Public Wi-Fi is no longer the digital danger zone it was a decade ago. Most serious websites now use HTTPS by default, browsers scream at you when a page is insecure, and banking apps are generally better engineered than the average hotel router that has not seen a firmware update since the Abbott years.

That does not mean airport, cafe and hotel Wi-Fi is harmless. The threat model has changed. The old fear was that someone nearby could casually read every password you typed. In 2026, the more realistic risks are trickier: fake hotspots, malicious login pages, DNS tampering, devices auto-joining networks you forgot existed, and sharing settings that make your laptop a little too friendly to strangers.

The good news is that most of this is easy to fix. You do not need to become paranoid, carry a Faraday bag, or conduct every Zoom call through carrier pigeon. You just need to stop making a few common mistakes.

Thinking HTTPS solves everything

HTTPS has done a huge amount of work to make public Wi-Fi safer. When you see the padlock in your browser, the connection between your device and that website is encrypted. Someone on the same Wi-Fi network should not be able to read the contents of your online banking session, your email, or your shopping cart just by listening to traffic.

But HTTPS does not protect everything. It does not guarantee that the Wi-Fi network itself is legitimate. It does not stop you from typing your password into a fake login page. It does not prevent every app from leaking metadata. It does not stop a dodgy hotspot from blocking, redirecting, or interfering with some connections.

The realistic danger is not usually a shadowy person in the corner instantly stealing your bank balance. It is a messy chain of small failures: you join a fake network, accept a weird captive portal, reuse an email password, ignore a browser warning, or leave your laptop discoverable. Public Wi-Fi security is now less about one dramatic hack and more about not handing attackers convenient shortcuts.

Joining evil-twin hotspots at airports and cafes

An evil-twin hotspot is a fake Wi-Fi network made to look like the real one. At an airport, it might be called something like “Free Airport WiFi” instead of the official network name. At a cafe, it might copy the venue name with a tiny variation. Your device cannot judge intent. If the signal is strong and the name looks plausible, it will happily connect.

This is especially common in places where people are tired, rushed, or juggling bags: airports, conference centres, hotels, food courts and busy cafes. The attacker does not need to break into the venue’s actual router. They just need to create a convincing network name and wait for people to connect.

Before joining public Wi-Fi, check the exact network name with signage, staff, or the venue’s official material. Be suspicious of duplicates, spelling oddities, “free” networks with no clear owner, and any hotspot that asks you to install a certificate, profile, VPN, browser extension, or “security update” before you can browse. That is not normal cafe Wi-Fi behaviour.

If you are at an airport in Australia, use the network name shown on official airport signage or the airport’s website. If you are at a cafe, ask the staff. It takes ten seconds and saves you from trusting the loudest signal in the room.

Letting your device auto-join old networks

Auto-join is convenient until it is not. Phones and laptops remember networks you have used before, then reconnect when they see the same name again. That is fine at home. It is less fine when your device has years of saved networks called “Guest WiFi”, “Airport Free WiFi”, “Hotel Lobby” and “CafeNet”.

A fake hotspot using a familiar network name can sometimes lure devices into reconnecting automatically. Even when that does not happen, old saved networks are clutter you do not need. They make it easier to connect to the wrong thing, especially when you are moving between airports, hotels and coworking spaces.

After using public Wi-Fi, forget the network. On iPhone, go to Wi-Fi settings, tap the information icon next to the network, then choose “Forget This Network”. On Android, open the saved network details and remove it. On Windows and macOS, remove old networks from known or preferred networks.

Also turn off auto-join for public networks you need only once. Your phone does not need to maintain a lifelong emotional attachment to the Wi-Fi at a Gold Coast hotel you visited in 2023.

Trusting captive portals and hotspot login pages

Captive portals are the pop-up pages that ask you to accept terms, enter an email address, or log in before using Wi-Fi. Some are legitimate. Some are badly built. Some are outright traps.

The big mistake is treating a hotspot login page like a normal trusted website. Do not enter passwords you use elsewhere. Do not sign in with your main email password. Do not use “Sign in with Google” or another identity provider unless you are confident the portal is legitimate and the sign-in page is actually from that provider. Check the address bar carefully.

Be especially wary if a Wi-Fi portal asks for unusual information: date of birth, home address, payment details for a supposedly free network, work credentials, or permission to install anything. A cafe does not need your corporate Microsoft login so you can check Slack over a flat white.

If a portal requires an email address, consider using an alias or secondary address. If it requires a password, use a unique one generated by your password manager. Better still, use mobile data or tether from your phone when the portal feels off.

Ignoring DNS leakage and network tampering

DNS is the system that turns website names into the server addresses your device connects to. On a public network, DNS can reveal the sites or services you are trying to reach, even when the content itself is protected by HTTPS. A poorly run or hostile hotspot may also try to redirect lookups, block certain domains, or push you through its own filtering system.

This is where a reputable VPN can still be useful. It is not magic privacy fairy dust, and it does not make unsafe behaviour safe. But on public Wi-Fi, a VPN can encrypt more of the traffic leaving your device and reduce what the local network can see or interfere with, including DNS requests if the VPN handles DNS properly.

For Australians working from cafes, hotels or airports, the practical approach is simple: use a trusted paid VPN, enable the kill switch if available, and turn on auto-connect for untrusted networks. Avoid random free VPNs, especially ones you found through an ad. If the business model is unclear, you may just be moving your trust from the cafe router to a company with even fewer reasons to behave well.

Also check your browser’s secure DNS settings. Chrome, Edge, Firefox and Safari have improved this area over time, but the exact behaviour depends on your device, network and configuration. You do not need to obsess over it. Just understand that public Wi-Fi privacy is not only about the padlock in your browser.

Doing sensitive work on hotel networks without extra care

Hotel Wi-Fi deserves its own category because it combines several bad ingredients: lots of transient users, shared passwords, weak support, captive portals, and routers that may be managed by third-party providers. It is not automatically dangerous, but it is rarely a network you should treat like home.

Banking on hotel Wi-Fi is generally safe if you use the official app or website, HTTPS is intact, and you do not ignore security warnings. Australian banks invest heavily in app security, device checks and fraud controls. The bigger risk is user error: clicking a fake portal, searching for the bank and tapping an ad, reusing passwords, or responding to a scam SMS while distracted.

For banking, tax, payroll, client files or anything work-sensitive, use your phone’s mobile data if you can. If you must use hotel Wi-Fi, connect to a reputable VPN first, open the bank’s app directly, and do not proceed if your browser or app warns about certificates or a connection problem. Those warnings are not decorative.

If you are travelling for work, ask your employer what is allowed. Many organisations have rules about VPNs, managed devices, cloud access and public networks. Follow those rules. The point is not to improvise heroically from a hotel desk at midnight.

Leaving sharing features switched on

Public Wi-Fi risk is not only about the network. Your own device may be advertising more than you realise.

On a laptop, check file sharing, printer sharing, network discovery and public folder settings. Windows should treat cafe and airport Wi-Fi as a public network, not a private one. On macOS, review Sharing settings and disable services you do not need. If you are not intentionally sharing files, your sharing settings should be boring.

AirDrop is another one to check. On Apple devices, set AirDrop to “Contacts Only” or turn it off when you are in public. The same goes for nearby sharing features on Android and Windows. These tools are useful, but they are designed for convenience. Convenience becomes less charming when your phone is discoverable in a crowded terminal.

Bluetooth is worth a quick look too. You do not need to disable it forever, but avoid leaving devices in pairing mode in public. Pairing mode is for connecting devices you trust, not for broadcasting an invitation to everyone waiting near Gate 23.

A practical cafe checklist for Australians

If you work from cafes, libraries, airports or coworking spaces, use this quick routine:

  • Confirm the network name with staff or official signage before joining.
  • Avoid duplicate or vague hotspots such as “Free WiFi” with no venue name.
  • Do not install certificates, profiles or apps just to access public Wi-Fi.
  • Use mobile data or tethering for banking, tax, payroll and sensitive client work.
  • Use a reputable VPN on networks you do not control, especially when travelling.
  • Never reuse important passwords on hotspot portals or venue accounts.
  • Forget public networks after you are done with them.
  • Turn off file sharing and open discovery before working in public.
  • Keep your device updated so browser, Wi-Fi and app security fixes are installed.
  • Leave if the network behaves strangely, especially if you see certificate warnings or repeated redirects.

Use public Wi-Fi, but do not trust it

Public Wi-Fi is a tool, not a trusted environment. Use it for browsing, email, maps, messaging and routine work. Be more careful with banking, identity documents, business systems and anything that would ruin your week if exposed.

The modern rule is straightforward: verify the network, distrust weird login pages, protect your DNS and traffic where practical, shut down unnecessary sharing, and clean up saved networks afterwards. Public Wi-Fi is much safer than it used to be. It is still not your lounge room.