/ GUIDE — NETWORK SECURITY

How do you detect an evil twin?

The signs of a fake access point, how to check the hardware behind your network on Windows, and why your own mesh makes the whole thing harder to judge.

An evil twin gives itself away in the hardware, not the name. The network name looks exactly like one you trust — because the attacker copied it — so the only reliable tell is the BSSID, the radio’s hardware address behind that name. When a familiar SSID is suddenly carried by an unfamiliar BSSID, often with a stronger-than-usual signal, you may be looking at an impersonator. Everything else on your screen looks perfectly normal.

You think you’re on your network. The name matches. The hardware doesn’t.
CoffeeShopreal routerYOUyour deviceCoffeeShopevil twinauto-joins the stronger signal
EVIL TWINsame SSID, stronger signal — the device prefers the attacker's access point
/ THE SIGNS

What an evil twin looks like from your side

An evil twin is a rogue access point broadcasting the same SSID as a network you trust — “CoffeeShop_WiFi,” your home network, an airport hotspot — hoping your device joins it instead of the real one. Because many devices auto-join a remembered name without checking the hardware, the lure works. These are the fingerprints:

  • Two access points, one name. The same SSID advertised by two different BSSIDs at once.
  • An oddly strong signal. A network that’s usually faint suddenly at full bars — attackers out-signal the real router on purpose.
  • A login page that shouldn’t reappear. A captive portal or credential prompt on a network you’ve already joined before.
  • Certificate or DNS weirdness. Browser TLS warnings, or your DNS resolver quietly changing.
SSIDCoffeeShop_WiFi
aa:11:e8:3c:22:fbyour router · known BSSID
−48 dBm
f0:9e:2c:71:04:d9unknown radio · stronger signal
−32 dBm
A second radio answering to your network’s name — especially one out-signaling your router — is the evil-twin signature.
SAME NAME, TWO RADIOStwo access points broadcasting one SSID — only one is your real router
/ DETECTION

How to check the hardware on Windows

The name is easy to fake; the hardware is what you verify:

  1. Read the BSSID you’re on. Run netsh wlan show interfaces. The BSSID line is the radio you’re actually associated with. Compare it to your real router’s MAC (printed on the router). A mismatch on a network you trust is the loudest signal there is.
  2. List every AP with that name. netsh wlan show networks mode=bssid shows all access points and their BSSIDs. Two BSSIDs under one SSID, where you expect one, is worth a second look.
  3. Watch three axes at once. The connection you’re on can be weighed against a saved baseline on BSSID, gateway MAC, and DNS resolver — a hard mismatch on the first two means you may now be on the fake AP.
BSSID
aa:11:e8aa:11:e8
GATEWAY MAC
e8:d1:1be8:d1:1b
DNS RESOLVER
1.1.1.11.1.1.1
BASELINE MATCH — trusted hardware
BASELINE CHECKthe current association weighed against the saved BSSID, gateway MAC and DNS
/ WHY IT’S HARD

The mesh problem — why naive detection cries wolf

Here’s the catch that trips up simple checks: modern mesh systems — eero, Orbi, Nest WiFi, Deco, AiMesh, Plume — legitimately broadcast one network name from several radios with different BSSIDs, so your device can roam between them. To a naive detector, that looks like a swarm of evil twins.

YOUR MESH · SAME VENDOR
a4:83:e7:11eero · node 1
a4:83:e7:12eero · node 2
a4:83:e7:13eero · node 3
✓ recognized — roaming
EVIL TWIN · UNKNOWN VENDOR
f0:9e:2c:71unknown radio
✗ outside vendor space — flagged
MESH vs TWINyour mesh uses many radios on purpose — the trick is flagging only the one that doesn’t belong

Good detection has to be mesh-aware: recognize your own roaming nodes by hardware prefix and manufacturer, and flag only a radio that falls outside that trusted vendor space. Otherwise you either drown in false alarms or switch the warnings off — and miss the real one.

/ THE TOOL

Catching it automatically

WifiThreatWatch does both layers continuously: a rolling scan flags any access point advertising your network’s name from outside its legitimate vendor space (escalating when it out-signals your router), and a connection-state monitor checks your current association against the saved BSSID, gateway MAC, and DNS. Because an evil twin and a gateway ARP spoof can be the same attack seen twice, the two are de-duplicated into a single verified alert. Detection is free.

EVIL-TWIN DETECTORfires on the same attackARP DETECTORfires on the same attackDE-DUPcorrelate1verified alert
ONE VERIFIED ALERTan evil twin and a gateway ARP spoof are often one attack — we de-duplicate them so you act once
FREE FOREVERMesh-aware evil-twin detection is free, for Windows.

Go deeper: how we detect evil twins · detecting ARP spoofing · the threats library

/ FAQ

Evil twins: quick answers

How do I know if I’m connected to an evil twin?

The tell is hardware, not the name on screen. Your device shows a normal connection to a network you trust, but the access point behind it has a different BSSID (radio hardware address) than your real router — often with a suspiciously strong signal. On Windows, “netsh wlan show interfaces” prints the BSSID you’re actually associated with; if it doesn’t match your router’s real one, that’s the signal.

What is an evil twin attack?

An evil twin is a rogue WiFi access point that broadcasts the same network name (SSID) as one you trust, to lure your device onto attacker-controlled hardware. Once you connect, the attacker is your gateway to the internet and can read unencrypted traffic, run a man-in-the-middle, serve fake login pages, and tamper with DNS — while your device shows a perfectly normal connection.

How can I detect a fake WiFi network?

Look for two access points advertising the same SSID with different BSSIDs, a familiar network suddenly appearing with an unusually strong signal, a captive-portal or login page that reappears when it shouldn’t, browser certificate warnings, or your DNS resolver changing. Any one can be innocent; together, on a network you trust, they point at an impersonator.

Does a VPN protect against an evil twin?

Partly, and not in the way people assume. A VPN encrypts your traffic once it’s up, which limits what the attacker can read — but it doesn’t stop you connecting to the evil twin, doesn’t detect that you’re on one, and the attacker still controls your path and can interfere before or around the tunnel. Detecting the impersonation is a separate job from encrypting your data.

Isn’t my mesh WiFi just a bunch of “evil twins”?

No — and this is why naive detection cries wolf. A mesh system (eero, Orbi, Nest WiFi, Deco, AiMesh, Plume) legitimately broadcasts one SSID from several radios with different BSSIDs so your device can roam. Good detection recognizes your own nodes by hardware prefix and manufacturer and only flags a radio that falls outside that trusted vendor space.

The name is easy to fake.
The hardware isn’t — if you check it.