CyberCodeLab logo — neon green lab flask with terminal symbolCyberCodeLab
Laptop at a cyber café protected by a glowing security shield and padlock — public Wi-Fi safety with VPN protection

cybersecurity · Basic · 2026-07-05

Public Wi-Fi Safety: How to Stay Secure at Cafés, Airports & Hotels

Free public Wi-Fi is convenient but risky — learn the real threats (evil twins, snooping, fake login pages) and the simple habits that keep your data safe.

Free Wi-Fi at a café, airport or hotel feels like a gift. But connecting to a network you don't control means trusting everyone who set it up — and everyone else connected to it. Here's what can actually go wrong, and the simple habits that keep you safe.

The real threats on public Wi-Fi

Evil twin networks

An attacker sets up a hotspot named "Airport_Free_WiFi" right next to the real one. Your phone can't tell the difference — and once you connect, all your traffic flows through the attacker's device. This is the single most common public Wi-Fi attack because it costs almost nothing to run.

Snooping on open networks

On networks with no password, traffic is broadcast unencrypted over the air. Anyone nearby with free software can capture it. HTTPS protects the content of what you send, but the sites you visit can still be visible.

Fake captive portals

That login page asking for your email — or worse, a social login — before you can browse? Sometimes it's legitimate. Sometimes it's a harvesting page collecting credentials. If a Wi-Fi login page asks for a password to an existing account (Google, Facebook, Apple), close it immediately — real captive portals never need that.

The safety checklist

Before connecting

  1. Confirm the exact network name with staff. "CafeGuest" and "Cafe_Guest" may be two very different things.
  2. Turn off auto-connect for public networks — otherwise your phone joins the evil twin automatically next time.
  3. Update your device. Most Wi-Fi exploits target already-patched holes.

While connected

  1. Look for the padlock (HTTPS) on every site — and never ignore a certificate warning on a public network. That warning may literally mean someone is intercepting you.
  2. Avoid banking and shopping if you can — use mobile data for anything sensitive. Cellular data is significantly harder to intercept than open Wi-Fi.
  3. Use a VPN if you often work from cafés or airports. A VPN encrypts all your traffic, so even on a hostile network the snooper only sees scrambled data.
  4. Turn off file sharing / AirDrop for everyone — set it to contacts only.

After disconnecting

  1. Tell your device to "forget" the network so it never auto-joins again.

Do you always need a VPN?

Not necessarily. In 2026, nearly every major website uses HTTPS, which already encrypts your passwords and messages. For casual browsing, HTTPS plus the habits above is reasonable protection. A VPN becomes genuinely important when you:

  • handle work or client data on public networks regularly
  • want to hide which sites you visit from the network operator
  • must use apps that might not encrypt properly

Choose a reputable paid VPN — free VPNs often fund themselves by logging and selling exactly the data you are trying to protect.

The one-line summary

Treat every public network as hostile: verify the name, insist on HTTPS, save sensitive tasks for mobile data or a VPN, and forget the network when you leave.

Want to lock down your accounts even further? Read our guide on passwords and two-factor authentication — 2FA is exactly what saves you if a password does get intercepted.

Practice exercises

Do these on the device you are reading this on — 15 minutes, real protection.

Exercise 1 (5 min): Open your saved Wi-Fi networks list (Settings → Wi-Fi → Saved/Known networks). Forget every public network you no longer use — each one is a standing invitation for an evil twin to auto-connect you.

Exercise 2 (5 min): For the public networks you keep (office, university), turn off auto-connect/auto-join individually. While you are in settings, set AirDrop/Nearby Share to "Contacts only".

Exercise 3 (5 min): Dry-run the checklist: connect to any network and visit three sites you use often, checking for the padlock (HTTPS) on each. Then practise the exit routine — disconnect and forget the network. Doing the sequence once calmly means you will do it automatically at the airport.

Test yourself

Answer from memory first, then check yourself against the answer.

Q1What is an evil twin attack?

An attacker sets up a hotspot with the same or nearly identical name as a legitimate network — 'Airport_Free_WiFi' next to the real one. Devices cannot tell the difference, and all traffic through the fake hotspot passes through the attacker.

Q2If HTTPS already encrypts my traffic, what does a VPN add on public Wi-Fi?

HTTPS protects the content of each connection, but the network can still see which sites you visit, and non-HTTPS apps stay exposed. A VPN encrypts all traffic into a single tunnel, hiding both content and destinations from the local network.

Q3Why should you tell your device to forget a public network after using it?

Otherwise your device auto-reconnects to any network broadcasting that name in the future — including an attacker's evil twin imitating it. Forgetting the network removes that standing risk.