The Setup
You land at the airport. Open your laptop. The Wi-Fi network is called "Free_Airport_WiFi." You connect, check your email, log into your bank, scroll your work Slack. Everything works fine.
Except the network you connected to was not the airport. It was a $40 hardware device sitting in someone's backpack three rows away, broadcasting an identical SSID. Every login credential, every email, every Slack message — all of it routed through the attacker's device before reaching the actual internet.
This is called an evil twin attack. It takes about ten minutes to set up. It is the single most common attack on travelers in 2026.
Why Public Wi-Fi Is Worse Than You Think
The internet is mostly encrypted now. HTTPS is everywhere. That should protect you on public Wi-Fi, right?
Not really. HTTPS protects the contents of your communication with a website — but not the metadata. An attacker on the same network can see every site you visit, every app you use, every device you have connected. They can see when you log into your banking app even if they cannot see your password. That is enough to target you for follow-up attacks.
And HTTPS does not save you from the more common attack: a captive portal that intercepts your traffic at the edge, presents fake certificates, and tricks your browser into accepting them. Most people click "accept" on certificate warnings without reading them. The attacker reads everything from that point on.
The Hotel Wi-Fi Problem
Hotels are worse than airports. Hotel Wi-Fi networks are notorious for poor security configurations, lack of network isolation between rooms, and outdated infrastructure. The Mandiant DarkHotel campaigns have specifically targeted business travelers for over a decade by compromising hotel Wi-Fi networks.
If you are traveling for business and you log into corporate systems from hotel Wi-Fi, you are giving any attacker on that network — guests in other rooms included — a window into your corporate accounts.
The Coffee Shop Trap
Coffee shops, libraries, co-working spaces, gyms — every location with public Wi-Fi has the same problem. The network is open or shared, the equipment is consumer-grade, and there is no IT team monitoring for threats.
Packet sniffers like Wireshark are free and trivial to use. A bored teenager with a laptop can capture every unencrypted DNS request on the network — meaning they can see exactly what websites everyone is visiting. Even with HTTPS, that is enough information to build a behavioral profile and craft a targeted phishing attack.
What Actually Works
1. Use a VPN — always. A reputable VPN encrypts ALL your traffic, not just HTTPS. The attacker sees encrypted noise instead of your activity. The evil twin network captures nothing useful. The packet sniffer sees gibberish. NordVPN is what we recommend — Panama-based jurisdiction, audited no-logs, NordLynx protocol that is fast enough you will not even notice it is on. Set it to auto-connect on untrusted networks and you are protected by default.
2. Use cellular data when possible. Your phone's LTE or 5G connection is encrypted at the carrier level and not shared with anyone in physical proximity. Hotspot from your phone if you need a laptop online. The data cost is worth it.
3. Disable auto-connect to known networks. Your phone remembers every Wi-Fi network you have ever connected to. Attackers can broadcast SSIDs matching common networks ("attwifi", "xfinitywifi", "Starbucks") and your phone will silently auto-connect. Turn this off.
4. Use a firewall. macOS and Windows both have built-in firewalls. Turn them on. Block all incoming connections when on a public network.
5. Forget the network when you leave. "Forget This Network" prevents your device from auto-connecting to it later. Worth doing for any public Wi-Fi you use.
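Items 3 and 5 can be checked rather than remembered. The following is an added example, not part of the original article: it audits saved Wi-Fi profiles and flags open networks that will still auto-join any access point broadcasting the same name. It assumes a Linux laptop using NetworkManager's keyfile format; the sample profiles are constructed and the function names are illustrative.

```python
import configparser

# Constructed sample profiles in NetworkManager keyfile (INI) format; SSIDs are from the article.
SAMPLE_PROFILES = {
    "attwifi.nmconnection": """
[connection]
id=attwifi
type=wifi
[wifi]
ssid=attwifi
""",
    "home.nmconnection": """
[connection]
id=HomeNet
type=wifi
[wifi]
ssid=HomeNet
[wifi-security]
key-mgmt=wpa-psk
""",
    "starbucks.nmconnection": """
[connection]
id=Starbucks
type=wifi
autoconnect=false
[wifi]
ssid=Starbucks
""",
}

def audit_profile(text):
    """Return (ssid, verdict) for one saved profile, or None if it is not Wi-Fi."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    if cp.get("connection", "type", fallback="") != "wifi":
        return None
    ssid = cp.get("wifi", "ssid", fallback="?")
    is_open = not cp.has_section("wifi-security")  # no security section = open network
    auto = cp.getboolean("connection", "autoconnect", fallback=True)  # default is on
    if is_open and auto:
        return ssid, "REMOVE: open network that auto-joins any matching SSID"
    if is_open:
        return ssid, "forget when done: open network, auto-join already off"
    return ssid, "ok: secured profile"

def audit(profiles):
    """Map each profile file name to its (ssid, verdict) result."""
    return {name: audit_profile(text) for name, text in profiles.items()}

if __name__ == "__main__": print(audit(SAMPLE_PROFILES))
```

On a real machine the same function can be fed the contents of each saved profile file instead of the sample strings.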
The Travel Bonus
A VPN does one more thing that matters when traveling: it lets you appear to be in a different country. This means you can access your home Netflix library from abroad, your home banking sites that block foreign IPs, and your home news sites that geo-restrict content. It also bypasses the price discrimination that travel sites use: the same flight often costs less when booked from an IP address in a different country.
The privacy use case is the foundation. The travel use case pays for the subscription twice over.
The Bottom Line
Public Wi-Fi was a 2010 problem that everyone forgot about because they assumed HTTPS solved it. It did not. Evil twin attacks, captive portal exploits, packet sniffing, and DNS hijacking are all alive and well in 2026 — and the average traveler has zero defenses.
The defense is simple: encrypt everything, all the time, automatically. A VPN is the cheapest insurance policy you will ever buy. Five dollars a month to make every coffee shop, hotel, and airport network safe to use.
