A fake Wi-Fi network can look real and steal your logins or data. Here’s what an evil twin attack is and how to stay safe on public Wi-Fi.
The threat is real — but most people explain it badly
Most people hear “public Wi-Fi” and jump straight to panic. That is sloppy. The better explanation is this: public Wi-Fi is not automatically malicious, and because most websites now use encryption, using public Wi-Fi is usually safer than it used to be. But a fake hotspot is still dangerous because attackers can copy a venue’s Wi-Fi name, lure you onto their network, push fake sign-in pages, and steal credentials or intercept weakly protected traffic.
A familiar Wi-Fi name proves almost nothing.
What an evil twin attack actually is
An evil twin is a fraudulent wireless access point that pretends to be a legitimate Wi-Fi network. The attacker copies or spoofs a real hotspot’s name so your phone or laptop thinks it is joining the café, hotel, airport, or office network you expected. Australian guidance is blunt on this point: hotspot names are not unique and can be reused by anyone, including criminals. Canada’s Cyber Centre also warns that rogue access points are common in public Wi-Fi environments and can impersonate trusted networks.
That is what makes the attack effective. It does not need a flashy exploit. It exploits trust, habit, and convenience. If your device auto-connects, or if you assume the network name is enough proof, you are already closer to the attacker than you think.
How the attack works
The basic playbook is simple:
- The attacker creates a hotspot that imitates a real one in the area, such as an airport, hotel, café, or airline Wi-Fi service.
- You connect to it directly, or your device reconnects automatically because it recognizes the saved network name.
- The fake network sends you to a bogus captive portal or login page and asks for an email, social login, or other credentials. In the Australian Federal Police (AFP) case described below, investigators alleged those details were saved to the attacker’s devices.
- From there, the attacker may intercept unencrypted traffic, redirect you to malicious websites, inject malicious proxies, or capture sensitive information that is not otherwise protected.
What attackers can do — and what they often cannot
Here is the nuance most articles miss. An evil twin does not automatically mean an attacker can read every single thing you do online. The FTC says most websites now use encryption, and that widespread encryption means connecting through public Wi-Fi is usually safe in ordinary browsing. On a legitimate HTTPS site, your traffic is generally encrypted between your device and that site.
But that does not make fake hotspots harmless. An attacker can still steal credentials if you type them into a fake portal or fake website. The FTC also warns that scammers can create fake websites and encrypt them, so the lock icon alone does not prove the site is trustworthy. That is why an evil twin is still effective even in an HTTPS-heavy internet.
So the blunt version is this:
- Can steal: credentials entered into fake captive portals, fake websites, or malicious sign-in pages.
- Can expose: unencrypted traffic and some sensitive activity on poorly protected services.
- Can manipulate: traffic in some cases by redirecting you or inserting malicious intermediaries.
- Usually cannot: simply read all traffic from a legitimate HTTPS session in plain text.
A real case, not a theory
This is not hypothetical. In June 2024, the Australian Federal Police charged a man they said created “evil twin” free Wi-Fi networks that mimicked legitimate services to capture personal data. The AFP said victims were redirected to fake sign-in pages and that investigators found dozens of personal credentials and fraudulent Wi-Fi pages on seized devices. In November 2025, the AFP said the same man was sentenced to seven years and four months’ imprisonment after the investigation that began when airline staff spotted a suspicious Wi-Fi network during a domestic flight.
That case matters because it shows exactly how these attacks work in the real world: familiar network name, fake login page, stolen credentials, real damage.
Signs something is wrong
A fake hotspot is designed to look normal, so there is no perfect visual test. Still, these warning signs matter:
- You are asked to sign in with an email or social account on a page you did not expect.
- The hotspot name matches the venue loosely, but you never verified it with staff or signage. Hotspot names are not unique.
- Your browser throws certificate or security warnings on sites you normally trust. Australian guidance says to stop, disconnect, and forget the network if that happens.
- The network is open when you expected a password-protected service, or there are multiple similarly named hotspots competing for attention.
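As an added example (not from the original article), a small Python script that applies the last two warning signs to a wireless scan. It parses the output format of `nmcli -t -f SSID,BSSID,SECURITY dev wifi` (the sample scan below is constructed, not a real capture) and flags two things a venue's own access points do not normally produce: names that look alike once case, spacing and punctuation are ignored, and one name advertised both open and password-protected. It goes slightly beyond the text by normalizing names so look-alikes group together.

```python
import re
from collections import defaultdict

# Constructed sample in the format of `nmcli -t -f SSID,BSSID,SECURITY dev wifi`
# (terse mode escapes the colons inside the BSSID as "\:"). Made up for this example.
SAMPLE_SCAN = r"""Airport Free WiFi:AA\:11\:22\:33\:44\:01:WPA2
Airport Free WiFi:AA\:11\:22\:33\:44\:02:WPA2
Airport Free WiFi:DE\:AD\:BE\:EF\:00\:01:
Airport_Free_WiFi:DE\:AD\:BE\:EF\:00\:02:
CafeGuest:00\:11\:22\:33\:44\:55:WPA2
"""

def parse_nmcli_terse(text):
    """Split terse nmcli lines on unescaped ':' and unescape '\\:' inside fields."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = [f.replace(r"\:", ":") for f in re.split(r"(?<!\\):", line)]
        ssid, bssid, security = fields[0], fields[1], fields[2]
        rows.append({"ssid": ssid, "bssid": bssid, "open": security == ""})
    return rows

def normalize(ssid):
    """Collapse case, spacing and punctuation so look-alike names group together."""
    return re.sub(r"[^a-z0-9]", "", ssid.lower())

def suspicious_networks(rows):
    """Return warnings. A venue legitimately runs several APs under one SSID with
    the same security, so only flag (a) distinct raw names that normalize to the
    same string and (b) one name advertised both open and encrypted."""
    by_norm = defaultdict(list)
    for r in rows:
        by_norm[normalize(r["ssid"])].append(r)
    warnings = []
    for group in by_norm.values():
        names = sorted({r["ssid"] for r in group})
        if len(names) > 1:
            warnings.append(f"look-alike names: {names}")
        for name in names:
            modes = {r["open"] for r in group if r["ssid"] == name}
            if modes == {True, False}:
                warnings.append(f"'{name}' is advertised both open and password-protected")
    return warnings

if __name__ == "__main__":
    for w in suspicious_networks(parse_nmcli_terse(SAMPLE_SCAN)):
        print("WARNING:", w)
```

A clean result does not prove the network is genuine; it only means the scan shows none of these two cheap tells, so verifying the name with staff still applies.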
How to secure yourself
1) Use your mobile hotspot or cellular data when it matters
This is the cleanest fix. The UK NCSC says the simplest precaution is to avoid unknown hotspots and use your mobile connection instead. The NSA likewise advises avoiding public Wi-Fi when possible and using a corporate or personal hotspot with strong authentication and encryption. Australian guidance also says that if you are unsure, wait and use a trusted mobile or home connection instead.
2) Verify the exact network before you connect
Do not trust the network name on sight. Check signage or ask staff for the exact hotspot name. That single habit cuts through the entire scam because the attack depends on you treating a familiar name as proof.
3) Turn off auto-join and forget the network when you are done
Auto-connect is convenient for you and useful for attackers. Australian guidance specifically recommends disabling auto-join or auto-connect for public hotspots and forgetting the network after use so your device does not reconnect later without you noticing.
4) Prefer password-protected Wi-Fi over open networks
Open public Wi-Fi is weaker by design. The NSA warns that data sent over open public Wi-Fi is vulnerable to theft or manipulation, and Australian guidance says to prefer hotspots that require a password where possible. A password does not make a network magically safe, but open networks are a worse bet.
5) Use HTTPS — but do not worship the padlock
Look for https and the lock icon, because encrypted connections help protect your data in transit. But do not stop thinking once you see the padlock. The FTC warns that scammers can encrypt fake websites too. HTTPS helps; it does not verify the site’s honesty for you.
6) Use a reputable VPN if you use public Wi-Fi often
A VPN adds another layer by encrypting traffic between your device and the VPN service, which helps on hostile or untrusted networks. Australian guidance calls it an extra layer of protection on public hotspots, and the NCSC says VPNs encrypt data before it is sent across the internet. But a VPN is not magic: it does not stop you from typing your password into a fake portal, and it does not make a scam website legitimate.
7) Disable file sharing and keep your device updated
Australia’s cyber guidance says to switch off file sharing on public Wi-Fi so criminals cannot potentially access your files or place malicious files on your device. The FTC also recommends keeping your operating system, browser, phone, and security software updated. Attackers love old software and exposed sharing features.
8) Turn on multi-factor authentication everywhere you can
If your password is stolen, MFA can still stop or slow the account takeover. The FTC explicitly recommends strong passwords and two-factor authentication, and this is one of the few defenses that still helps after a credential theft attempt succeeds.
What actually helps most
- Best option: personal hotspot or mobile data for anything sensitive.
- Best habit: verify the hotspot with staff, then disable auto-join.
- Best technical layer: HTTPS plus a reputable VPN on public Wi-Fi.
- Best damage control: MFA and updated devices.
If you run a business, school, or managed network
Shared passwords are weak. Canada’s Cyber Centre warns that spoofed corporate Wi-Fi and poor certificate validation can open the door to credential theft, and it recommends enterprise approaches over simple pre-shared keys for organizations. For higher-assurance deployments, NSA guidance specifies WPA3-Enterprise with mutual authentication using EAP-TLS and device certificates. In plain English: serious organizations should not rely on “one Wi-Fi password for everyone” and hope for the best.
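As an added example (not part of the article or of the guidance it cites), a Python check that applies the enterprise bar just described to wpa_supplicant network blocks. Both blocks, the SSID, the identities, the server name and the certificate paths are constructed for illustration. The weak block is an 802.1X profile that never validates the authentication server's certificate, which is the poor certificate validation the Cyber Centre warning is about; the hardened block pins the CA, checks the server name and authenticates the device with its own certificate over EAP-TLS.

```python
import re

# Two constructed wpa_supplicant network blocks (all values are made up).
WEAK = """network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="hunter2"
    phase2="auth=MSCHAPV2"
}"""

HARDENED = """network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP-SUITE-B-192
    eap=TLS
    identity="laptop-0421@corp.example"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_match="radius.corp.example"
    client_cert="/etc/wpa_supplicant/laptop.pem"
    private_key="/etc/wpa_supplicant/laptop.key"
}"""

def parse_network_block(text):
    """Turn the key=value lines inside network={...} into a dict, dropping quotes."""
    body = re.search(r"network=\{(.*?)\}", text, re.S).group(1)
    settings = {}
    for line in body.splitlines():
        line = line.strip()
        if "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)  # values like auth=MSCHAPV2 keep their '='
            settings[key.strip()] = value.strip().strip('"')
    return settings

ENTERPRISE_KEY_MGMT = {"WPA-EAP", "WPA-EAP-SHA256", "WPA-EAP-SUITE-B-192"}

def audit(settings):
    """Return findings; an empty list means the block meets the enterprise bar."""
    findings = []
    if settings.get("key_mgmt") not in ENTERPRISE_KEY_MGMT:
        findings.append("not 802.1X/EAP: a shared passphrase is used")
    if settings.get("eap") != "TLS":
        findings.append("eap is not TLS: no mutual certificate authentication")
    if "ca_cert" not in settings:
        findings.append("no ca_cert: the authentication server's certificate is not validated")
    if not any(k in settings for k in ("domain_match", "domain_suffix_match", "subject_match")):
        findings.append("no domain_match: any certificate from the trusted CA is accepted")
    if settings.get("eap") == "TLS" and not all(k in settings for k in ("client_cert", "private_key")):
        findings.append("EAP-TLS without a device certificate and private key")
    return findings

if __name__ == "__main__":
    print(audit(parse_network_block(WEAK)), audit(parse_network_block(HARDENED)))
```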
Bottom line
An evil twin attack is not a magic hack. It is a fake hotspot that wins because people trust a familiar Wi-Fi name too quickly. That is the whole game.
The fix is simple and practical: use your own hotspot when you can, verify public networks before you join them, disable auto-connect, use HTTPS, add a reputable VPN, keep file sharing off, and turn on MFA. Do that, and you cut the risk hard.