I would still disagree.

Why go through the hassle to pretend to be a hotspot?

1) Its not as difficult as it seems to create that hack, especially if the end users are using IE and didn't apply the latest security fixes.

2) You're response is basically asking "Why do criminals phish?"

3) Stealing a laptop may get you the data on the laptop, it doesn't allow you to create a trojan that will give you access behind the corporate or ISP's firewall.

4) Brute strength is easier, but you'll know that you've been hit right away. Stealth gives you time and also makes it harder for the victim to know where and when he's been hit.

5) Its harder to catch someone than you think. ;-)

The point I'm trying to make is that there are valid reasons why a criminal would phish or create a phony hotspot.

Questioning the "risk vs reward" is a difficult task. You could easily overstate the risk and underestimate the reward.

Just because you don't see the value in it, doesn't mean the value doesn't exist. ;-)

The bottom line: As a good network admin / system admin, you can protect your fixed assets via your firewall. Its your mobile assets that pose a risk and represent vunerabilities.