What is an evil twin attack

Nowadays, our devices are with us everywhere we go.

If we are not safely connected to our home network, we are out at the market, in the mall, or at a cafe.

While it is impossible to anticipate all of the places we will travel, one thing is certain: wherever we go, we are always looking to be "connected."

Unfortunately, just as we are trying to connect, hackers are right there beside us, trying to take advantage of our need for connectivity.

It is usually simple to connect from anywhere to an access point (AP) in order to make a deposit to our bank account or to place a grocery order.

What we often overlook is that these quick connections may put us at risk for an evil twin attack, in which case our password information, bank details, and even credit card number can fall into the hands of online predators looking to lure us with a false sense of security and a deceiving similarity to our trusted networks.

What Is An Evil Twin Attack

An evil twin attack is as serious as it sounds. In this type of attack, a site that is reputable and benign is cloned to create an "evil" version with malicious intent.

To carry out this attack, a predator creates a phony WiFi network that then serves as an access point (AP) to hack into unassuming victims' private data, activity, and passwords.

Seizing this private information can be done in one of two ways: by phishing or by spying on users' connections.

If the attacker is spying, it's considered a man-in-the-middle attack, where the cyber-spy is intercepting information between the victim and his destination - like a very dangerous game of monkey-in-the-middle.

The hacker creates a false AP that can actually have the same SSID and BSSID address as a legitimate AP, so end-users don't even see the attack coming.

In this game of money-in-the-middle, the monkey is invisible.

If the attacker - or evil twin - is creating a phishing scam, he is luring unassuming users to faux sites that he creates simply for the sake of stealing their information.

On a phishing site, users will be prompted to share personal, sensitive information, which will then fall into the hands of the hacker.

How An Evil Twin Attack Works

In the realm of cyber attack, evil twin attacks can be especially sneaky.

Often, people are so desperate for internet access that they forget about network security concerns, putting their devices and personal information in harm's way for a quick WiFi "fix."

One trap that many of us have fallen into is the captive portals screen scam.

When signing on to public WiFi access points, we are often prompted to enter our user name and/or password in order to continue to connect our device to the target network.

Hackers create an evil twin page that tricks users into sharing login details with an attacker.

Here are 4 steps that an evil twin hacker takes to carry out his attack:

1. A fraudulent WiFi Access Point is set up

The hacker plans his attack by setting up a fake access point at a place that already has an abundance of networks or hotspots - like the mall, coffee shop, airport, or library.

Have you noticed that public places like these often have multiple hotspot options with similar names?

A hacker can easily use a wi-fi pineapple, laptop, router, tablet, network adapter (on a laptop) or a wireless card to form fraudulent access points to lure victims into his trap.

He can create a hotspot using the same WiFi name (SSID/service set identifier) as a legitimate wifi hotspot, so users who are not on alert won't suspect a thing.

This is where the "evil twin" nickname begins to make sense.

Unfortunately, hackers are too smart to name their fake WiFi hotspot "hacker 01," so they create a twin of an already existing wi-fi network, making it near impossible to tell which is the legitimate access point.

Some hackers are so sly that they clone the mac address of the actual wireless network.

2. A forged captive portal is created

If you have ever connected to a WiFi network at an airport, hotel, or at most hospitals, you have probably seen a captive portal page.

This is the page that pops up when you are reconnecting to a new network in order to be approved for full access to the WiFi connection.

Because you may be in a rush to connect, you may not stop to think twice about security, or whether the captive portal you are looking at is real or fake.

If it is a fake, any info you enter will wind up in the hands of your hacker.

If there's a login name and password for the network you are trying to log into, now your hacker has these details on his twin page.

3. Victims are tricked into joining the hacker's evil twin WiFi

After the cyber-attacker has created his evil twin access point and evil portal, he now has to get his victim to connect to his wireless access point and use his connection.

Hackers lure victims to their wi-fi by making sure their signal is stronger than their competitors' signals.

They can strengthen their own signals by moving closer to their prey to ensure an auto-connect, or by booting users off of the actual network (done by launching a de-authentication attack that disrupts the connection between the victim and his current wireless access point).

When the user is disconnected from his network, he will see the option to reconnect to, what looks like, the same wi-fi network, where the attacker is waiting.

Even if the user sees that this new network is not secure, the likelihood is that he will still connect his device to the evil twin network out of convenience.

4. Login details are stolen by an Evil Twin hacker

After the victim is booted off the secure network, he is now vulnerable to attack by any twins.

If the target falls prey to the evil twin wi-fi hotspot and winds up on the evil twin captive portal page, he will then be prompted to enter the login details he entered on the legitimate portal's login page.

The hacker can then see what you are doing online, and take advantage of the fact that many people use the same, or similar logins for multiple networks and accounts.

How To Protect Yourself From An Evil Twin Attack

While this whole concept of "evil twin" hacks is scary, in this case, knowledge is power. The knowledge that these fake networks are out there can empower you to make some small, but vital changes to secure your own laptop, phone, and devices, and to protect yourself from evil twin attacks.

For companies:

Here are some simple steps to follow to help avoid evil twin attacks:

  • Secure your access points by using a PSI (Personal Security Key). Make sure that all of your employees and consumers have this key.
  • Get a wireless intrusion prevention system (WISP). This device detects and prevents wi-fi intruders who are using unsecured access points.
  • Be sure to clearly convey to your staff the name and SSID of your business's wireless network so they always have a clear, secured AP.
  • Check the AP list regularly to be sure you don't see one that is mimicking your SSID.

For regular users

Check out these best practices before signing on to any public WiFi hotspots or foreign wifi networks.

  • Make sure any WiFi hotspots you connect to are secure - even if you think you recognize them.
  • Do not ever enter any login credentials on public WiFi! If you refrain from sharing login credentials, evil twin attackers can't steal them.
  • Change your login settings to require extra authentication details. If you opt for 2-step authentication, it will make it more difficult for attackers to bypass security to access your accounts.
  • Try to visit only secure websites with HTTPs URLs. This will make it much harder for attackers to access your sensitive information.
  • Study up! Learn more about security scams so that you can learn to detect fraudulent networks.
  • Turn off the auto-connect option on your phone so that you never connect without verifying that the wi-fi networks are safe.
  • Use a VPN! A reputable VPN encrypts your data and activity, so your data, if accessed, is indecipherable.

How can VPNs defeat evil twin attacks?

When you use a reputable VPN service, like SwitchVPN, all of your traffic is routed through one of its encrypted tunnels.

This makes your activity and data indecipherable by any evil twins and safe from attacks.

If you use a VPN when connected to public WiFi networks, your user experience will be more secure, every time.


While it is sad to go through life looking over your shoulder, it is a necessary concern nowadays to anticipate that you are vulnerable to attack at all times.

When it comes to a cyberattack, evil twins are some of the sneakiest, most difficult to detect.

You can prevent yourself from falling into the trap of cyber scams by using SwitchVPN.

SwitchVPN offers a $1 3-day trial, so you can try it out for yourself to see how effective it is, risk free!