In the digital world, your laptop, smartphone, or digital device is your office on the go. You can work, connect with friends and coworkers, shop, book tickets or services, do your banking, and basically conduct your entire digital life from cybercafés, shared hot-desk office spaces, and other businesses that offer customers wifi connections through secure virtual private networks (VPNs). However, using public VPNs can carry risks and expose you to cybercriminals.
Your personal digital security is crucial, because there are so many fraudsters using phishing, smishing, vishing, fake AI-generated videos, and other tricks to fool you into giving them personal information like your banking and identity details. Cybercrime is rife, and fraudsters come up with a different scam every day.
Evil-twin VPNs are a relatively new threat. Here's what we know, and how you can protect yourself:
What is a VPN?
A virtual private network is an app you can download on the device you use to connect to the internet. Popular brands include Nord VPN, Express VPN, and Proton VPN. Some VPNs are free, some are for sale, and many offer a hybrid of free basic services with the option of paid premium extras. A VPN helps protect your online privacy and security in 3 ways:
- Encryption: A VPN encrypts your internet traffic, so that hackers or cybercafés can’t monitor your activity.
- IP masking: A VPN hides your real IP address, making it harder for scammers to track your location.
- Secure connections: VPNs create a private link between your device and the internet, reducing the risk of data theft.
Businesses that offer public computer access, like internet cafés, often set up a secure public VPN so that customers don’t have to waste their wireless data when they browse online. How secure is secure, though? Cybercafés and other public VPNs can pose risks if their wifi connection isn’t managed properly.
Be cautious when you use a public VPN. Usually, when you search for wifi in a busy public place, several options come up. To let you connect through the right VPN, staff will give you the name and password for their public wifi connection. However, this is where you might encounter an ‘evil-twin’ scam.
What is an evil twin scam?
Fraudsters create a fake VPN that mimics a legitimate one, trying to trick users into connecting to it. Evil-twin VPNs can be very difficult to tell from the real thing. For example, the real VPN might be named ‘COFFEE_freewifi’ – but there could be another option in the list named ‘C0FFEE_freewifi’. That would be the evil-twin VPN set up by a scammer. If you’re logging on in a hurry, or the font setting on your phone makes it harder to tell ‘0’ from ‘O’, you could tap and connect to the wrong VPN by mistake.
Once you’ve connected, scammers can intercept sensitive data like your login credentials, bank details, and private messages. A cyberattacker can monitor your online activity and steal your personal information.
How to avoid evil-twin scams
- Verify the network name and spelling with a member of staff and be sure to choose that exact name from the wifi options that appear on your device. If in doubt, type the complete, correct name into your search bar to connect, rather than clicking on a link.
- Disable autoconnect on your device, so that it can’t connect automatically to public wifi networks.
- Check for an ‘https’ address, rather than ‘http’ – ‘https’ indicates a secure connection.
- Avoid entering sensitive data, using your passwords, or logging in to banking apps when you're using public networks.
- If you're unsure about a public VPN, use your device’s mobile data for better security.
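The first tip above, checking the exact spelling of the network name, can be automated. The following is an added example, not part of the original article: it compares the names shown in a wifi list against the name staff gave you and flags near-matches such as ‘C0FFEE_freewifi’. The confusable-character table, the distance threshold and the sample list are assumptions made for illustration.

```python
import unicodedata

# Characters easily confused at a glance, folded to one canonical form.
# This small table is an assumption for the example, not an exhaustive list.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "i": "l", "5": "s",
                             "3": "e", "-": "_", " ": "_"})

def skeleton(ssid: str) -> str:
    """Fold case, Unicode compatibility forms and look-alike characters."""
    folded = unicodedata.normalize("NFKC", ssid).casefold()
    return folded.translate(CONFUSABLES)

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(trusted: str, seen: str, max_distance: int = 2) -> str:
    """Return 'exact', 'lookalike' or 'unrelated' for one visible name."""
    if seen == trusted:
        return "exact"
    # Names that differ only by look-alike characters share a skeleton.
    if edit_distance(skeleton(trusted), skeleton(seen)) <= max_distance:
        return "lookalike"
    return "unrelated"

def review_scan(trusted: str, visible: list[str]) -> dict[str, str]:
    """Classify every name in a scan list against the trusted name."""
    return {name: classify(trusted, name) for name in visible}

# Constructed scan list: the article's two names plus invented variants.
SAMPLE_SCAN = ["COFFEE_freewifi", "C0FFEE_freewifi", "COFFEE_freewifi ",
               "Coffee-FreeWifi", "LibraryGuest"]

if __name__ == "__main__":
    for name, verdict in review_scan("COFFEE_freewifi", SAMPLE_SCAN).items():
        print(f"{name!r:22} {verdict}")
```

An ‘exact’ result only confirms the spelling; it says nothing about who operates the access point, so the remaining tips in the list still apply.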
Identifying a secure VPN
Whether you want to download your own VPN, or you just want to know what to look for when choosing an internet café to work in, there are 7 features that indicate a strong commitment to user privacy and security:
1. Strong encryption: A reliable VPN should use AES-256 encryption, which is the industry standard for security.
2. No-log policy: Ensure that the VPN provider has a strict no-log policy, meaning they don't store your browsing history.
3. Verified provider: Trust only a reputable VPN service, rather than an unknown operator. A ‘free’ VPN might come with a catch in the terms and conditions – like giving the product provider permission to sell your data. Read all T&Cs carefully.
4. DNS and IP leak protection: A secure VPN should be able to secure your domain name system (DNS) lookups and prevent leaks that expose your real IP address.
5. Multiplatform support: A good VPN will work across different devices and operating systems.
6. Kill switch feature: This disconnects your internet if the VPN connection drops, preventing accidental exposure to cyberthreats.
7. Independent security audits: Choose a VPN that has undergone third-party audits to verify their security claims.
If you want to test a public VPN, go to a site like ipleak.net to see if your real IP address is exposed. Similarly, you can test for DNS leaks at dnsleaktest.com. You should also read expert reviews and search for user feedback online before you choose a VPN or a business that offers public wifi. Make sure that most reviewers find it secure. And keep an eye on your connection speed and stability – a secure VPN should not drastically slow down your connection or disconnect frequently.
Stay constantly aware of scams
Evil-twin VPNs are just 1 of the many scams that cybercriminals use to get your personal information, steal your identity, or access your digital banking apps. Other cyberfraud techniques include fake app downloads, phishing emails, messages, videos, fake online stores (often using AI to create very convincing forgeries on social media of reputable companies and their branding, or to impersonate celebrities), investment and job scams, fake selfie verification scams, or imposters posing as a loved one trapped in a financial emergency.
That’s only a partial list, and scammers invent new frauds every day. Memorise the following tips to help you stay safe:
- Verify sources before sharing personal or financial information.
- Be sceptical of offers that sound too good to be true.
- Use secure payment methods and avoid sending money to strangers.
- Look for reviews of businesses before making purchases.
- Avoid clicking on suspicious links in emails, texts, or social media ads.
- Read all bank notifications carefully before you approve anything. Choose a bank that offers advanced security measures like biometric verification using fingerprints or selfies.
Remember, keeping your personal and banking details secure is your responsibility. If you’re tricked by cyberfraud, like an evil-twin VPN, into giving criminals your login details, you won’t be able to claim compensation from the bank for any losses you suffer.