piggybacking in cybersecurity

Piggybacking is when an unauthorized person takes advantage of a legitimate user’s existing access privileges to gain access to a computer system, network, internet session, or online account. It poses a risk to anyone who uses the internet.

Piggybacking falls into three main categories:

  • Wi-Fi piggybacking: someone connects to your wireless network or intercepts your traffic on a public Wi-Fi network.
  • Session piggybacking: someone hijacks your browsing session to monitor activity or steal data.
  • Account piggybacking: someone uses stolen login credentials to access your email, banking, or social media accounts.

If you use public Wi-Fi, share a home network, or store passwords online, understanding piggybacking helps you reduce the risk of identity theft, fraud, and privacy breaches.

Quick answer: How to protect yourself from piggybacking

If you only remember five things, make them these:

  1. Use a reputable VPN when connecting to public Wi-Fi.
  2. Turn on two-factor authentication (2FA) for all important accounts.
  3. Use unique passwords (store these in a password manager for convenience).
  4. Keep your devices and router updated.
  5. Learn how to check for unfamiliar devices and login sessions.

These steps prevent the most common forms of piggybacking.

Piggybacking on public Wi-Fi

The most common use of the term “piggybacking” refers to attacks on public Wi-Fi networks. When you connect to Wi-Fi in an airport, hotel, café, or shopping center, other people on the same network may attempt to:

  • Monitor the websites you visit
  • Redirect you to fake login pages
  • Capture unencrypted data
  • Exploit vulnerabilities in your device

Modern websites use HTTPS, which greatly reduces this risk, but public Wi-Fi can still expose you to phishing, malicious redirects, and fake hotspots.

Example: Fake airport Wi-Fi

Let’s say you arrive at the airport with plenty of time to spare. You open your laptop and see two networks:

Airport_Free_WiFi
Airport Public Wi-Fi

One is legitimate, while the other is a fake hotspot controlled by an attacker. If you connect to the rogue network, the attacker may:

  • Monitor DNS requests
  • Inject malicious pages
  • Prompt you to install software
  • Capture credentials entered into phishing sites

This is known as an evil twin attack. I’ve identified fake hotspots in hotels, train stations, and convention centers, so they’re a real threat.

Even using the legitimate versions of public Wi-Fi networks isn’t without risk. What many people don’t realize is that the network owner (the person paying the bills) has the legal right and the technical ability to monitor all traffic. This means they could potentially track all the domains you visit.

How a VPN helps

A Virtual Private Network encrypts traffic between your device and the VPN provider’s server.

This prevents local network operators and nearby attackers from easily inspecting your internet activity.

A VPN is especially useful on:

  • Airport Wi-Fi
  • Hotel networks
  • Coffee shop hotspots
  • Shared accommodation Wi-Fi
  • Workplace guest networks

What a VPN does well

  • Encrypts traffic in transit
  • Hides DNS requests from the local network
  • Reduces the risk of traffic interception
  • Protects privacy from network administrators

How to set up a VPN to protect against Wi-Fi piggybacking

  • Choose a reliable VPN. I’d recommend NordVPN because it’s fast, secure, and fully audited. Surfshark and Total VPN are good options for those on a budget.
  • Sign up for the VPN.
  • Install the VPN app.
  • Launch the app and sign in.
  • Enable core protections. A VPN kill switch blocks your internet if the VPN connection drops, which ensures you don’t accidentally expose data to the network. Although it can get a little annoying when you’re at home, it’s vital to enable the kill switch when you’re out and about.
  • Choose a secure protocol. Most consumer VPNs use WireGuard by default, but it’s worth double-checking that you’re not getting lumped with L2TP or PPTP.
  • Set auto-connect on unknown Wi-Fi. This option is only available from the better-quality providers.
  • Connect to the VPN.
  • Verify the tunnel is active. The easiest way to do this is by checking that your IP address has changed.

Safe public Wi-Fi checklist

When I use public Wi-Fi. I automatically do the following:

  • Confirm the correct network name with staff.
  • Enable a VPN for public Wi-Fi before browsing.
  • Ensure websites use HTTPS (most do).
  • Disable automatic Wi-Fi connections.
  • Avoid banking or other sensitive tasks if possible.
  • Keep a firewall enabled.
  • Install any updates promptly.

These steps significantly reduce exposure to Wi-Fi-based piggybacking.

Piggybacking in networking

In networking, piggybacking means using someone else’s wireless network without permission.

Examples include:

  • Connecting to a neighbor’s Wi-Fi
  • Guessing a weak password
  • Exploiting router vulnerabilities
  • Using default administrator credentials
  • Unauthorized users may consume bandwidth, access shared devices, or attempt attacks against computers on the network.

Risks of unauthorized Wi-Fi access

If someone gains access to your home network, they may:

  • Slow your internet connection
  • Scan devices for vulnerabilities
  • Attempt malware infections
  • Access poorly secured shared folders
  • Hide criminal activity behind your IP address

How to secure your home Wi-Fi

To prevent network piggybacking and secure your home Wi-Fi:

  • Use WPA3 encryption (or WPA2 if WPA3 is unavailable)
  • Change the default router administrator password
  • Disable WPS
  • Install router firmware updates
  • Create a separate guest network
  • Review connected devices periodically

These measures make unauthorized access far more difficult.

Account piggybacking

Account piggybacking occurs when an attacker gains access to one of your online accounts.

Common methods include:

Once attackers control an account, they may read emails, reset passwords, steal personal data, or commit fraud.

Why email accounts are high-value targets

Your email account is often the key to all your other accounts. If an attacker accesses your email, they can:

  • Reset passwords
  • Read verification codes
  • Search for financial information
  • Impersonate you

For this reason, email security should be a top priority.

How to protect your accounts

Use the following best practices:

  • Strong Passwords: Create unique passwords of at least 14–16 characters.
  • Password Manager: Use a password manager to generate and store credentials securely.
  • Two-Factor Authentication: Enable 2FA using an authenticator app or hardware security key.
  • Session Monitoring: Review active sessions and sign out of unfamiliar devices.
  • Phishing Awareness: Check senders and links carefully before entering credentials.
  • Recovery Security: Protect your recovery email and phone number.

Related terms

The following attacks are distinct but often discussed alongside piggybacking:

  • Shoulder Surfing: Someone watches you enter passwords or PINs in public.
  • Tailgating: An unauthorized person follows someone into a secure building.
  • Session Hijacking: An attacker steals session cookies to impersonate you online.

Piggybacking summary

Piggybacking is a broad term for unauthorized access to networks, sessions, and accounts.

For most people, the biggest risks come from:

  • Public Wi-Fi
  • Weak home network security
  • Reused passwords
  • Unprotected email accounts

By using a VPN, enabling 2FA, securing your router, and practicing good password hygiene, you can prevent the vast majority of piggybacking attacks and use the internet with greater confidence.