SAFE BROWSING CHECK · PUBLIC WIFI

Your phone can't see who owns the WiFi. Encryption solved the old café WiFi fear. The risk that stayed is a network built to fool you — and one tool covers the slip.

Most of What You Heard About Public WiFi Is Out of Date. One Risk Isn't.

Marta Lane · Updated March 24, 2026 · 3 min read

For years the advice never changed: stay off the coffee-shop WiFi, or a stranger two tables away will pull your banking password out of the air. That was sound guidance — in about 2012.

Back then, most websites sent your information across the network as plain text. Anyone on the same WiFi with a free, easy tool could read it. Today almost every site encrypts that connection on its own. Google's own measurements put it near 95% of all web traffic, and on phones the share is higher still. The padlock beside a web address means the data leaving your device is already scrambled before it reaches the router.

The Federal Trade Commission now says so directly: because encryption has become so widespread, connecting through public WiFi is "usually safe." Your bank app on the airport network is almost certainly fine. A stranger nearby can no more read your scrambled traffic than read a sealed letter across the room.

So why are you still told to be afraid of it?

Because one risk never left. And it doesn't work the way the old warning said.

The network that isn't real

Instead of eavesdropping on a real network, an attacker today builds a fake one.

The trick has a name: the evil twin. He sets up a hotspot with a name you'd trust — "Airport_Free_WiFi," "Hotel_Guest" — and waits for you to tap the wrong one. It isn't a hypothetical. In 2024, Australian Federal Police arrested a man running exactly this scheme at airports in Perth, Melbourne and Adelaide, and on domestic flights. When travelers joined his network, a convincing free-WiFi page asked them to "sign in" with an email or social account, and passed whatever they typed straight to him. Last November he was sentenced to more than seven years.

[Figure: "The same name twice: nothing tells them apart." A reconstructed Wi-Fi list showing Airport_Free_WiFi, Airport_Free_WiFi and Terminal_B_Guest; your phone can't see who owns each one. Callouts: (1) Two names, identical: same letters, twice, and nothing ranks them. (2) A lock isn't honesty: the icon means a password, not an honest owner. (3) The owner is hidden: your phone can't see whose router it is; his reroutes you. (4) The fake "sign-in": a real network never asks you to "sign in". The move: pick the exact network yourself, and never "sign in" to use Wi-Fi, because a real network doesn't ask for your email or a social login. Turn off auto-join, too.]

A reconstructed example — not a real network list. In the 2024 AFP case the evil twin wore a trusted name and a fake "sign-in" page; the list itself can't tell you who owns each network. Source: Australian Federal Police.

Look at why it worked. The padlock held, and it made no difference. People typed their logins willingly, into a page that looked official, because there was no way to tell the real network from the counterfeit.

That's the real gap. Your phone can't see who owns the WiFi it's joining. And once you're on the attacker's network, he decides where your requests actually go.
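To make that gap concrete from the defender's side, here is an added example (not part of the original article) that groups Wi-Fi scan results by network name and flags names whose radios disagree with each other. The record fields (`ssid`, `bssid`, `security`), the sample data and both heuristics are assumptions made for illustration; a twin that copies the real network's settings exactly produces no finding, which is the article's point.

```python
from collections import defaultdict

# Constructed scan results, not captured data. Field names are assumptions.
SCAN = [
    {"ssid": "Airport_Free_WiFi", "bssid": "00:11:22:10:22:01", "security": "open"},
    {"ssid": "Airport_Free_WiFi", "bssid": "00:11:22:10:22:07", "security": "open"},
    {"ssid": "Hotel_Guest", "bssid": "00:11:22:aa:00:10", "security": "wpa2"},
    {"ssid": "Hotel_Guest", "bssid": "02:00:5e:5b:9e:44", "security": "open"},
    {"ssid": "Terminal_B_Guest", "bssid": "00:11:22:aa:00:31", "security": "wpa2"},
]


def oui(bssid):
    """Return the first three octets of a BSSID (the vendor prefix)."""
    return bssid.lower().replace("-", ":")[:8]


def flag_suspect_ssids(scan):
    """Map each network name to the reasons its radios look inconsistent.

    Only names advertised by two or more distinct radios are compared.
    Both checks are heuristics: large sites legitimately mix hardware, and
    a careful clone can match the real network on both counts.
    """
    by_ssid = defaultdict(list)
    for ap in scan:
        by_ssid[ap["ssid"]].append(ap)

    findings = {}
    for ssid, aps in by_ssid.items():
        if len({ap["bssid"].lower() for ap in aps}) < 2:
            continue  # a single radio gives nothing to compare against
        reasons = []
        modes = {ap["security"].lower() for ap in aps}
        if len(modes) > 1:
            # e.g. the venue's network needs a password, the copy does not
            reasons.append("mixed security modes: " + ", ".join(sorted(modes)))
        if len({oui(ap["bssid"]) for ap in aps}) > 1:
            # weaker hint: radios under one name come from different vendors
            reasons.append("radios from different vendor prefixes")
        if reasons:
            findings[ssid] = reasons
    return findings


if __name__ == "__main__":
    for name, why in flag_suspect_ssids(SCAN).items():
        print(name, "->", "; ".join(why))
```

In the constructed data the two identical Airport_Free_WiFi entries pass both checks, so neither the phone's list nor this script can say which owner is behind them.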

What actually protects you

Two habits and one tool cover nearly all of it.

The habits cost nothing and you can start today:

The tool handles the part habits can't reach. A VPN, or virtual private network, wraps everything your device sends in its own layer of encryption and routes it through a server you choose rather than whatever network you walked into. On a rogue hotspot, its operator sees only scrambled traffic heading to a single place, with no view of your accounts or the sites behind it.

A VPN won't stop you from typing a password into a fake page; only your own attention does that. What it removes is the operator's ability to watch or redirect your traffic, which is the entire payoff an evil twin is built to collect.

[Figure: "What an evil twin's operator gets from you." On a rogue hotspot, the operator decides where your request goes. Without a VPN: the request to yourbank.com and the login are shown as readable; the operator reads it and can watch or redirect. With the VPN on: the operator sees one scrambled stream, to one place, and is blind. The move: turn the VPN on before you join the network. It can't stop you typing into a fake page, but it removes what the operator collects. Caption: What changes on a rogue network once the VPN is on.]

That's the case for keeping it simple with one tool instead of three. Total VPN packages the VPN together with an ad-blocker and antivirus in a single app, so the encrypted connection, the blocking of malicious ads, and the device scan all run from one subscription. For anyone who'd rather be covered than assemble a shelf of security products, it's the closest thing to simply having it handled.


The café WiFi itself is fine. Your job is to join the real one — and to make sure that even if you slip, there's nothing on the line worth stealing.