The Short Version
An attacker creates a Wi-Fi network with a familiar name, such as Hotel Guest WiFi or Cafe_Free_WiFi. You pick it because the name looks right, or your device auto-joins it because it remembers that name. Once connected, the attacker controls your gateway: it can observe traffic metadata, serve fake login pages, answer your DNS queries with whatever addresses it likes, and try to steer you toward plain-HTTP sites or downloads.
Modern HTTPS makes evil twin attacks far less devastating than they were years ago, but they are still useful for phishing, captive portal tricks, device tracking, and attacks against apps or sites that still accept plain HTTP or that do not validate TLS certificates.
How an Evil Twin Attack Works
- The attacker sets up a portable access point with a convincing network name.
- The access point is placed inside or near the venue, often with a stronger signal than the legitimate Wi-Fi so that devices prefer it.
- Users connect manually, or devices auto-join a remembered open network name.
- The fake network forwards traffic to the internet so everything appears normal.
- The attacker watches metadata or presents a captive portal that asks for credentials.
What an Attacker Can See
| Traffic Type | What the Attacker May See | What Protects You |
|---|---|---|
| HTTPS websites | Domain (from DNS and the TLS SNI field), timing, data volume; not page content | Valid HTTPS with certificate checks, HSTS, heeding browser warnings |
| HTTP websites | Full page content, cookies and form data; content can also be modified in transit | Avoid HTTP; use HTTPS-only mode |
| DNS lookups | Domains requested; answers can be forged to send you elsewhere | Encrypted DNS (DoH/DoT) or a VPN; the domain still shows in SNI unless the site supports ECH |
| Captive portal input | Anything typed into fake forms | Verify the network and the portal before typing anything |
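The "Domain" entry in the HTTPS row is worth seeing concretely. Every TLS connection to a named site starts with a ClientHello, and in TLS 1.2 and most TLS 1.3 deployments the server_name (SNI) extension in that message carries the hostname in the clear, so a rogue access point learns which sites you visit without breaking encryption. The example below is added here and is not code from the original page: it constructs a minimal ClientHello for a made-up hostname and then parses it the way a passive observer on the access point would. The record layout follows the TLS 1.2 wire format; the hostname, cipher suite and filler bytes are constructed sample input.

```python
import struct


def build_client_hello(hostname: str) -> bytes:
    """Constructed TLS record carrying a ClientHello with a server_name (SNI) extension.
    This is sample input built for the example, not a packet capture."""
    host = hostname.encode("ascii")
    # server_name extension: ServerNameList { NameType host_name(0), HostName<1..2^16-1> }
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list
    # An unrelated extension placed first so the parser has to skip over it.
    other_ext = struct.pack("!HH", 0x000D, 4) + b"\x00\x02\x04\x03"   # signature_algorithms
    extensions = other_ext + sni_ext
    body = (
        b"\x03\x03"                              # client_version: TLS 1.2
        + b"\x11" * 32                           # random (fixed filler for the example)
        + b"\x00"                                # session_id: empty
        + struct.pack("!H", 2) + b"\x13\x01"     # cipher_suites: one suite
        + b"\x01\x00"                            # compression_methods: null
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body      # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # ContentType handshake(22)


def extract_sni(record: bytes):
    """Return the host_name carried in a ClientHello's SNI extension, or None.
    Returns None cleanly for anything that is not a well-formed TLS ClientHello."""
    if len(record) < 5 or record[0] != 0x16:
        return None                                   # not a TLS handshake record
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        return None                                   # not a ClientHello
    p = 4 + 2 + 32                                    # handshake header, version, random
    try:
        sid_len = hs[p]; p += 1 + sid_len                               # session_id
        cs_len = struct.unpack("!H", hs[p:p + 2])[0]; p += 2 + cs_len   # cipher_suites
        cm_len = hs[p]; p += 1 + cm_len                                 # compression_methods
        if p + 2 > len(hs):
            return None                               # no extensions block at all
        ext_len = struct.unpack("!H", hs[p:p + 2])[0]; p += 2
        end = min(p + ext_len, len(hs))
        while p + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[p:p + 4]); p += 4
            data = hs[p:p + elen]; p += elen
            if etype != 0x0000:
                continue                              # not server_name, skip it
            q = 2                                     # skip the ServerNameList length
            while q + 3 <= len(data):
                name_type = data[q]
                name_len = struct.unpack("!H", data[q + 1:q + 3])[0]; q += 3
                name = data[q:q + name_len]; q += name_len
                if name_type == 0 and len(name) == name_len:
                    return name.decode("ascii", errors="replace")
    except (IndexError, struct.error):
        return None                                   # truncated or malformed message
    return None


if __name__ == "__main__":
    print(extract_sni(build_client_hello("bank.example")))
```

Run against the first packet of any HTTPS connection, a parser like this is all an evil twin needs to log where you go. Encrypted Client Hello (ECH) is the fix on the protocol side, but it only helps on sites that have deployed it; until then a VPN is the practical way to keep the SNI out of the access point's view.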
The Captive Portal Trick
The most human part of the attack is the fake portal. A page appears saying you must log in with Google, enter your room number, confirm a credit card, install a certificate, or download a "Wi-Fi helper." That is where people get caught. A legitimate public Wi-Fi portal should not ask for your email password, banking details, or a security certificate install.
How to Protect Yourself on Public Wi-Fi
- Ask the venue for the exact network name, including spaces and punctuation.
- Disable auto-join for open networks, and forget the ones you no longer use, so your device does not join any access point that happens to broadcast a remembered name.
- Use your phone hotspot for banking, admin panels, and sensitive work.
- Connect to a trusted VPN before sending sensitive traffic on public Wi-Fi, and prefer a client that blocks traffic until the tunnel is up.
- Do not ignore browser certificate warnings.
- Do not install certificates, profiles, or apps just to use cafe or hotel Wi-Fi.
Home Networks Can Have Evil Twins Too
At home, an evil twin is less common but still possible. A nearby attacker could broadcast your SSID and try to lure devices during a disconnect. WPA2/WPA3 with a strong passphrase makes this harder: a client will not complete the four-way handshake with an access point that does not know the passphrase, so the fake network cannot pass itself off as the real one. The attacker can still collect the first half of a WPA2 handshake from a device that tries to join and run an offline dictionary attack on a weak passphrase; WPA3 (SAE) is designed to resist that. Open guest networks are easier to imitate because there are no credentials to verify at all.
Signs Something Is Off
Watch for repeated captive portal prompts, certificate warnings, a network name that is slightly different from the posted one, two networks with the same name but different security settings (one open, one password-protected), unusually slow performance, or login pages asking for credentials they should not need. None of these proves an evil twin, but any one of them is reason enough to disconnect and use cellular data.
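Two of the signs above, a name that is slightly off and duplicate names with different security, can be checked mechanically from a scan, and that same check covers the "ask the venue for the exact name, including spaces and punctuation" advice. The example below is added here and is not code from the original page. It audits a constructed scan (not a real capture) against the name and security type the venue posted, flags same-name access points whose security does not match, flags access points whose name only differs by whitespace, case or look-alike characters, and, if you happen to know the real BSSIDs, flags unknown ones using the expected name. The BSSIDs, names and the small confusable table are assumptions made for the example.

```python
import unicodedata

# Constructed scan results for the example (not a real capture):
# (ssid, bssid, security, signal_dbm)
SAMPLE_SCAN = [
    ("Hotel Guest WiFi",      "a4:2b:8c:11:22:33", "WPA2", -61),  # real AP, first radio
    ("Hotel Guest WiFi",      "de:ad:be:ef:00:01", "OPEN", -38),  # same name, open, strongest signal
    ("Hotel Guest WiFi ",     "de:ad:be:ef:00:02", "OPEN", -45),  # trailing space
    ("Hotel Guest WiFi",      "a4:2b:8c:11:22:34", "WPA2", -70),  # real AP, second radio
    ("H\u043etel Guest WiFi", "de:ad:be:ef:00:03", "OPEN", -50),  # Cyrillic 'о' in place of Latin 'o'
    ("Cafe_Free_WiFi",        "00:11:22:33:44:55", "OPEN", -80),  # unrelated network
]

# A few Cyrillic letters that render like Latin ones (assumed minimal table; extend as needed).
CONFUSABLES = {"\u0430": "a", "\u0441": "c", "\u0435": "e", "\u043e": "o",
               "\u0440": "p", "\u0445": "x", "\u0443": "y", "\u0456": "i"}


def normalize_ssid(ssid: str) -> str:
    """Fold an SSID so that whitespace, case and look-alike letters no longer distinguish it."""
    folded = unicodedata.normalize("NFKC", ssid).strip().casefold()
    return "".join(CONFUSABLES.get(ch, ch) for ch in folded)


def audit_scan(scan, expected_ssid, expected_security, known_bssids=()):
    """Compare a scan against the name and security type the venue posted.

    Returns a list of (bssid, ssid, reason) tuples; an empty list means nothing
    looked off. known_bssids is optional: pass the real access points' BSSIDs if
    the venue or a previous visit gave them to you.
    """
    findings = []
    target = normalize_ssid(expected_ssid)
    for ssid, bssid, security, _rssi in scan:
        if ssid == expected_ssid:
            # Exact name: the only things left to check are security type and identity.
            if security != expected_security:
                findings.append((bssid, ssid,
                                 f"same name but {security} instead of {expected_security}"))
            elif known_bssids and bssid not in known_bssids:
                findings.append((bssid, ssid, "unknown BSSID broadcasting the expected name"))
        elif normalize_ssid(ssid) == target:
            # Not the exact name, but indistinguishable to a human glancing at the list.
            findings.append((bssid, ssid,
                             "look-alike name (whitespace, case or confusable characters)"))
    return findings


if __name__ == "__main__":
    real_aps = ("a4:2b:8c:11:22:33", "a4:2b:8c:11:22:34")
    for bssid, ssid, reason in audit_scan(SAMPLE_SCAN, "Hotel Guest WiFi", "WPA2", real_aps):
        print(f"{bssid}  {ssid!r:24}  {reason}")
```

On the constructed scan this flags the three de:ad:be:ef entries and nothing else. Feeding it real data means replacing SAMPLE_SCAN with the output of your platform's scan tool; the comparison logic does not change. The strongest signal in the list belonging to the open impostor is exactly the pattern the attack relies on, which is why signal strength alone is not a trust signal.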
Frequently Asked Questions
Can HTTPS protect me from an evil twin attack?
HTTPS protects the content of properly secured websites, but an evil twin can still see metadata such as the domains you contact, timing, and connection patterns. It can also trick users with fake captive portals, or try to strip HTTPS from sites that do not enforce it with HSTS or that still serve a plain-HTTP version.
Is a VPN useful on fake Wi-Fi?
Yes, if you connect to the VPN before doing sensitive activity. A VPN encrypts traffic between your device and the VPN server, limiting what the fake access point can inspect to the fact that you are talking to that server. Anything sent before the tunnel is up, including the captive portal page and any DNS lookups the VPN client does not route through the tunnel, is still exposed.
How do I know if public Wi-Fi is fake?
You often cannot know for sure from the name alone. Confirm the exact network name with the venue, avoid lookalike names, disable auto-join, and be suspicious of captive portals asking for passwords, payment cards, or social logins.