Real Public Wi-Fi vs Evil Twin Network
How to tell a legitimate public Wi-Fi hotspot from a rogue evil twin network set up to intercept your data.
Last reviewed: 1 June 2026
An evil twin attack involves setting up a Wi-Fi hotspot with a name identical or very similar to a legitimate network — in a coffee shop, airport, or hotel. When you connect, your traffic passes through the attacker's device, allowing them to capture credentials, session cookies, and sensitive data. Because the name looks right and the internet often works normally, most users have no idea they are connected to a rogue network. The defences are straightforward: verify the correct network name before connecting, avoid sensitive activities on public Wi-Fi, and use a VPN to encrypt your traffic wherever you are.
Side-by-side comparison
| Real public Wi-Fi | Evil twin network | |
|---|---|---|
| Name verification | Network name confirmed by a staff member or official signage | Name is identical or very close to the expected network — no way to verify without asking |
| Login page | Captive portal consistent with the venue's branding | Generic or blank login page, or no page but full internet access |
| HTTPS everywhere | HTTPS connections work normally; no certificate warnings | Certificate errors on HTTPS sites; or attacker may perform SSL stripping |
| Speed and stability | Consistent with a managed venue network | May be unusually fast (no throttling) to attract connections |
| Data requests | May ask for email on a branded portal; nothing sensitive | May prompt for login credentials, card details, or app installs |
| Discovery | Appears in available networks alongside other visible networks | May appear with a stronger signal than the real network |
Common red flags
- Network name identical to the venue's but not confirmed by staff
- Certificate errors when visiting HTTPS websites
- Login portal asking for email address, password, or card details
- Being prompted to install an app or accept a certificate to connect
- Two networks with very similar names visible at the same time
- Network has a significantly stronger signal than expected for the venue size
Verification steps
- Ask a member of staff for the exact Wi-Fi name and password before connecting
- Use a VPN on all public Wi-Fi connections to encrypt your traffic
- Avoid logging in to sensitive accounts — banking, email, work systems — on public Wi-Fi
- Watch for browser certificate warnings and do not click through them
- Forget the network after use so your device doesn't auto-reconnect in future
What not to do
- Don't connect to any public Wi-Fi network without verifying the name with venue staff
- Don't log in to banking or email on public Wi-Fi without a VPN
- Don't click through certificate warnings to reach a site
- Don't install any app or accept any certificate prompt to gain Wi-Fi access
A safe response
Disconnect immediately if you notice certificate errors or unusual prompts. Change passwords for any accounts accessed during the session from a trusted network. Use mobile data for sensitive tasks when a trusted network is unavailable.
Frequently asked questions
Does HTTPS protect me on an evil twin network?
HTTPS encrypts traffic between your device and the destination server, which limits what an attacker can read. However, some attacks strip HTTPS or use certificate errors to intercept connections. A VPN adds an additional layer of protection by encrypting traffic before it leaves your device.
Is airport or hotel Wi-Fi safer than coffee-shop Wi-Fi?
Managed venue networks vary in their security. The risk of evil twin networks exists in any high-traffic public environment. Verifying the network name and using a VPN applies equally in all of them.
How would I know if my data was intercepted?
You often wouldn't notice immediately. Signs can include unexpected login alerts, unfamiliar activity in accounts, or receiving phishing messages that reference information only usable if intercepted. Monitor account activity after using public Wi-Fi.