A fake WiFi hotspot and a £5 voucher: gateway to an all-you-can-eat data buffet

The target

A group of 100+ business owners and employees attending a conference for a national services group franchise, at a central London hotel. We’re keeping any specific details anonymous for the purpose of this article.

The scenario

We were invited to present at a customer’s conference on Cyber Security and the different types of threats businesses need to be aware of.

Before the attendees arrived at the hotel, we set up a fake WiFi hotspot, named “[Customer name] Conference”.

[Image: fake WiFi connection]

We had also printed some fake £5 Amazon gift vouchers, with a QR code and web address, and left them on the conference chairs.

And then we waited!

As the attendees started arriving and merrily chatted with their colleagues in the registration lounge, we monitored the hotspot activity.

Within minutes of the guests arriving at the hotel, at least half of them had fallen for our scam, connecting to the fake WiFi hotspot. We had got our foot in the door.

When it was time for the conference to start, the guests made their way into the main room, picking up the event material, including the fake Amazon voucher, and taking their seats.

Phase two

Throughout the course of the day, several of the guests had fallen for scam number two… the fake Amazon voucher.

After scanning the QR code or entering the web address, the user was redirected to an Amazon login page – a fake one, of course, which looked like the real deal and was designed to steal their username and password.

On logging in, they were greeted with this screen (we came clean at this point!)…

The result

Once they were connected to the fake WiFi hotspot, we had a front row seat to all of their online activity. At this point we would have also been able to infect their devices with malware to steal their passwords. And by entering their details into the fake Amazon website, they would have given us access to their Amazon account, had it been a real scam.

We hadn’t just got our foot in the door, we had been invited in for an apéritif and an all-you-can-eat buffet!

Of course, this was all staged. The franchise owner had agreed to this elaborate ruse beforehand, and the audience thought they were in safe hands. And, we must stress, no data was actually stolen! But it had the desired effect of showing the audience just how easy it is for a hacker to steal your data and that you need to take as many precautions as possible to stop that from happening.

Here’s a summary of how the hackers work and the security measures you should take:

What happens when you connect to a fake WiFi hotspot?

Whether you’re at a hotel, a café or an airport, you could easily be duped by a fake WiFi network. It will look legitimate, but once connected, you are open to a variety of attacks. For example:

  1. Data Eavesdropping – hackers can see the images you send, the text you type and even the usernames and passwords you use.
  2. Malware Injection – a fake hotspot may have been configured to install viruses or trojans onto your phone, or any other device. This malware can steal your passwords, prevent you from accessing your data and also spread the virus to other devices.

What can you do to avoid becoming a victim?

Data breaches might not only cost you your data, but you could also be hit with a hefty fine – and your business reputation could also suffer. Here are some steps you can take to keep your data safe:

  1. Change your passwords regularly. Make them difficult to guess and don’t use the same password for multiple accounts.
  2. Make sure your office networks and mobile devices are secured with antivirus, firewalls, two-factor or multi-factor authentication (2FA/MFA) and encryption.
  3. Don’t connect to free or open WiFi networks! Even if it is a legitimate hotspot, hackers can easily access these open networks.
  4. Use your own hotspot on your phone or other device.
  5. If you must connect to a public network, use a VPN (Virtual Private Network).
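
For IT teams who want to check a venue before attendees arrive, here is an added example (not part of the original article or the exercise it describes) that triages a list of visible WiFi networks against the access points the venue says it operates. It flags open networks and any access point that borrows a venue network name without being on the venue's list. The record format, network names, BSSIDs and security labels are all constructed sample values, and the scan is assumed to have already been converted into this format.

```python
from collections import defaultdict

def normalise(ssid):
    """Fold case and whitespace so lookalike names compare equal."""
    return " ".join(ssid.split()).casefold()

def assess_networks(scan, authorised):
    """Return {bssid: [reasons]} for networks that deserve suspicion.

    scan       -- list of dicts with 'ssid', 'bssid' and 'security' keys
    authorised -- {ssid: set of BSSIDs the venue says it operates}
    """
    known = {normalise(s): {b.lower() for b in bs} for s, bs in authorised.items()}
    # Collect every security setting seen under each (normalised) name.
    security_by_name = defaultdict(set)
    for net in scan:
        security_by_name[normalise(net["ssid"])].add(net["security"])

    findings = {}
    for net in scan:
        name, bssid = normalise(net["ssid"]), net["bssid"].lower()
        trusted = bssid in known.get(name, set())
        reasons = []
        if net["security"] == "open":
            reasons.append("open network: traffic is not encrypted over the air")
        if name in known and not trusted:
            reasons.append("uses a venue network name from an unlisted access point")
        if not trusted and len(security_by_name[name]) > 1:
            reasons.append("same name advertised with different security settings")
        if reasons:
            findings[bssid] = reasons
    return findings

# Constructed sample data: one genuine access point, one lookalike, one unrelated.
AUTHORISED = {"Example Conference": {"02:00:00:aa:bb:01"}}
SCAN = [
    {"ssid": "Example Conference", "bssid": "02:00:00:AA:BB:01", "security": "wpa2"},
    {"ssid": "example  conference", "bssid": "02:00:00:CC:DD:02", "security": "open"},
    {"ssid": "Hotel Guest", "bssid": "02:00:00:EE:FF:03", "security": "wpa2"},
]

if __name__ == "__main__":
    for bssid, reasons in assess_networks(SCAN, AUTHORISED).items():
        print(bssid, "->", "; ".join(reasons))
```

A clean result only means nothing in the scan contradicts the venue's list; it does not make an open network safe to use without a VPN.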

Next steps

Whilst the above steps will help, cyber attacks are evolving all of the time, so you need to be sure that your cyber security solutions are too. That’s where an IT Management partner can help. We know you’re busy focusing on running your business and the last thing you need is to be worrying about cyber attacks. Let the experts take the stress out of IT for you, so you can focus on the things that you do best.

We offer a 3-step approach:

If you’re unsure where to start and would like to have an informal chat about cyber security, please get in touch.

Useful links

National Cyber Security Centre (NCSC)  
NCSC Exercise in a box
Metropolitan Police Cyber Protect
Sort-IT Cyber Security Solutions
Prevention is better than cure: protecting your small business against cyber threats