Everything you need to know about clone phishing
In a clone phishing email, hackers use an existing email as a template and replace the link in the mail with a malicious one. This makes clone phishing a sophisticated way for hackers to easily trick their victims, because this type of phishing email appears very trustworthy as it is almost identical to the legitimate email it is cloned from.
What is clone phishing?
Clone phishing is a type of phishing attack where hackers create a nearly identical duplicate of a genuine email from a trusted organization. These “clone” emails contain attachments that appear similar to the originals but are embedded with malware designed to steal sensitive user information. Clone phishing attacks can be highly convincing, making them a growing threat to both businesses and consumers. Understanding how these attacks work is crucial for preventing them and protecting your sensitive information.
For an in-depth explanation, read our guide on how phishing works.
How clone phishing works
Clone phishing works by creating a nearly identical duplicate of a genuine email from a trusted organization. Cybercriminals employ various methods to extract sensitive information from unsuspecting internet users. Clone phishing scams often target individuals who frequently engage in online banking or shopping. It’s essential to be mindful of the typical appearance of branded emails from the online retailers you interact with most. If you notice slight design discrepancies or misspellings in the sender’s address, the message might be a clone containing potentially harmful links and files.
Clone phishing attacks in a nutshell
In clone phishing, cybercriminals get their hands on emails that a victim has already received in the past, for example from a colleague or an online service, and make them malicious by copying them and replacing the legitimate link with a malicious one. In this way, cybercriminals exploit the trust the victim has in the sender of the original and legitimate email, which can be considered a form of social engineering.
But clone phishing can also manifest itself in more complex ways. For example, in the case of an email sent from a colleague, the hacker may launch the attack with an email that is a re-sent version of the original email but with a malicious link or file. Here, the email will typically contain explanations such as “Forgot to attach the file to the original email.” The hacker will come up with a suitable explanation that will pique the victim’s curiosity and make them click.
However, hackers can also impersonate various online services from which a victim is used to receiving many emails. If you are used to receiving emails on a daily basis from an online service, such as notifications from Slack, you probably won’t think twice before clicking on their links. This is something hackers exploit in a big way when they try to phish you. They use email spoofing as a way to make emails appear legitimate by making it look like they are sent from legitimate people or companies.
The process is that they find out what type of emails you are used to finding their way to your inbox. They then copy the content and design of the email, which they can do in two ways. Either they find the email template online, or they receive the emails themselves from the given service and therefore know exactly how they are set up.
Learn more about how email spoofing works and how to spot it to stay protected.
Types of clone phishing attacks
Clone phishing attacks can take various forms, including:
- Account verification scams: Scammers clone legitimate emails from service providers, such as banks or social media platforms, requesting recipients to verify their account information due to a supposed security concern.
- Invoice or payment requests: Attackers clone legitimate invoices or payment requests from vendors, suppliers, or business partners, altering the payment details to redirect funds to their accounts.
- Software updates or security alerts: Cybercriminals clone security alerts or software update notifications from reputable companies, urging users to download and install purported updates or patches.
- Employee impersonation: Attackers clone the email addresses or profiles of employees within an organization, typically those in positions of authority or trust.
- Social media cloning: Scammers clone social media profiles, particularly those of friends or acquaintances, to impersonate legitimate users and solicit personal information, financial assistance, or access to sensitive accounts.
- Brand spoofing: This involves cloning emails or messages from reputable brands or organizations, such as financial institutions, e-commerce platforms, or government agencies.
- BEC scams: Business email compromise (BEC) scams involve breaching a business account and using it to send malicious emails.
Cloning private messages in clone phishing emails
It is more difficult for hackers to clone private messages than emails or messages from online services. This is because private messages are harder to access as they are between you and another party. Therefore, when a third party manages to access them, it typically indicates that your or your friend’s or colleague’s user information has been exposed in an external data leak or otherwise hacked. Therefore, it is crucial to safeguard your login credentials to prevent unauthorized access and potential clone phishing attacks.
Once the hacker has access to a user, the situation can quickly spread and many people in their circle of acquaintances may be phished. Unfortunately, clone phishing is usually extremely difficult to spot when it comes from an otherwise trustworthy source, such as a friend.
The paradox of clone phishing with a malicious link
Clone phishing is in principle easy to perform, as the approach is essentially to copy the content from a legitimate email and then replace links or attachments with malicious or infected ones. At the same time, they are incredibly difficult for victims to detect.
Unlike spear phishing, which involves highly targeted and personalized attacks, clone phishing relies on replicating existing emails to deceive recipients. Therefore, one might think that clone phishing would be more widespread than it is. However, one of the aspects that makes the method significantly harder is that it is difficult for hackers to gain access to targeted emails. They need that access in order to see what kinds of emails a person frequently sends and receives. The method can therefore sometimes be useless, as there is no point for the hacker in sending phishing emails to someone whose account they already have access to. Conversely, however, this may mean that they can use your account to send phishing emails to others. This underlines the importance of cyber hygiene and account security, which can be enhanced by the use of unique and strong passwords, preferably generated by a password manager.
On the other hand, it is very easy to access e-mails from online services, as the hacker can simply subscribe to their newsletters like anyone else and thus copy their e-mail templates. However, this type of mail often ends up in the spam filter of most people, while many others do not open them at all.
This also explains why the most common form of phishing is the kind where hackers pretend to be a trustworthy sender, while at the same time going to great lengths to use the principles of social engineering, which are known to manipulate the victim’s emotions. This method is thus not characterised as clone phishing.
Signs of a clone phishing attack
Clone phishing emails are more difficult to spot than traditional phishing emails because they look more legitimate and plausible. Some telltale signs of clone phishing include:
- The email is a duplicate of a legitimate email the recipient has received before.
- The email contains attachments or links that are not legitimate.
- The email is trying to trick the recipient into revealing sensitive information.
- Spelling and grammatical errors.
- Different domain extensions.
- Password managers don’t work.
- Urgent language.
- Requests for personal information.
- Low-quality images and design.
How to block clone phishing attempts and avoid being hooked
By following our best practice advice, you can significantly minimise the risk of being hooked. Implementing robust email security solutions can help block clone phishing attempts and protect your sensitive information.
We recommend that you pay attention to:
- Duplicated mails, i.e. mails you receive that are almost identical to mails you have received in the past.
- Unwanted links. Hover over the link in the email without clicking on it. This way you can read the URL and spot if it is malicious or legitimate. This is generally good behaviour and you should always do this when you receive links in an email or message.
- Anyone can choose any name for their email account, but by checking the email address - and more specifically the domain name that comes after the @ - you can spot whether the email is coming from who the hacker is impersonating or not.
- Learn to identify phishing emails by receiving phishing simulations in your inbox. That way you can train yourself to be sharp at identifying malicious emails. Your eye for potential phishing attacks is like a muscle that needs to be trained to stay fit. Learn more about Moxso’s phishing simulations and strengthen your defenses against cyber threats.
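The first three checks above (near-duplicate content, changed links, changed sender domain) can also be automated on the receiving side. The following is an added example, not code from Moxso: it compares an incoming message against one already received and reports what changed. The sample messages, the function names and the 0.9 similarity threshold are assumptions made for the illustration.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

# Constructed sample messages (reserved example domains, not real traffic).
KNOWN = """From: Chat Notifications <notifications@chat.example.com>
Subject: You have 3 unread messages

Hi Sam, you have 3 unread messages in #project.
Open them here: https://chat.example.com/unread
"""
# Constructed clone: same wording, different domain extension in sender and link.
CLONE = KNOWN.replace("chat.example.com", "chat.example.net")

def features(raw):
    """Return (sender domain, set of link hosts, body text with links masked)."""
    msg = message_from_string(raw)
    body = msg.get_payload()  # assumption: single-part text message
    sender = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    hosts = {h for u in URL_RE.findall(body) if (h := urlsplit(u).hostname)}
    # Mask URLs so a swapped link does not lower the wording similarity.
    text = " ".join(URL_RE.sub("<url>", body).split()).lower()
    return sender, hosts, text

def clone_findings(known_raw, incoming_raw, threshold=0.9):
    """List what changed when incoming is a near-duplicate of a known mail."""
    k_sender, k_hosts, k_text = features(known_raw)
    i_sender, i_hosts, i_text = features(incoming_raw)
    if SequenceMatcher(None, k_text, i_text).ratio() < threshold:
        return []  # wording differs too much to be a clone of this mail
    findings = []
    if i_sender != k_sender:
        findings.append(f"sender domain changed: {k_sender} -> {i_sender}")
    new_hosts = sorted(i_hosts - k_hosts)
    if new_hosts:
        findings.append("new link hosts: " + ", ".join(new_hosts))
    return findings

if __name__ == "__main__":
    for finding in clone_findings(KNOWN, CLONE):
        print(finding)
```

A legitimate re-send from the same sender with the same links produces no findings, so only near-duplicates whose sender domain or link hosts have changed are flagged.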
Email security solutions for clone phishing protection
To protect against clone phishing attacks, it’s essential to implement robust email security solutions. Some effective measures include:
- Multi-factor authentication (MFA): MFA requires more than one method of authentication, making it harder for attackers to gain access to the target’s account. Discover why multi-factor authentication is essential for your security.
- Phishing awareness campaigns: These campaigns can help employees recognize clone phishing attacks and report them to the IT department.
- Anti-phishing software: This software can detect and prevent clone phishing attempts by scanning emails for malicious content and blocking suspicious links and attachments.
- Email filtering systems: These systems assess various aspects of each email, including the sender’s reputation, suspicious links, and phishing language, to block or flag potential clone phishing emails.
- Web browser extensions: These extensions offer real-time analysis of websites users visit and detect malicious sites based on indicators such as reputation or mismatched identity.
By understanding how clone phishing works and implementing these email security solutions, individuals and organizations can significantly reduce the risk of falling victim to clone phishing attacks.
This post has been updated on 24-01-2025 by Sarah Krarup.

Sarah Krarup
Sarah studies innovation and entrepreneurship with a deep interest in IT and how cybersecurity impacts businesses and individuals. She has extensive experience in copywriting and is dedicated to making cybersecurity information accessible and engaging for everyone.