Real Public Wi-Fi Sign vs Evil-Twin Hotspot Attack
How to tell a legitimate venue Wi-Fi network from a rogue hotspot set up by an attacker to intercept your internet traffic and capture sensitive data.
Last reviewed: 1 June 2026
Most public Wi-Fi is exactly what it appears to be. Cafes, hotels, airports and trains run networks for their customers, and connecting to one is not reckless. An evil-twin attack works by putting a second network alongside the real one, with the same or nearly the same name, run from equipment sitting quietly in a bag nearby. There is nothing to notice: you pick the familiar name from the list, the page loads, and everything behaves normally while your traffic passes through someone else's hardware. Your phone may even join automatically because it remembers the name from a previous visit. The practical distinction is not what you see on screen but what you do before connecting: confirm the exact network name with staff, and keep a VPN running.
Side-by-side comparison
| Legitimate venue Wi-Fi network | Evil-twin rogue hotspot | |
|---|---|---|
| Network name (SSID) | Venue publishes the exact SSID on a sign, receipt, or by asking staff — typically includes the venue brand name | Evil-twin SSID may be identical or slightly different (e.g., 'CafeWifi' vs 'Cafe_Wifi'); attacker can operate multiple variants |
| Authentication method | Either open (no password) but redirects to an official captive portal, or uses a shared password displayed at the venue | May require no password at all, or uses a captive portal that harvests email addresses and other personal data |
| Signal strength | Venue router is fixed; signal is reasonable but not unusually strong | Attacker may position equipment near your device, producing an unusually strong signal that devices prefer automatically |
| HTTPS behaviour | On legitimate pages you visit, your browser's padlock and HTTPS function normally | Evil-twin can perform SSL stripping, downgrading secure connections to HTTP and capturing credentials in plaintext |
| Device auto-connect | Devices remember legitimate networks; auto-connect to saved networks is benign on trusted home/office networks | Auto-connect to public networks is dangerous — device may silently join an evil-twin matching a previously trusted SSID |
Common red flags
- Multiple networks with similar names appear when you scan for the venue Wi-Fi
- Unusually strong Wi-Fi signal in a large venue with no access point visible nearby
- Captive portal requesting personal details beyond a simple email address
- Secure (HTTPS) websites your browser previously trusted now show certificate warnings
- Your browser is redirected unexpectedly to login prompts on sites that do not normally require them
Verification steps
- Always confirm the exact Wi-Fi name and password with venue staff before connecting
- Use a VPN when connecting to any public Wi-Fi so your traffic is encrypted end-to-end
- Disable auto-connect for public Wi-Fi networks in your device settings
What not to do
- Do not connect to a public Wi-Fi network without verifying the exact name with staff
- Do not access banking, email, or other sensitive accounts on public Wi-Fi without a VPN
- Do not ignore certificate warnings in your browser on public networks — disconnect immediately
A safe response
If something feels wrong, a certificate warning, an unexpected login prompt, or two networks with nearly the same name, disconnect first and ask questions afterwards. Turn Wi-Fi off, use mobile data, and check the correct network name with a member of staff before rejoining. Never click through a certificate warning to reach a site. If you logged into anything sensitive while connected, change those passwords from a trusted connection, starting with your email account because it controls the others, and turn on two-factor authentication. If banking details may have been exposed, call the number on the back of your card and ask the fraud team to review recent activity.
Frequently asked questions
Should I turn off automatic connection to networks I have used before?
Yes, for public networks. Your device remembers the name, not the specific router, so it will join anything broadcasting that name, including a copy set up by someone else. Removing saved public networks and switching off auto-join means you choose deliberately each time. Keep auto-connect for home and work networks, which are protected by a password your device also checks. It is worth reviewing the saved network list on your phone occasionally and deleting hotel and cafe entries you no longer need.
Does using HTTPS protect me on a rogue Wi-Fi network?
HTTPS provides significant protection but is not absolute. Evil-twin attacks can attempt SSL stripping to downgrade connections. A VPN provides a stronger layer of protection as all traffic is encrypted before it leaves your device.
Is it safe to use public Wi-Fi for anything at all?
Low-sensitivity browsing (news, maps) carries lower risk, especially if you are using a VPN. Avoid logging into banking, email, or any account where a stolen session could cause serious harm, even with a VPN, if you are concerned about the network's legitimacy.