In an evil twin attack, an adversary sets up their own wireless access point (WAP) with an SSID similar or identical to a target network, tricking victims into connecting so the attacker can capture their network traffic.
An evil twin attack is a fake Wi-Fi network that impersonates a real one. The adversary stands up their own wireless access point (WAP) and gives it a service set identifier (SSID) that looks just like the network you actually want, maybe "AirportFreeWiFi" or your coffee shop's exact name. You see a familiar name in your Wi-Fi list, tap connect, and now you're routing your traffic through the attacker's equipment instead of the legitimate one (EK 1.3.B.1).
The whole trick relies on you not noticing. That's why the CED hammers on one defense: verify that the network name exactly matches the one you mean to join (EK 1.3.C.1). Here's the limit, though. Once you're connected, the attacker can capture your traffic, but they still can't read anything sent over an encrypted protocol like HTTPS. The evil twin gets the packets; encryption keeps the contents locked.
This term lives in Unit 1: Introduction to Security, specifically Topic 1.3, Best Practices for Public Networks. It's the headline example for AP Cybersecurity 1.3.B, identifying types of wireless cyberattacks, and it connects straight to 1.3.C, the actions you take to protect your data on Wi-Fi. The exam pairs the threat (evil twin) with the defense (check the SSID, use HTTPS, consider a VPN) so you understand both halves of the same problem. It also ties to 1.3.A because pulling off an evil twin doesn't take a highly skilled adversary; the tools are widely available, which is exactly why public Wi-Fi is risky.
SSID and verifying network names (Unit 1)
The evil twin works by faking the SSID, so the SSID is both the weapon and the warning sign. EK 1.3.C.1 tells you to confirm the network name exactly matches the one you want, which is the single defense aimed right at this attack.
HTTPS and encryption (Unit 1)
Even if you connect to an evil twin, HTTPS scrambles your traffic so the attacker captures gibberish, not your password. This is why the CED says the adversary can capture traffic but cannot read encrypted protocols.
VPN (Unit 1)
A VPN encrypts all your traffic to the VPN operator, so even on a sketchy or fake access point your data stays unreadable. Think of it as wrapping every connection, not just web pages, in its own protected tunnel.
Jamming attack (Unit 1)
Both are wireless attacks from EK 1.3.B, but they aim at opposite goals. An evil twin quietly steals your data, while jamming loudly floods the airwaves to knock everyone offline.
Expect multiple-choice questions that describe a scenario and ask you to name the attack. A classic stem: a user connects to what looks like their company's network but it's actually controlled by an attacker who can now intercept unencrypted data. The answer is an evil twin attack. The key skill is telling it apart from other Unit 1.3 wireless attacks, since jamming (flooding EM signals to deny access) and war-driving style SSID scanning are common wrong answers in the same question set. No released FRQ has used this term verbatim, but it fits the kind of question that asks you to identify a wireless threat and recommend a protection like verifying the SSID, using HTTPS, or running a VPN.
An evil twin is sneaky and wants you connected so it can capture your traffic. A jamming attack is the opposite vibe: it floods an area with a strong electromagnetic signal on the network's frequency to make the Wi-Fi unavailable for everyone. One steals data, the other denies access.
An evil twin attack is a rogue wireless access point with an SSID copied from a real network to trick you into connecting.
Once you connect, the adversary can capture your network traffic, but they cannot read anything sent over an encrypted protocol like HTTPS.
The main defense is verifying that the network name exactly matches the one you intend to join (EK 1.3.C.1).
Using a VPN protects you even on an evil twin because it encrypts all your traffic, not just web pages.
It belongs to the wireless attacks in EK 1.3.B alongside jamming, and the exam wants you to tell those two apart.
It's a wireless attack where an adversary sets up their own access point with an SSID similar or identical to a real network, so victims connect to the fake one and the attacker can capture their traffic (EK 1.3.B.1).
Not if you're using encryption. The attacker captures your traffic, but data sent over an encrypted protocol like HTTPS stays unreadable, which is exactly why the CED stresses encrypted protocols and VPNs.
An evil twin tricks you into connecting so it can steal data, while a jamming attack floods the area with a strong EM signal on the same frequency to make the network unavailable. One captures traffic, the other denies access.
Verify that the network name exactly matches the one you mean to join (EK 1.3.C.1), stick to HTTPS sites, and consider a VPN to encrypt all your traffic in case you connect to a fake access point.
No. Tools to spin up a fake access point are widely available, so even a low-skilled adversary can run an evil twin, which is part of why public Wi-Fi is treated as risky in Topic 1.3.