How the Attack Works
Evil twin Wi-Fi attacks create a fake wireless network that mimics a legitimate public hotspot. When you connect, the attacker controls your internet traffic and can serve fake login pages, intercept data, and harvest credentials. ScamVerify™ tracks 60,758 ThreatFox IOCs and 74,032 URLhaus malicious domains, many of which are deployed through public Wi-Fi attack infrastructure.
The attack is effective because it exploits a fundamental trust assumption: when your phone or laptop connects to "Starbucks WiFi" or "Airport Free WiFi," you assume the network is operated by that business. Evil twin attacks abuse this assumption with inexpensive hardware and minimal technical skill.
The Evil Twin Attack, Step by Step
Step 1: Setting Up the Fake Network
The attacker uses a laptop or portable router to broadcast a Wi-Fi network with the same name (SSID) as a legitimate hotspot. In a coffee shop with a network called "CoffeeShop_WiFi," the attacker creates an identical network. Many attackers use a stronger signal to ensure their fake network appears first in the device's network list.
Equipment costs are minimal:
| Equipment | Cost | Purpose |
|---|---|---|
| Wi-Fi adapter with AP mode | $30-50 | Broadcast fake network |
| Laptop running Linux | Existing device | Control panel and logging |
| Portable battery pack | $20-40 | Mobile operation |
| Software (hostapd, dnsmasq) | Free, open source | Network and DNS management |
Total investment: under $100. The attack can be run from a backpack.
Step 2: The Captive Portal
When victims connect to the evil twin network, their browser is redirected to a captive portal, the login page that appears before granting internet access. This page is controlled entirely by the attacker.
Common captive portal disguises include:
- "Accept Terms and Conditions" pages that ask for an email address and password
- "Sign in with Google/Facebook" buttons that redirect to cloned login pages
- "Enter your room number" for hotel Wi-Fi that also requests payment card details
- "Free 30-minute access" pages that require registration with personal information
Step 3: Credential Harvesting
Every piece of information entered on the captive portal goes directly to the attacker. If the portal mimics a Google login page, the attacker captures the victim's Google credentials. If it requests payment card information for "premium access," the attacker has the card number.
This is a form of credential harvesting, the same technique used by phishing websites but delivered through a controlled network rather than a phishing link.
Step 4: Traffic Interception
Beyond the initial captive portal, the attacker can monitor and manipulate all unencrypted traffic passing through their network. This includes:
- HTTP websites visited (traffic to HTTPS sites remains encrypted end-to-end)
- DNS queries revealing which websites the victim visits
- Unencrypted app traffic from mobile apps that do not use TLS
- Session tokens from insecure websites that can be replayed to hijack accounts
Where Evil Twin Attacks Happen
Public locations with free Wi-Fi are the primary targets because they attract high volumes of users who expect to see an open network:
| Location | Why It Is Targeted |
|---|---|
| Coffee shops | Long sessions, users log into multiple accounts |
| Airports | High volume, travelers check email and banking |
| Hotels | Room number prompt creates plausible login page |
| Libraries | Users access sensitive accounts on public computers |
| Conference centers | Professionals connect to corporate email |
| Shopping malls | Shoppers check banking apps and make purchases |
Airports are especially attractive because travelers are often distracted, in a hurry, and more likely to connect to the first network that appears without verifying it.
Why Your Phone Connects Automatically
Most smartphones and laptops are configured to automatically connect to previously used networks. If you once connected to a network called "Free_Airport_WiFi," your device will automatically connect to any network with that name in the future, including an evil twin.
This auto-connect behavior means an attacker can set up a network using common SSIDs ("attwifi," "xfinitywifi," "Free_WiFi") and passively collect connections from devices that have previously used networks with those names.
How to Protect Yourself
1. Use a VPN
A Virtual Private Network encrypts all traffic between your device and the VPN server, making it unreadable to the evil twin operator. Even if the attacker controls the network, they see only encrypted traffic. Use a reputable paid VPN service (NordVPN, ExpressVPN, Mullvad) rather than free VPN apps that may have their own privacy issues.
2. Verify the Network Name
Ask a staff member for the exact Wi-Fi network name and password before connecting. If a coffee shop's official network is "CoffeeShop_Guest" and you also see "CoffeeShop_WiFi" and "CoffeeShop_FreeWifi," the extras may be evil twins.
3. Disable Auto-Connect
Turn off automatic Wi-Fi connections in your device settings. On iPhone: Settings > Wi-Fi > Ask to Join Networks. On Android: Settings > Network > Wi-Fi > Wi-Fi Preferences > turn off "Connect to open networks."
4. Never Enter Credentials on Captive Portals
If a public Wi-Fi login page asks for your Google, Facebook, or email credentials, close it. Legitimate captive portals ask for acceptance of terms or a simple access code, not third-party login credentials.
5. Check URLs Before Logging In
If you must access sensitive sites on public Wi-Fi, type the URL directly. Never click links, and verify the URL matches exactly. Run unfamiliar URLs through the ScamVerify website checker to check against known threat databases.
6. Use Cellular Data for Sensitive Activities
For banking, email, and any site requiring credentials, switch to cellular data instead of public Wi-Fi. Cellular connections are encrypted and far more difficult to intercept than Wi-Fi.
Signs You Are on an Evil Twin Network
| Warning Sign | What It Means |
|---|---|
| Multiple networks with similar names | One may be an evil twin |
| Unusually strong signal for a public network | Attacker may be nearby with boosted signal |
| Captive portal asks for third-party login | Legitimate portals do not require Google/Facebook sign-in |
| SSL/TLS certificate warnings when visiting HTTPS sites | Network may be attempting to intercept encrypted traffic |
| Slower than expected speeds | Traffic may be routed through attacker's equipment |
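The first two warning signs can be checked mechanically against a Wi-Fi scan. The following is an added example, not part of the original article: it assumes staff confirmed the network name "CoffeeShop_Guest" and that it requires a password, and it reads a constructed scan listing in nmcli's terse format. The function names and the similarity threshold are illustrative choices.

```python
import re
from difflib import SequenceMatcher

# Constructed sample shaped like the output of
#   nmcli -t -f SSID,BSSID,SECURITY,SIGNAL device wifi list
# (terse mode escapes ':' inside a value as '\:'). All values are made up.
SAMPLE_SCAN = r"""
CoffeeShop_Guest:AA\:AA\:AA\:00\:00\:01:WPA2:62
CoffeeShop_Guest:AA\:AA\:AA\:00\:00\:02:WPA2:48
CoffeeShop_Guest:12\:34\:56\:78\:9A\:BC::91
CoffeeShop_WiFi:12\:34\:56\:78\:9A\:BD::88
Bookstore_Upstairs:BB\:BB\:BB\:00\:00\:01:WPA2:35
"""

def parse_scan(text):
    """Split each terse line on unescaped ':' and unescape the fields."""
    aps = []
    for line in text.strip().splitlines():
        ssid, bssid, security, signal = (
            field.replace("\\:", ":") for field in re.split(r"(?<!\\):", line))
        aps.append({"ssid": ssid, "bssid": bssid, "signal": int(signal),
                    "open": security in ("", "--")})
    return aps

def find_suspects(aps, verified_ssid, verified_has_password=True, threshold=0.6):
    """Return (bssid, ssid, signal, reason) for APs that contradict what staff said."""
    findings = []
    for ap in aps:
        if ap["ssid"] == verified_ssid:
            # Same name, but open while the real network needs a password.
            if verified_has_password and ap["open"]:
                findings.append((ap["bssid"], ap["ssid"], ap["signal"],
                                 "same name, no password"))
        else:
            # Near-identical name that staff did not confirm.
            score = SequenceMatcher(None, ap["ssid"].lower(),
                                    verified_ssid.lower()).ratio()
            if score >= threshold:
                findings.append((ap["bssid"], ap["ssid"], ap["signal"],
                                 "lookalike name"))
    return findings

if __name__ == "__main__":
    for bssid, ssid, signal, reason in find_suspects(
            parse_scan(SAMPLE_SCAN), "CoffeeShop_Guest"):
        print(f"{ssid} [{bssid}] signal {signal}: {reason}")
```

An empty result only rules out the name and encryption mismatches checked here; it does not prove that a network is genuine.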
What to Do If You Connected to a Suspicious Network
- Disconnect immediately and forget the network in your device settings
- Change passwords for any accounts you accessed while connected
- Enable two-factor authentication on all sensitive accounts
- Check account activity for unauthorized logins or transactions
- Monitor credit card statements if you entered payment information
FAQ
Can HTTPS protect me on an evil twin network?
Partially. HTTPS encrypts the data between your browser and the website, so the attacker cannot read the content of your communications with HTTPS sites. However, the attacker can still see which websites you visit (via DNS queries), and the captive portal itself runs before you reach any HTTPS site. A VPN provides more complete protection.
Can evil twin attacks affect my home Wi-Fi?
It is theoretically possible but extremely unlikely. An attacker would need to be physically close to your home and broadcast a network with your exact SSID and a stronger signal. Home networks protected with WPA3 or WPA2 passwords are not vulnerable to this specific attack because the attacker cannot replicate your password.
How common are evil twin attacks?
Exact statistics are difficult to determine because many victims never realize they were attacked. Security researchers regularly demonstrate evil twin attacks at conferences and in audits, and the low cost of equipment makes them accessible to anyone. Assume any public Wi-Fi network could potentially be compromised.
Is using my phone as a hotspot safer?
Yes. Your phone's cellular connection and personal hotspot are significantly safer than public Wi-Fi. The connection is encrypted by your carrier, and the hotspot password is controlled by you. When security matters, tethering through your phone is one of the best options available.