+1 (877) 634-6847
Customer Support
Cybersecurity Glossary

What Is Evil Twin Phishing?

Evil twin phishing is a wireless attack where a fake Wi-Fi network or login portal imitates a legitimate one. The attacker wants users to connect, enter credentials, expose traffic, or follow instructions that appear to come from the network provider.

Learn More
Glossary Index Phishing & Social Engineering
Short definition

Evil twin phishing uses a lookalike Wi-Fi network or captive portal to trick users into trusting the wrong connection. Once connected, the target may be shown fake login pages, malicious prompts, or traffic interception that can expose business data.

At a glance: The network name may look familiar, but the connection is controlled by the attacker. The risk starts when a user treats the fake network as safe.

Evil Twin Phishing Meaning

An evil twin attack copies the appearance of a trusted wireless network. The fake network may use the same or similar name as a hotel, airport, conference, coffee shop, company guest network, or public hotspot. A user scanning for Wi-Fi may not notice the difference.

After the user connects, the attacker may present a captive portal that asks for an email address, password, voucher code, room number, employee login, or payment details. The page may look like normal Wi-Fi onboarding, which makes the request feel less suspicious.

Some evil twin setups also attempt to observe traffic, redirect the browser, or push the user toward malicious downloads. Encrypted sites and modern browser protections reduce some risks, but the attacker can still abuse trust in the network and the portal experience.

For businesses, evil twin phishing is especially relevant for traveling employees, remote workers, field teams, events, and anyone who handles work from public locations. The attack blends technical setup with social engineering because it relies on users recognizing a name and assuming it is safe.

How Evil Twin Phishing Works

An evil twin attack uses a fake network identity to make the target choose the attacker-controlled connection.

  1. The attacker creates a lookalike network. The network name may copy a real venue, business, event, or guest Wi-Fi label.
  2. The target connects. A user sees a familiar name and joins the network, sometimes because the fake signal appears stronger or more convenient.
  3. A portal or prompt appears. The user may be asked to log in, accept terms, update software, enter a code, or provide contact information.
  4. Credentials or data are captured. A fake portal can collect passwords, email addresses, payment details, or other information.
  5. The attacker uses the access. Stolen credentials, intercepted sessions, or downloaded malware can lead to account compromise or further phishing.

Common Evil Twin Phishing Examples

Evil twin phishing often appears in places where users expect convenient Wi-Fi.

  • Conference network copy: A fake network uses an event name and asks attendees to log in with business email credentials.
  • Hotel guest Wi-Fi clone: A lookalike hotspot asks for room details, credit card information, or a loyalty account login.
  • Airport hotspot lure: A traveler connects to a familiar-sounding network and sees a fake portal requesting an email login.
  • Company guest network impersonation: An attacker near an office creates a network that resembles the organization's guest Wi-Fi.
  • Fake update prompt: After connecting, the user is told to install a browser, VPN, or security update before browsing.

Why Evil Twin Phishing Matters

A familiar Wi-Fi name can create trust before the user has any proof of who controls the network. If the network name looks right and the login page appears normal, the connection may not be questioned.

The risk is higher when employees travel or work outside managed environments. A fake network can become the first step toward credential theft, malware installation, account takeover, or exposure of business activity.

These attacks also blur the line between physical and digital risk. The attacker may not need to send an email at all. They only need to be near enough to present a convincing network at the right moment.

How to Reduce Evil Twin Phishing Risk

Safer connection habits start before the user joins the network or enters anything into a portal.

  • Verify network names. Check official signage, venue instructions, or internal guidance before joining a public or guest network.
  • Avoid unexpected credential prompts. Do not enter company credentials into a Wi-Fi portal unless the process is approved and expected.
  • Disable auto-join. Devices should not automatically connect to open networks just because a name looks familiar.
  • Use protected access paths. Follow company guidance for VPN, managed devices, hotspot use, and access to sensitive systems while traveling.
  • Report suspicious networks. Employees at events or offices should report lookalike networks, unexpected portals, or prompts to install software.

What to Do After Connecting to a Suspicious Network

If a user connected to a questionable Wi-Fi network or entered information into a portal, the goal is to limit account and device exposure.

  1. Disconnect immediately. Leave the network, forget it from the device, and avoid reconnecting until the network is verified.
  2. Report the network details. Share the location, network name, portal screenshots, and any credentials or information entered.
  3. Reset exposed credentials. If a password was entered, reset it from a trusted connection and review MFA prompts and recent sign-ins.
  4. Check the device. If software was installed or warnings appeared, IT should inspect the device before it reconnects to sensitive systems.

Related Evil Twin Phishing Terms

Evil twin phishing connects wireless risk with broader phishing behavior.

  • Quishing shows how attackers hide unsafe destinations behind familiar scan-and-login moments.
  • Tech Support Scams covers fake prompts and support flows that push users into unsafe actions.

Evil Twin Phishing Takeaway

Evil twin phishing works because familiar network names create quick trust. A user may connect before thinking about who controls the hotspot or portal.

The safer approach is to treat public Wi-Fi as untrusted until verified. Network convenience should never override approved access paths, credential caution, and clear reporting.

Navigation
Back to Glossary View Category

Share This Page

Send this glossary page to a teammate, client, or employee who needs a quick explanation.

Email Facebook LinkedIn
FAQ

Questions Teams Ask About Evil Twin Phishing

Quick answers about fake Wi-Fi networks, captive portals, and safer connection habits for business users.

What is evil twin phishing?

Evil twin phishing is an attack where a fake Wi-Fi network or captive portal imitates a legitimate network to steal credentials, intercept traffic, or direct users to malicious pages.

Where do evil twin attacks usually happen?

They often happen in places where people expect public Wi-Fi, such as airports, hotels, conferences, coffee shops, shared offices, and event venues.

Can evil twin phishing affect remote workers?

Yes. Remote and traveling employees may connect from public networks and can be exposed if they trust a fake network name or login portal.

How can users avoid evil twin phishing?

Users should verify network names, avoid entering credentials into unexpected Wi-Fi portals, use VPN where required, disable auto-join, and report suspicious networks.