Man-in-the-Middle Attacks Pose Risks Even to the Security-Minded Employee



TMCnews Featured Article


March 06, 2014


By Mae Kowalke, TMCnet Contributor


When you buy sunglasses or a purse on the streets of New York or Hong Kong, you know there’s the chance you could be buying a fake. But, when you or your employees connect to a website or a corporate email account while working from a hotel lobby, chances are you don’t question the legitimacy of the connection.


But you should.

There are many ways that cybercriminals can infiltrate corporate resources, and one of the easiest is perhaps the man-in-the-middle (MITM) attack.

With relative ease, an MITM attacker can set up a Wi-Fi access point in a hotel lobby or coffee shop that mimics the legitimate hotspot and even uses the same SSID, such as “Mike’s Cafe.” The attacker can either knock the user off the real Wi-Fi hotspot and only allow them to connect to the fake one, or can simply wait for users to connect to the wrong one.

This can be done with software run from any laptop, so it is possible for a man-in-the-middle situation to exist at any public hotspot.

Once the user is connected to the fake hotspot, the attacker can then intercept and decipher communications to enumerate passwords, credentials and other sensitive information. Even supposedly secure connections can be compromised by presenting unvalidated SSL certificates as part of the authentication process. Most devices will present a warning that the security certificate is invalid, but many users have gotten used to such warnings and are likely to use the connections anyway rather than take the warning seriously.

MITM attacks pose a great risk for the enterprise, in that it is far too easy for employees to unintentionally pass sensitive data to attackers without even needing to install malware or act unsafely.

Thankfully, there are ways that businesses can defend against MITM attacks.

One method is to use Kerberos Constrained Delegation and mutual authentication for ActiveSync, an approach employed by mobile device management firm MobileIron. This mutual authentication includes not only a server-side SSL certificate, but also a client certificate. The client certificates must be authenticated against the server-side certificate as part of the standard authentication handshake, so an attacker will not have the proper relationship to make the connection.
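The certificate checks described above, sketched with Python's standard ssl module as an added example; it is not code from the article or from MobileIron. The function names and the audit helper are hypothetical, and the certificate, key and CA file paths are left as parameters that a real deployment would supply.

```python
import ssl

def verified_client_context(ca_file=None):
    """Client side: reject any server certificate that does not validate."""
    # create_default_context enables CERT_REQUIRED and hostname checking.
    return ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)

def click_through_client_context():
    """Code equivalent of a user accepting an invalid-certificate warning."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be disabled before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE  # any certificate is accepted
    return ctx

def mutual_auth_server_context(cert_file=None, key_file=None, client_ca_file=None):
    """Server side: the handshake fails unless the client presents a
    certificate that chains to the CA in client_ca_file (paths are assumptions)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = ssl.CERT_REQUIRED
    if cert_file:
        ctx.load_cert_chain(cert_file, key_file)
    if client_ca_file:
        ctx.load_verify_locations(cafile=client_ca_file)
    return ctx

def audit(ctx, role):
    """Return MITM-relevant weaknesses of a context; role is 'client' or 'server'."""
    findings = []
    if role == "client":
        if ctx.verify_mode != ssl.CERT_REQUIRED:
            findings.append("server certificate not validated")
        if not ctx.check_hostname:
            findings.append("hostname not checked")
    elif ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("client certificate not required")
    return findings

if __name__ == "__main__":
    one_way_server = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)  # default: CERT_NONE
    for name, ctx, role in [
        ("click-through client", click_through_client_context(), "client"),
        ("verified client", verified_client_context(), "client"),
        ("one-way server", one_way_server, "server"),
        ("mutual-auth server", mutual_auth_server_context(), "server"),
    ]:
        print(f"{name}: {audit(ctx, role) or 'ok'}")
```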

Using attachment security that encrypts email attachments to protect data-in-motion and data-at-rest also helps ward off MITM attacks, and using a sentry secure gateway that ensures only registered and compliant devices have access to sensitive data can further limit damage from MITM. All of these methods also are part of MobileIron’s security measures.

When business leaders talk about security, usually things like unauthorized downloads and insecure authentication are discussed. But with MITM, even simple and seemingly secure employee behavior can be dangerous.




Edited by Blaise McNamee






