You’ve connected to a cafe’s Wi-Fi dozens of times without incident. But that doesn’t mean you were safe — it just means nobody was watching that particular day.
Public Wi-Fi is one of the most common attack vectors for casual hackers. Here’s what’s actually at risk and how to protect yourself.
What Attackers Can Do on Public Wi-Fi
Man-in-the-Middle (MITM) Attacks
An attacker on the same network can position themselves between you and the internet, intercepting traffic that passes through them. On unencrypted connections, they can:
- Read the content of web pages you visit
- Capture login credentials entered over HTTP
- Inject malicious content into pages you visit
HTTPS significantly reduces this risk: the content of an encrypted connection can’t be read or altered in transit. But not all traffic is HTTPS, and even on HTTPS sites an attacker on the network can still see which hosts you connect to.
Rogue Hotspots (Evil Twin Attacks)
An attacker creates a Wi-Fi network named “Starbucks” or “Airport Free WiFi” with a stronger signal than the real one. Your device connects automatically — and all your traffic goes through the attacker’s machine.
You can’t tell by looking at the network name, and a device that auto-joins does so without asking you. The most reliable protection is a VPN, because it encrypts your traffic before it reaches the hotspot, whoever runs it.
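The network name alone tells you nothing, but the scan data your device already has (each access point's BSSID, security type and signal strength) does carry warning signs. The script below is an added example, not part of the original post: it runs a few evil-twin heuristics over a constructed scan (the shape you would get from parsing something like `nmcli dev wifi list` on Linux, but no real scan data is used). The 20-point signal margin and the `known_bssids` argument are assumptions chosen for illustration.

```python
"""Heuristic evil-twin indicators over a Wi-Fi scan (added example).

SAMPLE_SCAN is constructed; in practice the entries would come from
parsing a scan such as `nmcli dev wifi list` on Linux. The 20-point
signal margin is an assumed threshold, not a standard."""
from collections import defaultdict

SIGNAL_MARGIN = 20  # assumed: how much stronger an open copy must be to stand out

# Constructed sample scan: one entry per access point the device can see.
SAMPLE_SCAN = [
    {"ssid": "CafeGuest", "bssid": "AA:BB:CC:00:00:01", "security": "WPA2", "signal": 62},
    {"ssid": "CafeGuest", "bssid": "AA:BB:CC:00:00:02", "security": "WPA2", "signal": 58},
    {"ssid": "CafeGuest", "bssid": "DE:AD:BE:EF:00:01", "security": "", "signal": 91},
    {"ssid": "Airport Free WiFi", "bssid": "11:22:33:44:55:66", "security": "", "signal": 40},
]


def find_suspect_ssids(scan, known_bssids=None):
    """Return {ssid: [reasons]} for SSIDs showing evil-twin indicators.

    Heuristics, not proof:
      * the same SSID is advertised both encrypted and open;
      * the open copy is much stronger than the encrypted one
        (the "stronger signal than the real one" pattern);
      * with `known_bssids` (ssid -> set of BSSIDs recorded on an earlier,
        trusted visit), any BSSID not in that set.
    A venue with several legitimate access points shares one SSID across
    many BSSIDs, so a repeated SSID alone is not flagged.
    """
    known_bssids = known_bssids or {}
    by_ssid = defaultdict(list)
    for ap in scan:
        by_ssid[ap["ssid"]].append(ap)

    suspects = {}
    for ssid, aps in by_ssid.items():
        reasons = []
        open_aps = [ap for ap in aps if not ap["security"]]
        secured_aps = [ap for ap in aps if ap["security"]]
        if open_aps and secured_aps:
            reasons.append("same SSID seen both encrypted and open")
            best_open = max(ap["signal"] for ap in open_aps)
            best_secured = max(ap["signal"] for ap in secured_aps)
            if best_open >= best_secured + SIGNAL_MARGIN:
                reasons.append(f"open copy is much stronger ({best_open} vs {best_secured})")
        if ssid in known_bssids:
            unfamiliar = sorted(ap["bssid"] for ap in aps
                                if ap["bssid"] not in known_bssids[ssid])
            if unfamiliar:
                reasons.append("BSSIDs not seen on an earlier visit: " + ", ".join(unfamiliar))
        if reasons:
            suspects[ssid] = reasons
    return suspects


if __name__ == "__main__":
    for ssid, reasons in find_suspect_ssids(SAMPLE_SCAN).items():
        print(ssid)
        for reason in reasons:
            print("  -", reason)
```

On the sample scan, "CafeGuest" is flagged twice (an open copy exists alongside the WPA2 access points, and it is far stronger), while "Airport Free WiFi" is not flagged because an open network on its own is just an open network. Treat a hit as a reason to use cellular data or a VPN, not as proof of an attack.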
Packet Sniffing
Using freely available tools like Wireshark, anyone on the same network can capture raw data packets. On unencrypted connections, usernames, passwords, and session tokens are visible in plain text.
Session Hijacking
Some attacks don’t need your password. They steal your session cookie, the token that keeps you logged in. With the right cookie, an attacker can act as you without ever knowing your password. This only works when the cookie travels over an unencrypted connection, which is why sites that still serve pages over HTTP or set cookies without the Secure attribute are exposed.
How to Protect Yourself on Public Wi-Fi
1. Use a VPN — This Is the Most Important Step
A VPN encrypts all traffic between your device and the VPN server, making it unreadable to anyone on the same local network. Even if an attacker captures your packets, they see encrypted noise. The VPN server is then the point that can see your traffic, so the provider you choose matters.
Enable auto-connect in your VPN settings so it activates automatically whenever you join any network other than your home or work network.
2. Only Use HTTPS Websites
Look for the padlock icon and https:// in every URL. Avoid entering credentials on HTTP sites, period. Most browsers also offer an HTTPS-only mode that refuses plain-HTTP pages unless you explicitly allow them.
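The MITM, session-hijacking and HTTPS sections above all come down to the same server-side properties: is the page served over HTTPS, will the browser ever send the session cookie over plain HTTP, and does the site tell browsers (via HSTS) to stop trying HTTP at all. The script below is an added example, not code from the original post; it audits constructed sample responses so it runs offline. In practice the `scheme`, `set_cookie` and `headers` fields would be filled from a real HTTP response, and the one-year HSTS threshold is an assumption.

```python
"""Audit a response for the protections that blunt public Wi-Fi attacks:
plain-HTTP pages, cookies the browser would send over HTTP, and missing HSTS.

Added example with constructed sample responses; it contacts no real site."""
from http.cookies import SimpleCookie

ONE_YEAR = 365 * 24 * 3600  # assumed: minimum HSTS max-age worth accepting

# Constructed sample responses. 'set_cookie' is a list because a response
# may carry several Set-Cookie headers.
WEAK_RESPONSE = {
    "scheme": "http",
    "set_cookie": ["sessionid=c0nstructed; Path=/"],
    "headers": {},
}
HARDENED_RESPONSE = {
    "scheme": "https",
    "set_cookie": [
        "sessionid=c0nstructed; Path=/; Secure; HttpOnly; SameSite=Lax",
        "theme=dark; Path=/; Secure; HttpOnly",
    ],
    "headers": {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"},
}


def parse_cookies(set_cookie_headers):
    """Yield (name, morsel) for every cookie in the given Set-Cookie headers."""
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            yield name, morsel


def cookies_exposed_over_http(set_cookie_headers):
    """Names of cookies lacking the Secure attribute.

    A browser sends such a cookie on any plain-HTTP request to the site, so a
    sniffer on the Wi-Fi can read it and replay it (session hijacking)."""
    return [name for name, morsel in parse_cookies(set_cookie_headers)
            if not morsel["secure"]]


def hsts_max_age(headers):
    """Return the HSTS max-age in seconds, or None if absent or unparseable."""
    value = headers.get("Strict-Transport-Security")
    if value is None:
        return None
    for directive in value.split(";"):
        key, _, raw = directive.strip().partition("=")
        if key.lower() == "max-age":
            try:
                return int(raw.strip().strip('"'))
            except ValueError:
                return None
    return None


def audit(response):
    """Return a list of findings; an empty list means nothing to fix."""
    findings = []
    if response["scheme"] != "https":
        findings.append("page served over plain HTTP: content, credentials "
                        "and cookies are readable on the network")
    for name in cookies_exposed_over_http(response["set_cookie"]):
        findings.append(f"cookie '{name}' lacks Secure and will be sent over HTTP")
    for name, morsel in parse_cookies(response["set_cookie"]):
        if not morsel["httponly"]:
            # Relevant to the "inject malicious content" case: injected script
            # can read a cookie that is not HttpOnly.
            findings.append(f"cookie '{name}' lacks HttpOnly (readable by injected scripts)")
    age = hsts_max_age(response["headers"])
    if age is None:
        findings.append("no Strict-Transport-Security header: the browser "
                        "may still try plain HTTP on a later visit")
    elif age < ONE_YEAR:
        findings.append(f"HSTS max-age of {age}s is shorter than a year")
    return findings


if __name__ == "__main__":
    for label, response in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit(response) or ["no findings"])
```

The weak response produces four findings (plain HTTP, a session cookie without Secure, no HttpOnly, no HSTS); the hardened one produces none. From the user's side this is exactly what the padlock check approximates: a site whose responses would pass this audit cannot have its login or session cookie read by someone sniffing the cafe's Wi-Fi, while the weak configuration is what makes session hijacking possible.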
3. Turn Off Automatic Wi-Fi Connections
Your phone remembers every network it has ever connected to and reconnects automatically. This is what evil twin attacks rely on: a network with a remembered name and a strong signal gets joined without any prompt.
- iOS: Settings → Wi-Fi → tap each saved network → Auto-Join → Off
- Android: Settings → Network → Wi-Fi → Saved Networks → forget old ones
4. Use Your Phone’s Hotspot for Sensitive Tasks
If you need to do something sensitive (banking, work email, entering passwords), your phone’s cellular data connection is far safer than any public Wi-Fi.
5. Enable Two-Factor Authentication Everywhere
Even if an attacker captures your password, 2FA prevents them from using it. Enable it on email, banking, social media, and any account containing personal data.
6. Disable File Sharing
On public networks, disable any file sharing or AirDrop features that are open to “Everyone.”
Threat Level by Location
| Location | Risk Level | Notes |
|---|---|---|
| Hotel (password protected) | Medium | Many guests, network may be outdated |
| Airport free Wi-Fi | High | High-value target, often crowded |
| Coffee shop | Medium-High | Easy target, often open access |
| Library | Medium | Typically managed, but shared |
| Cellular hotspot (your own) | Low | Only you on the network |
Quick Checklist for Public Wi-Fi
- VPN set to connect automatically as soon as you join any public network
- Auto-connect to known networks disabled
- HTTPS verified on any site requiring login
- 2FA enabled on all important accounts
- Sensitive tasks done on mobile hotspot
Public Wi-Fi is fine for casual browsing with a VPN. For anything sensitive, use your phone’s hotspot.