Evil Twin WiFi Attacks: How Hackers Steal Data on Public Networks

In 2024, a man was charged with running fake WiFi networks at airports and on commercial flights, stealing dozens of credentials from unsuspecting passengers. Here's how evil twin attacks work, why your traveling employees are at risk, and what your business can do to stay protected.

Security Advisory

In late 2024, CISA, France's CERT-FR, and U.K. cyber authorities issued an unusually strict warning: completely disable WiFi on smartphones whenever it's not actively required. This advisory comes amid a sharp rise in man-in-the-middle attacks linked to fake wireless networks [1].

Your employees connect to public WiFi every day. At airports, hotels, coffee shops, and conferences, they're checking email, accessing cloud applications, and handling sensitive business data. What most don't realize is that the network they just connected to might not be what it appears to be.

Evil twin attacks are a form of wireless network attack where hackers create fraudulent WiFi access points that impersonate legitimate networks. When users connect, attackers can intercept all their traffic, capture login credentials, and even inject malicious content into web pages. According to CISA, this attack works because "an adversary uses a broadcast signal stronger than the one generated by the legitimate access point; then, unsuspecting users connect using the stronger signal" [2].

This isn't a theoretical threat. In June 2024, Australian Federal Police charged a 42-year-old man with running evil twin networks at multiple airports and on domestic flights, harvesting credentials from dozens of victims [3].

1 in 5
Business travelers will experience a man-in-the-middle attack while using public WiFi, according to security research [4]

What Is an Evil Twin Attack?

An evil twin attack is classified under MITRE's Common Attack Pattern Enumeration and Classification (CAPEC) as CAPEC-615 [5]. In this attack, adversaries set up WiFi equipment that mimics a legitimate network. Because the attacker controls the access point, they can monitor all traffic and position themselves for man-in-the-middle (MITM) attacks on every connected device.

NIST defines a man-in-the-middle attack as "a form of active wiretapping attack in which the attacker intercepts and selectively modifies communicated data to masquerade as one or more of the entities involved in a communication association" [6]. When combined with an evil twin access point, this gives attackers complete visibility into your employees' network activity.

Why "Evil Twin"?

The name comes from the fact that the malicious network is an identical "twin" of a legitimate one: it broadcasts the same network name (SSID) at a similar signal strength, and is often positioned close to the real access point. Users have no easy way to tell the two apart.

How the Attack Works

Evil twin attacks follow a predictable pattern that exploits user trust and the way devices automatically connect to known networks.

The Evil Twin Attack Chain:

  1. Setup: The attacker deploys a portable wireless access device configured to broadcast the same network name as a legitimate hotspot (e.g., "Airport_Free_WiFi" or "Starbucks_Guest").
  2. Signal Boost: The attacker positions their device to broadcast a stronger signal than the legitimate network, causing devices to preferentially connect to the malicious access point.
  3. Captive Portal: Users are presented with a fake login page that mimics the legitimate network's portal, requesting email addresses, social media logins, or other credentials.
  4. Credential Harvesting: Login details entered on the fake portal are captured and stored by the attacker for later exploitation.
  5. Traffic Interception: Even after "authentication," all traffic flows through the attacker's device, enabling real-time capture of unencrypted data, session cookies, and additional credentials.

Real-World Case Study: Airport Evil Twin Attack

Australian Federal Police Case (2024)

In April 2024, the Australian Federal Police launched an investigation after an airline reported a suspicious WiFi network detected on a domestic flight. The investigation revealed a coordinated attack spanning multiple locations [3].

According to the AFP, the accused used "a portable wireless access device to create 'evil twin' free WiFi networks" at Perth, Melbourne, and Adelaide airports, as well as on domestic flights and at locations connected to his previous employment [3].

The attack was elegant in its simplicity. When passengers connected to what they believed was the airline's legitimate in-flight WiFi, they were redirected to a fraudulent login page that requested email or social media credentials. Those credentials were then saved to the attacker's device.

AFP analysis of the seized devices revealed dozens of personal credentials belonging to other people. With these email and password combinations, the attacker could potentially access victims' communications, stored media, banking information, and any other accounts using the same credentials.

The man faced nine charges including unauthorized electronic communication impairment, possession of data to commit serious offences, unauthorized data access, and dishonestly obtaining financial information, with maximum penalties ranging from 2 to 10 years per charge [3].

Why Businesses Should Be Concerned

The business implications of evil twin attacks extend far beyond individual credential theft. When employees connect to malicious networks, they potentially expose:

  • Corporate email credentials that provide access to sensitive communications and contacts
  • Cloud service tokens for Microsoft 365, Google Workspace, and other business applications
  • VPN credentials that could grant attackers direct access to your internal network
  • Customer and client data accessed while connected to the compromised network
  • Financial information if employees access banking or accounting systems

$4.88M
Average cost of a data breach in 2024, a 10% increase from the previous year according to IBM [7]

A Kaspersky Lab survey found that three in ten senior business managers have experienced cybercrime while traveling, with 82% connecting to free public WiFi at airports, hotels, and cafes that are mostly unsecured [4]. For businesses with traveling employees, this represents a significant and often overlooked attack surface.

Compliance Implications

For businesses subject to regulatory requirements, evil twin attacks can trigger serious compliance concerns:

  • HIPAA: Healthcare organizations must protect patient data in transit. Credentials stolen via evil twin attacks could lead to unauthorized PHI access.
  • PCI-DSS: Payment card data transmitted over compromised networks may violate data protection requirements.
  • CMMC: Defense contractors must implement controls for protecting CUI, including network security for mobile devices.
  • State Privacy Laws: Colorado, California, and other states have data breach notification requirements that could be triggered by credential compromise.

How to Protect Your Business

Defending against evil twin attacks requires a combination of technical controls, policy enforcement, and user awareness. NIST SP 800-153 recommends deploying Wireless Intrusion Detection and Prevention Systems (WIDPS) that can "detect impersonation and man-in-the-middle attacks" by identifying when devices attempt to spoof the identity of legitimate access points [8].
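To make the WIDPS idea concrete, here is an added example (not from the page's sources or any product) of the impersonation check NIST describes: it takes a constructed scan of nearby beacons, compares each protected SSID against an allowlist of authorised AP addresses (BSSIDs), and flags any unknown BSSID advertising that SSID, noting a security downgrade to an open network or a stronger signal than the real APs. The `Beacon` record, the `KNOWN_APS` allowlist and the sample scan are all assumptions made up for the demonstration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Beacon:
    ssid: str       # advertised network name
    bssid: str      # AP MAC address
    security: str   # "OPEN", "WPA2" or "WPA3" (constructed labels)
    rssi: int       # dBm; closer to 0 means a stronger signal


# Constructed allowlist: SSIDs the organisation operates and the
# BSSIDs (AP MAC addresses) authorised to advertise each of them.
KNOWN_APS = {
    "Corp_Guest": {"00:11:22:aa:bb:01", "00:11:22:aa:bb:02"},
}


def find_evil_twins(beacons, known_aps=KNOWN_APS):
    """Return (bssid, reason) findings for beacons that impersonate a
    protected SSID. Illustrative WIDPS logic, not a product's algorithm."""
    findings = []
    by_ssid = {}
    for b in beacons:
        by_ssid.setdefault(b.ssid, []).append(b)
    for ssid, seen in by_ssid.items():
        authorised = known_aps.get(ssid)
        if authorised is None:
            continue  # not one of our networks; nothing to protect
        legit = [b for b in seen if b.bssid in authorised]
        strongest_legit = max((b.rssi for b in legit), default=None)
        legit_sec = {b.security for b in legit}
        for b in seen:
            if b.bssid in authorised:
                continue
            reasons = ["unauthorised BSSID advertising protected SSID"]
            if b.security == "OPEN" and legit_sec and "OPEN" not in legit_sec:
                reasons.append(f"security downgrade (open vs {'/'.join(sorted(legit_sec))})")
            if strongest_legit is not None and b.rssi > strongest_legit:
                reasons.append("stronger signal than any authorised AP")
            findings.append((b.bssid, "; ".join(reasons)))
    return findings


# Constructed sample scan: two authorised APs plus a rogue twin on an
# unknown MAC that is open and louder than the real ones.
SAMPLE_SCAN = [
    Beacon("Corp_Guest", "00:11:22:aa:bb:01", "WPA2", -62),
    Beacon("Corp_Guest", "00:11:22:aa:bb:02", "WPA2", -70),
    Beacon("Corp_Guest", "de:ad:be:ef:00:01", "OPEN", -41),
    Beacon("CoffeeShop", "66:77:88:99:00:11", "OPEN", -55),
]

if __name__ == "__main__":
    for bssid, reason in find_evil_twins(SAMPLE_SCAN):
        print(f"ALERT {bssid}: {reason}")
```

A real deployment would feed this from sensor scan data and also compare channel and capability fields, but the allowlist comparison is the core of what a WIDPS does for impersonation.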

1. Implement Always-On VPN for Mobile Devices

Require all company devices to connect through a corporate VPN before accessing business resources. This encrypts traffic even if the underlying network is compromised, preventing attackers from reading intercepted data.

VPN Implementation Checklist:

  • Deploy enterprise VPN client on all company laptops and mobile devices
  • Configure VPN to connect automatically when not on trusted networks
  • Configure tunneling policies so that all business traffic is routed through the VPN (if split tunneling is used, business applications must never be excluded from the tunnel)
  • Monitor for devices connecting without VPN protection

2. Disable Auto-Connect Features

CISA recommends disabling automatic WiFi connections on all devices [2]. Modern smartphones and laptops will automatically connect to networks with familiar names, making them easy targets for evil twin attacks.

iPhone Users: Control Center Isn't Enough

According to CERT-FR, disabling WiFi from the iPhone Control Center does not fully turn it off. The WiFi radio remains active and may automatically connect to nearby networks. To fully disable WiFi, you must turn it off via the Settings app [1].

3. Enforce Multi-Factor Authentication (MFA)

Even if attackers capture credentials through an evil twin attack, MFA provides a critical second layer of defense. NIST advises enabling two-factor authentication for all critical accounts to add "an additional step for anyone trying to access" protected resources [9].

4. Deploy Endpoint Detection and Response (EDR)

Modern EDR solutions can detect suspicious network behavior, including connections to untrusted access points and man-in-the-middle attempts. NIST SP 800-124 specifically addresses mobile device security, recommending continuous monitoring of devices that "primarily use non-enterprise networks for internet access" [10].

5. Establish Clear Travel Security Policies

Create and communicate policies that address:

  • Approved methods for connecting to public WiFi (VPN required)
  • Prohibition on entering credentials into WiFi captive portals
  • Requirements to verify network authenticity before connecting
  • Incident reporting procedures if employees suspect compromise

6. Consider Cellular Over WiFi

For highly sensitive work, cellular connections provide better security than public WiFi. Consider providing mobile hotspots or cellular-enabled devices for employees who regularly handle sensitive data while traveling.

What to Do If You Suspect Compromise

If an employee believes they may have connected to an evil twin network, take these steps immediately:

  1. Disconnect from the network immediately and disable WiFi completely via device settings
  2. Do not log into any accounts on the potentially compromised device until it has been assessed
  3. Report the incident to IT so they can investigate and take appropriate action
  4. Change passwords from a known-clean device, prioritizing email, cloud services, and any accounts accessed while connected
  5. Review account activity for signs of unauthorized access, including login locations and recent activity
  6. Enable MFA on any accounts that don't already have it enabled

For confirmed compromises, NIST recommends a full security assessment of the affected device and potentially wiping and restoring from a known-clean backup [10].

Key Takeaways

Action Items for IT Leaders:

  • Implement mandatory VPN for all remote and traveling employees
  • Configure devices to require manual WiFi connection (disable auto-connect)
  • Deploy MFA across all business-critical applications
  • Update security awareness training to cover evil twin attacks
  • Consider WIDPS for monitoring corporate wireless networks
  • Establish clear policies for public WiFi use during business travel
  • Evaluate cellular alternatives for high-risk travel scenarios

Protect Your Business from Wireless Threats

Evil twin attacks represent a growing threat to businesses with mobile and traveling workforces. As the 2024 Australian airport case demonstrates, these attacks are being actively deployed in real-world environments, targeting business travelers and everyday users alike.

At LocalEdgeIT, we help Denver businesses implement comprehensive security strategies that protect employees wherever they work. Our managed security services include endpoint protection, VPN deployment, security awareness training, and 24/7 monitoring to defend against both traditional and emerging threats.

Ready to strengthen your wireless security? Take our free IT Security Assessment to identify vulnerabilities in your current security posture, or contact us to discuss your organization's specific needs.

Sources & Additional Resources

  1. Completely Turn Off Wi-Fi: Cyber Agencies Issue Strict Warning - The420.in, 2024
    https://the420.in/turn-off-wifi-cyber-warning-iphone-android-evil-twin-attacks/
    Coverage of joint advisory from CISA, CERT-FR, and UK cyber authorities.
  2. Securing Wireless Networks - CISA (Cybersecurity & Infrastructure Security Agency)
    https://www.cisa.gov/news-events/news/securing-wireless-networks
    Official CISA guidance on wireless network security and evil twin attack prevention.
  3. Man Charged Over Creation of Evil Twin Free WiFi Networks - Australian Federal Police, June 2024
    https://www.afp.gov.au/news-centre/media-release/man-charged-over-creation-evil-twin-free-wifi-networks-access-personal
    Official AFP press release detailing the airport evil twin attack case.
  4. Risks of Using Public Wi-Fi Networks for Businesses - NordLayer, 2024
    https://nordlayer.com/blog/public-wifi-risks/
    Business-focused analysis of public WiFi security risks and statistics.
  5. CAPEC-615: Evil Twin Wi-Fi Attack - MITRE Corporation
    https://capec.mitre.org/data/definitions/615.html
    Official MITRE CAPEC entry defining the evil twin attack pattern.
  6. Man-in-the-Middle Attack Definition - NIST Computer Security Resource Center
    https://csrc.nist.gov/glossary/term/man_in_the_middle_attack
    Official NIST definition and description of MITM attacks.
  7. Cost of a Data Breach Report 2024 - IBM Security
    https://www.ibm.com/security/data-breach
    Annual IBM report on data breach costs and trends.
  8. Guidelines for Securing Wireless Local Area Networks (WLANs) - NIST SP 800-153
    https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-153.pdf
    NIST guidelines for enterprise wireless security including WIDPS deployment.
  9. Secure Your Wireless Network with NIST Guidelines - GRC Documents
    https://grc-docs.com/blogs/nist/secure-your-wireless-network-like-a-pro-with-nist-guidelines
    Summary of NIST wireless security recommendations.
  10. Guidelines for Managing the Security of Mobile Devices - NIST SP 800-124
    https://csrc.nist.gov/publications/detail/sp/800-124/rev-2/final
    NIST guidelines for mobile device security in enterprise environments.