Fake Wi-Fi Captive Portal Scam
Fraudsters set up rogue Wi-Fi hotspots with legitimate-looking login pages to harvest credentials or card details, or to install malware on connecting devices.
Last reviewed: 1 June 2026
What this scam is
A fake Wi-Fi captive portal scam involves a fraudster creating a rogue wireless access point that mimics a genuine public Wi-Fi network — typically in hotels, airports, coffee shops, or transport hubs. When a device connects, it is redirected to a convincing login or payment page before being granted internet access.
The fake portal collects whatever information it requests: an email address and password (which the victim may reuse elsewhere), a credit card number for a fictional access fee, or social media login credentials. Some portals serve the victim functional internet access after credential harvesting to delay detection.
More sophisticated variants use the connected session to perform man-in-the-middle attacks: intercepting unencrypted traffic, injecting malicious scripts into web pages, or redirecting to fake bank login pages. The attack requires only modest technical knowledge and inexpensive hardware.
How it works
The attacker uses a portable wireless router or laptop configured as an access point to broadcast an SSID that matches or closely resembles the legitimate venue network. Common examples include 'Hotel_Guest_Free' where the real network is 'Hotel_Guest', or an entirely unlabelled open network in a location where free Wi-Fi is expected.
When the victim connects and opens a browser, they are redirected to a splash page resembling the genuine venue's portal — complete with logos and styling copied from the real site. The page may ask for email and password, social media single sign-on, or a small card payment for faster speed.
Once credentials are entered, the attacker captures them and may redirect the victim to the real network or maintain the connection to continue intercepting traffic. Card details are harvested for fraud. Email or social media passwords are tested against common services immediately.
Why this scam works
Connecting to Wi-Fi portals that ask for login details is a familiar, normalised experience. Hotels, airports, and coffee shops all use captive portals routinely. The act of entering credentials or accepting terms to gain internet access does not trigger the same alarm response as a cold email or unsolicited phone call.
The attack exploits the gap between what people expect (a routine portal) and the reality (a harvesting page). When someone is travelling, tired, or trying to get online quickly, they have little attention to spare for scrutinising a portal's design.
Common red flags
- The Wi-Fi network name is similar but not identical to the expected venue network
- The portal asks for a password you use elsewhere — email, social media, or work credentials
- The portal requests a card payment for access where you expected free Wi-Fi
- The page design is slightly off — wrong fonts, outdated logo, or mismatched branding
- The HTTPS padlock is absent or shows a certificate warning on the portal page
- You cannot find the network listed on the venue's official Wi-Fi information
- The portal URL is an IP address rather than the venue's domain
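The red flags above that can be checked mechanically (a near-match network name, a portal URL on an IP address, missing HTTPS, a host outside the venue's domain), written as an added example that is not part of the original page. The function names, the 0.8 similarity threshold and the `hotel.example` domain are assumptions, and the sample observations are constructed.

```python
import ipaddress
from difflib import SequenceMatcher
from urllib.parse import urlsplit

def _norm(ssid):
    # Fold case and drop separators so "Hotel-Guest" and "hotel_guest" compare equal.
    return "".join(ch for ch in ssid.lower() if ch.isalnum())

def ssid_flags(seen_ssid, official_ssid, threshold=0.8):
    """Flag a network name that is similar but not identical to the official one."""
    if seen_ssid == official_ssid:
        return []  # exact match: the name alone cannot rule out an evil twin
    a, b = _norm(seen_ssid), _norm(official_ssid)
    if not b:
        return []
    ratio = SequenceMatcher(None, a, b).ratio()
    if a.startswith(b) or ratio >= threshold:  # threshold is an assumed tuning value
        return ["ssid_lookalike"]
    return []

def portal_flags(portal_url, venue_domain):
    """Flag portal URLs that lack HTTPS, use an IP address, or sit off the venue's domain."""
    parts = urlsplit(portal_url)
    host = (parts.hostname or "").lower()
    flags = []
    if parts.scheme != "https":
        flags.append("no_https")
    try:
        ipaddress.ip_address(host)
        flags.append("ip_address_host")
    except ValueError:
        venue = venue_domain.lower()
        if host != venue and not host.endswith("." + venue):
            flags.append("not_venue_domain")
    return flags

def assess(seen_ssid, portal_url, official_ssid, venue_domain):
    return ssid_flags(seen_ssid, official_ssid) + portal_flags(portal_url, venue_domain)

# Constructed sample observations (not taken from a real incident).
SAMPLES = [
    ("Hotel_Guest", "https://wifi.hotel.example/login"),
    ("Hotel_Guest_Free", "http://192.168.4.1/login.html"),
    ("Hotel_Guest", "https://hotel.example.portal-login.test/"),
]

if __name__ == "__main__":
    for ssid, url in SAMPLES:
        print(ssid, url, assess(ssid, url, "Hotel_Guest", "hotel.example"))
```

An empty result only means none of these specific flags fired; a rogue access point can broadcast the exact official name, so the network name and portal address still need confirming with venue staff.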
Sanitized example messages
Illustrative, sanitized examples. Personal details are replaced with placeholders such as [phone number] and [fake link].
[Hotel name] Guest Wi-Fi Portal. Please sign in with your email and password to access the network.
Welcome to [Airport] Free Wi-Fi. For unlimited browsing, sign in with your Facebook or Google account.
[Cafe name] Wi-Fi. A small access fee of [amount] gives you all-day high-speed access. Enter card details below.
Your connection is limited. To continue, verify your identity by logging in with your email address.
Common variations
- Evil twin attack — exact copy of legitimate SSID with stronger signal
- Conference network impersonation targeting business attendees
- Hotel floor-specific network mimicking the genuine in-room Wi-Fi name
- Transport hub rogue hotspot targeting commuters
How to verify before you act
Ask venue staff for the exact Wi-Fi network name and URL of their portal before connecting. Legitimate portals rarely ask for your existing email password or social media credentials — they ask only for a voucher code, room number, or email address for verification. Never enter a password you use elsewhere into a Wi-Fi portal. Use a VPN on any public network to encrypt your traffic even if you connect to a rogue access point.
Payment methods used
- Credit or debit card entered on portal page
- No payment required — credential-only harvest
Who is usually targeted
- Travellers and tourists
- Business travellers with sensitive information
- People using hotel or airport Wi-Fi frequently
- Anyone who reuses passwords across services
What to do immediately
- Disconnect from the network immediately
- Change the password for any account credentials entered on the portal page
- Contact your card issuer if you entered payment details to block and replace the card
- Enable two-factor authentication on affected accounts
- Report the rogue network to the venue so they can warn other guests
- Run a security scan on your device if you believe traffic may have been intercepted
How to prevent it
- Verify the exact Wi-Fi network name with venue staff before connecting
- Use a VPN on all public Wi-Fi networks without exception
- Never enter existing account passwords into a Wi-Fi captive portal
- Use mobile data instead of public Wi-Fi for sensitive transactions
- Enable two-factor authentication on all important accounts as a backstop against credential theft
- Keep auto-connect to open networks disabled on your devices
Evidence to preserve
- Screenshot of the portal page and its URL
- The SSID (network name) of the rogue access point
- Any confirmation or receipt the portal provided
- Your device's Wi-Fi connection logs if accessible
Where to report it
- Action Fraud (UK) — UK national fraud & cybercrime reporting centre
- FTC ReportFraud (US) — US Federal Trade Commission fraud reports
- FBI IC3 (US) — US Internet Crime Complaint Center
- Scamwatch (Australia) — Australian competition & consumer reporting
- Your bank's fraud line — Use the number on the back of your card or in your banking app — never a number the caller gives you
Always verify reporting routes and emergency contacts on the official government or agency website for your country.
Frequently asked questions
Is it safe to use any public Wi-Fi?
Public Wi-Fi carries inherent risks. The safest approach is to use a reputable VPN on all public networks, which encrypts your traffic even if you connect to a rogue access point. For banking or sensitive work, prefer mobile data or a personal hotspot.
How can I tell a real hotel portal from a fake one?
Ask hotel staff for the exact network name and what the portal page looks like. Genuine hotel portals typically ask only for a room number or booking reference — not for an external account password. The URL should show the hotel's own domain, not an IP address.