What is an evil twin attack?
An evil twin attack is a quiet Wi-Fi scam that plays out in places where connecting feels routine: airports, hotels, cafes, conference halls. An attacker sets up a wireless network that copies the name of a legitimate one, counting on the fact that phones and laptops have no reliable way to verify who actually operates it. When a device connects, the attacker may intercept browsing activity or redirect the user to a convincing login page designed to collect passwords. Nothing appears broken, and the internet continues to work, which is why many victims never realize what happened until cybercriminals access their accounts later. This article explains how evil twin attacks work, why they are difficult to notice, and how ordinary users can reduce the risk.
How does an evil twin attack work?
Evil twin attacks succeed because Wi-Fi prioritizes ease of access over identity verification. Devices are built to connect quickly, remember familiar network names, and rejoin them automatically. Attackers exploit those features in a predictable sequence.
Setting the trap
The attacker begins an evil twin attack by choosing a location where free Wi-Fi is expected and heavily used. Airports and hotels are especially attractive for evil twin access points because travelers are transient and have no reference point for which network name is legitimate. A cafe or conference venue works for the same reason — people assume the Wi-Fi network is legitimate and move on.
The attacker creates a wireless evil twin access point and assigns it a plausible name. In many cases, the name is copied exactly from a real network. At this stage, no one has been targeted yet. The setup is passive. The attacker waits for devices to connect on their own to the evil twin network.
Luring the victim
To increase the odds of success, attackers make their evil twin network more visible than the real one. They may boost signal strength so it appears at the top of a device’s Wi-Fi list. In some cases, they briefly disrupt the real network, causing devices to disconnect and automatically reconnect to the stronger-looking option.
From the user’s perspective, nothing unusual happens. The device reconnects, the internet works, and no alert suggests the network has changed or that they are connected to an evil twin Wi-Fi.
The phishing portal
Once connected, many evil twin attacks present a login or an “accept terms” page. These pages are designed to look identical to legitimate captive portals used by airports, hotels, and cafes. Logos, fonts, and language are copied to avoid suspicion.
If the user enters an email address, password, or confirmation code, that information is sent directly to the attacker. This step is often the primary goal of the evil twin attack. The attacker can later reuse these credentials to access email, social media, cloud storage, or work accounts.
The man-in-the-middle attack
Even when no login page appears, the attacker still gains leverage. All internet traffic passes through the attacker's evil twin Wi-Fi network and equipment before reaching its destination. This allows the attacker to observe browsing behavior and interfere with the connection.
Modern encryption limits what attackers can read, but it does not eliminate risk. Metadata, unsecured connections, and follow-on attacks remain possible. The central problem is control. Once connected to a fake network, the user no longer decides who handles their data.
Rogue AP vs. evil twin: the difference
The terms “rogue access point” and “evil twin” are often used interchangeably, but they describe different situations.
A rogue access point is any unauthorized Wi-Fi network. It may be misconfigured, accidental, or simply unmanaged. A rogue network is not necessarily malicious.
An evil twin, by contrast, is created deliberately to deceive. Its defining feature is imitation. The attacker wants the network to look legitimate so users connect without questioning it. This distinction matters because an evil twin attack is built around social trust rather than technical exploitation.
How to defend yourself against an evil twin attack
The weakness exploited by evil twin attacks is automatic trust. Devices automatically connect to familiar networks, and users rarely check if they are legitimate. Defense against evil twin attacks focuses on challenging that misplaced trust and reducing the damage if a mistake occurs.
Always use a virtual private network (VPN) on public Wi-Fi. A VPN encrypts internet traffic before it leaves the device. If a user connects to a fake network, the attacker cannot read or alter the traffic inside that encrypted tunnel. A VPN does not prevent fake login pages from appearing, but it limits what an attacker can observe or manipulate after the connection is made.
Disable auto-connect and auto-join. Many devices reconnect to previously used networks without prompting the user. Attackers rely on this behavior. Turning auto-connect off forces a manual choice each time and reduces the chance of silent reconnection to a fake network.
Verify the network name. When you need to connect to public Wi-Fi, ask staff for the exact network name. Be cautious if multiple networks appear with similar names or unusually strong signals. Familiar labels are easy to copy.
Stick to HTTPS and use two-factor authentication. HTTPS protects website connections, and two-factor authentication adds a second barrier if a password is stolen. Together, they reduce the value of captured credentials, even if an attacker obtains them.
Use your own hotspot for sensitive tasks. Banking, shopping, and work email are safer over cellular data. A personal hotspot removes public Wi-Fi from the equation entirely.
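The advice above to verify the network name and to be wary of duplicate names, lookalike spellings and unusually strong signals can be turned into a simple check on a Wi-Fi scan. The following is an added example, not code from the article or from NordPass: it assumes scan results have already been collected (for instance from `nmcli -t -f SSID,BSSID,SIGNAL,SECURITY device wifi list` on Linux) and reduced to SSID, BSSID, signal and security fields, and it assumes a trusted baseline of the kind venue staff could supply. The scan rows and the baseline below are constructed for illustration.

```python
"""Flag Wi-Fi scan entries that look like evil twin candidates.

Added example, not part of the original article. The scan rows and the
trusted baseline are constructed; the baseline is an assumption standing in
for what a venue's IT staff would publish about its own access points.
"""
import unicodedata
from dataclasses import dataclass


@dataclass(frozen=True)
class ScanEntry:
    ssid: str
    bssid: str      # access-point MAC address
    signal: int     # 0-100 as nmcli reports it
    security: str   # e.g. "WPA2", "WPA3", or "" for an open network


# Constructed scan: one legitimate venue AP, one open clone of the exact name,
# one clone with a trailing space, one clone with dashes instead of underscores.
SAMPLE_SCAN = [
    ScanEntry("Airport_Free_WiFi", "AA:BB:CC:00:00:01", 58, "WPA2"),
    ScanEntry("Airport_Free_WiFi", "DE:AD:BE:EF:00:01", 96, ""),
    ScanEntry("Airport_Free_WiFi ", "DE:AD:BE:EF:00:02", 91, ""),
    ScanEntry("Airport-Free-WiFi", "DE:AD:BE:EF:00:03", 88, "WPA2"),
    ScanEntry("CoffeeHouse", "11:22:33:44:55:66", 40, "WPA2"),
]

# Assumed baseline: the BSSIDs and security type the venue says it operates.
TRUSTED = {
    "Airport_Free_WiFi": {"bssids": {"AA:BB:CC:00:00:01"}, "security": "WPA2"},
}


def normalize(ssid):
    """Collapse cosmetic differences (case, spacing, punctuation, Unicode
    look-alikes) so that a clone of a trusted name groups with the original."""
    s = unicodedata.normalize("NFKC", ssid).strip().lower()
    return "".join(ch for ch in s if ch.isalnum())


def audit_scan(scan, trusted, signal_gap=25):
    """Return (ssid, bssid, reason) warnings for every entry that resembles a
    trusted network but is not one of its known access points."""
    by_norm = {}
    for entry in scan:
        by_norm.setdefault(normalize(entry.ssid), []).append(entry)
    trusted_norm = {normalize(name): (name, info) for name, info in trusted.items()}

    warnings = []
    for key, entries in by_norm.items():
        if key not in trusted_norm:
            continue  # names unrelated to any trusted network are out of scope
        name, info = trusted_norm[key]
        known = [e for e in entries if e.bssid in info["bssids"]]
        strongest_known = max((e.signal for e in known), default=None)
        for e in entries:
            if e.bssid in info["bssids"]:
                continue
            reasons = []
            if e.ssid != name:
                reasons.append("lookalike name")
            if e.security != info["security"]:
                reasons.append(f"security mismatch ({e.security or 'open'} vs {info['security']})")
            if strongest_known is not None and e.signal - strongest_known >= signal_gap:
                reasons.append("unusually strong signal")
            if not reasons:
                reasons.append("unknown BSSID broadcasting trusted name")
            warnings.append((e.ssid, e.bssid, "; ".join(reasons)))
    return warnings


if __name__ == "__main__":
    for ssid, bssid, reason in audit_scan(SAMPLE_SCAN, TRUSTED):
        print(f"{ssid!r} ({bssid}): {reason}")
```

On the constructed scan this reports three suspicious entries and ignores the unrelated cafe network. The baseline needs every BSSID a venue legitimately operates, since a large site runs many access points under one name and an incomplete list will flag normal roaming; the stronger signals are a trusted name appearing as an open network, or a name that differs only cosmetically from the one staff gave you.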
What to do if you connect to an evil twin Wi-Fi
If you suspect you have connected to a fake network, speed matters. The goal is to cut off access and secure accounts before stolen information is used.
Disconnect from Wi-Fi immediately. Remove the network from your saved list so the device does not reconnect later. Switch to a trusted connection, such as cellular data or a known secure network.
Change passwords. Start with your email account. Email controls password resets for most other services. Then update credentials for financial, work, and social accounts. Using unique passwords for each service prevents a single exposure from spreading.
Run a security scan. Scan your device and install any pending system updates. While most evil twin attacks focus on interception, some attempt to deliver malicious files or configuration changes.
Review account activity. Check for unfamiliar logins or changes. Early detection can prevent long-term damage.
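Two of the steps in this article come down to the same device setting: turning off auto-join for saved Wi-Fi profiles (under "How to defend yourself") and forgetting the suspect network after the fact (the first step above). The following is an added example, not code from the article or from NordPass. It targets Linux NetworkManager and parses the terse output of `nmcli -t -f NAME,TYPE,AUTOCONNECT connection show`; the sample output is constructed, and the function only returns the `nmcli` commands it would run so they can be reviewed first.

```python
"""Audit saved Wi-Fi profiles and build the commands that stop silent re-joins.

Added example, not from the original article. Parses the terse output of
`nmcli -t -f NAME,TYPE,AUTOCONNECT connection show` (Linux NetworkManager).
The sample output below is constructed. Nothing is executed here: the plan is
returned as a list of command strings for the user to review and run.
"""
import shlex

# Constructed sample of `nmcli -t -f NAME,TYPE,AUTOCONNECT connection show`.
# In terse mode nmcli escapes a ':' inside a field value as '\:' (see Home\:Net).
SAMPLE_NMCLI = """\
Wired connection 1:802-3-ethernet:yes
Airport_Free_WiFi:802-11-wireless:yes
Home\\:Net:802-11-wireless:yes
CoffeeHouse:802-11-wireless:no
"""


def parse_terse(text):
    r"""Split nmcli -t lines on unescaped ':' and turn '\:' back into ':'."""
    rows = []
    for line in text.splitlines():
        if not line:
            continue
        fields, current, i = [], [], 0
        while i < len(line):
            ch = line[i]
            if ch == "\\" and i + 1 < len(line):
                current.append(line[i + 1])  # escaped character, keep literally
                i += 2
                continue
            if ch == ":":
                fields.append("".join(current))
                current = []
            else:
                current.append(ch)
            i += 1
        fields.append("".join(current))
        rows.append(fields)
    return rows


def plan_hardening(nmcli_output, forget=()):
    """Return nmcli commands that delete every Wi-Fi profile named in `forget`
    and disable auto-join on every other Wi-Fi profile that still has it on."""
    commands = []
    for name, ctype, autoconnect in parse_terse(nmcli_output):
        if ctype != "802-11-wireless":
            continue  # wired and VPN profiles are not what evil twins abuse
        if name in forget:
            commands.append(f"nmcli connection delete {shlex.quote(name)}")
        elif autoconnect == "yes":
            commands.append(
                f"nmcli connection modify {shlex.quote(name)} connection.autoconnect no"
            )
    return commands


if __name__ == "__main__":
    # Suspect profile named here is part of the constructed scenario.
    for cmd in plan_hardening(SAMPLE_NMCLI, forget={"Airport_Free_WiFi"}):
        print(cmd)
```

With auto-join off, the device still lists the saved networks but waits for you to pick one, which is the manual choice the defense section asks for; `shlex.quote` keeps profile names with spaces or shell metacharacters from breaking the generated command.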
Bottom line
An evil twin attack works because Wi-Fi networks are easy to imitate and difficult for devices to authenticate. The attack does not require hacking software or exploiting flaws. It relies on normal behavior in public spaces and the assumption that a familiar network name can be trusted.
Reducing risk means limiting automatic trust and reducing the usefulness of stolen information. Strong, unique passwords are central to that strategy. A password manager like NordPass helps by generating and storing unique passwords, identifying weak or reused credentials, and making it easier to secure accounts quickly if something goes wrong.