Evil Twin Wi-Fi Scams on Public Networks
How attackers set up fake Wi-Fi hotspots with names identical to legitimate public networks to intercept traffic and steal credentials from connected devices.
Part of: Evil Twin Wi-Fi Scams
Last reviewed: 8 June 2026
An evil twin attack creates a rogue Wi-Fi access point that broadcasts the same name (SSID) as a legitimate public network in the same location. A traveller connecting to what appears to be the airport or hotel Wi-Fi may actually be connecting to an attacker's device, channelling all their internet traffic through an interceptor.
Modern Wi-Fi infrastructure makes this attack simpler than it sounds. A laptop or a compact travel router is all an attacker needs to set up a convincing evil twin. Victims log in to their email, banking apps, or corporate networks over a connection they believe is legitimate, unaware that their credentials and session tokens may be visible to the attacker.
How this scam works on public Wi-Fi
In a busy location — airport terminal, hotel lobby, conference centre — an attacker sets up a hotspot with the same SSID as the venue's legitimate network. Devices that automatically reconnect to known networks, or users who manually select the network by name, connect to the rogue hotspot instead. The attacker provides real internet access through the evil twin to avoid detection, while silently logging credentials typed into login pages.
HTTPS encrypts the content of each page, but the attacker can still see which sites are visited, read any unencrypted traffic, and attempt SSL-stripping against sites that still allow an HTTP fallback. Any session cookies captured over the evil twin can be replayed to hijack authenticated sessions.
Common red flags
- Two networks appear with the same or very similar names in the same location
- Your device connects, but shows a certificate warning on a website you use regularly
- You are prompted to re-enter login details on services where you are normally auto-logged in
- The network's captive portal (or the absence of one) does not match the venue's normal sign-on process
- Your device connects to a different network than usual despite being in the same location
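The first and last red flags above can be checked mechanically against a Wi-Fi scan. The following script is an added illustration, not part of this page or any venue's tooling: it takes scan records of the kind `nmcli dev wifi list` reports, groups SSIDs that differ only in case or punctuation, and flags a name offered both open and secured, or a saved network seen from a BSSID the device has not used before. The SSIDs, BSSIDs and saved-profile data are constructed assumptions.

```python
from collections import defaultdict

# Constructed scan sample (not real data): the venue's WPA2 network plus a
# second, open radio using the same name, and a look-alike spelled with spaces.
SCAN = [
    {"ssid": "Airport_Free_WiFi", "bssid": "A4:2B:8C:11:22:33", "security": "WPA2", "channel": 36},
    {"ssid": "Airport_Free_WiFi", "bssid": "02:1A:C5:DE:AD:01", "security": "open", "channel": 6},
    {"ssid": "Hotel_Guest",       "bssid": "A4:2B:8C:11:22:40", "security": "WPA2", "channel": 11},
    {"ssid": "Airport Free WiFi", "bssid": "02:1A:C5:DE:AD:02", "security": "open", "channel": 1},
]

# BSSIDs previously seen for a network (assumed saved profile, constructed).
KNOWN_BSSIDS = {"Airport_Free_WiFi": {"A4:2B:8C:11:22:33"}}


def normalise(ssid):
    """Collapse case and punctuation so 'Airport Free WiFi' matches 'Airport_Free_WiFi'."""
    return "".join(ch for ch in ssid.lower() if ch.isalnum())


def find_evil_twin_indicators(scan, known=KNOWN_BSSIDS):
    """Return (ssid, reason) warnings. Several BSSIDs under one SSID is normal in a
    large venue, so only mixed security, look-alike names and an unknown BSSID for
    a network the device already knows are flagged."""
    groups = defaultdict(list)
    for ap in scan:
        groups[normalise(ap["ssid"])].append(ap)
    warnings = []
    for aps in groups.values():
        names = sorted({ap["ssid"] for ap in aps})
        securities = {ap["security"] for ap in aps}
        if len(names) > 1:
            warnings.append((names[0], "look-alike SSIDs: " + " / ".join(names)))
        if "open" in securities and len(securities) > 1:
            warnings.append((names[0], "same name offered both open and secured"))
        for ap in aps:
            expected = known.get(ap["ssid"])
            if expected and ap["bssid"] not in expected:
                warnings.append((ap["ssid"], f"unknown BSSID {ap['bssid']} for a saved network"))
    return warnings


if __name__ == "__main__":
    for ssid, reason in find_evil_twin_indicators(SCAN):
        print(f"WARNING {ssid}: {reason}")
```

A warning is a prompt to verify the name with venue staff, not proof of an attack: a venue that has just added an access point will also trigger the unknown-BSSID check.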
How to protect yourself
- Use a reputable VPN on all public Wi-Fi to encrypt all traffic regardless of the network's legitimacy
- Disable automatic connection to open networks on your device
- Verify the exact network name with venue staff before connecting
- Avoid accessing banking, email, or corporate systems on public Wi-Fi without a VPN
- Prefer a mobile data connection over public Wi-Fi for sensitive activities when abroad
How to report it
- Report a suspected evil twin to venue security so the legitimate network can be reinforced
- Report to your national cybercrime authority (IC3 in the US, Action Fraud in the UK)
- If credentials were captured, change passwords immediately and enable multi-factor authentication
Frequently asked questions
Does HTTPS protect me on an evil twin network?
HTTPS encrypts the content of your connection to a specific site, but an evil twin operator can still see which sites you visit, attempt SSL-stripping on sites that permit HTTP, and capture session cookies. A VPN provides a stronger layer of protection.