Public Wi-Fi at Airports and Hotels Exposes Travelers to Real Account Theft. Here Is What the Risk Actually Looks Like.

The Setup Is Boringly Familiar

You land, find the hotel Wi-Fi password on a card at the front desk, and connect without thinking twice. You check email, log into Netflix, maybe glance at your bank app. That sequence, repeated by millions of travelers every day, is exactly what cybercriminals count on.

Fox News technology correspondent Kurt "CyberGuy" Knutsson outlined the core problem: travelers connecting to public networks are routinely targeted through airport USB charging ports, rogue Wi-Fi hotspots, and phishing texts crafted to look like airline or hotel communications.

The Three Attack Vectors That Actually Work

Evil twin hotspots are the most effective and the hardest to spot. An attacker sets up a Wi-Fi network named "Marriott_Guest" or "Airport_Free_WiFi" a few feet from the real one. Your device connects automatically if you have connected to a similarly named network before. Everything you send — login credentials, session cookies, credit card numbers — flows through the attacker's hardware before it reaches the internet.

USB juice jacking involves compromised public charging ports, most commonly found in airports and hotel lobbies. Plugging in a phone via USB gives the port hardware potential access to the device's data layer, not just power.

Phishing texts are the third vector. Attackers who know travelers are in transit — often inferrable from public social media posts — send texts impersonating airlines with fake rebooking links, or hotels asking for credit card "re-verification." The texts are designed to hit when a traveler is stressed and moving fast.

The Strongest Counterargument, Stated Fairly

Skeptics of VPN-first cybersecurity advice point out that most major websites now use HTTPS encryption by default, which means a passive eavesdropper on public Wi-Fi cannot easily read the content of your traffic the way they could in 2010. TLS 1.3, the current standard, is widely deployed. From that view, the "public Wi-Fi is dangerous" narrative is partly outdated fearmongering that sells VPN subscriptions rather than addressing real current risk.

That concern is not baseless. HTTPS does protect the content of most web communications in transit. But it does not protect against evil twin attacks that intercept traffic before the TLS handshake completes, it does not protect against session cookie theft through other means, and it does not protect you when an app communicates over an unencrypted channel that you have no visibility into. The risk has evolved, not disappeared.

What Actually Protects You

A Virtual Private Network, or VPN, encrypts your device's traffic before it leaves your phone or laptop, rendering a rogue hotspot's interception useless. Knutsson, appearing on Fox & Friends, recommended activating a VPN before connecting to any public network, treating the VPN as the first step rather than an afterthought.

As Knutsson's reporting notes, when you log into a service, your device gets a small file called a session token that keeps you signed in. If an attacker tricks you onto a fake network or pushes you toward a fake login page, that token or login can become a target — turning a quick hotel Wi-Fi session into someone hijacking an account, locking you out, racking up charges, or selling your access.

The Number Worth Knowing

Six in ten identity crimes now begin with new account fraud, according to figures cited by Knutsson. New account fraud means an attacker uses your stolen credentials or personal data to open accounts in your name, not just drain your existing ones. That is harder to catch and takes longer to untangle.

The unresolved question for travelers is practical. Most free VPNs log user data and have compromised privacy records of their own, meaning the cure can introduce a different problem. Choosing a paid VPN with a verified no-logs policy — one that has been independently audited, not just claimed by the company's own marketing — is the specific step that separates meaningful protection from security theater.