Evil Twin Wi-Fi Scams
Fake Wi-Fi hotspots mimicking real ones to intercept logins, steal data, and serve phishing pages.
Last reviewed: 1 June 2026
What this scam is
An evil twin Wi-Fi attack involves setting up a fake wireless access point that imitates the name and appearance of a legitimate network — in a café, hotel, airport, library, or any location where people commonly connect to public Wi-Fi. When you connect to the fake network instead of the real one, the attacker sits between your device and the internet, able to monitor your traffic, intercept unencrypted data, inject fraudulent pages into your browsing sessions, and harvest credentials.
The attack is named 'evil twin' because the rogue network is a near-identical copy of the legitimate one. It may have the same network name (SSID), and can be configured to broadcast a stronger signal than the genuine network, making devices automatically prefer it. From the user's perspective, they are simply connecting to the café's or hotel's Wi-Fi as usual.
Once you are connected to an evil twin, several things can happen. If you visit a website that uses unencrypted HTTP, the attacker can read everything you send and receive. If you log into a site, the attacker may see your credentials in transit. More sophisticated variants serve you a convincing captive portal page — the 'accept terms and conditions' screen common on legitimate public networks — that actually harvests a username and password rather than just accepting your email address. The attacker can also inject malicious content into pages you load, redirecting links, adding fake login forms to legitimate-looking pages, or triggering malware downloads.
The rise of HTTPS encryption has reduced some risks — most major sites now encrypt traffic in transit — but evil twin attacks remain relevant because many people still visit unencrypted sites, because SSL stripping techniques can sometimes downgrade HTTPS connections in permissive network environments, and because credential-harvesting captive portals remain effective regardless of HTTPS.
How it works
The attacker uses a laptop, smartphone, or a dedicated device to broadcast a wireless network with the same name as a legitimate nearby network. They may position themselves in the same venue — a coffee shop, an airport terminal, a hotel lobby — and configure the rogue access point to emit a signal stronger than the genuine router. Many devices are configured to connect automatically to known network names, or will show both networks to the user, who typically chooses whichever appears first or has the strongest signal.
Once you are connected to the rogue network, all traffic flows through the attacker's device before reaching the internet. Traffic that is unencrypted is immediately readable. For HTTPS traffic, a sophisticated attacker may attempt an SSL stripping attack — downgrading the connection from encrypted HTTPS to unencrypted HTTP — which succeeds if the site's configuration permits it or if the user does not notice the missing padlock indicator.
A common and highly effective technique is the fake captive portal. Most people expect to see a terms-and-conditions page on a public network. The attacker serves one that looks authentic and asks for your email address and a password. If they specifically design it to mimic a hotel or venue's own portal — or a Google, Microsoft, or social login option — the harvested credentials may be usable on real services.
In some variants, the rogue network blocks access to the real network while appearing to function normally, meaning you may not notice anything is wrong as you continue to browse.
Why this scam works
The attack exploits two powerful habits: the routine of connecting to public Wi-Fi without scrutiny, and the acceptance of captive portal screens as a normal part of the connection process. People rarely examine the network name closely before connecting, and even more rarely question a login prompt on a public network. The familiarity of the experience — connect, accept terms, browse — provides cover for the malicious version of that same sequence.
A typical pattern
A traveller connects to an airport Wi-Fi network named identically to the real airport network, which was the second option in their list but had a stronger signal. A captive portal page appears asking them to sign in with an email address and create a guest password. They enter their main email address and a password they use for several accounts. They browse normally for an hour. Days later, their email account and several linked services show unauthorised access from overseas. The attacker harvested their credentials from the fake captive portal and used the password across multiple services.
Common red flags
- Two networks with identical or very similar names in the same location
- A network with a noticeably stronger signal than expected for a venue
- Captive portal asking for an email-service or social media password
- Certificate warning when connecting to a normally secure site
- Pages loading over HTTP that you would expect to see as HTTPS
- Unexpected prompts to install a certificate or browser extension after connecting
- Connection that seems to block access to certain sites or your usual home network
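The first two red flags above (duplicate names, unexpectedly strong signal from a copy) can be checked from an ordinary Wi-Fi scan. The script below is an added example, not part of the original page: it parses a constructed scan listing in the colon-separated style of `nmcli -t -f SSID,BSSID,SIGNAL,SECURITY dev wifi list` (terse mode escapes colons inside values as `\:`) and reports names that appear with conflicting security settings or from different hardware vendors, plus open networks whose name matches a hypothetical list of saved networks. Several access points sharing one name is normal in a venue, so that alone is not flagged.

```python
import re
from collections import defaultdict

# Constructed sample scan (not captured from a real venue). Fields are
# SSID:BSSID:SIGNAL:SECURITY; an empty SECURITY field means an open network.
SAMPLE_SCAN = r"""
CafeWifi:AA\:BB\:CC\:01\:02\:03:62:WPA2
CafeWifi:AA\:BB\:CC\:01\:02\:04:55:WPA2
CafeWifi:DE\:AD\:BE\:EF\:00\:01:88:
HotelGuest:11\:22\:33\:44\:55\:66:40:WPA2
AirportFree:77\:88\:99\:AA\:BB\:CC:70:
""".strip()

def parse_scan(text):
    """Turn terse nmcli-style lines into (ssid, bssid, signal, security) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        # Split only on colons that are not escaped, then unescape the BSSID.
        fields = [f.replace(r"\:", ":") for f in re.split(r"(?<!\\):", line)]
        ssid, bssid, signal, security = fields[0], fields[1], int(fields[2]), fields[3]
        security = "OPEN" if security in ("", "--") else security
        rows.append((ssid, bssid.upper(), signal, security))
    return rows

def find_twin_candidates(rows, saved_open_ssids=()):
    """Return {ssid: [reasons]} for network names matching the page's red flags.

    saved_open_ssids is a hypothetical list of names the device would auto-join.
    """
    by_ssid = defaultdict(list)
    for row in rows:
        by_ssid[row[0]].append(row)
    findings = defaultdict(list)
    for ssid, aps in by_ssid.items():
        securities = {ap[3] for ap in aps}
        ouis = {ap[1][:8] for ap in aps}  # first three octets identify the vendor
        if len(aps) > 1 and len(securities) > 1:
            findings[ssid].append("same name advertised with different security settings")
        if len(aps) > 1 and len(ouis) > 1:
            findings[ssid].append("same name served by hardware from different vendors")
        if ssid in saved_open_ssids and "OPEN" in securities:
            findings[ssid].append("open network matches a saved name: device may auto-join")
    return dict(findings)

if __name__ == "__main__":
    for name, reasons in find_twin_candidates(parse_scan(SAMPLE_SCAN), {"AirportFree"}).items():
        print(name, "->", "; ".join(reasons))
```

In the sample, CafeWifi is reported because a third, open access point from a different vendor shares the café's name, while HotelGuest (one AP, encrypted) is not.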
Sanitized example messages
Illustrative, sanitized examples. Identifying details are replaced with placeholders such as [network name] and [venue].
Connect to [network name] for free Wi-Fi. Sign in below to continue.
Welcome to [venue] Wi-Fi. Please sign in with your Google or email account to access the internet.
Your connection requires a security certificate. Click Allow to continue browsing on this network.
Free high-speed Wi-Fi — tap to connect to [network name].
Common variations
- Café twin — rogue network named after a café's real network in the same location
- Hotel twin — fake hotel guest network, sometimes placed in a room or lobby
- Airport or transit twin — high-traffic rogue network in a transport hub
- Conference twin — network mimicking an event's official Wi-Fi at a conference venue
- Fake captive portal credential harvester — portal that collects real account passwords
- SSL stripping variant — attacker downgrades HTTPS to HTTP to intercept encrypted traffic
How to verify before you act
Before connecting to any public network, check the official name directly with the venue — look at a menu card, a sign at the front desk, or ask staff. If two networks appear with similar or identical names, ask staff which is theirs.
After connecting, look at the URL of any page you are asked to log into. A legitimate captive portal does not require your email service or social media password; a portal that asks for one is over-reaching and should be treated with suspicion.
Look for the padlock icon in your browser before entering any sensitive information. On a connection using SSL stripping, the padlock may be missing. If you expect to see HTTPS and the connection shows as HTTP or shows a certificate warning, disconnect and avoid that network.
Use a reputable VPN when connecting to public Wi-Fi. A VPN encrypts all traffic before it leaves your device, making the contents unreadable even to a network sitting in the middle of your connection.
Payment methods used
- Harvested credentials used for account takeover and subsequent financial fraud
Who is usually targeted
- Travellers and commuters
- Remote workers in cafés or hotels
- Conference attendees
- Anyone relying on public Wi-Fi
What to do immediately
- Disconnect from the suspicious network immediately
- Change the password for any account you logged into while connected
- Check your account activity for unexpected logins or changes
- Revoke active sessions on affected accounts and enable two-factor authentication
- Report the suspicious network name to the venue to alert them that their network is being spoofed
- Run a security scan if you visited any sites that may have served malicious content
How to prevent it
- Verify the exact Wi-Fi network name with the venue before connecting
- Use a reputable VPN whenever you use public Wi-Fi
- Avoid logging into banking or sensitive accounts on public Wi-Fi
- Do not enter real email service or social media passwords into a captive portal
- Check that sites show HTTPS and a padlock when entering any credentials
- Set your device to ask before joining known networks rather than connecting automatically
- Prefer your mobile data connection over public Wi-Fi for sensitive tasks
- Log out of accounts and clear sessions after using a public network
Evidence to preserve
- The name of the network you connected to
- Location and approximate time of the connection
- Screenshot of any captive portal login page
- Any accounts you logged into during the session
- Account activity logs showing access around the time of connection
Where to report it
- Action Fraud (UK) — UK national fraud & cybercrime reporting centre
- FTC ReportFraud (US) — US Federal Trade Commission fraud reports
- FBI IC3 (US) — US Internet Crime Complaint Center
- Scamwatch (Australia) — Australian competition & consumer reporting
- Your bank's fraud line — Use the number on the back of your card or in your banking app, never a number shown on a page you reached through the suspicious network
Always verify reporting routes and emergency contacts on the official government or agency website for your country.
Frequently asked questions
Is public Wi-Fi always risky?
Not always, but it carries risks that home or mobile connections do not. Using a VPN on public networks encrypts your traffic and significantly reduces risk. Avoiding sensitive activity such as banking while on public Wi-Fi is an additional precaution.
Does HTTPS protect me on an evil twin network?
HTTPS encrypts the content of your traffic, but a determined attacker may attempt SSL stripping to downgrade the connection. Watch for certificate warnings and missing padlock icons as signals that something is wrong.
Can my device connect automatically to a fake network?
Yes — if your device is set to auto-connect to known networks and the fake network has the same name as one you have connected to before, it may join without prompting you. Review your saved networks and disable automatic connection to generic public network names.
What should I enter in a captive portal login?
Most legitimate captive portals only need your email address (for logging purposes or to send access credentials). Be suspicious of any portal that asks for an actual password, especially for a third-party service like an email account.
Does a VPN protect me on a rogue network?
A VPN encrypts all traffic before it leaves your device, so even an attacker who intercepts your connection sees only encrypted data they cannot read. This is one of the most effective protections against evil twin attacks.
How can I tell if I am on a fake network?
You generally cannot tell by appearance alone. The precaution is to verify the network name with venue staff before connecting and to use a VPN at all times on public networks.
I connected to a suspicious network and entered my email password — what do I do?
Change your email password immediately on a trusted, secure connection. Enable two-factor authentication. Check account activity for unauthorised logins. Review other accounts that use the same password.