Public Wi‑Fi Safety: Hotspots, Logins, VPN Myths
Treat public Wi‑Fi as untrusted: avoid sensitive logins where possible, use encrypted services, keep devices updated, and assume attackers on the same network may try to intercept or manipulate traffic.
Public Wi‑Fi increases exposure because other users share the same network, and malicious actors may attempt interception or tampering. NCSC training materials explicitly flag public Wi‑Fi as a scenario where attackers can intercept or modify data. This guide is a practical "before you connect" checklist for UK users in cafés, hotels and airports, and for anyone tethering work or personal devices in public.
Before you connect
- Update your device before connecting.
- Disable file sharing and network discovery.
- Prefer known networks when possible; avoid auto-join for open hotspots.
- Assume others on the network may try to intercept or tamper with traffic.
What can go wrong on public Wi‑Fi
On shared networks, attackers on the same Wi‑Fi can attempt to intercept or modify your traffic. NCSC training materials warn that public Wi‑Fi can allow attackers to intercept or modify data. The NCSC's "don't trust any network" principle extends to the local network, which should be treated as untrusted in security design. Encryption (HTTPS, app-level encryption) helps protect data in transit, but you still need to verify that you are connecting to the right sites and not falling for phishing.
"Before you connect" checklist
- Update your device: Apply security updates before connecting so known vulnerabilities are patched.
- Disable sharing: Turn off file sharing and network discovery to reduce what others can see.
- Prefer known networks: Use networks you trust when you can; avoid auto-joining open hotspots.
- Assume the worst: Treat the network as untrusted; do not rely on it to protect your data.
What is "encrypted traffic" in plain English
HTTPS and app encryption protect data as it travels between your device and the server. That means someone on the same Wi‑Fi typically cannot read the contents of your banking session or your passwords—as long as you are really connected to the genuine bank, not a fake site. Encryption does not protect you from phishing, social engineering, or malicious apps. You still need to verify URLs and avoid entering credentials on lookalike sites.
VPN myths and realities
A VPN can help protect some traffic paths by encrypting data between your device and the VPN provider. But it does not make public Wi‑Fi "safe." It will not stop you visiting a scam site, falling for phishing, or downloading malware. If the VPN provider is compromised or dishonest, your traffic may still be at risk. Use a reputable VPN if it adds value for your use case—but do not assume it is a substitute for verifying sites and avoiding sensitive actions on untrusted networks.
Safer alternatives
Use mobile data or a personal hotspot for sensitive actions (banking, important logins) when practical. If you must use public Wi‑Fi for something sensitive, ensure you are on a genuine HTTPS site (check the URL) and that you have not been redirected to a lookalike. Prefer apps from official stores that use proper encryption over web logins on unfamiliar networks.
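The "check the URL" step above, written out in Python as an added example that is not part of the original guide: it accepts a login URL only if it is HTTPS and its host is an expected domain, and rejects common lookalike patterns. The names check_login_url and EXPECTED_DOMAINS are hypothetical, the domains are constructed, and treating subdomains of an expected domain as genuine is an assumption.

```python
from urllib.parse import urlsplit

# Constructed sample: the sites the user actually intends to log in to.
EXPECTED_DOMAINS = {"bank.example", "mail.example"}


def check_login_url(url, expected=EXPECTED_DOMAINS):
    """Return (ok, reason) for a URL that is about to receive credentials."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".").lower()
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme != "https":
        return False, "not HTTPS"
    # https://bank.example@evil.test/ really goes to evil.test.
    if parts.username is not None or parts.password is not None:
        return False, "userinfo before '@' hides the real host"
    if not host:
        return False, "no host"
    # Non-ASCII or punycode labels can render like a familiar name.
    if not host.isascii() or any(p.startswith("xn--") for p in host.split(".")):
        return False, "internationalised label, possible lookalike"
    for domain in expected:
        # Match on a label boundary so evilbank.example and
        # bank.example.evil.test do not pass as bank.example.
        if host == domain or host.endswith("." + domain):
            return True, "host belongs to " + domain
    return False, "host is not an expected domain"


if __name__ == "__main__":
    # Constructed URLs: one genuine, the rest lookalikes or downgrades.
    for sample in (
        "https://login.bank.example/signin",
        "http://bank.example/signin",
        "https://bank.example@evil.test/signin",
        "https://bank.example.evil.test/signin",
        "https://xn--bnk-5cd.example/signin",
    ):
        print(sample, "->", check_login_url(sample))
```

A passing result only says the address is the expected one over HTTPS; the browser's certificate validation still has to succeed without warnings.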
If you think something went wrong
Change passwords for any accounts you used on the network, log out of sessions on those services, and monitor accounts for unusual activity. If you entered banking details on a suspicious page, contact your bank immediately.
Frequently asked questions
- Can someone on the same Wi‑Fi read my data?
  On insecure setups, attackers may intercept or modify traffic; encryption helps reduce exposure.
- Is a VPN enough to make public Wi‑Fi "safe"?
  It helps in some cases, but it won't stop you visiting a scam site or falling for phishing.
- Should I use public Wi‑Fi for online banking?
  Prefer safer alternatives (like mobile data) for sensitive tasks when practical.