Can a scammer hack me through public Wi-Fi?
Public Wi-Fi carries real risks including rogue access points and traffic interception, but HTTPS encryption protects most browsing; the biggest risks are unencrypted apps and account access on network operator-controlled routers.
Last reviewed: 10 June 2026
Explanation
Public Wi-Fi (in cafes, airports, hotels) is a shared network where all connected devices route traffic through the same router. This creates opportunities for network-level attacks that don't exist on your private home network.
The most common active attack is a rogue access point (evil twin): an attacker sets up a Wi-Fi hotspot with a convincing name (similar to the venue's real network) and waits for devices to connect. Because the attacker controls this router, they can perform SSL stripping attacks on misconfigured sites, inject content into pages, or redirect you to phishing pages when you type a URL.
On legitimate public networks, a sophisticated attacker who is also connected can attempt ARP poisoning to intercept traffic. In practice, HTTPS protects the content of your web browsing, but DNS queries, metadata, and traffic to legacy HTTP sites may be visible.
The most practical risks on public Wi-Fi are: connecting to a rogue hotspot and being redirected to fake login pages; apps that use unencrypted connections being intercepted; and your device being exposed to other devices on the same local network (particularly relevant if file sharing or remote login services are enabled on your computer).
Using a reputable VPN on public Wi-Fi encrypts everything from your device to the VPN server, effectively eliminating these local network threats. If you don't have a VPN, at minimum ensure you are on HTTPS, use two-factor authentication on accounts, and avoid entering financial credentials on public networks.
Common red flags
- Multiple Wi-Fi networks with similar names to the venue's official network
- No password required to join a network in a location where you'd expect one
- You are redirected to unexpected pages or asked to log in via a captive portal with a login form
- Browser shows certificate warnings on pages that normally load fine
- Your device shows an unfamiliar network name in a location you trust
What to do now
- Use a reputable VPN whenever on public Wi-Fi — turn it on before connecting to the network
- Verify the exact network name with venue staff before connecting
- Avoid accessing banking or sensitive accounts on public networks without a VPN
- Turn off file sharing and network discovery on your laptop when on public networks
- Prefer mobile data over unknown public Wi-Fi for sensitive transactions
- Check that sites show HTTPS (padlock icon) before entering any credentials
Frequently asked questions
Is hotel Wi-Fi safer than a coffee shop network?
Not necessarily. Both are shared networks managed by third parties. Hotel networks are often larger and less carefully managed. Use the same precautions — VPN and HTTPS — regardless of venue type.
Can my phone be hacked just by having Wi-Fi turned on near a rogue hotspot?
Simply having Wi-Fi on doesn't expose you — you need to actually connect to a network. On iOS and newer Android, automatic connection to unknown networks is disabled by default.