Public WiFi Safety: What You Need to Know
A security researcher at DEF CON 2025 set up a fake WiFi access point named "Free_Airport_WiFi" at a major U.S. airport and logged 1,247 device connections in six hours. None of those users verified the network was legitimate before connecting. Of those, 312 transmitted sensitive information — login credentials, emails, and financial data — over the unencrypted connection.
Public WiFi at cafes, airports, hotels, and libraries is convenient but inherently risky. The network is shared with strangers, potentially unencrypted, and possibly operated by someone with malicious intent. Here's what actually matters for your safety and what's overblown.
Suspicious network or login page? Paste any URL into our free scanner →
The Real Risks (vs. the Hype)
Security advice about public WiFi often swings between two extremes: "never use it" and "it's fine because everything is HTTPS now." The truth is in between.
What HTTPS protects: When you visit a site using HTTPS (look for the padlock), the content of your communication is encrypted even on public WiFi. An eavesdropper can see that you visited bankofamerica.com, but they can't see your username, password, or account details. In 2026, over 95% of web traffic is HTTPS.
What HTTPS doesn't protect: The domains you visit (metadata), DNS queries (which sites you're looking up), and any data transmitted through non-HTTPS connections (some apps, email clients, and older websites still use unencrypted connections).
What's actually dangerous:
- Evil twin networks: Fake WiFi hotspots with names mimicking legitimate ones (the "Free_Airport_WiFi" example above). When you connect, the operator can intercept all your traffic.
- Captive portal phishing: The login page that appears when you connect to public WiFi is controlled by whoever set up the network. A malicious network can present a fake login page that harvests credentials.
- SSL stripping: Sophisticated attacks that downgrade HTTPS connections to HTTP, removing encryption. Modern browsers resist this, but older devices may be vulnerable.
- Session hijacking: On poorly configured networks, attackers can capture authentication cookies and access your active sessions.
Practical Safety Steps
1. Verify the network name. Ask an employee for the exact WiFi network name and password. Don't connect to networks named "Free WiFi" or obvious guesses. At a hotel, the network name should match what's on your room keycard or what the front desk provides.
Think it might be a scam?
Paste it here for a free, instant verdict.
Free · No signup required · Cmd+Enter to scan
2. Use a VPN. A Virtual Private Network encrypts all traffic between your device and the VPN server, preventing anyone on the local network from seeing your data. This is the single most effective protection on public WiFi.
Recommended VPN services in 2026:
- Mullvad — No email required, anonymous payment accepted, independently audited
- ProtonVPN — Free tier available, open source, Swiss jurisdiction
- IVPN — Privacy-focused, independently audited, transparent ownership
Avoid free VPNs from unknown providers — many harvest and sell your data, defeating the entire purpose.
3. Disable auto-connect. Your phone remembers WiFi networks and reconnects automatically. This means your device might connect to a malicious network with the same name as a network you previously used. Disable auto-join for public networks in your WiFi settings.
4. Use your phone's hotspot instead. Your cellular connection is encrypted between your phone and the cell tower, making it significantly more secure than public WiFi. If you have adequate mobile data, tethering to your phone's hotspot is the simplest secure option.
IsThisAScam's 6-layer detection system can help you verify suspicious captive portal pages and login forms that appear when connecting to public WiFi networks.
What to Avoid on Public WiFi
Even with precautions, minimize these activities on public networks:
- Accessing banking or financial accounts (use mobile data instead)
- Making purchases with credit cards
- Logging into sensitive accounts without a VPN active
- Accessing work systems with sensitive data
- Transmitting personal documents or identification
Device-Specific Settings
iPhone/iPad: Settings → WiFi → tap the (i) next to the network → disable "Auto-Join." Also enable "Limit IP Address Tracking" and consider using iCloud Private Relay (included with iCloud+).
Android: Settings → Network & Internet → WiFi → tap the network → disable auto-reconnect. Enable "Private DNS" (Settings → Network → Private DNS → set to dns.google or cloudflare-dns.com).
Windows: When connecting to a new network, select "Public Network" when prompted. This enables the Windows firewall profile that blocks inbound connections and disables network discovery.
Mac: System Settings → WiFi → Details next to the network → disable "Auto-Join." Enable the firewall in System Settings → Network → Firewall.
Travel-Specific Advice
Hotel WiFi is not more secure than coffee shop WiFi despite requiring a room number or code. The code simply restricts access to guests — it doesn't encrypt or protect your traffic. Airport WiFi is particularly risky due to high foot traffic and the number of business travelers accessing sensitive systems.
For international travel, a local SIM card with data is often more secure and more reliable than hotel WiFi. Many countries offer affordable prepaid tourist SIM cards at the airport.
For more on protecting your devices, see our guide on securing your phone and securing your home network.
Received something suspicious? Check it now for free →