Why this matters
The good news: the classic man-in-the-middle problem on public Wi-Fi has been significantly reduced by the near-universal adoption of HTTPS. In 2026, over 95% of web traffic is encrypted — anyone intercepting coffee-shop Wi-Fi traffic mostly sees encrypted data.
The bad news: three other problems have worsened.
Evil twin attacks (fake Wi-Fi networks with a trustworthy name like 'Airport Free WiFi') are trivial to set up and route all traffic through the attacker. DNS hijacking allows attackers on public Wi-Fi to redirect DNS queries — even with HTTPS. Unencrypted legacy protocols (some VoIP apps, old email clients, IoT devices) still transmit in plaintext.
The risk is no longer 'Wi-Fi is fundamentally dangerous' but 'specific attack vectors are specifically targeting public Wi-Fi users'.
How to do it right
Personal hotspot as first choice
For business work: always prefer the personal hotspot on your company phone. The hotspot is your own network — no third party has access to your connection.
Enable VPN on public Wi-Fi
When you must use public Wi-Fi: VPN first, then work. VPN protects not only against traffic sniffing but also against DNS hijacking attacks.
Verify Wi-Fi name before connecting
Ask a staff member for the official Wi-Fi name and password — do not simply connect to the strongest signal. Evil twin networks often have nearly identical names ('Hotel_Wifi_Free' vs 'HotelWifi').
No sensitive actions without VPN
Banking access, company login, email password entry — never without VPN on public Wi-Fi. HTTPS alone does not protect against all the attacks described above.
Disable automatic Wi-Fi connection
Disable 'auto-connect' for known networks or enable 'randomise MAC address' in your Wi-Fi settings. Prevents passive tracking through Wi-Fi probe requests.
Tools we recommend
- Personal hotspot (iOS/Android) — simplest solution; no app required; connection to the company network remains over the mobile network
- Cloudflare WARP — free VPN alternative with DNS-over-HTTPS; not suitable for all enterprise requirements (no split tunnelling), but good for personal devices
- WireGuard — fast, modern VPN protocol; many enterprise VPN solutions use WireGuard as their underlying technology
- HTTPS Everywhere is now default since 2023 — the browser extension is no longer needed; all modern browsers enforce HTTPS automatically where available
If you only remember one thing
Personal hotspot beats everything. Anyone working mobile with a company phone should consistently avoid public Wi-Fi for work devices.
Create a clear company policy
Define in your IT security policy: 'Business work on public Wi-Fi only with VPN or via personal hotspot.' A written rule creates clarity and protects you legally in case of incidents.