Real Public Wi-Fi Sign vs Evil-Twin Hotspot Attack
How to tell a legitimate venue Wi-Fi network from a rogue hotspot set up by an attacker to intercept your internet traffic and capture sensitive data.
Last reviewed: 1 June 2026
An evil-twin attack involves setting up a Wi-Fi network with the same or very similar name as a legitimate venue hotspot. When your device connects, all your internet traffic passes through the attacker's equipment, enabling credential theft, session hijacking, and data interception. The network looks and behaves exactly like a real Wi-Fi connection.
Side-by-side comparison
| Legitimate venue Wi-Fi network | Evil-twin rogue hotspot | |
|---|---|---|
| Network name (SSID) | Venue publishes the exact SSID on a sign, receipt, or by asking staff — typically includes the venue brand name | Evil-twin SSID may be identical or slightly different (e.g., 'CafeWifi' vs 'Cafe_Wifi'); attacker can operate multiple variants |
| Authentication method | Either open (no password) but redirects to an official captive portal, or uses a shared password displayed at the venue | May require no password at all, or uses a captive portal that harvests email addresses and other personal data |
| Signal strength | Venue router is fixed; signal is reasonable but not unusually strong | Attacker may position equipment near your device, producing an unusually strong signal that devices prefer automatically |
| HTTPS behaviour | On legitimate pages you visit, your browser's padlock and HTTPS function normally | Evil-twin can perform SSL stripping, downgrading secure connections to HTTP and capturing credentials in plaintext |
| Device auto-connect | Devices remember legitimate networks; auto-connect to saved networks is benign on trusted home/office networks | Auto-connect to public networks is dangerous — device may silently join an evil-twin matching a previously trusted SSID |
Common red flags
- Multiple networks with similar names appear when you scan for the venue Wi-Fi
- Unusually strong Wi-Fi signal in a large venue with no access point visible nearby
- Captive portal requesting personal details beyond a simple email address
- Secure (HTTPS) websites your browser previously trusted now show certificate warnings
- Your browser is redirected unexpectedly to login prompts on sites that do not normally require them
Verification steps
- Always confirm the exact Wi-Fi name and password with venue staff before connecting
- Use a VPN when connecting to any public Wi-Fi so your traffic is encrypted end-to-end
- Disable auto-connect for public Wi-Fi networks in your device settings
What not to do
- Do not connect to a public Wi-Fi network without verifying the exact name with staff
- Do not access banking, email, or other sensitive accounts on public Wi-Fi without a VPN
- Do not ignore certificate warnings in your browser on public networks — disconnect immediately
A safe response
Disconnect from the suspicious network immediately. Change passwords for any accounts you accessed while connected, starting with email and banking. Enable two-factor authentication if not already active. If banking credentials may have been exposed, contact your bank's fraud team.
Frequently asked questions
Does using HTTPS protect me on a rogue Wi-Fi network?
HTTPS provides significant protection but is not absolute. Evil-twin attacks can attempt SSL stripping to downgrade connections. A VPN provides a stronger layer of protection as all traffic is encrypted before it leaves your device.
Is it safe to use public Wi-Fi for anything at all?
Low-sensitivity browsing (news, maps) carries lower risk, especially if you are using a VPN. Avoid logging into banking, email, or any account where a stolen session could cause serious harm, even with a VPN, if you are concerned about the network's legitimacy.