Public Wi-Fi is everywhere. Coffee shops, airports, hotels, libraries, train stations — almost every public space offers free wireless internet. It's convenient, and most of the time, nothing bad happens. But the security risks are real, and understanding them helps you make informed decisions about when to connect and how to protect yourself.
What Actually Happens on Public Wi-Fi?
When you connect to a home broadband router, you're on a private network that you control. When you connect to a public Wi-Fi hotspot, you're on a shared network alongside dozens or hundreds of strangers — and potentially alongside criminals who have deliberately positioned themselves there to intercept data.
Public Wi-Fi networks are almost always unencrypted or weakly encrypted. The password you enter (if there is one) is typically the same for every user in the building, which provides minimal security: because everyone on the network shares the same key, that key gives you no protection from the other users on that network.
The Main Security Risks
1. Man-in-the-Middle Attacks
The most serious risk on public Wi-Fi is a man-in-the-middle (MITM) attack. Here's how it works:
An attacker positions themselves between you and the network — often by creating their own hotspot with a convincing name ("Starbucks Free WiFi" or "Airport_WiFi") that tricks your device into connecting to them instead of the legitimate network. Once you're connected, all your traffic flows through their device before reaching the internet. They can read, modify, or capture anything that isn't encrypted end-to-end.
2. Packet Sniffing
On an unencrypted network, it's possible to use freely available tools to capture ("sniff") the raw network traffic being sent by other users on the same Wi-Fi network. Any data sent over plain HTTP (rather than HTTPS) is completely readable. This includes website content, form data, and in some cases, session tokens that could be used to hijack logged-in accounts.
The good news is that the widespread adoption of HTTPS means most website traffic is now encrypted between your browser and the destination server, even on public Wi-Fi. However, not all apps use HTTPS, and HTTPS only protects the content — not the metadata about which servers you're connecting to.
3. Evil Twin Networks
An attacker can set up a rogue Wi-Fi hotspot designed to look like a legitimate one. If your device is set to auto-connect to networks it has previously used, it may connect to a fake version automatically. The attacker can then intercept all your traffic and serve fake versions of websites — for example, a fake bank login page that captures your credentials.
4. Session Hijacking
Even on HTTPS connections, session tokens (the credentials that keep you logged in without re-entering your password) can sometimes be stolen if a network is compromised. This allows an attacker to impersonate you on websites without knowing your password.
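One concrete way a session token ends up on the plain-HTTP path described under Packet Sniffing is a session cookie set without the `Secure` attribute on a site that does not send an HSTS header. The check below is an added example, not part of the original article; the response headers, the `.example` hostnames and the cookie-name heuristic are constructed assumptions.

```python
# Added example: the response headers below are constructed sample input.
SAMPLE_RESPONSES = {
    "https://shop.example/login": [
        ("Set-Cookie", "sessionid=abc123; Path=/; HttpOnly"),
        ("Set-Cookie", "theme=dark; Path=/"),
    ],
    "https://bank.example/login": [
        ("Set-Cookie", "sid=xyz789; Path=/; Secure; HttpOnly; SameSite=Lax"),
        ("Strict-Transport-Security", "max-age=31536000"),
    ],
}

# Assumed heuristic for spotting session cookies by name.
SESSION_HINTS = ("sess", "sid", "auth", "token")

def parse_set_cookie(value):
    """Return (cookie name, set of lower-cased attribute names)."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
    return name, attrs

def audit(headers):
    """List the ways this response leaves a session token readable on a shared network."""
    findings = []
    header_names = {key.lower() for key, _ in headers}
    if "strict-transport-security" not in header_names:
        findings.append("no HSTS: the browser may still make http:// requests to this site")
    for key, value in headers:
        if key.lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(value)
        looks_like_session = any(h in name.lower() for h in SESSION_HINTS)
        if looks_like_session and "secure" not in attrs:
            findings.append(f"cookie {name!r} lacks Secure: it is attached to any http:// request")
    return findings

if __name__ == "__main__":
    for url, headers in SAMPLE_RESPONSES.items():
        print(url, audit(headers) or "ok")
```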
5. Malware Distribution
Some attackers use network access to push malware to connected devices — particularly if your device has vulnerabilities from not being updated, or if you're tricked into accepting a "required" software update that is actually malicious.
How Much Risk Is There Really?
It's worth keeping perspective. The average coffee shop visit is very unlikely to result in an attack. Most users on public Wi-Fi are just checking emails and browsing normally. Active, targeted attacks on public networks require effort and technical skill — they're not random.
The highest-risk scenarios involve:
- Using public Wi-Fi for banking or financial transactions
- Accessing work systems with sensitive data
- Using apps that don't implement proper encryption
- Connecting to networks in high-traffic environments where attackers are more likely (major airports, busy city centre venues)
For most casual browsing, the risk is low. For anything involving passwords, payments, or sensitive data, the risk is worth taking seriously.
How to Stay Safe on Public Wi-Fi
Use a VPN
A VPN (Virtual Private Network) is the most effective single measure you can take on public Wi-Fi. It encrypts all your traffic between your device and the VPN server, making it unreadable to anyone on the same network — whether they're sniffing packets or running a man-in-the-middle attack. Even if an attacker captures your traffic, they see only encrypted gibberish.
VPN apps are available for iOS, Android, Windows, and Mac. Connect the VPN before connecting to any public network, and keep it active throughout your session. See our guide to what a VPN is and how to choose one.
Check for HTTPS
Before entering any information into a website on public Wi-Fi, verify that the site uses HTTPS — look for the padlock icon in your browser's address bar. If a site is using plain HTTP, your data is transmitted in the clear and should not be trusted on a public network.
Modern browsers warn you about non-HTTPS sites, but older or less-used websites may still lack it.
Disable Auto-Connect
Turn off the setting that automatically connects your device to previously used Wi-Fi networks. This prevents your phone from automatically connecting to a fake hotspot imitating a network you've used before.
- On iPhone: Settings → Wi-Fi → tap the ⓘ next to a saved network → disable "Auto-Join"
- On Android: Settings → Network → Wi-Fi → Saved Networks → remove networks you don't regularly use
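The auto-connect risk can be checked against a device's saved network list. The sketch below is an added example, not part of the original article: the profile schema, SSIDs and BSSIDs are constructed, and the mismatch rule is a heuristic rather than a definitive evil-twin detector.

```python
# Added example: sample data is constructed, not captured from a real network.

# Saved profiles as a device might remember them (hypothetical schema).
SAVED = [
    {"ssid": "HomeNet", "security": "WPA2", "auto_join": True},
    {"ssid": "Airport_WiFi", "security": "OPEN", "auto_join": True},
    {"ssid": "HotelGuest", "security": "OPEN", "auto_join": False},
]

# Networks currently in range: (ssid, bssid, security).
SCAN = [
    ("HomeNet", "aa:bb:cc:00:00:01", "WPA2"),
    ("HomeNet", "de:ad:be:ef:00:02", "OPEN"),
    ("Airport_WiFi", "aa:bb:cc:00:00:03", "OPEN"),
    ("Airport_WiFi", "aa:bb:cc:00:00:04", "OPEN"),
    ("CafeCorner", "aa:bb:cc:00:00:05", "WPA2"),
]

def risky_saved_profiles(saved):
    """Open networks with auto-join on: any hotspot using that name gets joined."""
    return sorted(p["ssid"] for p in saved
                  if p["security"] == "OPEN" and p["auto_join"])

def suspicious_broadcasts(saved, scan):
    """Flag access points advertising a saved SSID with different security
    than the saved profile. Several BSSIDs for one SSID is normal (large
    venues run many access points), so only the mismatch is reported."""
    expected = {p["ssid"]: p["security"] for p in saved}
    findings = []
    for ssid, bssid, security in scan:
        if ssid in expected and security != expected[ssid]:
            findings.append(
                (ssid, bssid, f"saved as {expected[ssid]}, seen as {security}"))
    return findings

if __name__ == "__main__":
    for ssid in risky_saved_profiles(SAVED):
        print(f"[auto-join] {ssid}: open network joined by name alone")
    for ssid, bssid, why in suspicious_broadcasts(SAVED, SCAN):
        print(f"[mismatch] {ssid} ({bssid}): {why}")
```

A saved open network gives the second check nothing to compare against, so a hotspot copying the name `Airport_WiFi` would pass it; that is why auto-join is the setting to turn off for those profiles.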
Use Mobile Data for Sensitive Tasks
Your mobile data connection is encrypted by your carrier and not shared with strangers on a local network. For banking, accessing work systems, or anything involving sensitive credentials, switching to your phone's data connection rather than public Wi-Fi is the simplest protection.
Keep Your Device Updated
Software vulnerabilities are sometimes exploited at the network level. Keeping your operating system and apps updated closes known security holes that attackers might use to compromise your device on a shared network.
Use a Firewall
Enable the built-in firewall on your laptop (Windows Defender Firewall on Windows, or the built-in firewall on macOS). This prevents other devices on the same network from directly probing your device for vulnerabilities.
Log Out After Sessions
When you've finished using a website on public Wi-Fi, log out rather than just closing the browser. This invalidates your session token and prevents it from being reused if captured.
What About Hotel Wi-Fi Specifically?
Hotel Wi-Fi carries an additional risk that's less discussed: the hotel itself may be logging your browsing activity. Business hotels in particular are common targets for state-sponsored espionage — attackers compromise the hotel network to monitor the activities of corporate guests. If you're travelling for business and handle sensitive information, this is a serious consideration that makes a VPN essential rather than merely advisable.
Airport Wi-Fi: Extra Caution Warranted
Major airports are among the highest-risk environments for public Wi-Fi attacks. They're high-traffic, internationally diverse environments where criminals know people are using their devices for sensitive tasks (checking travel documents, accessing financial accounts). Multiple studies have found suspicious Wi-Fi hotspots operating near airport gates. A VPN is strongly advisable whenever using airport Wi-Fi.
Frequently Asked Questions
Is it safe to check my bank account on coffee shop Wi-Fi?
Without a VPN, it carries some risk — particularly from session hijacking if the bank's app has any vulnerabilities. Your bank's app uses HTTPS, which protects the content, but the session could still be vulnerable. Using your mobile data connection or a VPN is the safer choice for banking.
Does using HTTPS mean I'm safe on public Wi-Fi?
HTTPS protects the content of your communication, but it doesn't prevent an attacker from seeing which sites you're visiting (DNS lookups are often unencrypted), and it doesn't prevent all forms of session hijacking. HTTPS is essential but not sufficient on its own.
Can the coffee shop see what I'm doing on their Wi-Fi?
In principle, yes — the network operator can see traffic metadata. For HTTPS sites, they cannot see the content, but they can see which domains you're visiting. A VPN prevents even this.
Is my phone's hotspot safer than public Wi-Fi?
Yes, significantly. A personal hotspot from your phone creates a private Wi-Fi network that only you control. It's encrypted and not shared with strangers. The trade-off is mobile data usage and battery drain.
