Hackers exploit public Wi-Fi because it gives them proximity. In a hotel lobby, airport gate or coffee shop, dozens of people may be joining networks quickly, accepting captive portals and logging in to email, banking, work tools or travel accounts. That rush creates the opening.

Airport networks deserve extra caution because travellers are often tired, distracted and working with sensitive bookings, passport details and payment information. Our separate guide explains why airport Wi-Fi needs extra protection before you connect at the gate.

Hackers exploiting public Wi-Fi networks with fake hotspots and intercepted traffic
Public Wi-Fi attacks usually rely on a combination of proximity, fake network names, traffic interception and convincing login pages.

Why public Wi-Fi gives hackers an opening

A home router normally has a smaller, more predictable group of users. A public hotspot is different: anyone nearby may be able to connect, copy the network name or target users who are already distracted.

Common targets Hotels, cafés, airports and stations
Common goal Credentials, sessions and payment data
Common trick Fake network or fake login page
Best defence VPN, HTTPS, MFA and caution

The attacker does not need to break every layer of modern encryption. Often, they only need a user to choose the wrong network, ignore a browser warning, enter details into a cloned page or continue working after the VPN has silently dropped.

Important: HTTPS protects the contents of most modern websites, but it does not make public Wi-Fi harmless. Network names can still be spoofed, DNS can still be manipulated in some setups, and users can still be phished by convincing pages.

Attack #1: Evil twin hotspots

An evil twin is a fake Wi-Fi network that imitates a legitimate one. The name might be almost identical to the real venue network, or it may use a generic label such as “Free Airport WiFi” to attract hurried users.

The attacker creates a convincing hotspot name

They copy the venue's SSID or create a name that looks official enough for people nearby to trust.

Users connect before checking with staff

A laptop or phone may even auto-connect if the name matches a network used before.

The attacker controls the path to the internet

Traffic now passes through equipment controlled by the attacker, giving them opportunities to observe metadata, redirect pages or launch follow-up attacks.

Evil twin attacks are especially effective in busy travel environments because people expect multiple hotspot names and may be too rushed to verify which one is real. That is why public Wi-Fi at airports should be treated as hostile until your device has a protected connection.

Attack #2: Packet sniffing

Packet sniffing means capturing network traffic and examining what passes over the connection. On modern HTTPS websites, the most sensitive content should be encrypted, but careless apps, old protocols and exposed metadata can still leak useful information.

What attackers may see

Domains, connection patterns, unencrypted requests, device details and traffic timing can all help build a picture of what a user is doing.

Metadata exposure

What HTTPS hides

Proper HTTPS encrypts page contents, form submissions and session data between the browser and the website.

Strong protection

Where risk remains

Old apps, misconfigured sites, plain HTTP pages and warning-clicking behaviour can still expose credentials or redirect users into danger.

User-dependent

Why VPNs help

A VPN wraps device traffic in an encrypted tunnel before it crosses the local Wi-Fi network.

Local protection
Simple rule: never type passwords, payment details or recovery codes into a page that shows a browser warning or lacks HTTPS on the real domain you intended to visit.

Attack #3: Man-in-the-Middle

A man-in-the-middle attack places the attacker between your device and the service you think you are using. The attacker may relay traffic, alter responses, downgrade security or push you toward a fake sign-in page.

The easiest way to picture it is a malicious relay: your device talks to the attacker, and the attacker talks onward to the wider internet. For a visual breakdown, see our interactive explainer on how man-in-the-middle attacks work.

MITM tactic What the attacker wants What reduces the risk
Traffic relay Observe or manipulate communication passing through their device. VPN, HTTPS, certificate warnings taken seriously.
Session theft Capture tokens or cookies that keep a user logged in. Secure cookies, HTTPS-only sessions, logout on shared devices.
Security downgrade Push the user toward a less secure version of a page or protocol. HSTS, updated browsers, refusing suspicious prompts.
Credential capture Make the user enter a password or MFA code into a fake page. Password managers, passkeys, MFA and checking the domain.

Attack #4: DNS spoofing and cloned websites

DNS is the lookup system that turns a human-friendly domain into the server address your device connects to. If an attacker can tamper with that lookup, a familiar address can lead to the wrong place.

For example, a traveller may type a bank, airline or email address and land on a cloned page that looks convincing enough to steal a password. Our separate tool explains how DNS spoofing works in a more visual way.

Fake bank page warning: if a login page looks slightly different, asks for unusual details, requests a full card number, asks for a one-time code out of context or triggers a browser warning, stop and leave the page.
  • Use bookmarks or a password manager instead of clicking captive-portal links for important accounts.
  • Check the exact domain before entering a password.
  • Do not continue through certificate warnings.
  • Use MFA or passkeys so a stolen password alone is less useful.
  • Use a VPN that handles DNS inside the encrypted tunnel.

How a VPN Is Your Personal Shield

A VPN does not make every online action safe, but it changes the public Wi-Fi risk model. Instead of sending readable or easily profiled traffic across the local hotspot, your device creates an encrypted tunnel to the VPN provider first.

That tunnel makes it much harder for someone on the same hotspot to inspect your traffic, tamper with DNS or profile the sites you visit. For a step-by-step visual version, see our guide to how a VPN connection works.

Before the VPN connects

Your device is still exposed to the local network. Avoid signing in to sensitive services until the VPN is active.

Follow the checklist

While the VPN is active

Local attackers have a much harder time reading or altering your traffic because the tunnel encrypts the connection path.

See the VPN explainer

If the VPN drops

A kill switch helps prevent traffic from leaking back onto the public Wi-Fi connection.

Learn how a VPN kill switch works
VPN limits: a VPN protects the connection path; it does not make phishing pages safe, remove malware, fix weak passwords or stop you from entering details into the wrong website.

Public Wi-Fi safety checklist

Use this checklist before you work, shop, bank or sign in on a public network.

  1. Confirm the real network name. Ask staff or check official signs before joining a café, hotel or airport hotspot.
  2. Turn off auto-join for public networks. This reduces the risk of connecting to a copied network name.
  3. Connect your VPN before logging in. Wait until the VPN is active before using email, banking, work tools or travel accounts.
  4. Use HTTPS and respect warnings. Do not click through certificate errors or browser security alerts.
  5. Use a password manager. It helps spot fake domains because it will not autofill on the wrong site.
  6. Enable MFA or passkeys. Extra login protection reduces the damage from a stolen password.
  7. Turn off file sharing and AirDrop-style discovery. Public networks should be treated as untrusted.
  8. Prefer mobile data for high-risk tasks. Banking, password resets and sensitive work may be safer on cellular if you do not need public Wi-Fi.

The bottom line

Hackers exploit public Wi-Fi by getting between you and the services you trust. They may create a fake hotspot, capture exposed traffic, run man-in-the-middle attacks, spoof DNS or send you to a cloned login page.

The safest approach is layered: verify the network, use a reputable VPN, keep HTTPS warnings sacred, rely on a password manager, enable MFA or passkeys, and avoid sensitive logins if anything feels off.

How hackers exploit public Wi-Fi FAQs

Can hackers steal passwords on public Wi-Fi?
Yes. The highest-risk scenarios are fake hotspots, cloned login pages, unencrypted websites and users who ignore browser warnings. HTTPS reduces the risk, but it does not protect you if you type credentials into the wrong website.
How do hackers create fake public Wi-Fi networks?
They set up a hotspot with a convincing name, such as a café, airport, hotel or conference network. If users connect to the fake network, the attacker can route, inspect or redirect traffic from that device.
What is an evil twin Wi-Fi attack?
An evil twin is a fake Wi-Fi network that imitates a real public hotspot. The attacker relies on familiar network names, weak verification and hurried users to make the fake network look trustworthy.
What is packet sniffing on public Wi-Fi?
Packet sniffing is the capture of network traffic moving across a Wi-Fi environment. Strong encryption, HTTPS and VPN tunnelling limit what an attacker can read, but exposed or misconfigured traffic can still leak information.
How do man-in-the-middle attacks happen on public Wi-Fi?
A man-in-the-middle attack happens when an attacker positions themselves between your device and the service you are trying to reach. On public Wi-Fi, this may involve a rogue hotspot, traffic redirection, downgrade attempts or fake login pages.
What is DNS spoofing on public Wi-Fi?
DNS spoofing manipulates the lookup process that sends a domain name to an IP address. On a hostile network, it can send users toward cloned banking, email or booking pages designed to capture login details.