Public Wi-Fi has never been the safest, but evil twin attacks have made it even less secure. Unfortunately, these attacks are difficult to spot because the evil twin networks look like exact replicates of the network they mimic.
The real problem is it’s hard to combat something you can’t detect and most people connect without verifying a wireless connection is safe. Never fear! We’ve compiled everything you need to know about evil twin attacks, including how to detect one, protect your devices, and what to do if you become a victim.
Table of Contents
What is an evil twin attack?
How does an evil twin attack work?
Real-world examples of evil twin attacks: Famous Cases
How to detect an evil twin Wi-Fi network
What to do if you fall victim to an evil twin attack
How to protect your device from evil twin attacks
Advanced cybersecurity: How AI detects fake Wi-Fi networks
How evil twin attacks compare to other cyber threats
FAQ
What is an evil twin attack?
An evil twin attack occurs when a perpetrator creates a fake Wi-Fi access point (AP) to intercept users’ internet traffic and steal their sensitive personal or financial information.
Most attackers set up evil twin APs in areas that offer public Wi-Fi access. Evil twin APs often use mobile hotspot connections to mimic legitimate wireless access points. Since the evil twin AP uses the same configurations and settings as the target network, it’s often difficult to spot one if you aren’t looking.
Attackers are often nearby, allowing their devices to discover the target AP information. Once they have the information they need, attackers can then create a fake Wi-Fi AP that mimics the legitimate target AP. These connections often have a slightly stronger signal, making them more attractive to users.
How does an evil twin attack work?
An evil twin attack usually follows specific steps, the first of which is to find and copy the target network’s configuration details and other relevant information. Next, the attacker creates a clone of the legitimate AP, it often appears identical but has slightly faster connection speeds.
The attacker can then wait for you to connect to the network, or use de-authentication methods to overwhelm the network causing a disconnect. This may prompt your device to connect to the nearest, fastest Wi-Fi connection, usually the evil twin if one exists. Either way, once connected, they collect your data and steal any usable information.
How attackers exploit public Wi-Fi networks
Evil twin attacks are difficult to detect with certainty unless you have technical knowledge. They negatively impact businesses and individuals but are only successful due to human error. Whether the error is a company with inadequate Wi-Fi security and monitoring or a user connecting to the fastest AP without device protection installed, it’s still some form of human negligence.
Public Wi-Fi networks are more susceptible to evil twin attacks than corporate networks, which generally fall prey to the internal creation of rogue APs. Examples of public Wi-Fi networks that unwittingly host evil twin APs are:
- Airports and airlines
- Hotels and inns
- Coffee shops and restaurants
- Conference, trade show, and concert venues
- Public transport hubs and depots (e.g., subway, bus, train)
Common tools attackers use for evil twin attacks
Enumeration tools
Attackers use enumeration tools to actively scan and gather information about the network, this can include the following:
- Hostnames, usernames, and group names
- IP addresses and routing data
- Any active open ports
- Domain Name System (DNS) & Simple Network Management Protocol (SNMP)
- Software version and any subsequent updates
- Network operating system
- Network configurations
- Potential vulnerabilities in network infrastructure
De-authentication attacks
A de-authentication attack is a type of Direct Denial of Service (DDoS) attack used to disable a network temporarily. It does this by sending fraudulent requests that interrupt communication between your device and routers. Sending the requests en masse congests the network, causing your Wi-Fi connection to drop.
Once disconnected you may connect to the evil twin AP as the signal appears slightly stronger. De-authentication attacks are primarily used in creating rogue APs, however, as they require more work than most standard attackers need to steal data over a public Wi-Fi network.
Cloning software
Cloning tools mimic the appearance, structure, and other details of a Wi-Fi network to make it virtually impossible for you to distinguish them from legitimate network APs. While cloning can be done manually, most attackers use cloning tools because it’s more efficient and convenient. Tools can parse and clone the target network’s AP faster than most manual methods. Attackers can also use preconfigured AP templates from a third-party file-sharing site to save time setting up shop.
Spoofing tools
Wi-Fi networks rarely verify Media Access Control (MAC) addresses or validate incoming frames, so spoofing tools are a popular option for evil twin attacks. Spoofing can be used to mimic a legitimate MAC address. Since most Wi-Fi networks (especially public ones) have inadequate or no monitoring policies in place, an evil twin AP likely won’t be spotted until it’s too late.
Real-world examples of evil twin attacks: Famous Cases
US Interior Department Hacked (2020)
A team of auditors from the Interior Office of the Inspector General’s IT group ethically hacked the US Interior Department’s internal systems via an agency Wi-Fi AP. Unfortunately, it didn’t even take much, the auditors were able to infiltrate the internal systems by executing an evil twin attack using cheap tech software.
They noted the department’s Wi-Fi network wasn’t properly secured and didn’t require advanced user authentication measures, or perform regular network security scans to help detect and prevent attacks. The main issues were centered around the office of the Chief Information Officer (OCIO) and included:
- A lack of adequate/frequent testing of network security
- Incomplete inventory of all wireless networks and APs
- Publishing contradictory, inadequate, and outdated guidelines
The Interior’s OCIO has since accepted all recommendations made by the Office of the IG’s IT team, and has made efforts to tighten the security of the Interior’s Wi-Fi network and APs.
Australian Airline Passengers Victim of Data Theft (2024)
Australian airline employees on a domestic flight to Perth discovered a suspicious Wi-Fi AP. After landing the airline discovered a 42-year-old male carrying a mobile access device, smartphone, and laptop in his luggage. The man used the tech to set up an evil twin AP with a strong signal that many passengers connected to.
It had a strange feature that should have been a red flag, passengers were required to log into the network using their email or social media credentials. Once they did, the attacker logged the information and stole passenger data.
After a thorough investigation, Australian authorities discovered additional evil twin attacks in Adelaide and Melbourne. This prompted the Australian Cybercrimes Detective Inspector to urge passengers and citizens to install a reputable VPN on their devices to encrypt online traffic and secure their devices when using public Wi-Fi.
The inspector also urged citizens to never log in to any network that requests their email or social media credentials to access. Additionally, they should consider disabling Wi-Fi on mobile in public places to prevent your device from automatically connecting to a potentially harmful AP like an evil twin.
How to detect an evil twin Wi-Fi network
The sudden appearance of a new and faster AP point after a disconnect, especially one with the same name as your original AP, is a huge red flag of an evil twin network. But what if you’re already connected, and how can you identify suspicious networks in the future? Don’t worry, we’ve got you covered.
Signs you might be connected to a fake Wi-Fi network
- Unencrypted connections – Networks that don’t use encryption are a breeding ground for MitM attacks like evil twins. Most legitimate Wi-Fi networks use WPA2 or WPA3 protocols to increase security, if the AP you use doesn’t it may be a fake.
- SSL certificate errors – Check the SSL certificate of your original AP connection. If you get disconnected and automatically connect to the nearest, fastest connection and it has the same name, you can check to see if the SSL certificate is the same as well. If it isn’t you could be connected to an evil twin.
- Pop-up redirects – Any unexpected pop-up prompting you to log in to an account again or download an app to connect to a network, is a red flag an AP is malicious.
- Continuous login requests – Frequent login requests or those requesting you to sign into the network via your Google or social media account are likely evil twins. Legitimate networks don’t ask for personal account information as they provide you with login credentials and rarely require you to log in more than once.
- Consistent sudden disconnects – Disconnects are often used as a way to get you to try to log in with another account, this gives the attacker even more information they can use to access accounts and steal your personal and financial data.
Tools used to identify suspicious networks | |
| 24/7 Network monitoring | Monitors the network continuously and is compatible with all network-connected tech, including software, servers, systems, and endpoint devices. Analyzes all traffic and compares it to preset rules that help sort legitimate use from malicious. |
| Rule enforcement | Determine which activity is considered intrusive and which isn’t. Systems administrators can configure the rulesets manually and manage them from a centralized location for greater flexibility and control. Network admins may also choose a provider to preconfigure and manage rule enforcement tools, but it’s more inflexible. |
| Malicious presence checkers | Detects, logs, and blocks any malicious presence on a network. If it can’t determine whether a presence or file is malicious or safe, an alert may be issued to the IT team. Until the IT team can view and clear the inquiry the presence is contained in a virtual sandbox. |
| SIEM | Security information and event management (SIEM) tools centralize, correlate, and analyze all the data on a network. The log management, data centralization, searchability, and detection and reporting of security events, make it easier to identify and contain malicious attacks. |
| EDR | Endpoint detection and response (EDR) is used to record the activities and events of all network workloads. It gives the IT security team the ability to find hidden issues and respond in real-time to mitigate damage. EDR can also be used to hunt for threats, validate reports of suspicious activity, and detect and contain suspicious entities. |
| IPDS | Intrusion prevention and detection systems (IPDS) detect and mitigate the risks of threats, and then work to prevent repeat threats. It monitors the entire network and looks for signs of malicious activity. If it detects any, it can log information about the malicious entity and block it. |
What to do if you fall victim to an evil twin attack
Steps to secure your account immediately
Step 1: Change your passwords
Reset the password to any account you accessed while connected to the evil twin AP. This mitigates the risk of the attacker changing it first and locking you out of your account. Use best password practices, including using a mix of capital and lowercase letters, numbers, and characters. Never use any easily discoverable personal information in your password or sequential numbers or letters.
Step 2: Notify your banking and credit card providers
Contact your bank and credit card providers as well as any other financial institution you logged into while connected to the evil twin. They can freeze your account to prevent theft (or further theft) and may be able to compensate you for your loss. Providers can also perform a main reset for your password, so you don’t lose access to your account even if the attacker has already changed your password.
Enable 2FA
Enabling two-factor authentication (2FA) on your devices and accounts can help prevent an attacker from accessing your account even if they get your username and password. Even an evil twin attack has a low success rate when 2FA is enabled because the attacker would need access to your phone, biometric data, or email account to bypass it. This is a good time to remind you to activate 2FA for password resets, it can save you from data theft in the future.
Reporting an evil twin attack – Who to contact
Notify your local law enforcement department, while they may not be able to do anything about the attack they can alert others that this type of threat exists in the community and provide tips on how to spot evil twin APs.
It also raises an alert that can make others more cautious and prevent potential victims from connecting to a suspicious network next time they’re out and about. If you live in the US, you can also report the incident to the Federal Communications Commission (FCC).
How to protect your device from evil twin attacks
Avoid using public networks
Unsecured hotspots and other public Wi-Fi don’t use WPA2 or WPA3 security protocols, making them a prime target for evil twin attacks. Avoid using unsecured public networks when any other network is available.
Use your mobile hotspot
One of the easiest ways to protect your device from evil twin attacks is to create and use your hotspot via your mobile device network. Just make sure you secure it with a strong password, or use the one provided, to keep your network private.
Pay attention to security warnings
If you attempt to connect to a wireless network and your device warns you it isn’t secure, don’t dismiss it. Your device has security measures in place to protect you and ignoring them could compromise your connection and personal information.
Disable Wi-Fi auto-connect
With auto-connect enabled your device will automatically connect to any previously used network, and may connect to the nearest available AP if your connection drops. This can be an issue if you accidentally connected to an evil twin in the past and it’s still active. Disabling it when you travel or aren’t at home can help you avoid evil twin networks.
Access sensitive accounts at home
If you never enter identifiable, sensitive, or financial details into sites while using public networks there’s nothing to steal – even if you unknowingly connect to an evil twin AP. Prevention is better than a cure, avoid accessing sensitive accounts on public networks altogether, and if you have to access these accounts on the go use a VPN to secure the connection.
Use 2FA for accounts
Email, banking, medical, and other sensitive accounts are more secure with 2FA enabled. It ensures a third level of security needs to be passed before you can access an account, that’s how 2FA helps protect against evil twin attacks. Unless the attacker can access your phone, biometric data, or email they won’t be able to log into your account – even with your username and password. Just make sure any email address you use for 2FA is also protected by 2FA.
Switch your browser to HTTPS only
Open your browser Settings and change your security preferences for websites to HTTPS only. This ensures that websites are secure, and HTTPS is chosen whenever it’s available.
How to change your browser to HTTPs only | |
| Chrome | Settings > Privacy & Security > Security > Always use secure connections > Warns you for insecure public & private networks |
| Firefox | Settings > Privacy & Security > HTTPS-only mode > Enable HTTPS-only mode in all windows |
| Safari | Safari 15+ automatically prioritizes HTTPS by default, no change is needed. |
Use a VPN
VPNs help you avoid evil twin attacks by rerouting your traffic through their servers, providing you with a secure connection – even over public Wi-Fi connections like hotspots. Even if the attacker intercepts your traffic it’s scrambled, so they don’t get any usable information.
The drawback is you’re still susceptible to human error. You need to connect to the VPN before accessing public Wi-Fi, so it’s best to keep it on or turn it on before leaving your house.
How to use a VPN to block an evil twin attack
Step 1: Subscribe to ExpressVPN and download our app.
Step 2: Connect to a VPN server anywhere on our network.
Step 3: Enjoy a safer internet connection – even over public Wi-Fi.
Advanced cybersecurity: How AI detects fake Wi-Fi networks
The internet is ever-evolving, so new cybersecurity measures to detect and manage threats are emerging daily. One of the latest tools used in detecting fraudulent Wi-Fi networks is artificial intelligence (AI).
Machine learning algorithms like deep learning are already being used to conduct network forensics, and programmers are working to analyze network traffic and behavior to spot patterns that precede cyber attacks like evil twins. AI speeds up monitoring, detection, and investigation without human intervention.
To do this, AI must not only effectively determine which traffic to block, but also have control of network security resources. That places much trust in AI, which has been proven to exhibit less-than-desirable behaviors. This means more research and testing must be performed before AI can be safely implemented as a stand-alone solution.
How evil twin attacks compare to other cyber threats
Evil twin vs. rogue AP
Rogue APs are unauthorized wireless connections installed on a network. Not all rogue APs are malicious, some are used for the same reasons you may use a VPN including bypassing network restrictions or improving network connectivity and reliability. The biggest difference between rogue and evil twin APs is that a rogue AP may be used for legitimate purposes, and evil twins are primarily malicious.
An evil twin attack only seeks to mimic a legitimate access point and is rarely installed on the network itself. It’s set up by attackers for the express purpose of tricking you into connecting to it. Once you connect, the attacker can monitor all your activity, intercept traffic, and log your sensitive information.
Evil twin vs. MitM attacks
Evil twin attacks are a form of Man in the Middle (MitM) attack. The difference between the two is an evil twin attack mimics the connection to gain users’ trust and get them to connect. A direct MitM attack infiltrates the network and intercepts traffic in transit without any visible indicator – like a duplicate connection with the same name.
Direct MitM attacks are also used for large-scale data collection on any network, and evil twin attacks are more popular among small-time attackers and primarily focus on public network connections.
Evil twin vs. Wi-Fi phishing attacks
The only difference between an evil twin and a Wi-Fi phishing attack is Wi-Fi phishing APs don’t always mimic another network. Both attack methods attempt to intercept traffic in transit and steal sensitive information from users using a fake AP.
FAQ: About evil twin attacks
Can a VPN protect against evil twin attacks?
A reliable VPN helps protect against evil twin attacks, but only if you connect to the VPN before you access a public network. Trustworthy services that use best-in-class encryption, like ExpressVPN, scramble all your network traffic. That way, even if it’s intercepted the attacker won’t be able to read it.
What cyber threats are similar to evil twin attacks?
Rogue APs, MitM attacks, and Wi-Fi phishing are all similar to evil twin attacks in some way. You can discover more about these attacks above and how they compare to evil twin attacks in ‘How evil twin attacks compare to other cyber threats’.
What steps does an attacker take in an evil twin attack?
First, the attacker pinpoints a network to mimic and discovers details about its configuration to create a trustworthy-looking fake AP. This can be done using a laptop, mobile devices, and network access devices.
Once the AP is created the attacker waits for someone to connect, and intercepts and logs the users’ traffic. The information is then used for malicious purposes like identity and financial theft or sold to third parties like advertisers or data brokers.
What is the difference between a rogue access point and an evil twin attack?
Rogue APs are often used for legitimate purposes like bypassing censorship and blocks on restrictive networks or increasing overall network speed and connectivity. Evil twin attacks are primarily used for malicious purposes like data theft.
What is the difference between an evil twin and a MitM attack?
An evil twin attack is a form of MitM attack, but it attempts to mimic a specific network AP while general MitM attacks directly infiltrate a network. Both are malicious and intercept data in transit and log the information.
What is the best defense against evil twin attacks?
Taking preventative measures like avoiding public networks whenever possible, setting up 2FA, and using a VPN are the best defenses against evil twin attacks. Additionally, be mindful of the networks you connect to, if you’re unsure of a Wi-Fi network use your mobile hotspot instead.
Can you secure public Wi-Fi against evil twin attacks?
Public Wi-Fi connections that use WPA2 or WPA3 security protocols provide more security against evil twin attacks, but it’s hard to secure a public network against MitM attacks. Most public Wi-Fi APs don’t verify MAC addresses, so fake APs can go a long time undetected.
What is Wi-Fi sniffing?
Essentially, Wi-Fi sniffing is just another form of MitM attack that was developed to intercept and steal sensitive information. Wi-Fi sniffing works similarly to an evil twin attack, intercepting and inspecting traffic as it travels from its origin point to its final destination.
30-day money-back guarantee
