What is piggybacking? Piggybacking isn’t just one kind of attack. It’s a term that covers several methods hackers use to hijack sessions, take over accounts, and steal data. In this guide, we’ll explain the three main forms of piggybacking: public Wi-Fi piggybacking, network piggybacking, and account piggybacking.
Protecting yourself against these threats is a vital cybersecurity skill. We’ll show you how to use a VPN to stop session piggybacking on public Wi-Fi, and how to secure your home network to prevent unauthorized access.
You’ll also learn how to safeguard your online accounts with strong passwords and two-factor authentication (2FA). This will ensure you stay protected from phishing-based and brute-force account piggybacking.
Keep reading to learn about piggybacking in all its forms. We’ll arm you with the right privacy tools to stop cybercriminals from digitally snooping on you. By the end, you’ll know how to prevent the theft of personally identifiable information (PII), which is often exploited to commit fraud and identity theft.
What is piggybacking on public Wi-Fi?
One of the most significant forms of piggybacking can happen when you connect to public Wi-Fi. This type of session piggybacking occurs when hackers join the same public Wi-Fi as you. If the hotspot lacks proper security, uses old hardware, or runs outdated firmware, it could allow hackers to piggyback on your session.
In fact, unless you use a VPN, even a secure Wi-Fi network, such as your home network, can expose you to privacy risks. Did you know that the owner of a Wi-Fi network can potentially monitor your entire web history?
As the bill payer and administrator of the local Wi-Fi network, the network owner has the legal right and technical ability to monitor all traffic. This lets them protect the network against cybersecurity threats and improper use.
However, it also means that the network owner, whether a public hotspot like at a hotel, workplace Wi-Fi, or a home network provided by a parent, landlord, or partner, could be tracking all the domains you visit.
Protect yourself with a VPN
Whether you want to stop local networks from spying on your activities or prevent session piggybacking by hackers on public Wi-Fi, you must protect your data with strong encryption.
The best solution is to use a Virtual Private Network (VPN). A VPN is an online privacy tool that encrypts your data before it leaves your device. This ensures that nobody can piggyback on your browsing sessions, monitor your web visits, or steal unprotected plaintext data.
Here’s how a VPN can help with piggybacking:
- It stops the Wi-Fi provider from monitoring your activity. Whether you are at home, at work, or using public Wi-Fi, the network owner can use traffic-analysis tools to track what you do online. This tracking cannot steal your credentials, but it can reveal the top-level domains you visit. While not piggybacking in the strict sense, this kind of monitoring still causes severe privacy invasions.
- It protects you from insecure public Wi-Fi setups. If the network uses weak passwords, outdated encryption, or misconfigured hardware, a VPN keeps your data safe. VPN encryption ensures that nobody on the local network can view your traffic. They see only scrambled, unreadable data, which means they cannot track you, reroute you, or launch MITM or downgrade attacks.
- It reduces the dangers of Evil Twins. A VPN also limits the risk of joining a fake hotspot. Even if you connect to an Evil Twin, your data remains protected by strong encryption. The hacker can see that you are online but cannot read or modify your traffic. However, a VPN does not make Evil Twins completely safe. Attackers could still probe for open ports or inject malicious pop-ups. For this reason, you should still avoid suspicious Wi-Fi networks whenever possible.
Evil-twin hotspots and how attackers set them up
In some cases, joining a public Wi-Fi could expose you to a fake network designed to mimic a legitimate hotspot. Imagine you are at Toronto Airport and open your Wi-Fi settings to join the free Wi-Fi.
The top option is “Toronto Airport Free Wi-Fi,” so you click it without thinking and join the network. What you failed to notice is that just below it sits another called “Toronto Pearson Public Wi-Fi,” which is the real airport network.
Unfortunately, in the rush, you have joined a fake hotspot that a hacker set up to mimic the local free Wi-Fi. This type of network is named to resemble the free hotspot you expect to find in that location. That is why it is called an Evil Twin.
You might run into an evil twin at Starbucks, in a mall, at a hotel, or in any other public place where free Wi-Fi is available.
The evil twin network lacks proper security. Because it belongs to a hacker, they can piggyback on your sessions to sniff metadata and intercept traffic. They can also force your browser to use unsecured HTTP versions of websites instead of HTTPS.
This rerouting allows the hacker to track your web visits and potentially steal credentials using a Man-in-the-Middle (MITM) attack. As a result, they could gain a foothold in your device or one of your accounts.
How to set up a VPN to block piggybacking: Step-by-step
Using a VPN to protect yourself on public Wi-Fi is easier than you might think. However, it is critical that you choose a reliable VPN with strong encryption settings and solid privacy features.
How to set up a VPN to protect against Wi-Fi piggybacking:
- Choose a reliable VPN. We recommend NordVPN because it is fast, highly secure, and fully audited. Alternatively, Surfshark is an impressive budget VPN that has everything you need to use Wi-Fi securely against tracking, piggybacking, and Evil Twin attacks. Want an even better deal? Total VPN is bundled for free with TotalAV antivirus, so you can get public Wi-Fi protection with your antivirus subscription.
- Sign up for the VPN. You can get the VPN for the lowest possible cost by following our links. We have agreed on a special discount for our readers. This gives you access to a fully tested VPN that protects you against piggybacking on any network.
- Install the VPN app. Our recommended VPNs for public Wi-Fi safety have apps for Android, iOS, Windows, and macOS. This means you can install and use the VPN on any smartphone, tablet, or laptop, giving you security on the go, regardless of which gadget you happen to own.
- Launch the app and sign in. Once you have signed up for a secure VPN and downloaded the application, you are ready to begin. Simply launch the VPN app and log in using the credentials you set up during sign-up.
- Enable core protections. To ensure watertight protection when using public Wi-Fi, enable the VPN kill switch and DNS leak protection in the app settings. Many VPN apps turn DNS leak protection on by default, so the kill switch is usually the setting you need to check. A kill switch blocks all internet traffic if the VPN connection drops, so you don’t accidentally send data over the hotspot unprotected.
- Choose a secure protocol. We recommend using WireGuard or OpenVPN, as these are the most secure protocols for protecting your data against hackers on public Wi-Fi.
- Set auto-connect on unknown Wi-Fi. Some top VPNs offer auto-connect for public Wi-Fi. This feature forces the VPN to connect automatically whenever you join an untrusted hotspot. It prevents you from accidentally exposing your data when you’re out and about using public hotspots.
- Connect to the VPN. As soon as you connect to public Wi-Fi, it’s important to connect to the VPN. Choose a nearby server, as this will give you better speeds and keep the internet behaving as it would in your local region.
- Verify the tunnel is active. Your VPN app should show that it’s connected, and on mobile devices you will see a VPN indicator (a key icon or a “VPN” badge) in the status bar. Want to confirm that the VPN is working properly? Run an IP and DNS leak test to confirm that both your traffic and your DNS lookups are going through the tunnel.
That’s it! You can now use public Wi-Fi with added protection against piggybacking, cyberattacks, and tracking. Just remember to always stay connected to your VPN when using public Wi-Fi or any network that isn’t yours. Don’t stop the VPN until you leave the hotspot and no longer need protection.
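The two things a leak test actually verifies are that your traffic leaves through the tunnel interface and that your DNS lookups are answered inside the tunnel rather than by the hotspot’s resolver. The script below is an added example (not code from the article or from any VPN vendor’s app) that performs both checks on a Linux machine by reading the output of `ip route get 1.1.1.1` (which resolves the policy routing that wg-quick and many VPN apps use, unlike `ip route show`) and `/etc/resolv.conf`. The interface name `wg0`, the resolver address `10.8.0.1`, and the sample outputs are constructed assumptions; substitute your own VPN’s values.

```python
"""Confirm a VPN tunnel really carries both traffic and DNS (Linux).

Added example, not code from the original article or from any VPN vendor.
The interface name "wg0", the resolver 10.8.0.1 and the sample command
outputs below are constructed assumptions.
"""
import re
import subprocess
from typing import Dict, List, Optional, Set

# Constructed sample outputs of `ip route get 1.1.1.1`.
SAMPLE_ROUTE_TUNNELED = "1.1.1.1 dev wg0 table 51820 src 10.8.0.2 uid 1000 \n    cache \n"
SAMPLE_ROUTE_LEAKING = "1.1.1.1 via 192.168.1.1 dev wlan0 src 192.168.1.23 uid 1000 \n    cache \n"

# Constructed sample /etc/resolv.conf contents.
SAMPLE_RESOLV_TUNNELED = "# Generated by the VPN client\nnameserver 10.8.0.1\n"
SAMPLE_RESOLV_LEAKING = "nameserver 192.168.1.1\nnameserver 8.8.8.8\n"


def route_device(route_get_output: str) -> Optional[str]:
    """Return the interface `ip route get` chose for the destination, or None."""
    for line in route_get_output.splitlines():
        m = re.match(r"\S+\s+(?:via\s+\S+\s+)?dev\s+(\S+)", line.strip())
        if m:
            return m.group(1)
    return None


def resolvers(resolv_conf: str) -> List[str]:
    """Return the nameserver addresses listed in resolv.conf, in order."""
    found = []
    for line in resolv_conf.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            found.append(parts[1])
    return found


def check_tunnel(route_get_output: str, resolv_conf: str,
                 tunnel_if: str, tunnel_dns: Set[str]) -> Dict[str, bool]:
    """Two independent checks: packets leave via the tunnel interface, and
    every configured resolver is one that is only reachable inside the tunnel.
    A resolver on the hotspot (e.g. 192.168.1.1) means the Wi-Fi owner still
    sees every domain you look up even while the tunnel is up: a DNS leak."""
    ns = resolvers(resolv_conf)
    return {
        "route_via_tunnel": route_device(route_get_output) == tunnel_if,
        "dns_inside_tunnel": bool(ns) and all(n in tunnel_dns for n in ns),
    }


if __name__ == "__main__":
    # Live run on a Linux host; adjust the interface and resolver to your VPN.
    out = subprocess.run(["ip", "route", "get", "1.1.1.1"],
                         capture_output=True, text=True, check=True).stdout
    with open("/etc/resolv.conf") as f:
        conf = f.read()
    for name, ok in check_tunnel(out, conf, "wg0", {"10.8.0.1"}).items():
        print(f"{name}: {'OK' if ok else 'LEAK'}")
```

Run it once with the VPN off and once with it on: the first run should report both checks as LEAK, the second both as OK. A kill switch that is working will make the first run fail outright (no route at all), which is the behaviour you want.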
Tips and tricks for staying secure on public Wi-Fi
Besides always using a VPN, it’s important to practice good operational security whenever you connect to public Wi-Fi.
The way you use the network can either keep you safe or expose you to unnecessary risks. A VPN is a great first step, but it should always be combined with smart, everyday security habits.
To help you out, we’ve listed the most important safety practices below:
- Keep your operating system up to date. An outdated version of Android, Windows, iOS, or macOS can expose you to vulnerabilities, so it’s vital to always keep your system current.
- Check that all your apps are up to date. Old apps can contain publicly known vulnerabilities (the very bugs that updates fix) that hackers exploit to access your device. Always make sure you trust the apps you install and that you’re using the latest version.
- Ensure you’re using the latest version of your VPN. If you forget to update your VPN, it might use outdated protocols or settings that could weaken your protection.
- Enable your firewall. It is critical that you always use a firewall to protect your device against unwanted access. Check that your firewall is turned on and set up securely for public networks.
- Use an antivirus with real-time protection. A VPN encrypts your data, but it cannot stop you from being infected with malware. Always use a VPN alongside reliable malware protection to prevent infections that could allow hackers to take over your device or sessions.
- Monitor for HTTPS in your browser. When browsing on public Wi-Fi, always check that you’re visiting the website you intended. Hackers can use MITM or SSL-stripping (downgrade) attacks to reroute your data or mimic legitimate sites. Watching for the padlock symbol in your URL bar helps ensure your session is protected with TLS encryption.
- Ensure good browser hygiene. Stick to secure browsers like Firefox or Chrome and enable settings such as “Always use secure connections.” This blocks HTTP sites and keeps your browsing sessions protected by HTTPS.
- Enable Two-Factor Authentication (2FA) for all your accounts. Even if a hacker steals your credentials, they can’t piggyback into your accounts without your second authentication method.
- Forget networks you don’t use. Devices can automatically reconnect to previously used public Wi-Fi networks, exposing you to tracking or fake hotspots. Review your Wi-Fi settings regularly and forget any networks you no longer need.
- Disable automatic Wi-Fi connection. Setting your device to manual connections only will prevent you from accidentally connecting to unsecured networks on the fly. This helps you avoid Evil Twin hotspots and drive-by attacks.
- Avoid logging into sensitive accounts on public Wi-Fi. When you use public Wi-Fi, stick to non-sensitive tasks such as streaming or browsing. Wait until you are on a secure private network (like home broadband) before logging in to banking, shopping, or other high-risk accounts.
What is piggybacking in networking?
In networking, piggybacking refers to gaining unauthorized access to a Wi-Fi network. This can happen in several ways, such as exploiting access to the router’s administration panel, connecting to a Wi-Fi network without a password, or using hacking techniques like KRACK attacks, Wi-Fi deauthentication attacks, or WPA handshake capture attacks.
This can occur if the Wi-Fi is insecure (no password protection) or if a hacker has stolen the credentials for your network. Most often, piggybacking occurs on public Wi-Fi networks without security. These networks are set up without a password to make it easier for customers to connect. However, it also means that someone outside the public space, such as a hacker, could connect to the network and start probing for vulnerabilities in the router or in user-connected devices.
Ultimately, there are many ways a hacker might piggyback into a network. For example, they could sneak into an office, a home, or a public hotspot and connect to Wi-Fi directly. They might also trick someone on the premises into revealing the password. Alternatively, they could use social engineering or phishing to intercept or steal the credentials needed to access a network or account.
How to protect your Wi-Fi network against piggybacking
It is vital that you secure your home Wi-Fi network to prevent anyone on the street from accessing it. If someone logs into your Wi-Fi, they could probe for vulnerabilities, gain access to your devices, attach them to a botnet, or launch other cyberattacks or malware infections.
- Disconnect unauthorized devices from your network. Log in to your router and remove any devices you don’t recognize. Many routers also let you block unknown users.
- Change your Wi-Fi password immediately. Use a strong, unique password that’s difficult to guess. Changing it forces all devices to reconnect and cuts off piggybackers.
- Change the password for your router’s admin panel. Replace the default admin password with a strong, unique one. Default credentials are easy for hackers to guess or find online.
- Enable WPA3 encryption and disable WPS. Configure your router to use WPA3, the most secure Wi-Fi encryption standard. Turn off WPS (Wi-Fi Protected Setup) to close an easy entry point for hackers.
- Rename your network (SSID). Give your Wi-Fi a unique name that doesn’t reveal personal information. Renaming the SSID breaks auto-connect on unauthorized devices and makes your network harder to identify.
- Monitor connected devices. Check your router or network dashboard regularly to see which devices are connected. Remove any you don’t recognize and block them from reconnecting.
- Disable SSID broadcasting. Hiding your Wi-Fi network name adds an extra layer of privacy. It won’t stop determined attackers, but it helps prevent casual users from connecting.
- Set up a guest network. Create a separate guest Wi-Fi network that’s isolated from your main one. Use a strong password and update it regularly to protect your personal devices and data. This ensures guests don’t have access to the password for your primary Wi-Fi network, which segregates devices and helps prevent lateral attacks.
- Keep your software and firmware updated. Always update your router, firewall, and connected devices. Firmware updates patch vulnerabilities that hackers could exploit to piggyback on your home network.
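Checking the router dashboard by hand works, but the same comparison can be scripted. The script below is an added example (not code from the article or from any router vendor) that reads a dnsmasq-style DHCP lease file, which many home routers keep at a path such as `/var/lib/misc/dnsmasq.leases` or `/tmp/dhcp.leases`, and lists every device whose MAC address is not on your own allowlist. It also flags addresses that look randomised, because modern phones generate a fresh MAC per network and will not match a hardware-MAC allowlist; that is a likely false positive, not an intruder. The lease lines, the allowlist, and the file path are constructed assumptions.

```python
"""Flag devices on the home network that are not on your own allowlist.

Added example, not part of the original article or any router's firmware.
Lease lines follow the dnsmasq format: expiry-epoch MAC IP hostname client-id.
The sample leases, the allowlist and the lease path are constructed.
"""
import sys
from typing import Dict, List

# Constructed lease file contents.
SAMPLE_LEASES = """\
1717000000 3c:22:fb:11:22:33 192.168.1.20 anna-laptop 01:3c:22:fb:11:22:33
1717000100 a4:83:e7:44:55:66 192.168.1.21 living-room-tv *
1717000200 d6:91:0c:77:88:99 192.168.1.37 * 01:d6:91:0c:77:88:99
"""

# Constructed allowlist: MAC address -> friendly name.
KNOWN_DEVICES = {
    "3c:22:fb:11:22:33": "Anna's laptop",
    "a4:83:e7:44:55:66": "Living room TV",
}


def parse_leases(text: str) -> List[Dict[str, str]]:
    """Parse dnsmasq lease lines into dicts; malformed lines are skipped."""
    leases = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        leases.append({
            "expiry": parts[0],
            "mac": parts[1].lower(),
            "ip": parts[2],
            # dnsmasq writes '*' when the client sent no hostname
            "hostname": "" if parts[3] == "*" else parts[3],
        })
    return leases


def is_locally_administered(mac: str) -> bool:
    """True when bit 1 of the first octet is set. Such MACs are locally
    administered, which is what phones use for per-network randomised
    addresses, so they never match a hardware-MAC allowlist."""
    return bool(int(mac.split(":")[0], 16) & 0x02)


def unknown_devices(lease_text: str, known: Dict[str, str]) -> List[Dict[str, object]]:
    """Return every lease whose MAC is not on the allowlist, with a hint
    whether the address looks randomised (a known phone rotating its MAC)."""
    known_lower = {m.lower() for m in known}
    return [
        {"mac": l["mac"], "ip": l["ip"], "hostname": l["hostname"],
         "randomized_mac": is_locally_administered(l["mac"])}
        for l in parse_leases(lease_text)
        if l["mac"] not in known_lower
    ]


if __name__ == "__main__":
    # Usage: python audit_leases.py /var/lib/misc/dnsmasq.leases
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path).read() if path else SAMPLE_LEASES
    for d in unknown_devices(text, KNOWN_DEVICES):
        note = " (randomised MAC: possibly a known phone)" if d["randomized_mac"] else ""
        print(f"unknown device {d['mac']} at {d['ip']} {d['hostname'] or '<no hostname>'}{note}")
```

On the constructed sample the script reports one unknown device at 192.168.1.37 and notes that its address is randomised. Before blocking such an entry, check whether a family member’s phone has “private address” enabled for your network; if nobody claims it, block the MAC in the router and change the Wi-Fi password, since the client clearly had it.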
What is account piggybacking?
Account piggybacking occurs when a hacker successfully steals your login credentials. A hacker can achieve this in a number of ways:
- Infecting you with malware to engage in data theft and steal your password.
- Infecting you with a Remote Access Trojan to take over your device and use apps and services as if they were you.
- Phishing for your credentials to log in to your accounts.
- Brute forcing your password, which is only possible if you use a weak password and forget to set up 2FA.
- Hacking your password from a service provider during a cyberattack.
- Gaining access to your password due to poor online platform security or accidental leaks.
- Exploiting password reuse. If you use the same password across multiple accounts, you could suffer a credential-stuffing attack. You become vulnerable if your credentials have already been leaked or hacked from another service. Attackers run automated bots that try leaked email and password pairs across hundreds of sites, which is why it’s critical to use unique passwords for every account you own.
- Purchasing your credentials or passwords on the dark web.
- Support impersonation. Hackers may trick you into providing your credentials by pretending to work for the service in question. Never provide your password or 2FA codes to anyone.
- Browser autofill and saved passwords. If someone gains physical access to your unlocked device, they could steal your passwords or use any services that were left logged in.
- Compromised recovery channels. If someone has gained unauthorized access to your email account, they could perform a password reset to take control of one of your accounts.
- OAuth / third-party app abuse. Some apps use a technology called OAuth to let you log in quickly using another service, such as Google, Facebook, or Apple. While this is convenient, it can also be risky if the third-party app requests excessive permissions. In some cases, these permissions allow the app to act on your behalf, such as accessing your contacts, email, or cloud storage. Hackers may exploit these permissions to log in to your accounts. These types of attacks become a greater risk if you root or jailbreak your device or install apps from untrusted sources.
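The credential-stuffing pattern described in this list has a recognisable shape in login logs: one source address trying many different usernames in a short burst, as opposed to a brute-force attempt, which hammers a single username. The script below is an added example (not code from the article or from any vendor product) that tells the two apart over constructed authentication log lines and lists any successful login inside a stuffing run, because that is the account whose reused password has just been confirmed and needs a forced reset. The log format, IP addresses, usernames, and thresholds are all assumptions.

```python
"""Tell credential stuffing apart from single-account brute force in login logs.

Added example, not code from the original article or any vendor product.
Log lines are constructed, in the form:
    <ISO timestamp> ip=<addr> user=<name> result=<ok|fail>
Thresholds are assumptions; tune them to your own login volumes.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

SAMPLE_LOG = """\
2024-05-01T10:00:01Z ip=203.0.113.5 user=alice result=fail
2024-05-01T10:00:02Z ip=203.0.113.5 user=bob result=fail
2024-05-01T10:00:02Z ip=203.0.113.5 user=carol result=fail
2024-05-01T10:00:03Z ip=203.0.113.5 user=dave result=fail
2024-05-01T10:00:04Z ip=203.0.113.5 user=erin result=ok
2024-05-01T10:00:05Z ip=203.0.113.5 user=frank result=fail
2024-05-01T10:01:00Z ip=198.51.100.7 user=bob result=fail
2024-05-01T10:01:05Z ip=198.51.100.7 user=bob result=fail
2024-05-01T10:01:10Z ip=198.51.100.7 user=bob result=fail
2024-05-01T10:01:15Z ip=198.51.100.7 user=bob result=fail
2024-05-01T10:01:20Z ip=198.51.100.7 user=bob result=fail
2024-05-01T10:05:00Z ip=192.0.2.9 user=alice result=fail
2024-05-01T10:05:30Z ip=192.0.2.9 user=alice result=ok
"""


def parse_line(line: str) -> Dict[str, object]:
    """Turn one log line into {"ts": datetime, "ip": str, "user": str, "ok": bool}."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return {
        # fromisoformat() only accepts a 'Z' suffix from Python 3.11 on
        "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
        "ip": fields["ip"],
        "user": fields["user"],
        "ok": fields["result"] == "ok",
    }


def classify_sources(log_text: str, window: timedelta = timedelta(minutes=5),
                     min_attempts: int = 5, min_distinct_users: int = 3) -> Dict[str, Dict[str, object]]:
    """Group attempts by source IP and label each source:
    credential_stuffing - many attempts against many different usernames in
                          one short window (leaked email/password pairs replayed);
    brute_force         - many attempts against a single username;
    normal              - below the thresholds.
    'successes' lists the usernames that logged in from that source, so
    accounts hit during a stuffing run can be forced through a password reset."""
    by_ip: Dict[str, List[Dict[str, object]]] = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            e = parse_line(line)
            by_ip[e["ip"]].append(e)

    verdicts = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        span = events[-1]["ts"] - events[0]["ts"]
        users = {e["user"] for e in events}
        label = "normal"
        if len(events) >= min_attempts and span <= window:
            if len(users) == 1:
                label = "brute_force"
            elif len(users) >= min_distinct_users:
                label = "credential_stuffing"
        verdicts[ip] = {
            "label": label,
            "attempts": len(events),
            "distinct_users": len(users),
            "successes": [e["user"] for e in events if e["ok"]],
        }
    return verdicts


if __name__ == "__main__":
    for ip, v in classify_sources(SAMPLE_LOG).items():
        print(f"{ip}: {v['label']} ({v['attempts']} attempts, "
              f"{v['distinct_users']} users, logged in as {v['successes'] or 'nobody'})")
```

On the constructed sample, 203.0.113.5 is labelled credential stuffing with a successful login as `erin`, 198.51.100.7 is brute force against `bob`, and 192.0.2.9 is a normal user who mistyped once. The response differs: the stuffing hit on `erin` means that password is already in a leaked list and should be reset, whereas `bob` is protected as long as the password is strong and 2FA is on.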
How to protect your email account against piggybacking
One of the most dangerous forms of piggybacking happens when a hacker gains access to your email account. This is extremely risky because it allows the hacker to reset passwords for any service linked to that email address.
Tips and tricks to protect your email account against piggybacking:
- Use strong, unique passwords. Never reuse passwords across multiple accounts, and ensure that they are more than 15 characters long (using a mix of numbers, upper and lower case letters, and symbols).
- Turn on two-factor authentication (2FA). This adds a second layer of protection. Even if someone steals your password, they can’t log in without your code or device.
- Use a password manager to store and generate strong passwords automatically.
- Check your active sessions. Most providers let you see where your account is signed in. Check regularly and log out of any devices you don’t recognize.
- Watch for phishing emails. Never click suspicious links or download attachments from unknown senders.
Sticking to these simple OpSec habits will help prevent most common methods of email piggybacking.
Protecting emails for businesses and domain owners
This article is primarily aimed at helping consumers protect against email account takeovers. However, to cover all bases, we’ve included some useful information for businesses too.
If you manage your own company domain or business email, it’s vital to secure your email infrastructure to prevent spoofing and impersonation. This is where protocols such as SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), DMARC (Domain-based Message Authentication, Reporting and Conformance), BIMI, MTA-STS, and TLS-RPT come in. SPF, DKIM, and DMARC let receiving mail servers verify that a message claiming to come from your domain was actually authorised by you; MTA-STS and TLS-RPT enforce and report on TLS encryption for mail in transit; and BIMI displays your verified brand logo next to authenticated messages.
Together, they help protect your company’s domain from abuse and ensure that attackers can’t forge or impersonate your business emails. Network administrators configure these protections within the domain’s DNS records, rather than inside regular email apps like Gmail or Outlook.
Tools such as DMARC Generators, DMARC Reporting, and platforms like PowerDMARC make setup easier. Still, your network administrator or IT security officer must understand how to implement and maintain these email authentication protocols correctly. Always ensure your IT team is properly trained to secure the company’s mail infrastructure.
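Whoever maintains these records should be able to read them, not just generate them. The script below is an added example (not code from the article, from PowerDMARC, or from any other product) that lints the text of a domain’s DMARC and SPF records for the weaknesses that most often leave a domain spoofable: a DMARC policy of `p=none` (monitor only), no reporting address, a partial `pct`, an SPF record ending in `+all` or `?all`, the deprecated `ptr` mechanism, and more than the ten DNS-lookup terms RFC 7208 allows. It works on record text you already have (copied from your DNS console or fetched with `dig TXT _dmarc.yourdomain`) and makes no DNS queries itself; the records for `example.com` below are constructed.

```python
"""Lint the DMARC and SPF records a domain publishes.

Added example, not code from the original article or from any DMARC product.
Works on record text only (no DNS queries). The example.com records are
constructed.
"""
from typing import Dict, List

SAMPLE_DMARC_WEAK = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
SAMPLE_DMARC_STRONG = ("v=DMARC1; p=reject; sp=reject; pct=100; "
                       "rua=mailto:dmarc@example.com; adkim=s; aspf=s")
SAMPLE_SPF_WEAK = "v=spf1 a mx include:_spf.example.net ptr +all"
SAMPLE_SPF_STRONG = "v=spf1 include:_spf.example.net ip4:203.0.113.0/24 -all"

# SPF terms that cost a DNS lookup; RFC 7208 caps them at 10 per evaluation.
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'tag=value; tag=value' into a dict (tags lower-cased)."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def lint_dmarc(record: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing to fix."""
    tags = parse_dmarc(record)
    findings = []
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record (missing v=DMARC1)"]
    p = tags.get("p")
    if p is None:
        findings.append("missing p= tag; receivers will ignore the record")
    elif p == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    elif p == "quarantine":
        findings.append("p=quarantine sends spoofed mail to spam instead of rejecting it")
    if "rua" not in tags:
        findings.append("no rua= address; you will receive no aggregate reports")
    pct = tags.get("pct", "100")
    if pct != "100":
        findings.append(f"pct={pct}: the policy applies to only that share of mail")
    return findings


def lint_spf(record: str) -> List[str]:
    """Check the terminating mechanism, deprecated terms and the lookup limit."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (missing v=spf1)"]
    findings = []
    lookups = 0
    last_name = ""
    for term in terms[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"   # '+' is the default
        body = term[1:] if term[0] in "+-~?" else term
        name = body.split(":", 1)[0].split("=", 1)[0].lower()
        last_name = name
        if name in SPF_LOOKUP_TERMS:
            lookups += 1
        if name == "ptr":
            findings.append("ptr mechanism is deprecated by RFC 7208 and slow to evaluate")
        if name == "all":
            if qualifier == "+":
                findings.append("'+all' authorises every host on the internet to send as your domain")
            elif qualifier == "?":
                findings.append("'?all' is neutral; spoofed mail is not marked as failing")
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms exceed the RFC 7208 limit of 10 (permerror)")
    if last_name not in ("all", "redirect"):
        findings.append("record does not end with an all mechanism (or redirect=)")
    return findings


if __name__ == "__main__":
    for label, rec, lint in (("DMARC", SAMPLE_DMARC_WEAK, lint_dmarc),
                             ("SPF", SAMPLE_SPF_WEAK, lint_spf)):
        print(f"{label}: {rec}")
        for f in lint(rec) or ["no findings"]:
            print(f"  - {f}")
```

The usual rollout is to publish DMARC at `p=none` with a `rua=` address first, read the aggregate reports until every legitimate sender passes SPF or DKIM, then move to `p=quarantine` and finally `p=reject`; the linter will keep reporting the weaker policies until that last step, which is the intended reminder.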
Piggybacking FAQs
Can a VPN prevent piggybacking?
Yes. A VPN helps prevent session-based piggybacking when you use public Wi-Fi by encrypting your traffic so hackers can’t intercept or monitor your data. It also protects against legitimate tracking by network administrators on any network you don’t directly control – including public Wi-Fi, workplace networks, or even home Wi-Fi provided by a landlord or someone else.
Can piggybacking steal my bank login?
Yes. If you connect to an insecure or fake Wi-Fi hotspot, hackers can intercept unencrypted data and steal your banking credentials. Always use a VPN on public Wi-Fi and avoid logging in to sensitive accounts until you are on a secure private network (ideally, your home broadband).
What is shoulder surfing?
Shoulder surfing is a proximity attack where someone spies on you as you enter sensitive information, such as passwords, PINs, or login details. It often happens in public spaces like cafes, airports, or offices.
If a criminal is sitting behind you, they may be able to watch your screen or record your keystrokes from a distance using cameras or binoculars. Once they have your credentials, they can log in to your accounts.
What is tailgating?
Tailgating, also known as physical piggybacking, occurs when an unauthorized person follows someone into a restricted area without proper access credentials. This is unrelated to digital piggybacking.