It starts innocuously enough.

You are sitting in a café in Lekki, waiting for a meeting that has not started, scrolling through your phone. The person at the next table leans over. Their data is finished, and they just need to send one email. Five minutes maximum.

“Can you share your hotspot?”

You say yes. Because you are Nigerian. Because saying no to that request in that tone, with that face, in that public space, requires a specific kind of social hardness most people have not developed. Because it is just a hotspot. It is just the internet. What could go wrong?

More than you want to know. Here are six things that could go wrong.

1. They Can Read Everything Moving Through Your Network

When you share your mobile hotspot, you are not handing someone internet access. You are creating a private network and giving a stranger a seat inside it.

Every device connected to your hotspot exists on the same local network as your phone, and in networking, a shared network is a shared conversation where everything said can potentially be heard by everyone present.

Hotspots that transmit data in plain text make it vulnerable to cybercriminals with the right tools. Hackers on the same network can intercept your online activities, including banking information, login credentials, and personal messages.

Your banking app is refreshing in the background. The login token your email client just sent. The session cookie keeps you logged into your work portal. None of these announce themselves.

They travel across the network in packets that a person with a laptop and freely available software can read like a newspaper, from the next table, while you are still sipping your coffee.

2. They Can Hijack Your Banking Session Without Touching Your Phone

This is the one that should make you put your phone down and think.

When you log into your bank, a session is created between your device and the bank’s server. That session has an ID, a long string of characters that tells the bank you are the authorised user. Session hijacking works in real time, capturing live network sessions to take over authenticated connections.

If someone on your network captures that session ID, they can present it to the bank’s server as if they are you. The bank cannot tell the difference. The bank sends them your account information. You are sitting three feet away, completely unaware, still sharing your hotspot.

No passwords stolen. No OTPs intercepted. Just a session ID harvested off a shared network while you minded your own business.

3. They Can Install Malware That Stays After They Leave

Unlike session hijacking which ends when you close the app, malware is a permanent installation. Hackers can install malware straight onto a hotspot network which then spreads to connected devices through software vulnerabilities, malicious ads, or pop-ups that install once clicked. Most likely you will not even notice the malicious software.

The stranger disconnects. They leave the café. You go home and connect to your home Wi-Fi. The malware stays. It sits quietly on your phone, watching, collecting, and sending. Your keystrokes. Your banking app activity. Your saved passwords. All of it travelling silently to someone who asked you for five minutes of internet access and left with considerably more.

4. They Can See the Files You Are Sharing Without Knowing It

Most Nigerians have never checked whether file sharing is enabled on their phones. Keeping file sharing enabled could expose your folders to anyone on the same network, potentially allowing hackers to access your private information without your consent.

Think about what lives in your phone’s shared folders. Screenshots of account statements sent via WhatsApp. A photo of your ATM card taken during an online transaction. Your NIN document. Your BVN confirmation message. Voice notes from your accountant.

The password your IT person sent that you never changed. Every one of those files is potentially visible to another device on the same network when file sharing is on. You did not know it was on. You probably still do not.

5. They Can Use Your Connection for Illegal Activity

This is the angle nobody discusses because it is not about what they take from you. It is about what they do using you.

Your service provider logs your browsing history and all activity associated with your connection. When someone uses your hotspot, their internet activity registers as yours.

If they download illegal content, conduct a cyberattack, or access platforms flagged by Nigerian regulatory agencies, that activity traces back to your SIM card, your number, your identity. You shared the connection. The law does not care about the social awkwardness that made you do it.

6. The Request Itself Is Sometimes the Attack

Creating a fake Wi-Fi network is surprisingly easy for cybercriminals, and they often position themselves near genuine connections to lure unsuspecting victims. The exhausted office worker narrative is easy to perform and the urgency is easy to manufacture.

In Nigeria specifically, the social mechanics of the hotspot request do most of the attacker’s work before a single packet has been sniffed. Refusing feels stingy. The request is framed as access to a utility not access to your life.

The danger is invisible. The social cost of saying no is immediate. The loss is abstract until it lands in your account at 2am and you wake up to an alert that makes no sense.

The person asking is not always who they present themselves as. Sometimes the whole interaction, the finished data, the urgent email, the apologetic smile, is a social engineering script rehearsed specifically for cultures where community obligation makes refusal feel like a moral failure.

What You Should Actually Do

Set a password on your hotspot that you do not share casually. Always confirm you are connecting to a trusted access point and password-protect anything you share. Turn off file sharing on your device. Check it now if you have not checked it recently. If you must share with someone you know, disconnect them the moment they are done and change the hotspot password immediately after.

And the most important thing, the one that no technical setting can replicate: get comfortable saying no. Not because you are stingy. Not because you do not want to help. But because your phone is not a utility.

It is a financial institution, an identity document, a private filing cabinet, and a direct line into every account, app, and credential attached to your name. The person at the next table has no legitimate claim to any of it.

Their data finished. That is their problem. You have enough of your own.