Public Wi-Fi in 2026: What's Actually Risky and What Isn't

The old warning that hackers can sniff your bank password on cafe Wi-Fi is mostly obsolete, thanks to encryption. But real risks remain. An honest, current guide to staying safe on public networks.
For years the advice was absolute: never check your bank on public Wi-Fi, because a hacker on the same network could read everything you type. In 2026 that warning is mostly out of date, and clinging to it can distract you from the threats that still matter. Here is the honest picture.
The threat that mostly died: why HTTPS broke "Wi-Fi sniffing"
The classic attack relied on reading your traffic as it crossed the air. But almost all web traffic is now encrypted with HTTPS, the padlock in your browser. The US Federal Trade Commission has updated its own guidance to say as much: because of the widespread use of encryption, connecting through a public Wi-Fi network is usually safe. The old image of a stranger plucking your password out of the air no longer fits the modern web.
One caveat from the same FTC guidance: the padlock proves the connection is encrypted, not that the site is honest. Scammers can run HTTPS too.
What still bites in 2026
The danger moved from passive eavesdropping to active deception:
- Evil twins. An attacker sets up a rogue hotspot with a trusted-looking name like "Free_Airport_WiFi" and a strong signal, hoping your device connects. The FBI has warned travellers to confirm the exact network name before joining.
- Captive-portal phishing. Once you are on a rogue network, its "sign-in" page can be fake, harvesting passwords or pushing malware.
- Fake update and install prompts. A hostile network can nudge you to "update" something that is actually malware.
- An exposed device. File sharing left on, or a "discoverable" phone, gives a hostile network a way in.
Do you actually need a VPN? An honest answer
A VPN is useful, but it is a seatbelt, not an invincibility shield. Because HTTPS already encrypts most of your traffic, a VPN's main value on public Wi-Fi is defence-in-depth: it covers the minority of non-encrypted traffic and hides which sites you visit from the network operator. What a VPN does not do is stop you from logging into a fake site, remove malware already on your device, or rescue you from an evil-twin phishing page. Treat it as a sensible extra on untrusted networks, not a cure-all.
The 60-second public Wi-Fi checklist
- Confirm the exact network name with staff; do not trust the strongest "Free" signal.
- Look for HTTPS and be wary of any unexpected login or "update" page.
- Turn off file sharing and auto-connect so your device will not silently rejoin a spoofed network.
- Keep your OS, browser and apps updated.
- For genuinely sensitive tasks, use your mobile data or a personal hotspot instead.
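One way to act on the auto-connect item on a Linux laptop, as an added example that is not part of the original guide: it reads saved Wi-Fi profiles in NetworkManager keyfile format and lists the ones that are both open and set to rejoin automatically, since any hotspot broadcasting that name would be joined silently. The function name and the sample profiles are constructed for illustration; real profiles are assumed to live in NetworkManager's system-connections directory.

```python
import configparser

# Constructed sample profiles in NetworkManager keyfile format (not real networks).
SAMPLE_PROFILES = [
    # Open network, no autoconnect key: NetworkManager defaults to auto-connect.
    "[connection]\ntype=wifi\n[wifi]\nssid=Free_Airport_WiFi\n",
    # Password-protected home network.
    "[connection]\ntype=wifi\n[wifi]\nssid=Home\n[wifi-security]\nkey-mgmt=wpa-psk\n",
    # Open network, but the user already disabled auto-connect.
    "[connection]\ntype=wifi\nautoconnect=false\n[wifi]\nssid=HotelGuest\n",
    # Wired profile: not relevant to the check.
    "[connection]\ntype=ethernet\n",
]

# Assumption: OWE is treated like an open network here, because it encrypts
# the link but does not prove which access point you joined.
UNAUTHENTICATED = {"owe"}


def risky_profiles(profiles):
    """Return SSIDs of saved Wi-Fi profiles that are open AND auto-connect."""
    flagged = []
    for text in profiles:
        cfg = configparser.ConfigParser(interpolation=None)
        cfg.read_string(text)
        if cfg.get("connection", "type", fallback="") not in ("wifi", "802-11-wireless"):
            continue
        # A missing autoconnect key means "yes"; only an explicit false disables it.
        auto = cfg.getboolean("connection", "autoconnect", fallback=True)
        # Open networks have no [wifi-security] section at all.
        key_mgmt = cfg.get("wifi-security", "key-mgmt", fallback=None)
        is_open = key_mgmt is None or key_mgmt in UNAUTHENTICATED
        if auto and is_open:
            flagged.append(cfg.get("wifi", "ssid", fallback="<unknown>"))
    return flagged


if __name__ == "__main__":
    for ssid in risky_profiles(SAMPLE_PROFILES):
        print(f"open + auto-connect: {ssid}")
```

Any profile it lists is a candidate for "forget this network" or for switching auto-connect off.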
Sources
- FTC, Are public Wi-Fi networks safe?
- FBI IC3, evil-twin Wi-Fi advisory
- CISA, best practices for using public Wi-Fi
- NCSC UK, VPN guidance