What Is a Man-in-the-Middle Attack and How Can You Stay Safe?

Man-in-the-middle (MitM) attacks get into your devices to steal your personal and financial data, but they are preventable with the right tools.

A man-in-the-middle (MitM) attack is a particularly tricky form of hacking. It involves a bad actor sneaking into an online interaction between two parties that was thought to be private or secure.

Afterward, the attacker can hold a wide range of sensitive data, from bank account details and credit card numbers to a work email login. It doesn’t stop there. With the access gained, that cybercriminal can install ransomware and other forms of malware.

This can be accomplished through eavesdropping, spoofing, hijacking, and browser cookie theft. In any case, the hacker gets a peek at sensitive information you don’t want to share. While this type of hacking can seem scary because you don’t know where it’s coming from, there are ways to keep yourself safe online.

Knowledge is your best weapon. Let’s first identify the types of MitM attacks, then talk about ways to thwart the hackers.

What is a man-in-the-middle attack?

Also described as monster-in-the-middle, person-in-the-middle, or adversary-in-the-middle, a MitM attack requires a hacker to intervene between two trusted parties. This intervention is accomplished through hijacking, eavesdropping, poisoning, or spoofing. The end goal is a form of identity theft.

Email hijacking

This method is mainly used to target banking and financial information. Cybercriminals send out a convincing-looking fake email to steal your information.

Once the hacker gains your credentials, they can monitor all transactions. They may also send out instructions on logging into your account or transferring money that look like they came from a secure financial institution. Sending your credentials through these emails or filling out information in the links can lead to further access for the hacker.

Wi-Fi eavesdropping

This type of attack happens more frequently in public. An attacker sets up a fake free public Wi-Fi network and, once you connect, can intercept data from your devices.

These Wi-Fi connections can look as normal as the valid ones. Your personal Wi-Fi at home can also be subject to eavesdropping. Make sure you’re using complex passwords.

Session hijacking

This includes cookie theft or phishing scam emails. Whether you log into public Wi-Fi and the hacker is able to grab your cookie session data or you click a phishing link in an email, they now have access to whatever you do after they connect to you. It’s like leaving your front door open and now someone is walking through your house touching your things.

Cache poisoning

Cache poisoning is another name for domain name system (DNS) spoofing. To navigate to a website, an internet user types a domain name (like typing in the address for https://allaboutcookies.org), which the DNS translates into a numeric language (the IP address) that can be understood by the computer. Cache poisoning happens when a hijacker intercepts this translation and redirects your request, usually to a phony site.

Internet protocol (IP) spoofing

An IP address is unique to each device. It acts as an address so that digital information knows where to go (back to the device you’re using to access the internet, for instance).

When an IP address is spoofed, it creates a fake address allowing the hacker to hide their identity or reroute information to a new place. IP spoofing means they can either pretend to be a site you trust or hide themselves so they aren’t recognized as a threat by a site.

HTTP spoofing

Hypertext transfer protocol (HTTP) transmits information across the internet. HTTP spoofing is when a hijacker makes a fake website with a URL that includes characters that look similar to the original intended site.

This could be using the number zero instead of the letter O or slightly switching words like ABCBank.com to ABCBanking.com. The cybercriminal is then able to steal all the information entered during your browsing session. On the other hand, an HTTPS connection is a secure, encrypted version of HTTP and lets you know the site you’re visiting is safe.
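One way to check a hostname for the look-alike tricks described above, as an added example that is not part of the original article. The allowlist entries and the tested host names are constructed, and treating the last two labels as the registrable domain is a simplifying assumption.

```python
# Added example (not from the article): classify a hostname against a short
# allowlist of domains the user really uses. TRUSTED is constructed sample data.
TRUSTED = ("abcbank.com", "mybookstore.example")

# Digit-for-letter swaps of the kind the article describes (0 for o, etc.).
SWAPS = str.maketrans("01357", "olest")

def skeleton(name: str) -> str:
    """Reduce a name to a comparison form: swaps undone, 'rn' read as 'm'."""
    return name.lower().translate(SWAPS).replace("rn", "m").replace("vv", "w")

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(host: str, trusted=TRUSTED) -> str:
    host = host.lower().rstrip(".")
    labels = host.split(".")
    # Exact match or a real subdomain of a trusted name.
    if any(host == t or host.endswith("." + t) for t in trusted):
        return "trusted"
    # Non-ASCII letters and punycode labels can render like Latin letters.
    if not host.isascii() or any(l.startswith("xn--") for l in labels):
        return "lookalike: non-ASCII or punycode label"
    # Assumption: the last two labels are the registrable domain
    # (no public-suffix list, so names under e.g. co.uk need extra handling).
    reg = ".".join(labels[-2:])
    for t in trusted:
        brand = t.split(".")[0]
        if skeleton(reg) == skeleton(t):
            return "lookalike: character substitution"
        if brand in skeleton(host):
            return "lookalike: brand name inside another domain"
        if edit_distance(reg, t) <= 2:
            return "lookalike: near-miss spelling"
    return "unknown"
```

A result of "unknown" only means the name does not resemble anything on the allowlist; it says nothing about whether the site is safe.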

Secure sockets layer (SSL) hijacking

SSL hijacking is another name for browser cookie theft or cookie hijacking. It mostly affects websites or web applications.

When you visit a new site for the first time, your browser verifies the site’s SSL certificate (the cookie) and creates an encrypted connection. When the SSL certificate is hijacked, it presents a fake certificate that looks like a safe one. This allows hackers to steal the data you’re entering into the site.

How to protect yourself from a MitM attack

It can often feel overwhelming when you’re trying to figure out what the best practices are for staying safe online. Many sites use highly technical terms or don’t fully explain the process behind why something happens the way it does.

Education is your best level of defense against hackers and scammers, and learning about MitM attack methods helps make you a more diligent user.

Below are some best practices for protecting yourself from a MitM attack.

Use a VPN

A virtual private network (VPN) encrypts your connection so an attacker can’t see the data you’re transmitting. It also allows you to hide your location from attackers looking in specific areas.

Secure your personal Wi-Fi network

Although many MitM attacks happen on public Wi-Fi, shoddy home Wi-Fi security could leave you vulnerable. Use a strong Wi-Fi password and change it regularly. Timing your Wi-Fi password change with changing the batteries in your smoke detector seasonally is a good practice.

And change the password on your router. If you have the ability to bring a personal Wi-Fi network with you as a hotspot, that can help you avoid public Wi-Fi.

Avoid social engineering attacks

Social engineering attacks are designed to coerce you into sharing personal information through fear, charm, the promise of money, or other psychological tricks.

Always question the source before offering up personal info like Social Security numbers or bank information. Furthermore, if you have the option to turn on multi-factor authentication, do it every time. It’s an added layer of security.

Watch out for phishing scams

Phishing scams are one of the most common kinds of social engineering attacks. They’re based on the idea that your world is so fast-paced, you don’t have time to investigate the sender of the email, text, or call.

Always check the email address, the time of day the message was sent, and the number calling or texting, and don’t open attachments or click on links that might come from an unknown source.

Only use secure websites

Earlier we mentioned HTTPS was secure while HTTP wasn’t. The S stands for secure. It means the site has been checked and is safe to visit. You can see this at a glance by looking in the address bar in your web browser and seeing a lock symbol next to the web address.

4 examples of MitM attacks

It’s easy to dismiss these kinds of internet attacks as being theoretical. We’ve rounded up some examples from the past as well as more recent attacks to show you these techniques are being used in “the wild” every day.

While this isn’t an exhaustive list, with improved cybersecurity transparency, we can learn more about how attacks happen and how they could have been avoided. These four examples will show you some of those ways.

Juniper Junos OS

The attack on Juniper Junos OS stemmed from improper certificate validation in the signature.

A signature is common in a lot of software applications so the company can push through a batch of updates and the signature can be verified rather than verifying every single portion of the update. It’s supposed to be secure, but in this case, there was a vulnerability and the signature was compromised, which allowed anything with the compromised signature through protective software.

Uber social engineering hack

The ride-share company was hacked using a phishing scam. The hacker was able to trick an employee into disclosing their Slack login credentials.

From there, the hacker gained access to the company network and was able to view every single piece of information in Uber’s systems. They sent screenshots of delicate information to the company to prove they were inside. The company contacted law enforcement and launched a full-scale investigation.

While it takes a long time to investigate cyber attacks, Uber has determined the level of compromise and what information the alleged 18-year-old hacker was able to view.

Lenovo adware

“Starting in September 2014, Lenovo pre-installed Superfish VisualDiscovery spyware on some of their PCs,” says the Cybersecurity and Infrastructure Security Agency’s (CISA) alert page.

The company created a fake certificate to intercept, decrypt, and then re-encrypt user internet data in an effort to gain information for targeted ads. This attack was particularly egregious because it was a trusted company doing the spying.

Equifax breach

In 2019, Equifax reported they’d discovered a breach in their security systems going back to 2017. A weakness in an open-source certificate allowed an HTTP spoof to occur, letting the hackers in.

While the entire incident was a debacle, what made it even worse was the suspicious-looking website they set up for information and resources for victims. Equifaxsecurity2017.com was visually so similar to a phishing scam, it left many people wary of using it. Adding insult to injury, Equifax’s social channels mistakenly directed people to Securityequifax2017.com making the confusion even worse. Needless to say, it was a complete mess.

MitM attack FAQs


How do you know if you’re in a MitM attack?

Identifying a MitM attack doesn’t have to be tricky. Start by looking up at the address bar. Is there a lock icon next to the web address? Also, were you able to access the website without accepting any certificates?

If there’s any intervention between you typing in an address or clicking a link and getting to the actual site, it’s best to leave the site. An intervention can look like a pop-up asking you to accept something or a warning saying your connection is not private.


Does a VPN prevent MitM attacks?

While nothing is a 100% guarantee, a VPN is your best shot against these types of attacks. There are plenty of systems across the internet to encrypt data, but we’ve explored how those can fail.

A VPN is your personal data encryption warrior. VPNs give you an added layer of security that isn’t rooted in the browsing activity you’re already doing.


Can a MitM attack steal passwords?

Absolutely! The theft of personal and sensitive information is the goal of a MitM attack. Getting your credentials goes a long way in helping the attacker gain access to otherwise secure systems.

Bottom line

A MitM attack is when a hacker gets into your secure and encrypted interactions online and can redirect or steal your information. Most of the time, these types of attacks require you to fall for tricks like visiting a suspicious-looking site or opening an attachment in your email to create an access point.

Anyone is susceptible to these kinds of hacks, so never think you’re “not important” enough to be a target. Some of the most successful breaches started as a MitM attack on someone in an organization.

It sounds scary because MitM attacks are done so secretly and in ways difficult to detect. The language surrounding it can look confusing, especially if you aren’t a “tech person.” As we’ve covered, however, there are steps you can take to protect yourself from becoming a victim.

  1. Use a VPN, especially when accessing public Wi-Fi networks.
  2. Double-check email addresses and the origin of a phone number or email, look for the lock symbol beside a web address, and don’t open unrecognized attachments.
  3. Don’t accept prompts to bypass security features. If you can’t access a site, it’s probably not safe. Find another source.
  4. When in doubt, end the session. If you aren’t sure you have a secure connection, sever the internet connection to the device and go about your day.

Taking the time to learn about online safety and basic internet hygiene practices can be the difference between becoming a victim and staying secure. If you practice common sense and due diligence, you’ll likely stay out of the way of the bad guys.

Author Details
Mary is a seasoned cybersecurity writer with over seven years of experience. With a B.S. in Liberal Arts from Clarion University and an M.F.A. in Creative Writing from Point Park University, she educates audiences on scams, antivirus software, and more. Her passion lies in educating audiences on helpful ways to protect their data.