You’re at the coffee shop, you connect to the free WiFi, and you check your bank balance while waiting for your latte. How worried should you be?

The honest answer: it depends on what you’re doing — and the risk is probably a little different than what you’ve heard.

Public WiFi security advice ranges from “it’s completely fine, websites are encrypted now” to “never connect to public WiFi, ever, criminals are everywhere.” Both of those are wrong. Let me give you the realistic picture.

What Can Actually Go Wrong?

The Evil Twin Attack

This is the sneakiest threat on public WiFi. A criminal sets up a fake WiFi hotspot with a name nearly identical to the legitimate one. “Starbucks WiFi” vs. “Starbucks_WiFi.” You connect to the fake one — it probably even provides internet access — but everything you send flows through the attacker’s device first.

This is called a rogue access point, or “evil twin”, and it requires someone to physically be there running it. It happens, but it requires deliberate effort from a criminal who has chosen your specific location.

Unencrypted Traffic Snooping

On an unencrypted network (one without a password, or an old-style WEP-encrypted network), traffic is transmitted “in the clear.” Anyone on the same network with the right software can potentially see what you’re sending and receiving.

Here’s the important caveat: most websites you visit today use HTTPS (that little padlock in your browser’s address bar). HTTPS encrypts the traffic between your browser and the website, so even if someone intercepts it on the WiFi network, they can’t read it. If you’re on an HTTPS website, the contents of your browsing are protected even on sketchy public WiFi.

If a website shows “HTTP” (no S) in the address bar — which is increasingly rare but still exists — your traffic is readable to anyone on the same network.

Malware Distribution

On some public networks, attackers can push software update popups that are actually malware installers. If a public WiFi network asks you to “update software” or “install a certificate” before connecting, decline and leave that network.

What’s Actually Safe on Public WiFi?

  • Checking news sites, weather, sports scores — basically fine
  • Watching streaming video — fine; encrypted and nothing sensitive
  • Logging into accounts on HTTPS sites — reasonably safe, but read the caveats below
  • Online banking or financial transactions — this is where I’d want a VPN, or I’d switch to my phone’s cellular data instead

When Should You Use a VPN?

A VPN (Virtual Private Network) creates an encrypted tunnel between your device and the internet, so even if someone intercepts your traffic on a public WiFi network, all they see is scrambled data. For sensitive activity on public WiFi — banking, work email, anything involving passwords or personal information — a VPN is a solid layer of protection.

I’ve written a separate post going deep on VPNs and how to choose a trustworthy one. The short version: use a reputable paid VPN rather than a free one, since nearly 40% of free VPN apps have been found to contain malware.

The Simple, Practical Rules

For everyday browsing (news, YouTube, etc.): Public WiFi is fine. Make sure the site has HTTPS (the padlock).

For logging into important accounts: Either use your phone’s cellular data (4G/5G), or use a reputable VPN on your laptop.

For banking and financial transactions: Use cellular data or a VPN. This is not the moment to trust that the “AirportFreeWiFi” network is legitimate.

Always: If a network asks you to install anything before connecting, walk away.

One overlooked trick: When you’re done with a public WiFi network, tell your device to “forget” it. Otherwise, your phone will automatically reconnect to any network with the same name — including a criminal’s evil twin with a matching name set up at the same location another day.
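
To make the evil twin and “forget the network” points concrete, here is a small added example (not part of the original post) that audits a device’s remembered networks and a scan of nearby ones. The profile and scan lists are constructed sample data, the field names and the 0.85 similarity threshold are assumptions, and the check for a remembered password-protected network showing up without a password goes slightly beyond the lookalike-name case described above.

```python
import re
from difflib import SequenceMatcher

# Constructed sample data (not from a real device): networks this device remembers.
SAVED = [
    {"ssid": "Starbucks WiFi", "security": "open", "autoconnect": True},
    {"ssid": "HomeNet", "security": "wpa2", "autoconnect": True},
    {"ssid": "AirportFreeWiFi", "security": "open", "autoconnect": False},
]
# Constructed sample scan of the networks currently in range.
SCAN = [
    {"ssid": "Starbucks_WiFi", "security": "open"},
    {"ssid": "Starbucks WiFi", "security": "open"},
    {"ssid": "HomeNet", "security": "open"},
    {"ssid": "Library-Guest", "security": "open"},
]

def normalize(ssid):
    """Fold case and drop separators so 'Starbucks_WiFi' equals 'Starbucks WiFi'."""
    return re.sub(r"[^a-z0-9]", "", ssid.lower())

def profiles_to_forget(saved):
    """Open profiles set to auto-join: the device joins any network using that name."""
    return [p["ssid"] for p in saved if p["security"] == "open" and p["autoconnect"]]

def suspicious_networks(saved, scan, threshold=0.85):
    """Flag scanned networks that imitate a remembered one (threshold is an assumption)."""
    by_name = {p["ssid"]: p for p in saved}
    findings = []
    for net in scan:
        known = by_name.get(net["ssid"])
        if known:
            # Same name, but the password requirement has disappeared.
            if known["security"] != "open" and net["security"] == "open":
                findings.append((net["ssid"], "security-downgrade"))
            # An exact-name open network cannot be told apart by name alone,
            # which is why forgetting open profiles matters.
            continue
        for p in saved:
            score = SequenceMatcher(None, normalize(net["ssid"]), normalize(p["ssid"])).ratio()
            if score >= threshold:
                findings.append((net["ssid"], "lookalike-of:" + p["ssid"]))
                break
    return findings

if __name__ == "__main__":
    print("Forget these:", profiles_to_forget(SAVED))
    print("Be wary of:", suspicious_networks(SAVED, SCAN))
```

Note that the exact-name “Starbucks WiFi” entry in the scan produces no finding: a name check cannot distinguish it from the real hotspot, so the only defence on that side is not having the open profile saved.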

Bottom line: Public WiFi isn’t the boogeyman it’s sometimes made out to be — especially if you’re just browsing. But for anything sensitive, use cellular data or a trusted VPN, look for HTTPS on every site you log into, and don’t let your device silently reconnect to remembered networks.