You’re at the airport, or settled into a hotel lobby, or waiting for a flight with a few hours to kill, and there it is: a free wifi network with a name like “Airport_Free_WiFi” or “Hotel_Guest.” It’s tempting to connect without a second thought. Most of us do.
The honest answer to “is this safe” is: not entirely, and it’s worth understanding why before you connect on your next trip. This isn’t about avoiding public wifi altogether — that’s not realistic advice for anyone who travels — it’s about understanding what the actual risk is, and what genuinely reduces it.
What actually happens on an open network
Most public wifi networks — cafes, airports, hotel lobbies — are unsecured, meaning the data moving between your device and the internet isn’t automatically encrypted the way it would be on your home network. Anyone else connected to that same network, with the right tools, can potentially watch that traffic pass by.
The specific risks fall into a few categories:
Eavesdropping. On an unsecured network, someone with basic monitoring software can watch what flows across the connection. If a site or app doesn’t use strong encryption, that data can be visible in readable form.
Fake hotspots, also called “evil twins.” This is the one most people don’t know to look for. An attacker sets up a network with a name deliberately similar to a legitimate one — “Free_Airport_WiFi” instead of the airport’s actual network name — and waits for travelers to connect without checking closely. Once you’re on their network, they control what you see and can intercept what you send.
Session hijacking. Rather than stealing your password directly, an attacker captures the active “session” your device has with a website after you’ve already logged in, letting them access the account without ever needing your credentials.
Does HTTPS already protect me?
Partially, and this is worth being precise about rather than either dismissing HTTPS or over-trusting it. The little padlock icon and “https://” at the start of a web address means the connection between your browser and that specific website is encrypted — genuinely useful protection. What it doesn’t do is secure the network itself. An attacker on the same unsecured wifi can still see which sites you’re visiting, attempt to redirect you to a convincing fake login page, or exploit weaknesses in older or poorly configured websites that don’t implement HTTPS correctly everywhere on their site.
The practical takeaway: HTTPS is a real layer of protection, but it’s not a complete answer on its own.
Where a VPN actually fits in
A VPN (virtual private network) encrypts your device’s entire internet connection, not just traffic to individual websites, and routes it through a private server before it reaches the open internet. In practical terms: even if someone is actively monitoring the wifi network you’re on, what they’d see is unreadable, scrambled data rather than your actual activity.
This is genuinely effective for the most common public wifi risks — general eavesdropping and casual interception. It’s a meaningful, not marginal, improvement in your security on any network you don’t fully trust.
What a VPN doesn’t do is make you invulnerable to everything. It won’t protect you if your device already has malware installed, and it won’t stop you from typing your password into a convincing fake login page if you’re fooled into visiting one. A VPN is one strong layer, not a complete security system on its own — which is exactly why it’s worth pairing with a few habits rather than treated as a single fix.
A few habits worth adopting regardless of whether you use a VPN
Verify the network name before connecting. At a hotel, cafe, or airport, ask staff for the exact network name rather than picking whatever looks close enough from the list. This single habit defeats most fake-hotspot attempts, since those rely on travelers connecting without checking.
Turn off auto-connect to open networks. Most phones and laptops have a setting that automatically joins previously-used or open wifi networks without asking. This is convenient and also exactly how people end up connected to a fake hotspot without realizing it. Turning this off means you’re always choosing, not defaulting.
Save anything sensitive for a trusted connection. Online banking, entering passwords for financial accounts, or anything involving payment details is safer done over your phone’s cellular data (or a personal hotspot from your phone) than over public wifi, even with a VPN active. Cellular data is private by default in a way shared wifi simply isn’t — there’s no public network name for anyone to spoof, and no one else sharing your specific connection.
Keep your device’s software up to date. Security updates frequently patch exactly the kind of vulnerabilities that make public networks riskier than they need to be. This is a five-minute task that closes real gaps.
Putting it together
None of this means avoiding public wifi entirely, which isn’t a realistic ask for anyone who travels. It means treating an open network the way you’d treat a busy public place: fine for most everyday things, worth being more careful about for anything sensitive, and worth a few small precautions that cost you almost nothing in convenience.
If you’re looking for a straightforward next step, our guide to choosing a VPN for safe banking and browsing while traveling walks through what actually matters when picking one, without the marketing noise most comparison sites are full of.
This article is part of our security series. If you haven’t yet, our guide on setting up your first password manager is a natural companion piece — the two work well together as a basic, durable security setup for travel and everyday use alike.