I sat at my favorite coffee shop last Tuesday morning, nursing a flat white and checking my bank account on their WiFi. Within 45 minutes, someone had attempted to access my PayPal. Within three days, I discovered unauthorized charges on a credit card I hadn't used in two years. The worst part? I'm not even close to being alone in this.
The False Sense of Security
Coffee shop WiFi feels safe because it's in a public place. There are people around. Surely someone would notice if something sketchy was happening, right? Wrong. Dead wrong.
When you connect to an unsecured network—and let's be honest, most coffee shop networks are unsecured despite claims otherwise—you're essentially broadcasting everything you do to anyone within range with basic hacking knowledge. Your passwords, emails, banking credentials, literally everything. A 2023 Norton LifeLock study found that 73% of people admit to using public WiFi for sensitive activities like online banking, yet only 29% use a VPN. That gap isn't just a statistic; it's a giant neon sign for cybercriminals.
What really gets me is how normalized this has become. The coffee shop has a cute sign saying "Free WiFi!" like they're doing you a favor. And technically, they are offering free internet. But they're not offering security. They're offering an open highway for data theft, and most customers have no idea how exposed they really are.
The "Evil Twin" Network Trap
Here's a technique that keeps me up at night: the evil twin network. A hacker sets up a fake WiFi hotspot with a name almost identical to the real one. "CoffeeShopWiFi" versus "CoffeeShop_WiFi." They both appear on your device's list. You connect to the wrong one thinking it's legitimate. Now the hacker has direct access to everything on your device—your messages, your photos, your login credentials.
I actually watched this happen to someone sitting next to me. A young woman was filling out a job application, and I could see over her shoulder that she'd connected to a suspicious network. I mentioned it to her, and she switched networks immediately. She was furious—not at me, but at the fact that the coffee shop hadn't done more to prevent this vulnerability. "Why don't they have a secure password or something?" she asked. Valid question.
The answer is usually laziness or cost-cutting. Setting up a properly secured network requires actual technical expertise and ongoing maintenance. Many small coffee shops simply flip on a basic router and call it a day. They're betting you won't get hacked. Sometimes that bet pays off. Sometimes it doesn't.
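A defensive check for the look-alike names described above, as an added example that is not part of the original post: it compares scanned network names against one you trust and flags near-matches, or the same name served by an unknown access point. The scan data, the trusted BSSID and the function names are constructed for illustration.

```python
import re
import unicodedata
from difflib import SequenceMatcher

# Constructed scan results (SSID, BSSID, security); not captured from a real network.
SCAN = [
    ("CoffeeShopWiFi", "a4:2b:b0:11:22:33", "WPA2"),
    ("CoffeeShop_WiFi", "02:1a:11:fe:dc:ba", "Open"),
    ("CoffeeShopWiFi", "02:00:5e:10:20:30", "Open"),
    ("HomeNet-5G", "3c:84:6a:aa:bb:cc", "WPA2"),
]

def skeleton(ssid):
    """Reduce an SSID to a comparison key: fold case, map 0/1 to o/l, drop separators."""
    s = unicodedata.normalize("NFKC", ssid).casefold()
    s = s.translate(str.maketrans("01", "ol"))
    return re.sub(r"[\s_\-.]", "", s)

def find_lookalikes(trusted_ssid, trusted_bssids, trusted_security, scan, threshold=0.85):
    """Return (ssid, bssid, reason) for networks that imitate the trusted one.

    trusted_bssids is an assumed allow-list of the shop's real access points.
    A BSSID can be cloned, so a clean result is a hint, not proof of safety.
    """
    want = skeleton(trusted_ssid)
    findings = []
    for ssid, bssid, security in scan:
        if bssid.lower() in trusted_bssids:
            continue  # known access point
        ratio = SequenceMatcher(None, want, skeleton(ssid)).ratio()
        if ssid == trusted_ssid:
            reason = "same name, unknown BSSID"
        elif ratio >= threshold:
            reason = "look-alike name"
        else:
            continue  # unrelated network
        if security != trusted_security:
            reason += ", security differs"
        findings.append((ssid, bssid, reason))
    return findings

if __name__ == "__main__":
    for hit in find_lookalikes("CoffeeShopWiFi", {"a4:2b:b0:11:22:33"}, "WPA2", SCAN):
        print(hit)
```
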
What Actually Happened to My Accounts
Let me walk you through my specific nightmare because it's probably going to resonate with someone reading this. After that coffee shop visit, I started noticing weird stuff. Small charges appeared—$3.99 here, $2.49 there—on an old credit card. These were intentionally small amounts because hackers know people often don't notice or report small unauthorized charges. It's a technique called "carding" or testing stolen payment information.
Then came the PayPal incident. Someone tried logging into my account from an IP address in Lithuania. The attempt was blocked because I have two-factor authentication enabled, but the fact that someone even had my email and password was chilling. My password is 16 characters with mixed case, numbers, and symbols. I'd used it nowhere except that one coffee shop visit where I'd accessed my email.
The actual recovery process took weeks. Freezing credit cards, disputing charges, changing passwords everywhere, monitoring my credit report. And I'm tech-savvy. I understand cybersecurity. Most people don't. Most people just shrug and figure "oh well, the bank will handle it." Some banks do. Some don't.
The Coffee Shop Industry's Lack of Accountability
When I complained to the coffee shop manager about the security vulnerability, he basically shrugged. "There's nothing we can do," he said. "WiFi is just offered as-is." He didn't apologize, didn't offer solutions, didn't even seem particularly concerned that his free service had potentially exposed me to identity theft.
This is the real complaint here: there's zero accountability. Coffee shops offer free WiFi as a loss leader to get you in the door. They make money on the coffee, not the internet. So they have zero incentive to invest in security. The liability issue is murky at best. You're using their service for free, so there's an implicit understanding that you're assuming risk. Legally, it's basically impossible to sue a coffee shop because their free WiFi led to your data being compromised.
Meanwhile, chain coffee shops like Starbucks actually offer secured networks to customers, and they still use simple passwords displayed on the receipts. Progress, but barely. And independent shops? Most of them are still operating like it's 2005.
What You Should Actually Be Doing
This is where I sound like every tech advice article ever, but it's important: use a VPN. Not sometimes. Every time. Even if you're "just" checking your email. Even if you're "only" browsing news sites. Treat public WiFi like unfiltered tap water in a foreign country—assume it's compromised and protect yourself accordingly.
Beyond that, disable auto-connect on your devices, use two-factor authentication everywhere, avoid accessing financial accounts on public networks, and consider using mobile hotspots from your phone instead when possible. It uses your cellular data, but at least you're not broadcasting your information to everyone in a five-mile radius.
But here's what really bothers me: none of this should be necessary. We've normalized a system where coffee shops serve you a cup of coffee and a side of data vulnerability. If you want to read more about how companies knowingly make things unnecessarily difficult and risky for customers, check out The Subscription Silence: Why Companies Make It Intentionally Harder to Cancel Than to Sign Up—it's the same energy, different industry.
The coffee shop WiFi scam isn't some elaborate conspiracy. It's just what happens when convenience and profit incentives override basic security measures. And until customers start demanding better, or regulations start enforcing standards, that's probably not going to change.
