Public Wi-Fi Risks and When to Use a VPN

The Real Risks of Public Wi-Fi

Public Wi-Fi networks — in cafes, airports, hotels, and shopping centres — are convenient, but they come with real security trade-offs. Because these networks are open and shared, other users on the same network can potentially observe your traffic. Two attack types are most common in this environment.

A man-in-the-middle (MITM) attack occurs when an attacker positions themselves between your device and the network. Any unencrypted traffic — including HTTP requests, DNS queries, and login sessions on poorly configured sites — can be intercepted and read in plaintext. Attackers can also inject content into unencrypted pages you visit.

An evil twin access point is a rogue hotspot configured to broadcast the same name (SSID) as a legitimate network. When your device connects automatically, all your traffic flows through the attacker's hardware. The Wi-Fi looks identical to the real thing, but the attacker can inspect, log, and manipulate everything that passes through it.

What a VPN Actually Does

A Virtual Private Network (VPN) creates an encrypted tunnel between your device and a VPN server operated by your VPN provider. All traffic leaving your device is encrypted before it touches the local network, which means anyone observing traffic on the coffee shop Wi-Fi — whether it's another customer or the hotspot operator — sees only encrypted noise.

This provides two meaningful protections:

• Network-level eavesdroppers on public Wi-Fi cannot read your traffic
• Your internet service provider (ISP) cannot see which sites you visit, only that you're connected to a VPN server
• Evil twin operators intercepting your connection get encrypted data they cannot easily read

When VPNs Don't Help

VPNs are frequently oversold. There are important threats a VPN provides no protection against whatsoever. A VPN does not protect you from phishing attacks — if you click a malicious link and enter your credentials on a fake website, the VPN is irrelevant. It does not protect against malware already running on your device. It does not prevent a breach on the destination server — if you log into a service that then gets hacked, the VPN had no bearing on that outcome.

A VPN also shifts your trust from your ISP and local network to the VPN provider itself. The VPN provider can see all your decrypted traffic if they choose to log it — which is why choosing a trustworthy provider matters enormously.

Choosing a Reputable VPN

Not all VPNs are equal. The VPN market is saturated with providers that log your activity, sell your data, or are outright malicious. Prioritise providers with independently audited no-log policies and a clear business model that doesn't depend on selling user data.

• Mullvad — accepts anonymous payment, strong privacy stance, independently audited, no accounts required
• ProtonVPN — Swiss-based, open-source clients, independently audited, free tier available
• ExpressVPN — widely used, audited, fast — though owned by Kape Technologies, which some researchers flag as a concern
• Free VPNs — avoid these almost universally; many monetise by logging and selling your browsing data, which is the exact opposite of what you want

Practical Tips for Public Wi-Fi

Even without a VPN, you can significantly reduce your exposure on public networks by following sensible habits.

• Always check that sites use HTTPS — look for the padlock in the address bar — before entering any credentials
• Avoid banking, shopping, or accessing sensitive accounts on public Wi-Fi — use your mobile data connection instead
• Turn off auto-join for open networks in your device's Wi-Fi settings so your device doesn't silently connect to evil twins
• Forget public Wi-Fi networks after use — this prevents automatic reconnection in future
• Keep your device's firewall and operating system updated to reduce exposure to local network attacks
• If you must use public Wi-Fi for sensitive tasks, a reputable VPN is your best additional protection