What is an evil twin attack?


One of the first things you probably do after landing in a new country is connect to the airport’s Wi-Fi; it is a quick and easy way to get back online after a long flight. In scenarios like this, the prevalence of public Wi-Fi is a blessing. However, this widespread use of public Wi-Fi also gives attackers an opportunity.

Evil twin attacks happen when you connect to a fake Wi-Fi network that imitates a legitimate network. Attackers can capture your network traffic, login credentials, and other sensitive information while you’re connected to this evil twin network. These networks are nearly impossible to identify because they share the same Service Set Identifier (SSID) name, and potentially the same media access control (MAC) address, as the legitimate network.

How do evil twin attacks work?

Evil twin attacks aim to trick users into connecting to malicious Wi-Fi networks masquerading as legitimate ones. Hackers pull this off by:

  • Choosing a location with public Wi-Fi. Hackers choose busy locations with free Wi-Fi, like airports and cafes. These locations typically have multiple access points with the same name, making it easy for the evil twin network to go undetected.
  • Setting up a Wi-Fi access point. The hacker creates a new hotspot using the same SSID name as the legitimate network. A Wi-Fi Pineapple—a type of router used by hackers to intercept data—might also come into play.
  • Creating a fake captive portal page. Before you sign in to a public Wi-Fi network, you’re typically asked to submit some data on a log-in page known as a captive portal. Hackers replicate this page to trick users into disclosing login credentials or other sensitive information.
  • Encouraging victims to connect to evil twin Wi-Fi. Hackers set up the evil twin access point close to potential victims, creating a stronger signal. This encourages victims to connect to the evil twin network over the weaker, legitimate network.
  • Collecting the victim’s data. When a victim connects to an evil twin network, the hacker can monitor their online behavior. If the victim logs into any of their online accounts, such as social media or banking apps, the hacker can collect the login credentials and use them to access those accounts.

Example of an evil twin attack

Let’s use the airport scenario from the start of this article. You are eager to get back online after a long flight, and on the many screens littered around the terminal, you see the airport’s Wi-Fi SSID name and password. On your phone, you see multiple Wi-Fi networks with the same name and choose to connect to the strongest one despite the “Unsecure” label, and you assume the network is legitimate since the password works without issue.

Unbeknownst to you, you have just connected to an evil twin network. Using the readily available Wi-Fi details displayed around the airport, hackers have replicated the legitimate network by creating a hotspot with the same SSID name and password. To achieve a strong signal and cover more range within the airport, the hackers employ a Wi-Fi Pineapple and intentionally set their access point closer to the arrival halls.

Through the malicious Wi-Fi network, the attacker might now be able to see everything you do and type, including information like your bank account number and passwords.


How to detect an evil twin Wi-Fi network

Evil twin Wi-Fi networks are intentionally hard to spot, and most of our devices cannot distinguish between a legitimate network and a fake one. However, there are some best practices you can employ to protect yourself.

  • Pay attention to Wi-Fi names. If a Wi-Fi network’s name contains apparent typos and errors, it is best to treat it as a sign of a fake network. 
  • Heed device alerts. If your device warns you that a network is “Unsecure,” think twice before connecting to it.
  • Be suspicious of duplicate networks. If you’re in a new location with multiple identical networks and unsure of their legitimacy, you’re probably better off not connecting to any of them.
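
The three checks above can be applied to a list of nearby networks. The Python below is an added example, not code from the original article; the scan entries, their field names, the `review_scan` helper and the 0.85 similarity threshold are assumptions made for illustration.

```python
from collections import defaultdict
from difflib import SequenceMatcher

# Constructed sample scan (not a real capture): one entry per access point seen.
SAMPLE_SCAN = [
    {"ssid": "Airport_Free_WiFi", "bssid": "aa:bb:cc:00:00:01", "security": "WPA2", "signal_dbm": -71},
    {"ssid": "Airport_Free_WiFi", "bssid": "aa:bb:cc:00:00:02", "security": "WPA2", "signal_dbm": -78},
    {"ssid": "Airport_Free_WiFi", "bssid": "de:ad:be:ef:00:01", "security": "open", "signal_dbm": -42},
    {"ssid": "Airport_Free_WiFl", "bssid": "de:ad:be:ef:00:02", "security": "open", "signal_dbm": -55},
    {"ssid": "CoffeeShop", "bssid": "11:22:33:44:55:66", "security": "WPA2", "signal_dbm": -80},
]

def review_scan(scan, expected_ssid):
    """Return (bssid, reason) warnings for access points that resemble expected_ssid."""
    warnings = []
    by_ssid = defaultdict(list)
    for ap in scan:
        by_ssid[ap["ssid"]].append(ap)

    # Check 1: names that are near-misses (typos) of the network you mean to join.
    for ssid, aps in by_ssid.items():
        similarity = SequenceMatcher(None, ssid.lower(), expected_ssid.lower()).ratio()
        if ssid != expected_ssid and similarity >= 0.85:
            for ap in aps:
                warnings.append((ap["bssid"], f"name {ssid!r} looks like a typo of {expected_ssid!r}"))

    # Check 2: duplicates of the expected name that disagree on encryption.
    twins = by_ssid.get(expected_ssid, [])
    mixed_security = len({ap["security"] for ap in twins}) > 1
    if mixed_security:
        for ap in twins:
            if ap["security"] == "open":
                warnings.append((ap["bssid"], "unencrypted duplicate of an encrypted network"))

    # Check 3: the unencrypted duplicate is also the strongest signal on offer.
    if mixed_security:
        strongest = max(twins, key=lambda ap: ap["signal_dbm"])
        if strongest["security"] == "open":
            warnings.append((strongest["bssid"], "strongest signal comes from the unencrypted duplicate"))
    return warnings

if __name__ == "__main__":
    for bssid, reason in review_scan(SAMPLE_SCAN, "Airport_Free_WiFi"):
        print(f"{bssid}: {reason}")
```

A twin that copies the real network’s encryption setting and MAC address passes all three checks, which is why these signals are reasons for suspicion rather than proof that a network is safe.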

How to prevent an evil twin attack

You can avoid falling for an evil twin attack by taking these precautions:

  • Avoid Wi-Fi networks marked as “Unsecure.” These networks lack basic security features, and data sent over them has no protection or encryption. Evil twin networks usually have this designation.
  • Use your own hotspot. If you have mobile data on one device, connect to it as a personal hotspot instead of public Wi-Fi. You can set up your personal hotspot from the settings of your mobile phone, but be mindful of the mobile data consumption to avoid extra charges.
  • Disable Wi-Fi autosave. If you’ve previously connected to a malicious network, autosaving Wi-Fi will reconnect you to the network the next time you’re in range, putting you at risk of another attack. Set your device to ask for permission before connecting to any network.
  • Use a VPN. This is the easiest way to stay safe on public Wi-Fi. A VPN sends all your online traffic through an encrypted tunnel, so even if someone intercepts your activity, they won’t be able to see any of it.
  • Only browse HTTPS sites. If you must use public Wi-Fi, ensure you’re browsing HTTPS sites, which encrypt the connection between your browser and the site and prevent hackers from seeing your web page activity. These sites are more secure than regular HTTP sites and are indicated by a padlock symbol next to the URL.
  • Avoid logging into private accounts on public Wi-Fi. Hackers can access login information of your private accounts if you’re connected to an evil twin network. Stay signed out and avoid logging in while on public Wi-Fi to protect your personal information.
  • Set up two-factor authentication for your accounts. If a hacker gains access to your account username and password, they still won’t be able to easily access it if you have two-factor authentication set up.

How can a VPN defeat evil twin attacks?

A VPN app is the easiest way to protect yourself from evil twin attacks. VPNs channel your traffic through an encrypted tunnel that is established between you and the VPN server. The VPN tunnel shields your internet traffic, keeping all the data you send and receive safe from prying eyes.

When you use a VPN, your IP address is hidden, and your traffic is mixed with that of other users, making it hard for third parties to identify you. Only the VPN server can decrypt the data transmitted along the encrypted VPN tunnel, so even if a hacker manages to intercept your traffic, they will not be able to read or exploit it.

Since hackers use evil twin attacks intending to observe your internet activity and steal sensitive information, a VPN renders these attacks useless by making your data indecipherable.
