Public Wi-Fi safety: what's actually risky and what isn't

Public Wi-Fi is not the automatic disaster it was fifteen years ago. The FTC says connecting through public Wi-Fi is usually safe today because most websites use encryption. The real risk now is not "any coffee shop network will instantly steal your bank password." It is using the wrong network, the wrong site, or the wrong device habits.

That is the honest 2026 answer. Public Wi-Fi is often fine for normal browsing. It is still a bad place to be casual.

Sources: FTC on public Wi-Fi safety, CISA public Wi-Fi tip card, NSA guidance on wireless devices in public settings

The short answer: what is risky and what is not

Here is the practical split.

Usually lower risk than people think:

• reading the news on a legitimate HTTPS site
• checking flight times in an airline app
• ordinary browsing on a fully updated phone or laptop
• using a known app or site that already encrypts traffic

Still genuinely risky:

• joining the wrong hotspot because the name looks close enough
• logging in through a fake site that happens to show a padlock
• doing sensitive work on an open network when you could use cellular instead
• using an old, unpatched device on a network you do not control
• letting a browser or pop-up tell you where to sign in, pay, or "fix" a problem

The FTC's guidance is important here because it corrects a lot of outdated internet folklore. It says public Wi-Fi is usually safe now because most sites use encryption. But the FTC also warns that scammers can create fake websites and encrypt those too. So the presence of HTTPS is helpful, not magical.

Why public Wi-Fi is safer than it used to be

The old fear was simple: if you used public Wi-Fi, anyone nearby could casually read your traffic.

That risk has not disappeared, but the baseline changed when most normal websites moved to HTTPS by default. The FTC says that widespread encryption is why connecting through public Wi-Fi is usually safe today.

That means the network is no longer the whole story. The site and app you connect to matter just as much.

If you are opening a legitimate encrypted banking site, that is a very different situation from typing a password into a fake "your account is locked" page that a scam text pushed you toward.

What the real risks look like now

1. Fake hotspots

CISA says to confirm the network name and login process with staff before connecting because criminals can create similarly named hotspots and hope people join the wrong one.

This is one of the most practical public Wi-Fi risks because it does not require exotic hacking. It only requires you to join Hotel Guest Free instead of the real hotel network.

If you travel often, build this habit:

1. Ask staff for the exact network name.
2. Ask whether there is a captive portal or room-number login.
3. If the flow looks different from what staff described, stop.

2. Scam websites and phishing pages

The FTC explicitly warns that a scammer's site can be encrypted too. That matters because a lot of people still treat the padlock like a truth badge.

It is not.

HTTPS mainly tells you the connection to that site is encrypted. It does not tell you the site is honest.

This pairs directly with phishing recognition. The public network is often not the part that tricks people. The message and the fake page are.

3. Sensitive activity on networks you do not control

CISA says to avoid shopping, banking, and other sensitive work on public Wi-Fi when possible. NSA goes further and says to use a personal or corporate mobile hotspot instead of public Wi-Fi when you can.

That does not mean every bank login on hotel Wi-Fi is doomed. It means the conservative choice is still the right one for high-value activity:

• bank and brokerage logins
• online purchases
• work systems
• anything involving client data, privileged access, or regulated information

If your phone has reliable cellular service, use it for those sessions.

What you should actually do in airports, hotels, and coffee shops

The practical checklist is short:

1. Verify the network name with staff.
2. Prefer cellular or your own hotspot for financial or work activity.
3. Keep your device, browser, and apps updated.
4. Use strong passwords and MFA on important accounts.
5. If a message or portal pushes urgency, back out and verify independently.

That last point matters more than people think. The FTC's guidance on scams is relevant here because the same urgent pressure tactics show up on public networks too. If a login page or pop-up tells you to fix a payment problem, renew a subscription, or confirm an account immediately, do not trust the prompt by default.

Where a VPN fits, honestly

A VPN can add protection on unfamiliar public networks by encrypting traffic between your device and the VPN connection. NSA specifically recommends a personal or corporate VPN if you must use public Wi-Fi.

But a VPN is not the whole public Wi-Fi story, and it is not a cure-all.

It does not:

• make a scam site legitimate
• stop you from typing a password into a phishing page
• replace MFA
• replace software updates

If you want the full decision guide, separate the network risk from the VPN decision. This article is about the network risk. The VPN question is about whether the tool is worth using.

The safest mental model

Do not think of public Wi-Fi as a horror movie. Think of it as an environment where you should reduce unnecessary trust.

Trust less:

• the hotspot name
• the captive portal
• surprise pop-ups
• links inside texts or emails

Trust more:

• the real app you already use
• the real website you type yourself
• your own cellular connection for higher-risk activity
• MFA on the accounts that matter

That same mindset also fits the broader family cybersecurity guide. Good security is usually less about panic and more about reducing the number of bad decisions you can make under pressure.

If travel security or account hardening is becoming a recurring problem in your household, the individuals page is the right next step for a more structured setup.

Final answer

Public Wi-Fi is usually safe for ordinary browsing on legitimate encrypted sites and apps. What is still risky is using fake hotspots, trusting scam pages, and handling sensitive work on networks you do not control when you could use cellular instead.

So no, you do not need to panic every time you connect at an airport. You do need to stay deliberate.

FAQ

Is public Wi-Fi safe in 2026?

Usually yes for normal browsing, because encrypted websites and apps are now the norm. But "usually safe" is not the same as "trust everything on the screen."

Can someone steal my passwords on public Wi-Fi?

Old-style snooping is less effective against legitimate HTTPS traffic than it used to be. The more realistic modern failure is that someone tricks you onto a fake network or fake login page.

Should I use cell data instead of hotel Wi-Fi for banking?

Yes, if you can. That is the cleaner option for money, work access, and other high-value activity.

Does HTTPS mean a site is trustworthy?

No. It means the connection is encrypted. The FTC specifically warns that scam sites can be encrypted too.

Do I need a VPN every time I use coffee shop Wi-Fi?

Not every time. It is an extra layer, not a requirement for all browsing. The bigger wins are verified networks, real sites, updated devices, and MFA.

Sources and references

• FTC on public Wi-Fi safety
• CISA public Wi-Fi tip card
• NSA guidance on wireless devices in public settings
• FTC phishing alert