Hackers exploit public Wi-Fi because it gives them proximity. In a hotel lobby, airport gate or coffee shop, dozens of people may be joining networks quickly, accepting captive portals and logging in to email, banking, work tools or travel accounts. That rush creates the opening.
Airport networks deserve extra caution because travellers are often tired, distracted and working with sensitive bookings, passport details and payment information. Our separate guide explains why airport Wi-Fi needs extra protection before you connect at the gate.
Why public Wi-Fi gives hackers an opening
A home router normally has a smaller, more predictable group of users. A public hotspot is different: anyone nearby may be able to connect, copy the network name or target users who are already distracted.
The attacker does not need to break every layer of modern encryption. Often, they only need a user to choose the wrong network, ignore a browser warning, enter details into a cloned page or continue working after the VPN has silently dropped.
Attack #1: Evil twin hotspots
An evil twin is a fake Wi-Fi network that imitates a legitimate one. The name might be almost identical to the real venue network, or it may use a generic label such as “Free Airport WiFi” to attract hurried users.
They copy the venue's SSID or create a name that looks official enough for people nearby to trust.
A laptop or phone may even auto-connect if the name matches a network used before.
Traffic now passes through equipment controlled by the attacker, giving them opportunities to observe metadata, redirect pages or launch follow-up attacks.
Evil twin attacks are especially effective in busy travel environments because people expect multiple hotspot names and may be too rushed to verify which one is real. That is why public Wi-Fi at airports should be treated as hostile until your device has a protected connection.
Attack #2: Packet sniffing
Packet sniffing means capturing network traffic and examining what passes over the connection. On modern HTTPS websites, the most sensitive content should be encrypted, but careless apps, old protocols and exposed metadata can still leak useful information.
What attackers may see
Domains, connection patterns, unencrypted requests, device details and traffic timing can all help build a picture of what a user is doing.
Metadata exposureWhat HTTPS hides
Proper HTTPS encrypts page contents, form submissions and session data between the browser and the website.
Strong protectionWhere risk remains
Old apps, misconfigured sites, plain HTTP pages and warning-clicking behaviour can still expose credentials or redirect users into danger.
User-dependentWhy VPNs help
A VPN wraps device traffic in an encrypted tunnel before it crosses the local Wi-Fi network.
Local protectionAttack #3: Man-in-the-Middle
A man-in-the-middle attack places the attacker between your device and the service you think you are using. The attacker may relay traffic, alter responses, downgrade security or push you toward a fake sign-in page.
The easiest way to picture it is a malicious relay: your device talks to the attacker, and the attacker talks onward to the wider internet. For a visual breakdown, see our interactive explainer on how man-in-the-middle attacks work.
| MITM tactic | What the attacker wants | What reduces the risk |
|---|---|---|
| Traffic relay | Observe or manipulate communication passing through their device. | VPN, HTTPS, certificate warnings taken seriously. |
| Session theft | Capture tokens or cookies that keep a user logged in. | Secure cookies, HTTPS-only sessions, logout on shared devices. |
| Security downgrade | Push the user toward a less secure version of a page or protocol. | HSTS, updated browsers, refusing suspicious prompts. |
| Credential capture | Make the user enter a password or MFA code into a fake page. | Password managers, passkeys, MFA and checking the domain. |
Attack #4: DNS spoofing and cloned websites
DNS is the lookup system that turns a human-friendly domain into the server address your device connects to. If an attacker can tamper with that lookup, a familiar address can lead to the wrong place.
For example, a traveller may type a bank, airline or email address and land on a cloned page that looks convincing enough to steal a password. Our separate tool explains how DNS spoofing works in a more visual way.
- Use bookmarks or a password manager instead of clicking captive-portal links for important accounts.
- Check the exact domain before entering a password.
- Do not continue through certificate warnings.
- Use MFA or passkeys so a stolen password alone is less useful.
- Use a VPN that handles DNS inside the encrypted tunnel.
How a VPN Is Your Personal Shield
A VPN does not make every online action safe, but it changes the public Wi-Fi risk model. Instead of sending readable or easily profiled traffic across the local hotspot, your device creates an encrypted tunnel to the VPN provider first.
That tunnel makes it much harder for someone on the same hotspot to inspect your traffic, tamper with DNS or profile the sites you visit. For a step-by-step visual version, see our guide to how a VPN connection works.
Before the VPN connects
Your device is still exposed to the local network. Avoid signing in to sensitive services until the VPN is active.
Follow the checklistWhile the VPN is active
Local attackers have a much harder time reading or altering your traffic because the tunnel encrypts the connection path.
See the VPN explainerIf the VPN drops
A kill switch helps prevent traffic from leaking back onto the public Wi-Fi connection.
Learn how a VPN kill switch worksPublic Wi-Fi safety checklist
Use this checklist before you work, shop, bank or sign in on a public network.
- Confirm the real network name. Ask staff or check official signs before joining a café, hotel or airport hotspot.
- Turn off auto-join for public networks. This reduces the risk of connecting to a copied network name.
- Connect your VPN before logging in. Wait until the VPN is active before using email, banking, work tools or travel accounts.
- Use HTTPS and respect warnings. Do not click through certificate errors or browser security alerts.
- Use a password manager. It helps spot fake domains because it will not autofill on the wrong site.
- Enable MFA or passkeys. Extra login protection reduces the damage from a stolen password.
- Turn off file sharing and AirDrop-style discovery. Public networks should be treated as untrusted.
- Prefer mobile data for high-risk tasks. Banking, password resets and sensitive work may be safer on cellular if you do not need public Wi-Fi.
The bottom line
Hackers exploit public Wi-Fi by getting between you and the services you trust. They may create a fake hotspot, capture exposed traffic, run man-in-the-middle attacks, spoof DNS or send you to a cloned login page.
The safest approach is layered: verify the network, use a reputable VPN, keep HTTPS warnings sacred, rely on a password manager, enable MFA or passkeys, and avoid sensitive logins if anything feels off.