Evil Twin
You think you’re on your network. You’re on theirs.
What it is
An evil twin is a fake WiFi access point. The attacker stands up their own hardware that broadcasts the same network name (SSID) as one you trust — “CoffeeShop_WiFi,” your home network, an airport hotspot — hoping your device connects to it instead of the real one.
Once you’re on their access point, the attacker is your gateway to the internet. They can read unencrypted traffic, run a man-in-the-middle, serve fake login pages, and tamper with DNS — all while your device shows a perfectly normal WiFi connection.
You think you’re on your network. You’re on theirs.
How attackers do it
Setting one up is cheap. The attacker copies a legitimate network’s SSID and broadcasts it from their own access point — often with a stronger signal so nearby devices prefer it. Many devices will auto-join a remembered network name without checking that the hardware behind it is the same one they trusted before.
Sophisticated variants forward your traffic to the real internet so nothing seems wrong, and run a transparent DNS proxy so resolved names look identical — while the attacker silently substitutes the router underneath.
How we detect it
WifiThreatWatch works on two layers. First, a rolling environmental scan enumerates every access point advertising your network’s name. A new access point outside your network’s legitimate “vendor space” is flagged — and escalated when it out-signals your real router, a strong twin indicator.
Second, a connection-state monitor checks your current association against the saved baseline on three axes: BSSID (the access point’s hardware address), gateway MAC (your router’s identity), and DNS resolver. A hard mismatch on BSSID or gateway MAC means you may now be on the fake access point — a full alarm.
Crucially, detection is mesh-aware. Mesh systems like eero, Orbi, Nest WiFi, Deco, AiMesh, and Plume legitimately use multiple access points with different hardware addresses, so we recognize your own roaming nodes — by both hardware prefix and manufacturer — and only flag hardware that genuinely doesn’t belong.
How we stop it
When you’ve actually landed on an evil twin, that’s a critical event — the same full-screen alarm and Active Defense response as a confirmed ARP attack. Because an evil twin and a gateway ARP spoof can be the same attack seen by two detectors, we de-duplicate them so you see one verified alert, not two.
Tap Protect Me and we break the attacker’s hold — fresh network identity, then an encrypted tunnel to a server we control.
See the full Active Defense flow →
ARP Spoofing
An attacker on your network impersonates your router to silently intercept everything you send.
Read more →Rogue Device
A device you never authorized quietly joins your network and gains a foothold on your LAN.
Read more →Homoglyph SSID
A network named with look-alike Unicode characters renders identical to yours but isn’t.
Read more →