What Is an Evil Twin Attack and How to Stop It in 2026

Shireen Stephenson, published November 26, 2025
 

Here's a question to keep you up at night: What if someone was sitting outside your favorite coffee shop right now, stealing passwords and credit card numbers from everyone inside?

That would be an evil twin attack, where attackers trick you into connecting to their fake Wi-Fi hotspot. But how would anyone know it was happening?

Unfortunately, an evil twin attack is so easy to pull off (and hide) that it's frequently weaponized by attackers. Before we get into the “how,” let’s define what an evil twin attack is. 

What is an evil twin attack? 

In a nutshell, an evil twin attack is a type of man-in-the-middle attack. This is where attackers set up a fake Wi-Fi access point (AP) that looks just like the one at your library, favorite cafe, college campus, or retail store.  

If you connect to this network thinking it’s the real one, the attacker can infect your device with a keylogger or credential-stealing malware to capture any data you enter. 

Basically, the attacker sits in the “middle” between you and the internet, to intercept your communications. 

To lure you in, the attackers: 

  • Make the fake hotspot have a stronger signal than the real one to trick you into connecting to it first 
  • Show you a fake captive portal or “login” page that mimics the real portal’s page 

Once you enter your information, the attackers can harvest everything from passwords to payment details. 

Are evil twin attacks common? 

Yes, evil twin attacks are disturbingly common. 

So common that GRU intelligence has used it as a weapon of choice to: 

  • Carry out intrusion campaigns against Olympic anti-doping agencies after Russian athletes were accused of cheating in competitive events 

GRU-linked operatives even tried to use evil twin access points to spy on the Wi-Fi network of the Organization for the Prohibition of Chemical Weapons (OPCW). 

The mission was foiled when Dutch agents made arrests. 

During their investigation, the Dutch seized a backpack containing a Wi-Fi Pineapple (a book-sized device for spoofing Wi-Fi networks), $20,000 in cash plus 20,000 EUR, train tickets to Bern, and printouts about the group's next target, the Spiez chemical testing facility in Switzerland.

All of the GRU operatives were deported back to Moscow.  

That was in 2017. 

Fast forward to 2020, when white hat hackers decided to use the same tactics to probe Wi-Fi security at the U.S. Interior Department. 

The pen testing exercise was done entirely by the Inspector General's IT audit team. They used low-cost hardware and open-source software, such as Raspberry Pi single-board computers and Kali Linux, to build their attack gear.

Each portable test kit cost less than $200, could be controlled by a smartphone, and could fit inside backpacks and purses.  

With everything in place, the team set up on park benches outside Interior Department offices.  

And what they found was shocking. 

How does an evil twin attack work? 

The ethical hackers used the exact same tools, techniques, and practices favored by Russian intelligence agents.  

The target

The U.S. Interior Department is made up of 11 bureaus. This includes the Bureau of Indian Affairs, U.S. Geological Survey, National Park Service, and U.S. Fish & Wildlife Service.  

The white hat hackers conducted penetration testing outside 91 of 2,200 Interior Department offices.  

By exploiting wireless network vulnerabilities, they were able to hijack the Department’s Enterprise Services Network (ESN). The ESN supports communication between the bureaus and the internet. 

Reconnaissance and initial access

The team: 

  • Executed an evil twin attack to obtain user credentials from two bureau networks and access their wireless services 
  • Recovered five (5) sets of encrypted credentials and deciphered two (2) of them 
  • Used the deciphered credentials to perform reconnaissance scans against Interior’s internal networks 
  • Used credentials belonging to a bureau IT specialist to sign in to the bureau's help desk ticketing system and view the list of assigned tickets
  • Viewed sensitive information such as network architecture and system vulnerabilities 

Key findings: Security weaknesses in Interior wireless networks

Here’s what the pentesters found: 

  • Offices were using pre-shared keys (shared passwords) to authenticate to wireless networks. If a pre-shared key is discovered, an attacker can easily eavesdrop on ALL clients in a wireless network. NIST SP 800-97 specifically recommends digital certificates rather than pre-shared keys for authentication. 

If the Department had followed NIST SP 800-97 recommendations, several key bureaus wouldn’t have been vulnerable to evil twin attacks. 

In 2016, the Interior Department actually removed segmentation and monitoring devices such as firewalls and intrusion detection systems to speed up service delivery. In other words, they traded security for convenience. 

  • The Department didn’t perform regular security testing of their wireless networks or monitor their networks for malicious activity, as recommended by NIST SP 800-153. 
  • Bureaus and offices also didn’t maintain complete wireless network inventories. The pentesters found 26 authorized wireless networks. However, eight (8) were unaccounted for and could have been rogue access points installed by unknown parties. 
  • Most damning of all, the OCIO (Office of the Chief Information Officer) published contradictory, outdated, and incomplete guidance on configuration and connection requirements for wireless access. 

Exploitation: Tactics and techniques

The security and compliance violations led to a successful breach, and this is how the team did it: 

  • Step #1: The pentesters began by identifying client devices already connected to an approved wireless network. For the campaign, they dubbed the network DOI WLAN. 
  • Step #2: Next, they configured an evil twin AP with the exact same name (DOI WLAN), gave it a stronger signal, and began advertising its availability to any clients within range.  
  • Step #3: The pentesters then “sped” up the attack by signaling clients to disconnect from the approved wireless network and connect to the evil twin network.  
  • Step #4: After disconnecting, the clients couldn’t distinguish between the legitimate and fake APs and automatically connected to the one with the stronger signal. 
  • Step #5: Once the clients connected to the evil twin, the pentesters were able to harvest five sets of encoded credentials and easily decrypt 40% of them due to weak passwords. 

Lessons learned and recommendations

Interior officials learned that poor cyber risk management practices significantly contributed to the breach. 

The results of the test were so damning that: 

  • One bureau shut down its entire enterprise-wide wireless infrastructure for three (3) weeks to deploy protection measures 
  • Another office enforced a security policy requiring employees to launch a VPN before accessing department resources 

Among key recommendations, the pentesting team advised Interior to: 

  • Prohibit pre-shared keys and require mutual certificate authentication (client and server) for all ESN (enterprise service network) communications 
  • Implement network segmentation to prevent wireless network clients from accessing unrequired resources at other bureaus 
  • Treat evil twin alerts as a high-level threat 
  • Include wireless infrastructure in threat hunting and containment activities 
  • Replace outdated guidance on 802.11x wireless systems with updated STIGs (Security Technical Implementation Guides) that outline clear minimum controls for wireless networks  

Note: If you’re doing business today, new NIST guidelines (that build on 800-97) provide next-gen strategies you don’t want to miss. Curious about the nuts and bolts? Check out the table below and uncover actionable insights for robust enterprise security. 

Are evil twin attacks still a threat? 

At this point, you may be forgiven for thinking these "old-school" evil twin attacks are passé. However, the threat is more alive than ever.

In April 2024, an Australian man was arrested for setting up evil twin networks at airports in Perth, Melbourne, and Adelaide. His purpose? To steal email and social media credentials from unsuspecting travelers. 

This is the same evil twin attack the Interior Department fell victim to, just in a different location.  

And in 2025, the scale of the problem is breathtaking. There are now 17.7 billion active IoT devices worldwide, a figure which will grow to 40.6 billion in 2034. This means the attack surface for evil twin attacks will expand dramatically. 

It’s clear today’s defenders must pivot as attackers deploy ever more sophisticated strategies. 

This brings us to an important question. 

How do I detect an evil twin attack? 

There are five (5) key ways to detect an evil twin attack. 

  • Look for suspicious access point (AP) characteristics: A wireless intrusion detection system (WIDS) can spot rogue access points with the same SSID (service set identifier or Wi-Fi name) but slightly different MAC addresses (BSSID).  
  • Jamming + signal amplifier technique: This type of attack is particularly dangerous as you can’t easily tell if you’re connecting to the real access point.

An attacker may use a frequency sweeping jammer to emit radio interference and jam the real access point (AP). This forces your device to disconnect. Then, with signal amplifiers, they create a stronger Wi-Fi signal than the real AP to trick you into connecting to the fake AP. 

  • Watch for certificate validation failures: If your business uses EAP-TLS authentication, both the client and server must present valid certificates. A mismatch can indicate an evil twin masquerading as the real authentication server, and a correctly configured client will refuse to connect to it.
  • Unusual network traffic or behavior: When attackers set up an evil twin, they often try to force connected devices to downgrade to weaker encryption. This makes it easier for them to intercept traffic. 

From endpoint sensor logs, SIEMs can identify known attack signatures related to these forced attempts. SIEMs can also raise an alert when new access points appear at the same time as a spike in failed logins. 

  • User-level signs: If you’re seeing frequent disconnects, difficulty accessing familiar sites, and unexpected captive portal requests for information, beware. Your device may be trying to connect to a fake access point. 
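The first, fourth and SIEM-correlation checks above can be expressed in a few lines of code. The following is an added example, not code from the original post or from LastPass: it runs three checks over constructed WIDS beacon observations and a constructed authentication log. The SSID, BSSIDs, signal strengths, timestamps and usernames are all made up for illustration, and the thresholds (60-second windows, four failed logins) are assumptions a real deployment would tune.

```python
"""Rogue access point checks over sample sensor data.

Added example, not code from the original post or from LastPass. It applies
three of the detection ideas in the post to constructed inputs: (1) the
authorized SSID advertised from a BSSID missing from the wireless inventory,
(2) the same SSID advertised without Protected Management Frames, which is
the weaker security a client would be downgraded to, and (3) a BSSID first
seen in the same time window as a spike in failed logins (the SIEM
correlation). Every value below is constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed inventory: SSID -> BSSIDs the IT team actually operates.
AUTHORIZED = {"DOI WLAN": {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}}


@dataclass(frozen=True)
class Beacon:
    ts: int       # seconds since epoch
    ssid: str
    bssid: str
    rssi: int     # dBm reported by the sensor
    pmf: bool     # AP advertises Protected Management Frames (802.11w)


# Constructed WIDS observations. The de:ad:... BSSID reuses the authorized
# SSID, is not in the inventory, is louder, and does not offer PMF.
BEACONS = [
    Beacon(1000, "DOI WLAN", "aa:bb:cc:00:00:01", -61, True),
    Beacon(1005, "DOI WLAN", "aa:bb:cc:00:00:02", -70, True),
    Beacon(1300, "DOI WLAN", "de:ad:be:ef:00:01", -44, False),
    Beacon(1310, "DOI WLAN", "de:ad:be:ef:00:01", -41, False),
    Beacon(1320, "GuestNet", "11:22:33:44:55:66", -75, False),
]

# Constructed authentication log: (ts, username, success).
AUTH_LOG = [
    (900, "alice", True), (950, "bob", True), (980, "carol", False),
    (1305, "alice", False), (1306, "alice", False), (1307, "bob", False),
    (1308, "carol", False), (1309, "dave", False), (1311, "erin", False),
]


def rogue_bssids(beacons, inventory):
    """{ssid: {bssid: advantage_db}} for BSSIDs that advertise an authorized
    SSID but are absent from the inventory. advantage_db is how much louder
    the unknown AP is than the strongest authorized AP for that SSID; a
    positive value means an auto-connecting client would prefer it."""
    strongest = defaultdict(dict)          # ssid -> bssid -> best rssi seen
    for b in beacons:
        if b.ssid in inventory:
            prev = strongest[b.ssid].get(b.bssid, -200)
            strongest[b.ssid][b.bssid] = max(prev, b.rssi)
    result = {}
    for ssid, per_bssid in strongest.items():
        legit = [r for bs, r in per_bssid.items() if bs in inventory[ssid]]
        legit_max = max(legit, default=-200)
        rogue = {bs: r - legit_max
                 for bs, r in per_bssid.items() if bs not in inventory[ssid]}
        if rogue:
            result[ssid] = rogue
    return result


def missing_pmf(beacons, inventory):
    """Sorted BSSIDs that advertise an authorized SSID without PMF."""
    return sorted({b.bssid for b in beacons
                   if b.ssid in inventory and not b.pmf})


def new_ap_with_login_spike(beacons, auth_log, window=60, threshold=4):
    """Sorted BSSIDs whose first appearance falls in a window (seconds) that
    also contains at least `threshold` failed logins."""
    failures = defaultdict(int)            # window index -> failed logins
    for ts, _user, ok in auth_log:
        if not ok:
            failures[ts // window] += 1
    first_seen = {}                        # bssid -> window index of first beacon
    for b in sorted(beacons, key=lambda x: x.ts):
        first_seen.setdefault(b.bssid, b.ts // window)
    return sorted(bs for bs, w in first_seen.items() if failures[w] >= threshold)


if __name__ == "__main__":
    print("unknown BSSIDs on authorized SSIDs:", rogue_bssids(BEACONS, AUTHORIZED))
    print("authorized SSIDs offered without PMF:", missing_pmf(BEACONS, AUTHORIZED))
    print("new APs during a failed-login spike:",
          new_ap_with_login_spike(BEACONS, AUTH_LOG))
```

On the sample data all three checks converge on the same unknown BSSID: it is 20 dB louder than the strongest authorized AP, it offers no PMF, and it first appears in the same minute as six failed logins. In practice each check alone produces false positives (a newly installed AP, a misconfigured radio), so the point of the inventory from the "key findings" section is that it turns "new BSSID" into a question the IT team can actually answer.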

How do I avoid or prevent evil twin attacks? 

To avoid or prevent evil twin attacks, you need a layered defense. If you’ve ever wanted a cheat sheet that’s both practical and powerful, check out the table below. 

| Protection category | Consumer protections (easy, practical tips) | Business protections (NIST framework and guidance) |
|---|---|---|
| Use FIDO2 MFA & SaaS Monitoring | | NIST emphasizes FIDO2 MFA for phishing-resistant authentication and compliance across enterprise platforms |
| Personal hotspots or private network | Avoid public Wi-Fi and use personal mobile hotspots for safer connections | Segment wireless networks to reduce risk exposure (NIST SP 800-215) |
| Auto-connect settings | Disable auto-connect to Wi-Fi networks to avoid evil twins | Enforce strict configuration management to prevent auto-connects to Wi-Fi networks |
| Access point verification | Double-check Wi-Fi names for typos or misspellings and ensure devices are connected only to your router's real MAC address | Use EAP-TLS certificate-based authentication for safe wireless connections (NIST SP 800-97). Certificate authentication ensures clients verify the authenticity of access points before connecting |
| VPN | Use a VPN to encrypt your connection in public environments | Layer VPNs with other defenses to achieve end-to-end data protection (NIST SP 800-215) |
| HTTPS and secure DNS | Get DNS over HTTPS (DoH) with secure DNS providers like Google Public DNS or Cloudflare DNS. This means that if you accidentally connect to a fake Wi-Fi access point, DoH stops attackers from redirecting you to phishing sites. | Enforce enterprise DNS security with DoH to safeguard DNS queries from interception and manipulation (NIST SP 800-81r3). Note: DoH must be properly configured and monitored to balance privacy and security |
| Wireless security protocols | Use WPA3 for your Wi-Fi home router; keep your router firmware updated | Transition to WPA3-Enterprise, which provides Protected Management Frames (PMF). If someone tries to send fake disconnect commands to your device, PMF blocks it, so your device isn't tricked into joining a fake network. |
| Intrusion detection & monitoring | N/A (typically outside consumer control) | Deploy WIDS/WIPS and integrate with SIEM for threat detection (NIST SP 800-215) |
| User training & awareness | Avoid signing in to sensitive accounts on public Wi-Fi; use a privacy-focused browser like Brave or Zen Browser; don't ignore browser security warnings about invalid certificates | Continuous user training on WLAN security (NIST SP 800-97) |

Don’t let evil twins steal your passwords: What LastPass does for you 

Did you know that LastPass can protect you, even if you mistakenly connect to a fake access point? Here’s how: 

  • LastPass autofill only enters your information on legitimate sites. So, even if a URL is off by a single character, LastPass won't autofill your passwords. This dramatically reduces your risk of credential theft and account takeovers.
  • The LastPass generator makes it fast and easy to create strong passwords. This means no more wasting time trying to come up with passwords that meet complexity requirements. 
  • Whether you’re a consumer or business, powerful LastPass FIDO2 MFA options can stop unauthorized access, even if attackers manage to capture some of your data. 
  • At LastPass, we’re committed to your security. That’s why we’ve made Dark Web Monitoring available to all accounts (free, Premium, and Business).  
 


FAQs: Evil twin attack

No, they are different. An evil twin is a fake wireless access point set up to trick users into connecting to it. Meanwhile, packet sniffing allows attackers to “sniff” or capture wireless network traffic. Evil twins often use packet sniffing to intercept and steal information. But not all packet sniffing involves evil twins. 

A VPN encrypts your internet traffic, protecting your data even if you connect to an evil twin. However, it won’t stop phishing if you enter your credentials on a fake site. To get optimum protection against unauthorized access, unlock LastPass FIDO2 MFA, autofill, and Dark Web Monitoring with a free LastPass Premium or Business Max trial (no credit card required).  

To detect an evil twin attack on your home network: 

  • Check for duplicate SSIDs (Wi-Fi names) and verify your devices are connected only to your router's real MAC address.

Both Wi-Fi bands – 2.4 GHz and 5 GHz – are vulnerable to evil twin attacks. Many IoT devices connect automatically to familiar Wi-Fi networks and lack strong security, making them easy targets for attackers who set up rogue access points.  

With more IoT devices using these bands, the risk for data exfiltration increases.

WPA3 is the best encryption mode for Wi-Fi in 2025. You have three options: 

  • WPA3-Personal for home networks 
  • Wi-Fi Enhanced Open for public Wi-Fi connections 