Fake Wi-Fi Captive Portal Fraud Enabled by Phone Social Engineering
How vishing calls impersonating hotel or venue IT support direct victims to connect to rogue Wi-Fi networks and accept malicious captive portal terms.
Part of: Fake Wi-Fi Captive Portal Scam
Last reviewed: 9 June 2026
Rogue Wi-Fi captive portals are fake login pages that harvest credentials or deliver malware when a victim connects to an attacker-controlled network. This technical attack increasingly uses a social engineering phone call as its delivery mechanism. A caller posing as hotel IT support, venue Wi-Fi management, or an internet service provider instructs the victim to connect to a specific network name, which is the attacker's rogue access point.
The phone call is the component that makes this attack more effective than the purely technical version: victims who receive verbal instructions from an apparently authoritative caller are far more likely to connect to a specific network on request than to connect to a rogue network encountered passively. Trusted-seeming phone authority removes the hesitation that would otherwise prompt scrutiny.
How this scam works on phone calls
A victim receives a call during a hotel stay, conference, or airport transit from someone claiming to be from the venue's IT team. The caller explains that the regular Wi-Fi network is experiencing issues and directs the victim to connect to an alternative network name. This network is the attacker's rogue access point. When the victim connects, a captive portal page requests login credentials, sometimes replicating the hotel or conference portal, or the network silently intercepts web traffic.
In more targeted attacks, the rogue network is operational and legitimate-seeming. The victim connects, the portal accepts their details, and they appear to have internet access. In the background, the portal has captured authentication credentials and session tokens from unencrypted or improperly secured web traffic.
Common red flags
- Unsolicited call from venue IT support directing you to connect to a specific alternative network
- Captive portal page asks for credentials other than a room number or booking reference
- Network name is very similar to the venue's official network but with minor differences
- Captive portal installs a browser certificate or asks you to allow a profile download
- After connecting, familiar websites behave differently or present unusual login prompts
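The lookalike-name red flag above can be checked mechanically by comparing scanned network names against the name the venue confirmed in person. The Python below is an added example, not part of the original page; the network names, the confusable-character map and the distance threshold are constructed assumptions.

```python
# Added example: flag SSIDs that imitate a venue's official network name.
# All network names, the character map and the threshold are constructed.
import unicodedata

# Assumption: a small map of characters commonly swapped in lookalike names.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "@": "a", "$": "s"})

def skeleton(ssid: str) -> str:
    """Comparison form: fold case and width, map confusables, drop separators."""
    text = unicodedata.normalize("NFKC", ssid).casefold().translate(CONFUSABLES)
    return "".join(ch for ch in text if ch.isalnum())

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using a single rolling row."""
    row = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        prev, row[0] = row[0], i
        for j, cb in enumerate(b, 1):
            prev, row[j] = row[j], min(row[j] + 1, row[j - 1] + 1, prev + (ca != cb))
    return row[len(b)]

def classify(official: str, seen: str, max_distance: int = 2) -> str:
    """Return 'official', 'lookalike' or 'unrelated' for one scanned SSID."""
    if seen == official:
        # Same name only: a name can be copied, so this is not proof of origin.
        return "official"
    off, cand = skeleton(official), skeleton(seen)
    if off == cand or off in cand or edit_distance(off, cand) <= max_distance:
        return "lookalike"
    return "unrelated"

def review_scan(official: str, ssids: list[str]) -> dict[str, str]:
    """Classify every SSID from a scan against the confirmed official name."""
    return {ssid: classify(official, ssid) for ssid in ssids}

# Constructed scan results for a venue whose confirmed name is "GrandHotel-Guest".
SCAN = ["GrandHotel-Guest", "GrandH0tel_Guest", "GrandHotel Guest 2", "CoffeeShop-Free"]

if __name__ == "__main__":
    for name, verdict in review_scan("GrandHotel-Guest", SCAN).items():
        print(f"{verdict:10} {name}")
```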
How to protect yourself
- Use a VPN on all public Wi-Fi networks — this encrypts your traffic even if the network is rogue
- Verify any Wi-Fi network name directly with venue staff in person before connecting
- Never connect to a Wi-Fi network on the instruction of an unsolicited phone call
- Prefer mobile data over public Wi-Fi for sensitive transactions such as banking
- Do not accept certificate installations or browser profile downloads from captive portals
How to report it
- Report the incident to the venue's official management so they can warn other guests
- Report to your national cybercrime authority (Action Fraud UK, IC3 US)
- If credentials were entered, change passwords for all affected accounts immediately
Frequently asked questions
How do I verify that a Wi-Fi network at a venue is genuine?
Ask venue staff in person for the correct network name and password. Do not use a network name based on verbal instructions from a phone call. The official network name should be clearly posted at the venue or in your check-in documentation.
Does a VPN protect me on a rogue network?
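A VPN encrypts your traffic before it leaves your device, meaning a rogue network cannot intercept readable data. Ensure your VPN is active before connecting to any public network and verify it is operational before browsing. A VPN does not protect details typed into the captive portal page itself, so the checks on what a portal asks for still apply.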