The hotel lobby WiFi feels harmless enough. So does the one at the airport gate, or the coffee shop where the traveler stops to plan tomorrow’s itinerary. A network name pops up, a password is handed over at check in, and within seconds the connection is live. Nobody thinks twice about it anymore.
That casual habit is exactly what cybercriminals are counting on.
Public WiFi has quietly become one of the most dangerous parts of modern travel, and the people most likely to fall victim are not careless teenagers fumbling with their first smartphone. They are seasoned travelers: confident, experienced, and comfortable enough with technology to assume they already know the risks. That confidence is precisely what makes them a target.
A Stranger Could Be Sitting Between You and Your Bank
Imagine standing in a hotel lobby, logging into a bank account to check on a wire transfer, while a stranger across the room quietly watches every keystroke travel through the air. That is essentially what happens during what security researchers call a man in the middle attack. A hacker positions themselves between a traveler’s device and the internet connection it’s trying to reach, intercepting and sometimes even altering the data as it passes through.
It does not require a criminal mastermind or expensive equipment. Ethical hackers use a small, easily purchased device called a WiFi Pineapple to test network security, and that same device allows even a novice criminal to pull off the same attack. It can be bought online for less than the cost of a nice dinner.
The truly unsettling part is how convincing the trap looks. Criminals routinely set up fake networks with names almost identical to the real one, something like “Hotel_Guest_WiFi” instead of “HotelGuestWiFi.” A distracted traveler, jet lagged and eager to check email after a long flight, connects to the wrong one without a second glance. In hotels especially, these decoy “honeypot” networks are often loaded with malware designed to extract information the moment a device connects.
That Password at Check-In Means Almost Nothing
There is a dangerous assumption that comfortable hotels and resorts seem to encourage without ever saying it outright: if the network requires a password, it must be secure.
It is not.
The password handed over at check-in is typically the same one given to every guest for weeks or even months at a time. It keeps strangers in the parking lot from connecting. It does nothing to stop the person sitting two tables away in the breakfast room who checked in three days earlier and kept the password written on a card in their wallet. A password for network access does not equal encryption, and encryption is the only thing that actually protects what a traveler is sending and receiving.
This matters enormously for the kind of traveler who handles real financial business from the road. Checking a brokerage account, approving a wire transfer, reviewing a property closing document while sitting at a beach resort: all of it can happen on a network that offers no real protection at all.
The Numbers Are Worse Than Most Travelers Realize
This is not a fringe problem affecting a handful of unlucky people.
Roughly one in four travelers using public WiFi abroad has been hacked, and four in ten have had their personal information compromised through a public network. Despite that, the overwhelming majority, nearly eighty percent, still connect without using any kind of protective software at all.
The hospitality industry itself has become an increasingly attractive target. Cyberattacks against hotels and similar businesses rose sharply in recent years, with guest WiFi networks identified as one of the most common points of entry. The very network a hotel proudly advertises as a guest amenity can be the weakest point in its entire security setup.
What makes a stolen login so dangerous is not the inconvenience of changing a password. A single breach can cascade into fraudulent charges, drained bank accounts, loans taken out in someone else’s name, and in the worst cases, stolen private photos or documents used for blackmail. For a traveler managing a business remotely, the exposure goes even further. A breach while traveling for work can expose confidential company information, leading to serious professional and legal consequences long after the trip is over.
Why a Relaxed, Experienced Traveler Is Actually More At Risk
It seems backwards, but it is true. The traveler who has crossed a dozen borders and worked through a hundred hotel check-ins is often less cautious than someone visiting an unfamiliar country for the first time.
Cybercriminals understand that most people are in a hurry, that travelers are simply looking for connectivity, and that everyone has grown used to clicking through prompts without reading them carefully. Experience breeds exactly that kind of automatic behavior. The traveler who has done this a hundred times stops reading the network name carefully. They stop pausing before tapping “accept” on a permissions prompt. That pattern is not a flaw of carelessness, it happens because people are simply busy, distracted by travel itself.
A relaxing afternoon at a vineyard or a market stall is precisely the moment when guard comes down and a quick check of email feels completely routine.
What Actually Works When the WiFi Looks Tempting
There is good news buried in all of this. The fix does not require giving up connectivity altogether, and it does not require becoming a cybersecurity expert overnight.
A handful of habits make an enormous difference. Before connecting to anything in a hotel, restaurant, or transit hub, it is worth simply asking a staff member to confirm the exact network name out loud. Most organizations are happy to provide this, and it takes only a moment to rule out a convincing fake.
Banking, brokerage logins, and anything involving a password worth protecting should be saved for later, ideally on a private connection. Doing any kind of banking, shopping, or payment activity is best reserved for a home network, no matter how many precautions are taken on a public one.
A reputable VPN remains the single most effective tool available. It encrypts traffic before it ever leaves the device, turning a public connection into something far closer to a private one.
For travelers who want to sidestep the entire problem, increasingly affordable options now exist. Mobile data is considered safer than public WiFi by default, since cellular networks require authentication and encrypt traffic between a device and the carrier, and there’s no public network name for a criminal to copy or spoof in the first place. Travel eSIMs have made this far more practical than it once was, offering a private cellular connection in most destinations without hunting for a local SIM card or relying on a hotel’s questionable network entirely.
The trip will not be ruined by leaving the WiFi alone for an afternoon. A drained bank account or a stolen identity, on the other hand, can cast a shadow over months that follow long after the suitcase has been unpacked.
Amanda O’Brien is the creator and editor of The Boutique Adventurer. She has visited 80 countries and is a member of the British Guild of Travel Writers as well as the IFTWTA. She is passionate about wine had has just completed Level 3 of the WSET. Born in Australia, she lives in London.