Evil Twin Attack: What It is and How to Detect It?

Abeerah Hashim  - Security Expert
Last updated: November 10, 2023
Read time: 8 minutes

Evil twin attacks are relatively cheap and practical tools for hackers. They are hard to detect and very destructive when they succeed. So it's essential to be aware and proactive to stay safe.


Public wifi hotspots can be very dangerous because they set up the stage for hackers to perform evil twin attacks. This kind of attack can be highly harmful to the victims. But you can remain safe by being aware of these threats, adopting proactive safety measures, and, above all, adopting a VPN.

Taking advantage of the ubiquitous wifi hotspots you find when you’re shopping, traveling, or just going out for a cup of coffee is perfectly natural. It’s practical and convenient, which is the point of such technology. However, public wifi hotspots are probably the riskiest digital environment you can find. Evil twin attacks are one of the factors that make them so dangerous, so it’s a good idea to learn what they are and how you can protect yourself.

Evil twin attacks: What are they?

Imagine that a hacker in a public wifi network sets up a wifi fake access point that mimics an authentic one near it. That’s an evil twin attack. As the users connect to the phony node, all their traffic goes through a computer in the hacker’s hands, so he becomes privy to everything the user does online.

Hackers don’t need many resources to develop an evil twin. Even a smartphone will do the trick as long as it has the right software in it. Evil twin attacks are most frequent in public wifi hotspots.

The mechanics of an evil twin attack

So let’s initiate you in the arcane arts of evil twin attacks. Here is how they work:

Finding the right spot

The attacker starts by finding a good place to set up the shop. This would be a busy place, popular, and with known public wifi access. So airports, hotels, libraries, and coffee houses fit the bill. Even better, from the hacker’s point of view, these places often offer multiple nodes with the same name, making the evil twin’s existence even harder to detect.

Setting up the wifi access point

The next step is to have a look at the local traffic to notice the names of the legitimate networks or their Service Set Identifier (SSID). Then you set up another access point using the exact name of one of the surrounding SSIDs. This new node can be a smartphone, a laptop, a tablet, or a portable router. The hacker also has the option to use a wifi pineapple to increase its range. Any device that connects to the evil twin can’t tell the difference.

Encouraging users to use the evil twin

If the hacker moves closer to a given user in the environment, the evil twin’s signal will be much stronger for that user. So naturally, that’s an incentive to connect, and many devices are configured to pick the most vital signals by default.

Setting up a fake portal

Most public wifi services will take you to a portal in which you need to provide some credentials before you can go ahead and surf the web or do anything else online. Unfortunately, hackers will mimic this portal to have the users provide them with login credentials and other data.

Stealing the data

If you connect to one of these fake spots, the hacker becomes your ISP. Then, the attack moves to the next step, known as “Man in the middle.” Finally, the hacker monitors all your traffic. So if you log in to your Facebook account, the hacker will have the means to retrieve your login and password.

What makes evil twin attacks so dangerous?

Evil twin attack

Evil twin attacks are exceedingly dangerous because they take everything away to a third party when they succeed. Login credentials to all types of websites (from social networks to banking accounts) and financial information (if the victim performed any economic operation while online with the evil twin). On top of that, the hacker has an open field for installing any malware he wants into your device.

Worst of all, this attack leaves no forensic evidence, so victims will likely notice something only when it’s too late.

An example

Somebody goes to their favorite coffee house. It’s nice, within walking distance, and it has wifi. So he gets there, orders his favorite hot drink, sits down, and connects to the internet via wifi. He comes to this establishment often, he’s used this wifi node hundreds of times without problems, so there’s nothing to be afraid of.

But this time, something is different. Your “friendly” neighborhood hacker liked this place for today, and it’s “working” there. But, unfortunately, he has an evil twin running using the same SSID name as the coffee shop’s usual wifi access point. Moreover, he’s seated next to our hypothetical friend, so the evil twin’s signal is stronger than the real one. So the unavoidable happens: the unsuspecting victim’s device connects to the evil twin.

Our friend performs a money transfer to a friend’s account while he’s online. Unfortunately, he is not using a VPN, which would have saved him from the evil twin’s owner’s prying eyes. So the hacker has the victim’s banking credentials. And the victim is none the wiser until, days later, he notices that some unrecognized transactions have happened in his account.

The difference between evil twins and rogue access

Evil twins are not rogue access points. So there are similarities, but there are also two key differences:

  • A rogue access point is an unwanted access point that grants access to a network from the outside. Its purpose is not in data gathering but in network intrusion.
  • An evil twin is a replica of a legitimate access point. Its purpose is not to break into a network.

So you could consider evil twins as types of rogue access points, but they’re still different things.

So you fell for the evil twin attack. What now?

If you are suffering from financial loss due to an evil twin attack, the first thing to do is to ask your bank or credit card company for help immediately.

Change the passwords in all your accounts.

If things are bad enough, consider asking your local law enforcement to get involved.

Protecting your devices from evil twins

Evil twin attacks are quiet, subtle, and effective. But there’s still plenty for you to do to protect yourself.

Stay away from unsafe wifi access points

If you have to use a wifi service while you’re out and about, avoid those marked as “unsecured.” Evil twins are almost always in this category.

Use your own wifi

You will remain safe from hackers if you always use your personal wifi network. You will always be in a reliable network. It’s much harder for hackers to con you into an evil twin of your own hotspot. Remember to have a password to protect your access point.

Pay attention to warnings

Pay attention if your device warns about suspicious things happening while connecting to a network. Yes, these warnings can be annoying, but they are there to protect you. So stop ignoring them and, if they happen, be extra careful.

Turn your auto-connect feature off

If your auto-connect is on, it will connect you automatically to any network you’ve previously been in when it’s in rage. This is not what you want when you’re in public. And it’s an even worse idea if you unknowingly consider that you could have been an evil twin in the past. So disable your auto-connect whenever you’re not home, and make sure you authorize any connection by hand.

Use public wifi prudently

Personal or financial transactions on public wifi are terrible unless you have a VPN you can trust implicitly. Even if you’re not in an evil twin spot, if the wifi is unprotected, your data is not encrypted, and a third party can still sniff it.

Adopt multi-factor authentication

Using more than two steps to log into any system takes away some of the convenience of digital services. Still, if you’re on a public wifi network, you must prioritize security above all else.

Stick to HTTPS webs

HTTPS websites have end-to-end encryption, protecting you from hackers and third parties.

Use a VPN

A VPN will encrypt all of your traffic, so even if you fall into the hands of an evil twin, the owner will never figure out what you’re doing online.

Apart from having a WiFi VPN, other security measures can also help you. One of them is to get a security suite online on your device (like Kaspersky Internet Security).

For corporations

Organizations also can help in the fight against evil twin attacks by taking these measures:

  • Use a Personal Security Key (PSI) to secure every access point. Ensure that every employee has the key.
  • Install a Wireless Intrusion Prevention System (WISP) to keep away intruders using unsecured access points.
  • Ensure that everybody in the organization knows the correct SSID name of your legitimate access points.
  • Keep an eye on your local wifi traffic. Always look for other nodes that are mimicking your SSIDs.


Hackers are getting more sophisticated every day. They keep developing new tools for mischief, and the old ones keep improving. Evil twins are but one of many tricks and resources they can deploy. It’s subtle, quiet, hard to detect, and devastating when it works.

However, if you are aware of your security online, keeping safe from evil twins is not so different from keeping yourself safe in general. Always remain mindful of the resources you are using, and be prudent about what you do while you’re online in public.

Last but not least, get a VPN. It’s the best line of defense against evil twin attacks, and it’s also effective against almost every online security threat out there.

Share this article

About the Author

Abeerah Hashim

Abeerah Hashim

Security Expert
166 Posts

Abeerah is a passionate technology blogger and cybersecurity enthusiast. She yearns to know everything about the latest technology developments. Specifically, she’s crazy about the three C’s; computing, cybersecurity, and communication. When she is not writing, she’s reading about the tech world.

More from Abeerah Hashim


No comments.