Why You Should Think Twice Before Connecting to Your Hotel’s Wi-Fi on Your Next Vacation

As you soak in the sun, hackers are lurking in the shadows, preying on unsuspecting tourists who connect to the hotel Wi-Fi. Here's how to avoid becoming their next victim.

Nothing beats reclining in a luxurious hotel room on the first night of a much-anticipated vacation, ready to connect your devices to the free Wi-Fi and start blissfully scrolling through your favorite apps and websites. Truth be told, it’s a ritual that most of us engage in without a second thought. While we all know the dangers of public Wi-Fi, what could be safer than the cozy confines of a reputable hotel Wi-Fi connection? But is hotel Wi-Fi safe?

Unfortunately, the chilling reality is this: Your data, your personal information and even your hard-earned money could be at risk every time you connect to hotel Wi-Fi. And with thousands of guests using Wi-Fi connections in hotels at any given moment, getting hacked while on vacation is no longer just a remote possibility—it’s an unsettling smartphone security threat on the rise. So before your next getaway, read up on the alarming risks of using hotel Wi-Fi, as well as the online security tips and steps you need to take to protect yourself from hidden danger.


Is hotel Wi-Fi safe?

Hotel Wi-Fi networks, often left unsecured or protected by outdated security measures, provide a fertile ground for cybercriminals. Once these criminals gain access to an unprotected hotel Wi-Fi router, they can intercept data from any other device on the network, allowing them to spy on your online activities, steal your passwords and personal information, and even manipulate your devices—all without your knowledge.

To understand how this works, think of the connection between a Wi-Fi router and a device as a two-way bridge, where malware can travel in either direction. “Sophisticated malware from an infected device can spread to the Wi-Fi router and infect other devices connected to the network,” says Adrianus Warmenhoven, a cybersecurity expert at NordVPN. “It can also stay in the router and collect data from any other device in the network or change router settings and redirect users to malicious websites.”

But what if hotel networks offer advanced speeds or require passwords? Is hotel Wi-Fi safe then? Not always, says Gregg Smith, CEO at MISI, a cybersecurity nonprofit. In fact, hotels themselves can view basic information—like your device’s info and the time of your connection—when you connect to their Wi-Fi network.

“Readers need to understand that they are vulnerable to the many threats that exist in the wild,” Smith says. Take preventive online security measures to make sure your next vacation doesn’t become a nightmare.

What are the risks of connecting to your hotel’s Wi-Fi?

In an era when the world is more connected than ever, the conveniences of hotel Wi-Fi are irresistible. But beneath the illusion of comfort and security, experts say that your trusted hotel Wi-Fi network could leave you vulnerable to online scams and other cybersecurity threats. Here are the risks of connecting to hotel Wi-Fi and how to stay safe.

The risk: Unprotected connections

One of the most common ways cybercriminals can use hotel Wi-Fi to steal guests’ information is by taking advantage of unprotected connections, according to Warmenhoven. When they find a hotel Wi-Fi network that lacks the proper security features, they can connect to the network and install spyware, which infects all other devices connected to that Wi-Fi. From there, hackers can launch what’s called a “session takeover,” where they hijack your web browsing session and access everything on the device, including passwords and sensitive documents, according to Smith.

How to stay safe: To protect your devices when connecting to hotel Wi-Fi, Warmenhoven suggests using firewalls or other tools that can fight off malware or hijackers, like NordVPN’s Threat Protection software. Smith also recommends checking to see that the websites you visit have “https” in their URLs to ensure that you’re using a secure connection when browsing online.

The risk: Data breaches

In another common cyberattack, a hacker sends a hotel employee a phishing email or creates a phony hotel login page that looks convincing enough for the employee to enter their login credentials. Once the hacker has the employee’s info, they can use it to log in to the hotel’s system and steal sensitive data, as well as access the Wi-Fi network and snoop on guests’ online activity.

In fact, this is exactly how attackers hacked into Marriott’s guest database in 2020 and 2022. In those attacks, cybercriminals were able to access data, including guests’ credit card information and other confidential details about both guests and employees.

How to stay safe: Is hotel Wi-Fi safe enough to access a bank account? The answer, unfortunately, is no. Avoid sharing sensitive information or logging in to critical accounts, such as your bank account, when using hotel Wi-Fi. Instead, limit your web browsing to simple, safe activities like searching Google or checking social media. No matter how safe a hotel’s Wi-Fi appears to be, malware acts quietly and invisibly to steal your data, so you never know if the network has been compromised until it’s too late.

The risk: Evil twin hot spots

Think twice before connecting to any old Wi-Fi network with the name “Hotel Wi-Fi”—it could be a so-called evil twin. This fake, unprotected Wi-Fi hot spot is created by hackers to trick you into connecting so they can watch your web browsing and steal your credentials when you log in to important accounts. Evil twin hot spots typically have a generic, unsuspicious name, such as “Guest Wi-Fi” or “Free Hotel Wi-Fi,” rather than the name of the hotel itself, Warmenhoven says.

How to stay safe: When you check in to the hotel, Warmenhoven recommends asking the person at the reception desk to give the exact name and password for the provided Wi-Fi. He also advises using a VPN service on your devices, which will encrypt your data as you browse the web and block third parties from intercepting your online activity.
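
Added example (not part of the original article): a small Python heuristic that applies the evil-twin signs described above to a list of nearby networks, using the name confirmed by the front desk as the reference. The hotel name, MAC addresses and scan rows are constructed sample data, and triage() is a hypothetical helper.

```python
# Generic names the article gives as typical for evil twins.
GENERIC_NAMES = {"hotel wi-fi", "guest wi-fi", "free hotel wi-fi"}

# Constructed sample scan: (network name, access point MAC, security mode).
SAMPLE_SCAN = [
    ("Seaview Resort", "aa:bb:cc:00:00:01", "wpa2"),
    ("Seaview Resort", "aa:bb:cc:00:00:02", "wpa2"),
    ("Seaview Resort", "de:ad:be:ef:00:01", "open"),
    ("Free Hotel Wi-Fi", "de:ad:be:ef:00:02", "open"),
    ("seaview resort ", "de:ad:be:ef:00:03", "wpa2"),
    ("Cafe Marina", "11:22:33:44:55:66", "open"),
]

def triage(scan, confirmed_ssid):
    """Return {mac: [reasons]} for networks that deserve suspicion.

    confirmed_ssid is the exact network name given at the reception desk.
    """
    wanted = confirmed_ssid.strip().lower()
    # Security modes advertised under the confirmed name; a real hotel
    # network should not appear both password-protected and open.
    modes = {sec for ssid, _, sec in scan if ssid == confirmed_ssid}
    findings = {}
    for ssid, mac, sec in scan:
        reasons = []
        name = ssid.strip().lower()
        if ssid == confirmed_ssid:
            if sec == "open" and len(modes) > 1:
                reasons.append("open copy of a password-protected network")
        else:
            if name in GENERIC_NAMES:
                reasons.append("generic name not confirmed by the front desk")
            elif wanted in name:
                reasons.append("look-alike of the confirmed name")
            if sec == "open" and reasons:
                reasons.append("unprotected")
        if reasons:
            findings[mac] = reasons
    return findings

if __name__ == "__main__":
    for mac, reasons in triage(SAMPLE_SCAN, "Seaview Resort").items():
        print(mac, "->", "; ".join(reasons))
```

A twin that copies both the exact name and the security mode passes this check, which is why the VPN advice above still applies after the name has been confirmed.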

The risk: Cyberstalking

Believe it or not, the smart TV in your hotel room can become a gateway for cybercriminals, according to Warmenhoven. Thanks to the TV’s established connection to the hotel Wi-Fi, hackers who gain access to the network can weasel their way into the smart TV too.

“Depending on the aim of intruders, a hacked smart TV could be used for a number of cybercrimes—from cyberstalking travelers with built-in microphones or cameras to stealing personal credentials used to log in to apps on the smart TV and selling them on the dark web,” Warmenhoven says. Even if hackers just have access to a hotel’s Wi-Fi network, they can still collect the browsing history on your devices and use it to stalk or threaten you.

How to stay safe: If you have a smart TV in your hotel room, Warmenhoven suggests keeping it unplugged from power sources when it’s not being used. You should also cover the TV’s webcam and avoid logging in with personal credentials to mitigate your risk of getting hacked, he says.

The risk: Automatic connections

When you stay at a hotel, your devices are constantly surrounded by dozens of public and insecure internet connections. These random Wi-Fi networks may seem harmless, but don’t forget that your devices could automatically join any network that you’ve used before without you even realizing it. Although the automatic connection feature comes in handy for connecting to Wi-Fi in an office or a friend’s house, it poses a significant risk when it comes to joining free public Wi-Fi. The network may have been compromised since your last connection, or worse, a hacker could have swapped it with an evil twin.

How to stay safe: Disabling the automatic connection feature is one solution to protect your device, according to Warmenhoven. On most devices, you can head to your Wi-Fi or network settings and toggle off auto-join options. The second is to install security apps, such as firewalls or VPNs, so that even if the device connects to a compromised Wi-Fi network, it can fight off cybercriminals and hackers who try to access it, he says.

The risk: Spoofing attacks

Is hotel Wi-Fi safe from spoofing? Unfortunately, no. Spoofing attacks via hotel Wi-Fi networks look very similar to data breaches, except the targets are guests instead of employees. In this case, you may select a pop-up ad that appears to be the hotel’s Wi-Fi (it may even have a legitimate-sounding name like “Hilton Free Guest Wi-Fi”) and get redirected to a phony hotel Wi-Fi login page controlled by the hacker.

Entering personal information, such as your email address, phone number and credit card details, on this site will send the info directly to the hacker. And you might be surprised by what a hacker can do with just an email address. They can use it for a wide range of nefarious schemes, including identity theft.

How to stay safe: Before logging in to the hotel Wi-Fi, make sure you confirm the network’s name with the front desk. Keep in mind that you should never have to enter sensitive information like your social security number to access the internet at a hotel. If you are asked to submit financial details to pay for the Wi-Fi, speak to the front desk first.

What to do if you’re hacked while on vacation

Let’s say your device is running slower than usual, you’re getting unusual pop-ups and ads, your applications are crashing or behaving suspiciously, your security software is disabled or your files are missing or modified. Bad news: These could be signs that your device has been hacked. If you notice any of these red flags while on vacation, Warmenhoven and Smith recommend taking the following steps:

  1. Disconnect your device from the hotel’s internet to close the gate to further malware.
  2. Notify the hotel that its network might be compromised.
  3. Change your passwords and enable multifactor authentication on important accounts, such as your email, social media and financial accounts.
  4. Freeze your credit cards and bank accounts, and continue monitoring them for suspicious activity.
  5. Run anti-malware software to detect any malicious applications and processes.
  6. Wipe your device’s memory by performing a factory reset.
  7. Contact a cybersecurity expert, who will have technical expertise to help you ensure the malware doesn’t spread further.

About the experts

  • Adrianus Warmenhoven is a cybersecurity expert at NordVPN. He has worked with the National Forensics Institute on cybercrime and taught at universities on security, performance and scaling. And he was one of the first web hosters in Europe, setting up ISPs in the early ’90s.
  • Gregg Smith is the CEO of MISI, a cybersecurity nonprofit. He has more than 20 years of security and technology experience, including serving as CEO and in board positions for multiple cybersecurity and technology companies.

Brooke Nelson
Brooke Nelson is a tech and consumer products writer covering the latest in digital trends, product reviews, security and privacy, and other news and features for RD.com.