Safe Browsing Check.
SAFE BROWSING CHECK · TRAVEL The sign-in page loads before your VPN can. On a fake network that unprotected moment is the whole game. What closes it, plus the two gaps a VPN never covered.

Why a VPN Alone Won't Protect You on Hotel Wi-Fi

Marta Lane · Updated January 31, 2026 · 5 min read

You've heard the advice a hundred times. You check in, you reach for the free Wi-Fi, and some part of your brain says: turn on the VPN first. It's good advice. It's also only half of what keeps you safe, and the missing half is where travelers actually get robbed.

A VPN does one job well. It scrambles the traffic between your device and the websites you visit, so anyone snooping on the same network sees gibberish instead of your email or your bank login. On a network you can't trust, that matters. But a VPN protects the road your data travels on. It does nothing about the door you walk through to reach the network, or the destination you end up at. Three gaps live in that gap.

The login page comes before the VPN

Picture the usual sequence. You pick "Hotel Guest Wi-Fi" from the list, a sign-in page appears asking for your room number or your email, maybe a tap to "sign in with Google," and only after you fill it in do you get internet.

Your VPN can't run during that step. A VPN needs a working connection to build its encrypted tunnel, and you don't have one until you clear that sign-in page. So the login screen is an unprotected moment by design. On the real hotel network, that's fine. On a fake one, everything you type there goes straight to whoever built it.

Why the sign-in page comes before the VPN You pick the network the sign-in page (no tunnel yet) The real network Clear it — now start the VPN An evil twin Your typing goes to its owner A VPN needs a working connection first. The login screen never has one.
The timing problem: the unprotected step is built into how Wi-Fi sign-in works.

The fake-network trick has a name: an evil twin. An attacker broadcasts a network with a friendly, official-looking name, you connect, and a convincing login page collects whatever you enter. In 2024, Australian police charged a man who carried a portable device through airports and onto domestic flights, spun up free Wi-Fi networks named to look legitimate, and harvested email and social-media logins from passengers who signed in. A court later jailed him for more than seven years. Airports and planes, not hotels, but the setup is identical, and a lobby full of tired travelers is exactly the crowd it's built for.

This is not a rare lab scenario. When the security firm WatchGuard tested public Wi-Fi against evil-twin attacks at more than 45 locations across five countries, not one of the hotels passed.

A VPN encrypts the trip, even to a bad place

Say you're on the genuine network with your VPN running. You're still not done.

A VPN encrypts where your data goes. It doesn't judge whether that destination is safe. If a sign-in page tells you to "install this app to connect" or "update your browser to continue" and you do it, the VPN faithfully encrypts the malware on its way to your laptop. If you land on a lookalike of your bank's website and type your password, the VPN protects that password in transit and hands it to the scammer in perfect privacy.

Encryption is not the same as judgment about what's on the other end. That's the second gap.

Once it's on your device, the VPN is irrelevant

The third gap is the machine itself. The moment malware is installed, encrypting your traffic does nothing, because the threat is already inside, reading your files and your keystrokes from the same side of the tunnel as you.

Closing these gaps takes three layers working together:

This is, quietly, what the FBI recommended in 2020 when it warned people about working from hotels. The advice wasn't "use a VPN." It was use a VPN, confirm the network name with staff, and lean on your phone's hotspot when you can.

On hotel Wi-FiVPN aloneVPN + blocker + antivirus
Someone snooping your trafficCoveredCovered
A fake login page on a rogue networkExposedBlocked before it loads
Malware from a fake "update to connect" promptExposedCaught on the device
Malicious ads and redirectsExposedBlocked

What to actually do on hotel Wi-Fi

You don't need to be technical to close the gaps. Five habits cover most of it:

  1. Confirm the exact network name with the front desk before connecting. Spell it out. Two networks with nearly the same name is a red flag.
  2. Clear the login page, then turn the VPN on before you open your email, your bank, or anything that matters.
  3. Install nothing a Wi-Fi page tells you to. No real hotel network needs you to download an app or update your browser to get online.
  4. Keep antivirus running so a bad download gets caught instead of settling in.
  5. Use your phone's hotspot for anything sensitive. Cellular data is encrypted by default and isn't shared with the lobby.

Most people won't keep three apps running

Knowing you need three layers and actually keeping three separate subscriptions current, on every device you travel with, are different things. Most people set one up and forget the rest, which leaves the same gaps open as before.

That's the real case for an all-in-one. Total VPN is built as a single app that covers all three layers: the VPN for encryption, an ad and malicious-site blocker for the fake pages and bad ads, and antivirus for the device. One thing to switch on before you trust a network, instead of three things to remember.

**Get all three layers in one app →**

Treat the network as untrusted, then cover it

There's no need to panic over hotel Wi-Fi — treat it as untrusted, cover it properly before you type anything you'd hate to lose, and then use it freely. A VPN is the start of that. It just isn't the whole of it.

You might also like