Connecting to public Wi-Fi networks - threat or scare?
Avoid carrying out banking transactions on public networks – especially at airports! Hackers can steal your login credentials or spy on your communication. Never connect to public Wi-Fi without a VPN. But is it really that bad?
You've almost certainly come across these warnings – or some version of them – in dozens of articles that pop up online every year as the holiday season approaches. But is it truly the case that if a hacker sets up a fake Wi-Fi network, they can see everything you do online and even steal your banking or login details? This article aims to set the record straight.
We'll examine the three most common myths surrounding public Wi-Fi and reveal what’s actually true. And as a bonus, we’ve tested what a hacker can really see when you connect to a fake Wi-Fi network.
Myth 1
Hackers can see everything you do on public Wi-Fi.
Reality: If you’re browsing a legitimate website over HTTPS (you’ll recognize it by “https://” in the address bar or by “Connection is secure” when you click the padlock icon), your communication with the server is encrypted and authenticated. Someone on the same network cannot read the page contents, the text you type, passwords, or other sensitive data. They can, however, still observe some metadata around the encrypted connection, such as:
- The domain you're visiting (e.g. google.com): the name is sent in the clear in your DNS lookup and in the TLS handshake (the SNI field), unless your browser uses encrypted DNS and Encrypted Client Hello
- The timing and volume of data sent and received, and the IP addresses at both ends
- Some technical details about your device, such as its Wi-Fi hardware (MAC) address (often randomized on modern phones) and the hostname it announces when requesting an IP address
What they cannot see:
- The actual content of the page (text, images, forms)
- Passwords and/or personal information entered into forms
- Messages, login tokens, or other sensitive content
Most websites in the Czech Republic now use HTTPS, so you’ll rarely encounter unencrypted ones locally. However, when traveling abroad, you may still come across unsecured sites. That’s why it’s important to stay cautious and pay close attention to the websites you access while on the go.
Summary: When visiting a legitimate HTTPS website, your communication is encrypted. Hackers can't see the contents, passwords, or personal information you enter, though they may still access limited metadata like the domain name and some device info. HTTPS is common in the Czech Republic but may be less widespread in other countries.
Myth 2
Never perform financial transactions over public Wi-Fi – a hacker can easily redirect you to a fake site.
Reality: Most people today use their bank’s official mobile app for financial transactions. These apps are specifically designed to remain secure even on unprotected public networks, such as those in cafés or airports. They use strong encryption to safeguard your data during transmission and typically include additional security layers like user verification and certificate validation (often pinned to the bank’s own certificates, so a forged one is rejected outright). This protection only applies if you’re using the official banking app downloaded from a trusted source (like Google Play or the App Store) and keep your device regularly updated, as updates often fix known security vulnerabilities.
The same general principles apply when you use a secure web browser to access online banking or other HTTPS-enabled websites.
You may have heard that a hacker on public Wi-Fi can redirect you to a fake site even if you enter the correct web address. Technically this is possible, because whoever runs the network also answers your device’s DNS queries, but doing it without tripping the browser’s checks is far from easy. Here’s how such a scenario might play out:
Example
- You connect to a hacker's Wi-Fi and type “amazon.com” into your browser
- The hacker’s DNS server answers with the address of their own machine, which serves a copy of the Amazon login page. Nobody will issue the hacker a certificate for amazon.com, so their server presents a certificate for a domain they do control (say “amaz0n.com”, with a zero instead of an “o”) or a self-signed one
- Your browser checks that the certificate was issued by a trusted authority and that the name in it matches the domain you typed, amazon.com
- There is a mismatch, so you see a warning like “Your connection is not private”
- Important: Never ignore this warning or click “Proceed to amazon.com (unsafe).” This is a phishing attempt. Disconnect from the Wi-Fi immediately; the attacker controls the network and is trying to steal your login credentials or credit card details
- Caveat: the certificate check only happens if the connection is made over HTTPS. If you typed the address without “https://” and the site has not told your browser to insist on HTTPS (HSTS), the attacker can simply serve an unencrypted copy of the page and no warning appears at all. Recent browsers try HTTPS first for typed addresses, which narrows this gap but does not close it for every site
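To make the certificate check in the example above concrete, here is an added example (not code from the original article or from any browser) of the name-matching step: the browser compares the host the user typed against the DNS names listed in the certificate, following the RFC 6125 / RFC 9525 rules for case and wildcards. It covers only the name comparison; a real browser also checks the issuing authority, validity period and revocation. The certificate name lists (`ATTACKER_CERT_SANS`) are constructed for illustration.

```python
# Added example, not code from the original article: a simplified version of
# the name check a browser performs on an HTTPS certificate before trusting it
# (the rules of RFC 6125 / RFC 9525). It decides only the "does the name match"
# part; a browser additionally checks the issuing authority, expiry and revocation.
# The certificate name lists used below are constructed for illustration.

def hostname_matches(requested_host: str, san_dns_name: str) -> bool:
    """True if one subjectAltName DNS entry covers the host the user typed."""
    host = requested_host.lower().rstrip(".").split(".")
    pattern = san_dns_name.lower().rstrip(".").split(".")
    if len(host) != len(pattern):
        return False                      # a wildcard never spans more than one label
    if any("*" in label for label in pattern):
        # Only a full leftmost label may be a wildcard ("*.amazon.com"), never
        # "w*.amazon.com", and never so high that "*.com" would match everything.
        if pattern[0] != "*" or any("*" in l for l in pattern[1:]) or len(pattern) < 3:
            return False
        return host[1:] == pattern[1:]
    return host == pattern

def certificate_valid_for(requested_host: str, san_dns_names: list) -> bool:
    """True if any DNS name in the certificate matches the requested host."""
    return any(hostname_matches(requested_host, san) for san in san_dns_names)

def browser_decision(typed_host: str, san_dns_names: list) -> str:
    """What the browser shows once the server has presented its certificate."""
    if certificate_valid_for(typed_host, san_dns_names):
        return "ok"
    return "warning: Your connection is not private"

# Scenario from the article: the user typed amazon.com, the hostile network
# steered the connection to the attacker's server, which can only present a
# certificate for a domain the attacker controls.
ATTACKER_CERT_SANS = ["amaz0n.com", "www.amaz0n.com"]       # constructed
print(browser_decision("amazon.com", ATTACKER_CERT_SANS))   # warning

# The more dangerous case: the user typed amaz0n.com themselves (phishing
# link or typo). The certificate matches, so no warning appears.
print(browser_decision("amaz0n.com", ATTACKER_CERT_SANS))   # ok
```

The two calls at the end are the two halves of Myth 2: the same attacker certificate produces a warning when the user asked for amazon.com and silence when the user asked for amaz0n.com, which is why checking the whole address matters more than the padlock.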
⚠️ A different and more dangerous scenario occurs if you mistype the address or click a phishing link — for example, entering “amaz0n.com” instead of “amazon.com.” In this case, the fake domain may have a valid HTTPS certificate and closely mimic the original. Since everything looks legitimate, the browser won't issue any warning. You’ll learn more about identifying these types of attacks in the Phishing module of our Cyber Compass course.
Summary: If you use internet banking via a web browser and visit HTTPS-secured sites, the browser protects you from being redirected to fake servers by displaying a warning if there are problems with the certificate. However, the greatest risk is when a user visits a fake address themselves - for example, by clicking on a phishing link in an email or SMS, or when they access a site without HTTPS security (HTTP only). Therefore, it is always important to check the entire address in the browser carefully, not just the lock icon. You can learn more about how to protect yourself from phishing attacks in our Cyber Compass course in the Phishing module.
Myth 3
A VPN is the only way to stay safe on public Wi-Fi.
Reality: While a VPN is a valuable security tool, it's not the only way to protect yourself. A VPN encrypts all data traffic between your device and the VPN server, preventing hackers on the same Wi-Fi network from seeing not only your content but also metadata such as the websites you visit, the timing, and the amount of data transferred. This is especially useful when browsing unsecured (HTTP) websites. Note that a VPN moves that visibility rather than eliminating it: the VPN provider's server decrypts the tunnel and sees the same metadata the Wi-Fi operator would otherwise have seen, so you are choosing whom to trust.
A VPN also helps against DNS-based attacks such as DNS spoofing. Instead of sending DNS queries to the resolver handed out by a possibly hostile local network, your device sends them through the encrypted tunnel to the VPN provider's resolver, so an attacker on the Wi-Fi can neither see nor forge the answers and cannot redirect you to a fake site that way. Two caveats: this only holds if the VPN client really routes DNS through the tunnel (many VPN apps offer a "DNS leak" check), and it shifts trust to the VPN provider's resolver rather than removing the need for trust.
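What a forged DNS answer looks like on the wire, as an added example that is not part of the original article: the code below builds DNS responses from scratch (constructed packets; the names are made up and the addresses come from the documentation ranges 198.51.100.0/24 and 203.0.113.0/24), parses them the way a packet analyzer would, and flags the classic spoofing signature: two responses for the same transaction ID and name that disagree about the address. One caveat a practitioner should keep in mind: an attacker who runs the access point can simply drop the genuine answer, leaving no race to detect, which is exactly why the reliable fix on a hostile network is to stop using its resolver (VPN or encrypted DNS) rather than to detect the forgery after the fact.

```python
import struct

# Added example, not from the original article. It parses DNS responses as an
# observer on the Wi-Fi would and flags the signature of a spoofing race: two
# responses for the same transaction ID and name that disagree about the
# answer. All packets below are constructed; the IP addresses come from the
# documentation ranges (TEST-NET-2/3), and the names are made up.

def build_dns_response(txid, qname, ips, ttl=300):
    """Build a minimal DNS response with A records (constructed test data)."""
    def encode_name(name):
        return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    flags = 0x8180                                   # response, recursion available, NOERROR
    header = struct.pack("!HHHHHH", txid, flags, 1, len(ips), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)   # type A, class IN
    answers = b""
    for ip in ips:
        rdata = bytes(int(o) for o in ip.split("."))
        # 0xC00C is a compression pointer back to the name in the question (offset 12)
        answers += struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + rdata
    return header + question + answers

def read_name(pkt, off):
    """Decode a DNS name at offset `off`, following compression pointers."""
    labels = []
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:                    # pointer: 14-bit offset into the packet
            ptr = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            labels.append(read_name(pkt, ptr)[0])
            return ".".join(labels), off + 2
        off += 1
        if length == 0:
            return ".".join(labels), off
        labels.append(pkt[off:off + length].decode())
        off += length

def parse_dns_response(pkt):
    """Return transaction ID, queried name and the A-record answers."""
    txid, flags, _qdcount, ancount, _, _ = struct.unpack("!HHHHHH", pkt[:12])
    off = 12
    qname, off = read_name(pkt, off)
    off += 4                                         # QTYPE + QCLASS
    ips = []
    for _ in range(ancount):
        _, off = read_name(pkt, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in pkt[off:off + 4]))
        off += rdlen
    return {"txid": txid, "qname": qname, "ips": ips, "is_response": bool(flags & 0x8000)}

def find_spoof_races(parsed_responses):
    """Group by (txid, name); keep the groups whose answers disagree."""
    groups = {}
    for r in parsed_responses:
        groups.setdefault((r["txid"], r["qname"]), []).append(tuple(r["ips"]))
    return {key: answers for key, answers in groups.items() if len(set(answers)) > 1}

# Constructed capture: a forged answer for bank.example arrives just before
# the real resolver's answer; mail.example gets a single, consistent answer.
CAPTURED = [
    build_dns_response(0x1A2B, "bank.example", ["198.51.100.66"]),   # forged
    build_dns_response(0x1A2B, "bank.example", ["203.0.113.10"]),    # genuine
    build_dns_response(0x3C4D, "mail.example", ["203.0.113.20"]),
]

def demo():
    return find_spoof_races(parse_dns_response(p) for p in CAPTURED)

if __name__ == "__main__":
    for (txid, name), answers in demo().items():
        print(f"conflicting answers for {name} (id {txid:#06x}): {answers}")
```

Run as a script it reports the conflicting answers for bank.example and nothing for mail.example. Real captures also carry the UDP source port, which a spoofer must guess along with the transaction ID; the parser above works on the DNS payload only.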
However, even without a VPN, you can stay safe by following a few key practices:
- Use HTTPS websites: These encrypt communication between your device and the server, so hackers can’t view the content or data you submit (keep in mind, though, that phishing websites can also use HTTPS — see Myth 2 for more details)
- Keep your operating system, browser, and apps updated: Updates fix known vulnerabilities that attackers could exploit
- Be cautious online: Pay attention to what you're clicking and always verify URLs. For example, double-check that you're visiting “facebook.com” — not a lookalike like “facepook.com”
- Use official apps: Apps like mobile banking apps are built to operate securely, even on public Wi-Fi, without needing a VPN
If you prefer to use a VPN, Masaryk University offers one for free to students and staff. You can easily set it up by following the guide here: https://it.muni.cz/sluzby/eduvpn
Summary: A VPN is a powerful tool for enhancing online security, particularly when accessing HTTP sites or protecting against DNS manipulation. However, it’s not foolproof — it won't prevent you from falling for phishing attacks via email or SMS. HTTPS connections already provide strong protection, and official apps are designed to remain secure even on public networks. To learn more about safe online communication, explore the Secure Connection module in our Cyber Compass course.
What else should you watch out for?
Beware of fake Wi-Fi login pages (so-called captive portals)
When connecting to public Wi-Fi, a login page often appears where you need to accept the terms of use. This mechanism is called a captive portal. However, an attacker can create a fake portal that pretends to be an official page (e.g., Starbucks, Facebook, or the Wi-Fi provider) but is actually used to collect data or spread malicious code.
How to protect yourself:
- Never enter passwords for your personal accounts (such as Google, Facebook, or other online services) on pages that open automatically after connecting to Wi-Fi. Legitimate public network login portals may sometimes request your email address or agreement to terms, but they will never ask you to log into your personal accounts
- Check the address in your browser – if you see a suspicious domain or a URL-shortener link (e.g., freewifi-login.com, go0gle-login.net), it’s better not to use that Wi-Fi
- Do not install any “required plugins” or applications suggested by the captive portal. No regular Wi-Fi requires you to download software
- Be cautious – if the captive portal looks different than usual, it’s best to disconnect from the Wi-Fi immediately
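The "check the address" advice from Myth 3 (facebook.com versus facepook.com) and from the captive-portal list above (go0gle-login.net) can be turned into a small look-alike check. The following is an added example, not code from the original article: it undoes common digit-for-letter substitutions, compares the second-level label against a short allow-list of brands, and flags near misses. `KNOWN_BRANDS` is a constructed list, the "last two labels" rule in `registrable_domain` is a naive stand-in for a public-suffix lookup, and Unicode homographs (a Cyrillic "а" in place of a Latin "a") are deliberately out of scope; they need the Unicode confusables data.

```python
from urllib.parse import urlsplit

# Added example, not from the original article: a small look-alike check of the
# kind a careful user does by eye when reading the address bar. KNOWN_BRANDS is
# a constructed allow-list (a real tool would use the organisation's own list),
# and CONFUSABLES covers only a few ASCII substitutions; Unicode homographs are
# not handled here.

KNOWN_BRANDS = {"facebook.com", "google.com", "amazon.com", "muni.cz"}   # constructed
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

def registrable_domain(url: str) -> str:
    """Last two labels of the host, a naive stand-in for a public-suffix lookup."""
    host = (urlsplit(url if "://" in url else "//" + url).hostname or "").lower().rstrip(".")
    return ".".join(host.split(".")[-2:])

def normalize(domain: str) -> str:
    """Undo the common substitutions so 'go0gle' and 'arnazon' read as intended."""
    return domain.translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")

def levenshtein(a: str, b: str) -> int:
    """Edit distance; one substitution such as facebook -> facepook scores 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def assess_domain(url: str) -> tuple:
    """('ok', domain) | ('lookalike', domain, brand) | ('unknown', domain)."""
    domain = registrable_domain(url)
    if domain in KNOWN_BRANDS:
        return ("ok", domain)
    candidate = normalize(domain).split(".")[0]         # second-level label only
    words = candidate.split("-")                         # "google-login" -> ["google", "login"]
    for brand in sorted(KNOWN_BRANDS):
        brand_label = brand.split(".")[0]
        if brand_label in words or levenshtein(candidate, brand_label) <= 1:
            return ("lookalike", domain, brand)
    return ("unknown", domain)

if __name__ == "__main__":
    for u in ["https://www.facebook.com/login", "facepook.com",
              "http://go0gle-login.net/wifi", "amaz0n.com", "freewifi-login.com"]:
        print(u, "->", assess_domain(u))
```

An "unknown" verdict is not a clean bill of health; it only means the name is not close to a brand on the list. For a captive portal that asks for account passwords, the answer is the same regardless of verdict: don't enter them.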
Final word
Public Wi-Fi networks aren’t automatically dangerous – but risks rise if you ignore browser warnings or miss key security signals. Many of the threats associated with public Wi-Fi are based on real attack methods – but are often exaggerated. Today’s devices, apps and browsers include numerous security features. VPNs are a great additional layer of protection, but far from the only one. Visiting HTTPS websites is highly protective – and no VPN can shield you from your own inattention (like falling for a phishing scam).
If you'd like to learn more about cybersecurity, take one of our courses, sign up for training, or explore more of our articles.
Bonus for the Curious: The Difference Between HTTP and HTTPS
As an experiment, we created our own Wi-Fi network and connected to it. We then set up a website with a registration form – first without a certificate (i.e. over HTTP), and later added a certificate so it ran over HTTPS. Using a packet analyzer, we captured the data flowing between the device and the internet. The two captures are described below.
HTTP
When we visited the unsecured HTTP page at nocvedcu.csirt.muni.cz, the browser showed a crossed-out padlock. Clicking it revealed a warning that the connection was not secure.
We filled in and submitted the registration form. What could the network administrator (or potential attacker) see? A lot! They could see not only the visited site but also all data entered – name, password, email address, date and time of submission. They also saw technical info like browser type and version, operating system, and other details from the User-Agent header.
HTTPS
We then secured the site with a certificate so it worked over HTTPS. We filled out the same form and submitted it again.
What could the administrator see now? Almost nothing useful. The communication was encrypted, so instead of readable data they saw opaque bytes that cannot be decrypted without the session keys negotiated during the handshake, which only the browser and the server hold. What remained visible was the device’s IP address, the domain visited (from the DNS lookup and the SNI field of the TLS handshake), and the sizes and timing of the encrypted messages.
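The same comparison, and the metadata list from Myth 1, can be reproduced offline. The following is an added example, not the article's capture or code: it builds two constructed byte streams, an HTTP POST of a registration form and a TLS session consisting of a ClientHello carrying the server name followed by one encrypted application-data record, and then shows what a passive observer can pull out of each. The form values, User-Agent string and the "ciphertext" bytes are made up; the host name is the one the article used. The TLS builder is minimal (one cipher suite, one extension) but follows the real record and handshake layout, so the SNI parser would work on a genuine ClientHello as well.

```python
import struct
from urllib.parse import parse_qs

# Added example, not the article's own capture or code. It replays the
# experiment on constructed bytes: an HTTP POST of a registration form, and a
# TLS session (a ClientHello carrying the server name, then an encrypted
# application-data record). observe_http and observe_tls report what someone
# sniffing the Wi-Fi can read from each. The form values, User-Agent string
# and "ciphertext" are made up; the host name is the one used in the article.

_FORM = b"name=Jana&email=jana%40example.org&password=Hunter2%21"      # constructed
HTTP_POST = (b"POST /register HTTP/1.1\r\n"
             b"Host: nocvedcu.csirt.muni.cz\r\n"
             b"User-Agent: Mozilla/5.0 (X11; Linux x86_64) Firefox/128.0\r\n"
             b"Content-Type: application/x-www-form-urlencoded\r\n"
             b"Content-Length: " + str(len(_FORM)).encode() + b"\r\n\r\n" + _FORM)

def build_client_hello(server_name: str) -> bytes:
    """Minimal TLS ClientHello record whose only extension is server_name (SNI)."""
    name = server_name.encode()
    sni_list = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name   # list len, type host_name, name len
    sni_ext = struct.pack("!HH", 0, len(sni_list)) + sni_list              # extension type 0 = server_name
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00"                            # legacy version, random, empty session id
            + struct.pack("!H", 2) + b"\x13\x01"                             # one cipher suite (TLS_AES_128_GCM_SHA256)
            + b"\x01\x00"                                                    # compression methods: null only
            + struct.pack("!H", len(sni_ext)) + sni_ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body               # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record type handshake

def build_app_data(ciphertext: bytes) -> bytes:
    """TLS application_data record; the payload is opaque without the session keys."""
    return b"\x17\x03\x03" + struct.pack("!H", len(ciphertext)) + ciphertext

FAKE_CIPHERTEXT = bytes((i * 37) % 256 for i in range(180))              # stand-in for AEAD output

def observe_http(payload: bytes) -> dict:
    """Everything in a plain HTTP request is readable: path, headers, form fields."""
    head, _, body = payload.partition(b"\r\n\r\n")
    request_line, *header_lines = head.decode().split("\r\n")
    headers = dict(line.split(": ", 1) for line in header_lines)
    form = {k: v[0] for k, v in parse_qs(body.decode()).items()}
    return {"request": request_line, "host": headers.get("Host"),
            "user_agent": headers.get("User-Agent"), "form": form}

def extract_sni(hello: bytes):
    """Walk the ClientHello body to the extensions and pull out the server_name."""
    p = 2 + 32                                            # legacy version + random
    p += 1 + hello[p]                                     # session id
    p += 2 + struct.unpack("!H", hello[p:p + 2])[0]       # cipher suites
    p += 1 + hello[p]                                     # compression methods
    ext_end = p + 2 + struct.unpack("!H", hello[p:p + 2])[0]
    p += 2
    while p + 4 <= ext_end:
        etype, elen = struct.unpack("!HH", hello[p:p + 4])
        p += 4
        if etype == 0:                                    # server_name: list len(2), type(1), name len(2), name
            name_len = struct.unpack("!H", hello[p + 3:p + 5])[0]
            return hello[p + 5:p + 5 + name_len].decode()
        p += elen
    return None

def observe_tls(stream: bytes) -> dict:
    """From a TLS stream an observer gets the server name and record sizes, nothing else."""
    seen = {"sni": None, "app_data_bytes": 0, "record_types": []}
    p = 0
    while p + 5 <= len(stream):
        ctype, length = stream[p], struct.unpack("!H", stream[p + 3:p + 5])[0]
        record = stream[p + 5:p + 5 + length]
        p += 5 + length
        seen["record_types"].append(ctype)
        if ctype == 0x16 and record[0] == 0x01:            # handshake / client_hello
            seen["sni"] = extract_sni(record[4:])
        elif ctype == 0x17:                               # application_data: only its size leaks
            seen["app_data_bytes"] += length
    return seen

def demo() -> dict:
    tls_stream = build_client_hello("nocvedcu.csirt.muni.cz") + build_app_data(FAKE_CIPHERTEXT)
    return {"http": observe_http(HTTP_POST), "https": observe_tls(tls_stream)}

if __name__ == "__main__":
    print(demo())
```

The HTTP result contains the name, e-mail, password and User-Agent; the HTTPS result contains only the server name and "180 bytes of application data". The observer would additionally have the IP addresses and timestamps from the packet headers, which this payload-level view leaves out.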