to devices on the network. A pop-up appears that looks like a system notification: "A critical security update is available. Install now." It looks genuine. It installs malware.
File sharing features (AirDrop on iPhone, Nearby Share on Android, network sharing on laptops) can also be exploited when left enabled on a public network. Things your device is designed to share automatically at home become vulnerabilities in a room full of strangers.
The Places Where You're Most Exposed
Some places are riskier than they feel.
Not all public wifi carries the same risk level. Here's an honest look at the most common locations and what makes each one more or less dangerous.
Hotels
Hotel wifi often feels the most trustworthy because it's a paid, private environment. In practice, it's among the least secure public networks you'll use. Many hotels run a single shared network for all guests with no device isolation, meaning your laptop and the one two rooms down are on the same network.
That login portal where you enter your room number? It proves you're a registered guest. It does not encrypt your traffic. Authenticating you as a guest and securing your connection are different things.
Business center computers in hotels are a separate concern entirely: shared devices with unknown software, used by hundreds of different people, often running outdated operating systems. Never log into anything sensitive on a hotel business center computer.
Airports
Large, crowded, with dozens of visible networks at once. Airports are ideal for fake hotspot attacks. Long wait times mean people do real work: checking email, accessing company files, logging into financial accounts. Travelers are tired and distracted, less likely to notice anything unusual.
Many airport networks are completely open with no password at all. Others use the same shared password printed on signage throughout the terminal. Neither configuration provides meaningful protection.
Coffee Shops and Restaurants
Smaller networks where you are physically close to every other connected device. The wifi password is given to anyone who asks with no access control whatsoever. Regular customers develop a false sense of familiarity: "I use this wifi every day, nothing has ever happened." That reasoning misunderstands how these attacks work: they're quiet, and they take time to show consequences.
People sit for extended periods doing real work here: banking, shopping, email. Longer sessions mean longer exposure windows.
Libraries and Community Centers
Public in every sense: open access, no monitoring, no security features beyond a basic router. The activities people tend to do here are among the most sensitive: paying bills, accessing government portals, managing healthcare accounts, checking Social Security or Medicare information.
The combination of sensitive tasks and minimal network security is exactly the wrong pairing.
Vacation Rentals and Airbnbs
The wifi is configured by the property owner. You have no information about how it's set up, whether the router firmware is current, or who else has connected previously. A router running outdated firmware may have known vulnerabilities that are trivially exploitable.
People on vacation are also naturally more relaxed about security habits. They're posting travel updates, doing online shopping, checking bank accounts to manage trip spending, logging into accounts they might be more careful about at home. The let-your-guard-down effect is real.
"But I See the Padlock Icon. Doesn't That Mean I'm Safe?"
It's good. It doesn't cover everything you think it covers.
HTTPS (the padlock in your browser address bar) encrypts the connection between your browser and the specific website you're visiting. This is genuinely good and genuinely important. It means an attacker who intercepts your traffic can't read the contents of what passes between you and that site.
What it doesn't protect is the address you're visiting. The domain name is still visible on the network. An attacker can see you went to yourbank.com, your email provider, your healthcare portal. The contents are sealed; the destination isn't.
DNS queries compound this. When your device looks up a website's address, that lookup is often sent in plain text before the encrypted connection is established. Anyone monitoring the network can see every site you look up.
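The two leaks described above, shown on real bytes in an added example (not part of the original article): the script builds a plain DNS lookup and a TLS ClientHello for the constructed hostname yourbank.example, entirely offline, then reads the name back out of each without any key. The function names are this example's own.

```python
import ssl
import struct

HOST = "yourbank.example"  # constructed hostname, not a real site

def build_dns_query(host, txid=0x1234):
    """Standard A-record query in RFC 1035 wire format (what goes to UDP port 53)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in host.split("."))
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)

def name_from_dns_query(packet):
    """Read the queried name back out of the raw bytes; no key is involved."""
    labels, i = [], 12  # the question section starts after the 12-byte header
    while packet[i]:
        length = packet[i]
        labels.append(packet[i + 1:i + 1 + length].decode("ascii"))
        i += 1 + length
    return ".".join(labels)

def build_client_hello(host):
    """First message a browser sends for https://host, produced offline via memory BIOs."""
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ssl.create_default_context().wrap_bio(incoming, outgoing, server_hostname=host)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: no server answers, only the ClientHello is wanted
    return outgoing.read()

def sni_from_client_hello(record):
    """Walk the ClientHello to the server_name extension (type 0) and return the name."""
    i = 5 + 4 + 2 + 32                                # record hdr, handshake hdr, version, random
    i += 1 + record[i]                                # session id
    i += 2 + int.from_bytes(record[i:i + 2], "big")   # cipher suites
    i += 1 + record[i]                                # compression methods
    end = i + 2 + int.from_bytes(record[i:i + 2], "big")
    i += 2
    while i + 4 <= end:
        ext_type, ext_len = struct.unpack(">HH", record[i:i + 4])
        if ext_type == 0:
            # after the 4-byte extension header: list length (2), name type (1), name length (2)
            n = int.from_bytes(record[i + 7:i + 9], "big")
            return record[i + 9:i + 9 + n].decode("ascii")
        i += 4 + ext_len
    return None

if __name__ == "__main__":
    print("DNS lookup reveals:   ", name_from_dns_query(build_dns_query(HOST)))
    print("TLS handshake reveals:", sni_from_client_hello(build_client_hello(HOST)))
```

Inside a VPN tunnel, both of these messages travel encrypted to the VPN server, so the wifi network sees neither name.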
HTTPS also doesn't protect against fake hotspots. You'll see the padlock even on a fraudulent network, because the padlock reflects the website's own security, not the safety of the network carrying it.
And HTTPS covers your browser tab. Other apps on your device (email clients, banking apps, background services syncing data) may use varying levels of encryption that you have no visibility into.
The Fix: What a VPN Actually Does
In plain English, no jargon.
VPN stands for Virtual Private Network. Ignore the acronym. What it actually does is create an encrypted tunnel between your device and the internet. Everything you do goes through this tunnel. Nobody on the wifi network can see inside it.
Without a VPN: your device communicates directly through the wifi router, and anyone on that same network with the right tools can potentially intercept and read that communication.
With a VPN: your device first connects to a VPN server through an encrypted channel. That server then communicates with the internet on your behalf. The wifi network only sees an encrypted stream of data going to the VPN server. The destination, the content, the login credentials: none of it is visible.
Think of it as a private, soundproof tube between your device and the exit of the building. Other people in the building can see the tube exists, but they can't hear what you're saying inside it or see where you come out the other end.
Every threat described earlier in this article is blocked by the VPN tunnel: the browsing activity visible to others, the man-in-the-middle interception, the fake hotspot, the session cookie capture. The attacker can see that you're connected to something, but the data is encrypted gibberish from their perspective.
Download the app on your phone and computer. Open the app, tap one button to connect. That's the entire process. You browse normally, everything is encrypted, and it runs quietly in the background without noticeably slowing you down.
Most good VPNs also offer auto-connect: whenever you join a new wifi network, the VPN turns on automatically. You never have to remember to do it.
Which VPN Should You Use?
A short list of ones worth trusting, with plain-language reasoning.
VPNs are not all equal, and the free ones are a specific problem. Free VPN apps have to make money somehow. Most do it by collecting your browsing data and selling it to advertisers. The exact thing you were trying to prevent. Choosing a free VPN to protect your privacy often creates a new privacy problem while solving the old one.
What to look for in plain terms: a company with a solid reputation, a no-logs policy (they don't record what you do), fast speeds that don't make browsing noticeably slower, and apps that are easy to use on both phone and computer.
ExpressVPN
- The simplest apps across iPhone, Android, Windows, and Mac
- One-tap connect, and auto-connect works reliably on new networks
- Fast enough that you won't notice it running in the background
Best for travelers who want something that just works
Read the full review →
NordVPN
- Strong security reputation with regular independent audits
- Slightly less expensive than ExpressVPN for comparable quality
- Excellent no-logs record and well-tested apps
Best for strong security at a lower price
Read the full review →
Surfshark
- Least expensive of the three without major security tradeoffs
- Unlimited devices on one plan, protecting your whole household
- Read the full review for a note on their jurisdiction
Best for budget-conscious users or families
Read the full review →
The reviews linked above go deep on each VPN's security, speed, and pricing. If you want a quick side-by-side comparison before committing to one, the review page lays them all out together.
Compare all VPN reviews →
Other Steps to Take on Public WiFi
A VPN is the main one. These layer on top of it.
A VPN handles the biggest risks. These additional steps are simple habits that add meaningful protection on top.
Turn Off Auto-Connect for Public Networks
Your phone remembers wifi networks and reconnects automatically when in range. This means it might silently join a fake network with the same name as one you've used before, without you choosing anything.
In your device's wifi settings, disable auto-join for public networks. Connect manually each time, intentionally. It takes three extra seconds and removes a whole class of risk.
Disable File Sharing and AirDrop
AirDrop on iPhone, Nearby Share on Android, and file sharing on laptops are convenient features that become vulnerabilities on a public network. They're designed to make your device discoverable by nearby devices and able to exchange files with them.
Turn AirDrop to "Contacts Only" or off entirely when you're on public wifi. On Windows, when prompted after connecting to a new network, choose "Public network" mode: this automatically disables sharing features.
Save Sensitive Tasks for Your Home Network When Possible
Even with a VPN running, good practice is to avoid banking and financial account access on public wifi when you have the option to wait. If you need to check your bank while traveling, use the bank's official app rather than a browser: banking apps typically have their own encryption layer in addition to the VPN.
VPN plus banking app is a solid combination when access on the go is necessary.
Forget the Network When You Leave
After you check out of the hotel or leave the coffee shop, go into your wifi settings and tell your device to forget that network. This prevents automatic reconnection the next time you're in range of the same network, or of a spoofed network using the same name.
Small step, zero cost, eliminates lingering exposure.
Keep Your Device Software Updated
Software updates close security vulnerabilities that attackers actively exploit on public networks. That update notification you keep dismissing could be patching exactly the gap someone uses to push malware to your device. Turn on automatic updates on your phone and computer so you don't have to think about it.
Real Scenarios: What Happens When You Don't Use a VPN
What this actually looks like in practice.
These scenarios reflect attack patterns that security researchers document regularly. The victims didn't do anything obviously reckless. They used wifi the way most people do.
The Hotel Bank Check
On vacation, you connect to hotel wifi and log into your bank to verify a charge on your card. Someone on the network captures your session. Two days later there's a transaction you didn't make. You don't connect it to the hotel wifi because it happened days later. You assume your card was skimmed somewhere. The timeline never lines up in your memory.
The Airport Email
Long layover, so you connect to airport wifi and check your email. An attacker on a fake hotspot captures your login credentials. They don't do anything obvious right away. For the next few weeks they quietly read your emails, gathering account names, names of your contacts, recurring services, any financial references. Then they send you a targeted phishing email that references specific things they've learned. You click because it looks real.
The Coffee Shop Session
At your regular coffee shop, doing some online shopping. Someone on the network captures a session cookie from your shopping account. They don't take your password. They don't need it. They access your account using the active session, see your saved payment method and default shipping address, and place an order to a different address. You find out when a shipping confirmation arrives for something you didn't order.
Public wifi isn't something you need to avoid. It's something you need to be on correctly. The same way you'd lock your car in a parking lot without thinking twice, turning on a VPN before connecting to public wifi should be automatic.
The fix genuinely is that simple. Download a reputable VPN app, tap connect before you join the hotel or airport network, and everything in this article stops being a concern. One tap, a few seconds to connect, and the tunnel is up.
I recommend a VPN to everyone I know, and public wifi is the primary reason why. The other reasons (privacy from your ISP, security on home networks, access when traveling internationally) are real benefits too. But the public wifi protection alone is worth it for anyone who travels, works from coffee shops, or uses any network they don't personally control.
Pick one from the recommendations above, read the full review, and get it set up before your next trip.