An evil twin is a rogue access point that attempts to deceive users into believing that it is a legitimate access point, like the organization's official Wi-Fi network. Evil twins are therefore a form of social engineering, as the attacker is trying to trick users into connecting to the attacker's network. This is often facilitated through a deauthentication attack—if the attacker can knock a client off the network, they may be able to trick them into reconnecting to the rogue AP. Once the user does so, the attacker can launch all manner of attacks against the victim. For example, they might set up a convincing captive portal with a login form to harvest users' credentials.
Evil twin attacks are effective because it's not always easy for a user to determine which is the correct Wi-Fi network and which is the fake. Both networks can even have the same SSID, making it even more difficult for the user. Of course, certain factors can make the evil twin more effective, such as using the same (or expected) encryption protocol and placing it close to the targeted user(s) so that its signal strength is high and it is put at the top of the client's list of APs. However, using any kind of encryption protocol will require that the victim knows the password, which may not be feasible. In these cases, evil twins usually operate in open mode.
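A defender-side check for the pattern described above, as an added example that is not part of the original text: it flags beacons that reuse a sanctioned SSID from an unknown BSSID, with unexpected security (such as open mode), or at a stronger signal than any sanctioned AP. The inventory, SSID, BSSIDs and scan records are constructed for illustration, and the function and field names are hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Beacon:
    ssid: str
    bssid: str
    security: str   # e.g. "WPA2-Enterprise", "OPEN"
    rssi_dbm: int   # received signal strength; closer to 0 is stronger

# Constructed inventory of sanctioned APs: SSID -> (expected security, known BSSIDs)
AUTHORIZED = {
    "CorpWiFi": ("WPA2-Enterprise", {"00:11:22:33:44:01", "00:11:22:33:44:02"}),
}

# Constructed scan results, standing in for a wireless survey export
SAMPLE_SCAN = [
    Beacon("CorpWiFi", "00:11:22:33:44:01", "WPA2-Enterprise", -61),
    Beacon("CorpWiFi", "00:11:22:33:44:02", "WPA2-Enterprise", -74),
    Beacon("CorpWiFi", "02:AA:BB:CC:DD:EE", "OPEN", -38),
    Beacon("CoffeeShop", "02:12:34:56:78:9A", "OPEN", -50),
]

def find_evil_twin_candidates(beacons, authorized=AUTHORIZED):
    """Return (bssid, ssid, reasons) for beacons imitating a sanctioned SSID."""
    # Strongest signal seen from a sanctioned BSSID, per SSID
    strongest_known = {}
    for b in beacons:
        if b.ssid in authorized and b.bssid.lower() in authorized[b.ssid][1]:
            strongest_known[b.ssid] = max(strongest_known.get(b.ssid, -200), b.rssi_dbm)

    findings = []
    for b in beacons:
        if b.ssid not in authorized:
            continue  # not one of our SSIDs, out of scope for this check
        expected_security, known_bssids = authorized[b.ssid]
        reasons = []
        if b.bssid.lower() not in known_bssids:
            reasons.append("unknown BSSID")
        if b.security != expected_security:
            # Catches open-mode twins and spoofed BSSIDs with the wrong protocol
            reasons.append(f"security {b.security}, expected {expected_security}")
        if reasons and b.rssi_dbm > strongest_known.get(b.ssid, -200):
            reasons.append("stronger signal than any sanctioned AP")
        if reasons:
            findings.append((b.bssid, b.ssid, reasons))
    return findings

if __name__ == "__main__":
    for bssid, ssid, reasons in find_evil_twin_candidates(SAMPLE_SCAN):
        print(f"{ssid} @ {bssid}: " + "; ".join(reasons))
```

A twin that copies both a sanctioned BSSID and the expected security setting passes this check, so it complements rather than replaces wireless intrusion detection.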
There are also specific attacks that can leverage the evil twin technique to make it more effective or useful to the attacker. Some devices, especially those running older operating systems, will send out active probe requests for known Wi-Fi networks rather than waiting passively for an AP to send a beacon frame. An attacker listening for such a request can respond with their own rogue AP information and prompt the client to connect. The legitimate AP doesn't even need to be close by—as long as the client device believes it is connecting to the right network, it will do so. Likewise, the attacker doesn't need to broadcast a spoofed SSID to entice users and potentially raise suspicion. This type of attack is called a Karma attack.
Other significant attacks that can be used with an evil twin are the downgrade attack and SSL strip attack. In both of these attacks, the victim attempts to connect to a secure website normally using HTTPS. However, the evil twin inserts itself (usually through ARP poisoning) between the client and the server. In both cases the evil twin creates two separate connections, one with the server and one with the client. The connection with the server uses normal HTTPS. The connection with the client uses either a weaker version of SSL (downgrade attack), or dispenses with encryption altogether using cleartext HTTP (SSL strip attack). The client and website both think they are communicating directly with each other, but in reality their communications are being relayed through the evil twin, which is harvesting user credentials and other interesting data.
Both the downgrade and SSL strip attacks depend on the user permitting a connection to a website with an untrusted certificate. The certificate used in a downgrade attack is actually a self-signed certificate from the attacker machine, rather than a legitimately issued certificate from a trusted certificate authority. A browser normally detects this and warns the user, but many users, either not knowing or not caring about the significance of the warning, permit the connection anyway. Certificates that are untrusted will display a red circle with an X in their properties. The break in trust can occur anywhere in the certification path, including at the root level. Untrusted certificates should be replaced by trusted ones from a trusted source.