I’ve been working remotely for over 25 years. I’ve filed tax returns from hotel lobbies, joined client calls from airport lounges, and written articles in more European cafes than I can count. I thought I knew what I was doing.

Then my Facebook got hacked.

I still don’t know exactly how it happened. I am normally very careful about connecting to the airport WiFi, but as it was my local hub it may have connected automatically. I didn’t know what had happened until much later, so I don’t recall much, other than that I was doing what I always do — checking messages, managing groups, scrolling through notifications, killing time in the lounge before a flight.

Then I spent a long day travelling, and offline. By the time I realised, hours and hours later, they’d locked me out and were already using my account. Whatever they did with it promptly got my account blocked and suspended, which was almost a relief, when I had no idea what they were doing with it in my name.

It was more than unsettling. As regular readers will know, I operate more than 10 different groups for Remote Work Europe, including our flagship group for Spain, and I pay for a Meta Verified account. But guess what? When you’re locked out of your account, you can’t contact Meta!

It took weeks, the involvement of the local Guardia Civil, and the assistance of a Meta security engineer who finally got tagged and responded to my pleas for help on LinkedIn. I could write that story one day (legally, it is still going on), but this is not that story!

The learning is the story. I didn’t lose money or client data, I lost access to my social media, which for most people wouldn’t have any business implications at all — but it was the kind of wake-up call that makes you reassess everything. If they could get into Facebook, what else were they close to? My email? My banking? The client systems I access through the same browser?

I was actually quite embarrassed too. In addition to writing about distributed leadership and remote teams, I cut my teeth as a tech journalist and a collaboration specialist; I even wrote about blockchain and network ledgers, and for years wrote a column for mature expats about how to do things online. I saw myself as the kind of person other people asked for advice about how to stay digitally safe. I had 2FA on, but the reset alerts were being sent to a phone number I had never owned.

That airport WiFi moment changed how I approach digital security entirely. I started by removing all the unknown connections I had accessed over the years, which sat quietly in my settings (here’s how to do that on your Mac, by the way).
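The clean-up described above, as an added example that is not part of the original article: a dry-run macOS shell script that lists saved (auto-join) networks and reports every one that is not on a keep list. The interface name `en0`, the keep list and the sample network names are assumptions; the sample output is constructed.

```shell
#!/bin/sh
# Added example: audit saved (auto-join) Wi-Fi networks on macOS. Dry run by default.
# Assumption: Wi-Fi is en0; confirm with `networksetup -listallhardwareports`.
IFACE="${IFACE:-en0}"

# Constructed sample of `networksetup -listpreferredwirelessnetworks en0` output,
# used when the script runs on a machine without networksetup.
SAMPLE_OUTPUT='Preferred networks on en0:
    Home-5G
    Airport_Free_WiFi
    Hotel Lobby Guest
    CoworkLisbon'

# Networks you still trust, one per line (constructed names).
KEEP='Home-5G
CoworkLisbon'

# stale_networks LIST KEEP: print each saved network that is not on the keep list.
stale_networks() {
    # Drop the header line and the indentation, then compare line by line.
    printf '%s\n' "$1" | sed -e '1d' -e 's/^[[:space:]]*//' -e '/^$/d' |
    while IFS= read -r ssid; do
        # -F fixed string, -x whole line: an SSID must match exactly to be kept.
        if ! printf '%s\n' "$2" | grep -Fxq -- "$ssid"; then
            printf '%s\n' "$ssid"
        fi
    done
}

# forget_stale LIST KEEP: report stale networks; remove them only when APPLY=1.
forget_stale() {
    stale_networks "$1" "$2" | while IFS= read -r ssid; do
        if [ "${APPLY:-0}" = "1" ]; then
            networksetup -removepreferredwirelessnetwork "$IFACE" "$ssid" </dev/null
        else
            printf 'would forget: %s\n' "$ssid"
        fi
    done
}

if command -v networksetup >/dev/null 2>&1; then
    saved=$(networksetup -listpreferredwirelessnetworks "$IFACE")
else
    saved=$SAMPLE_OUTPUT
fi
forget_stale "$saved" "$KEEP"
```

Run it once as-is to review the list, edit `KEEP`, then run it with `APPLY=1` to actually forget the networks.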

This isn’t theoretical — it’s happening at airports right now

If you think airport WiFi hacking sounds like something from a thriller film, consider what happened in Australia in 2024. A 44-year-old man set up fake WiFi networks at Perth, Melbourne, and Adelaide airports — and on domestic flights — using a portable wireless device that cost under $500. Passengers who connected were redirected to convincing login pages that harvested their email and social media credentials.

He was sentenced to over seven years in prison. But the damage was already done for every traveller who connected.

This is what security researchers call an “evil twin” attack — a fake WiFi hotspot that looks identical to the legitimate one. When you see “Airport_Free_WiFi” in the list, how do you know which one is real? You don’t. And HTTPS encryption — the padlock in your browser — doesn’t protect you if you’ve already connected to an attacker’s network and entered your credentials on their fake portal.

It’s not just airports. In 2024, free WiFi at 19 major UK railway stations operated by Network Rail was compromised. The UAE has recorded over 12,000 WiFi network breaches since the beginning of 2025 alone. A 2024 study found that 68% of public WiFi users have faced at least one cybersecurity risk.

For remote workers, this is no edge case; it’s more like our everyday working environment.

Why remote workers are uniquely exposed

If you work from an office, your company’s IT team handles network security. There’s a firewall, a managed VPN, endpoint protection, and someone whose job it is to worry about this so you don’t have to.

When you work from a cafe in Barcelona, a coworking space in Lisbon, or an airport lounge in Amsterdam, you are the IT department. And most of us are not doing a great job of it.

Here’s what makes remote workers — especially freelancers and digital nomads — particularly vulnerable:

  • We connect to dozens of networks a month. Home WiFi, coworking spaces, cafes, hotels, airports, trains. Each one is an attack surface.
  • We handle sensitive data on those networks. Client documents, invoicing platforms, tax portals, banking. If you’re a freelancer in the EU, you likely have GDPR obligations for how you handle client data — and connecting to unsecured public WiFi while accessing personal data could technically put you in breach.
  • We reuse passwords. Not all of us, but enough. One compromised credential on a cafe WiFi network can cascade across every platform that shares that password.
  • We often lack employer-provided security. No corporate VPN, no managed devices, no IT helpdesk. We’re on our own.

The cafe-hopping, airport-working lifestyle that makes remote work appealing is also the lifestyle that creates the most security exposure.

What I changed — and what I’d recommend

After getting hacked, I rebuilt my digital security from the ground up. Not with enterprise-grade complexity — I’m a solo operator, not a corporation — but with tools that actually work for the way remote workers live and work.

A VPN that’s always on

The single most important change I made was installing NordVPN and making it non-negotiable. Before I connect to any network, on any device, that isn’t my home WiFi, the VPN goes on. No exceptions.

What a VPN does is straightforward: it encrypts your internet connection so that anyone on the same network can’t see what you’re doing. Even if you’ve accidentally connected to an evil twin hotspot, the traffic you send through the VPN is encrypted. They can see you’re connected, but they can’t intercept your logins, read your emails, or capture your passwords in transit. What a VPN can’t do is protect credentials you type into an attacker’s fake login portal, which is the evil twin case described above.

I chose NordVPN for a few practical reasons:

  • Speed. Some VPNs noticeably slow your connection. NordVPN doesn’t — I can run video calls and upload files without issues.
  • Server coverage. With servers across Europe and beyond, I can connect from wherever I’m working. This matters when you’re moving between countries.
  • Simplicity. It takes two seconds to connect. If a security tool creates friction, you stop using it. NordVPN connects automatically when I join a new network.
  • Kill switch. If the VPN connection drops, it cuts your internet rather than leaving you exposed. This is the feature that matters most when you’re on unreliable cafe WiFi.

I have it on my laptop, my phone, and my tablet. Every device that touches a public network.

A password manager that actually works

The second change was finally, properly committing to a password manager. I’d dabbled before — most of us have — but after the hack, I went through every account I own and gave each one a unique, generated password.

NordPass syncs across all my devices and auto-fills credentials without fuss. The practical reality for remote workers is this: you have dozens of platform logins. Freelance marketplaces, invoicing tools, tax filing portals, client project management systems, banking, social media, email. If even two of those share a password, you have a cascading vulnerability. And if you have any passwords that are remotely memorable or pronounceable, based on real words, then they aren’t strong enough.

NordPass generates a random, strong password for each one and stores them in an encrypted vault. You only need to remember one master password. If one platform is breached — and they are breached, regularly — your other accounts aren’t affected.

It also flags when passwords appear in known data breaches and prompts all users to change them. For freelancers juggling multiple client systems, this kind of automated hygiene is genuinely valuable.

Skip the WiFi entirely when you can

One thing I’ve started doing more is tethering to my mobile data instead of connecting to public WiFi at all. Your mobile connection is encrypted by default and far harder to intercept than any WiFi network. And mobile data gets cheaper all the time.

Nord Security also offer Saily, an eSIM service — which is useful if you’re crossing borders frequently and want reliable mobile data without swapping physical SIM cards or paying roaming charges. If you’re in an airport and the choice is between free WiFi and your own mobile data, choose your own data every time.

Two-factor authentication on everything

This one costs nothing. Enable 2FA on every platform that offers it — email, banking, social media, freelance platforms, cloud storage. Even if someone captures your password, they can’t get in without the second factor.

Use an authenticator app rather than SMS, since SIM-swapping attacks can intercept text messages. Most password managers, including NordPass, can handle your 2FA codes as well.

The GDPR dimension most freelancers ignore

If you’re a freelancer or contractor working with EU clients or handling EU personal data — which includes names, email addresses, and almost anything you’d find in a CRM — you have GDPR obligations. These include taking “appropriate technical measures” to protect that data.

What counts as appropriate? The regulation doesn’t specify, but connecting to an unsecured public WiFi network while accessing client personal data is difficult to defend if something goes wrong. A VPN is the minimum reasonable measure.

Avoiding fines is one incentive — the maximum GDPR penalty is 4% of annual turnover. But beyond that, it’s about professionalism. Your clients trust you with their data. If you wouldn’t leave a printed client list on a cafe table, you shouldn’t transmit their data over an unencrypted network either.

The remote worker’s security checklist

Here’s the minimum setup every remote worker, freelancer, and digital nomad should have in place:

| Security measure | What it protects | Cost |
| --- | --- | --- |
| VPN (e.g. NordVPN) | Encrypts all internet traffic on public networks | A few euros/month |
| Password manager (e.g. NordPass) | Unique passwords per platform, breach monitoring | A few euros/month |
| Two-factor authentication | Blocks access even if password is stolen | Free |
| Mobile data tethering / eSIM | Avoids public WiFi entirely when possible | Varies |
| Device encryption | Protects data if laptop is stolen | Free (built into OS) |
| Screen privacy filter | Prevents visual eavesdropping in public | One-off purchase |

None of this is expensive. None of it is complicated. And all of it would have prevented what happened to me at that airport.

Frequently asked questions

Do I really need a VPN if I only use HTTPS websites?

Yes. HTTPS encrypts the connection between your browser and the website, but it doesn’t prevent an attacker from seeing which sites you visit, intercepting DNS queries, or redirecting you to a convincing fake login page. A VPN adds an encryption layer over your entire connection.

Is it legal to use a VPN while working abroad?

In virtually all European countries, yes. VPNs are legal and widely used by businesses and individuals. Some employers may require you to use one. A handful of countries outside Europe restrict VPN use, so check local laws if you’re working from further afield.

Will a VPN slow down my internet?

Modern VPNs like NordVPN cause minimal speed loss — typically less than 10%. You’re unlikely to notice any difference during normal work tasks, including video calls.

What should I do if I think I’ve been hacked on public WiFi?

Disconnect immediately. Change passwords for any accounts you accessed during that session — starting with email and banking. Enable 2FA if you haven’t already. Check for unfamiliar login sessions in your key accounts. If client data may have been exposed, you may have GDPR notification obligations.

Can my employer see what I’m doing if I use a personal VPN?

A personal VPN encrypts traffic between your device and the VPN server. If you’re on a company device with monitoring software, that software may still log activity locally. A personal VPN on your own device keeps your browsing private from the network operator — including your employer’s network.

It doesn’t have to happen to you first

I write this from experience, and I wish I’d taken it more seriously before the incident rather than after. The tools exist. They’re affordable, easy to use, and designed for exactly the way we work.

If you’re reading this from a cafe, a coworking space, or an airport lounge — and you’re not connected through a VPN — you’re trusting every other person on that network with your data. Most of the time, that trust is fine. But it only takes one time for it not to be.

NordVPN and NordPass are the tools I use personally, every day, on every device. They’re what I recommend to every remote worker I talk to. Not because they’re the only options — but because they work, they’re fast, and they’ve never given me a reason to look for alternatives.

The best time to sort your digital security was before you needed it. The second best time is now.

Full transparency: the links in this article are affiliate links. If you sign up through them, Remote Work Europe earns a commission at no extra cost to you. We only recommend tools we actually use — and in this case, tools that exist because I learned the hard way why they matter.


Sources:

  • Australian Federal Police, “Man sentenced for evil twin WiFi attacks at airports,” November 2024
  • Network Rail UK railway station WiFi compromise, 2024
  • Cloudwards, “Dangers of Public WiFi in 2026”
  • GDPR.eu, “Data Protection and Remote Work”
  • GlassWire, “Public WiFi Hidden Threats 2025”
  • CNBC, “It’s time to take warnings about using airport public WiFi seriously,” 2024