Evil Twin Attack
A rogue Wi-Fi access point that mimics a legitimate network, tricking users into connecting so their traffic can be intercepted.
Also known as: rogue access point, honeypot Wi-Fi, fake hotspot
Last reviewed: 10 June 2026
In an evil twin attack, an attacker sets up a Wi-Fi hotspot with the same network name (SSID) as a legitimate nearby network, such as a coffee-shop or airport Wi-Fi, and often with a stronger signal. Devices configured to auto-reconnect to known networks may join it automatically; other users connect deliberately, believing it is the legitimate hotspot.
Once a victim is connected, all of their traffic passes through the attacker's device, and anything sent unencrypted can be read. Even encrypted traffic may be exposed if the attacker serves a captive portal that tricks victims into accepting a fraudulent SSL certificate, or if the attacker performs SSL stripping (downgrading connections from HTTPS to plain HTTP).
To reduce the risk, disable auto-connect for public Wi-Fi networks, verify the hotspot's name (and any password) with venue staff before connecting, and use a VPN so that all traffic is encrypted while on public networks. Ensure your device does not automatically trust certificates presented by captive portals.
Examples
- A fraudster sets up a hotspot named 'CafeFreewifi' next to a coffee shop's legitimate 'CafeFreeWiFi'; users who connect to the near-identical name have their browsing monitored.
- An evil twin at an airport captures credentials from business travellers checking work email.
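The lookalike-SSID trick in the first example, and the same-name-different-hardware pattern described above, can both be caught by comparing a Wi-Fi scan against the details of a network you trust. The following detection helper is an added illustration, not part of this glossary entry; the scan results, BSSIDs and the `TrustedNetwork`/`AccessPoint` types are constructed for the example.

```python
from dataclasses import dataclass
import unicodedata

@dataclass(frozen=True)
class AccessPoint:
    ssid: str
    bssid: str       # MAC address of the access point
    security: str    # "OPEN", "WPA2", "WPA3" ...
    signal_dbm: int  # received signal strength; closer to 0 is stronger

@dataclass(frozen=True)
class TrustedNetwork:
    ssid: str
    bssids: frozenset  # access points the venue is known to operate
    security: str

def normalise_ssid(ssid: str) -> str:
    """Fold case and strip accents/separators so lookalike names collide:
    'CafeFreewifi', 'CafeFreeWiFi' and 'Cafe Free WiFi' all become 'cafefreewifi'."""
    ascii_only = unicodedata.normalize("NFKD", ssid).encode("ascii", "ignore").decode()
    return "".join(ch for ch in ascii_only.casefold() if ch.isalnum())

def evil_twin_findings(trusted: TrustedNetwork, scan: list) -> dict:
    """Map each suspicious BSSID to the reasons it resembles the trusted network."""
    genuine = [ap.signal_dbm for ap in scan if ap.bssid in trusted.bssids]
    findings = {}
    for ap in scan:
        if ap.bssid in trusted.bssids or normalise_ssid(ap.ssid) != normalise_ssid(trusted.ssid):
            continue  # a known access point, or an unrelated network
        reasons = [f"lookalike SSID {ap.ssid!r}" if ap.ssid != trusted.ssid
                   else "same SSID broadcast from an unknown BSSID"]
        if ap.security != trusted.security:
            reasons.append(f"security {ap.security} differs from expected {trusted.security}")
        if genuine and ap.signal_dbm > max(genuine):
            reasons.append("stronger signal than the genuine access point")
        findings[ap.bssid] = reasons
    return findings

# Constructed scan: the cafe's genuine AP, two suspicious twins, one unrelated network.
CAFE = TrustedNetwork("CafeFreeWiFi", frozenset({"aa:bb:cc:00:00:01"}), "WPA2")
SCAN = [
    AccessPoint("CafeFreeWiFi", "aa:bb:cc:00:00:01", "WPA2", -60),
    AccessPoint("CafeFreewifi", "de:ad:be:ef:00:01", "OPEN", -40),
    AccessPoint("CafeFreeWiFi", "de:ad:be:ef:00:02", "WPA2", -70),
    AccessPoint("AirportGuest", "11:22:33:44:55:66", "OPEN", -80),
]

if __name__ == "__main__":
    for bssid, reasons in evil_twin_findings(CAFE, SCAN).items():
        print(bssid, "->", "; ".join(reasons))
```

A real deployment would feed the scan from the OS (for example `nmcli` or `airport` output) and keep the trusted BSSID list from a visit where staff confirmed the network; an open twin with a stronger signal is the case the glossary warns about.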