In clone phishing, hackers use an existing email as a template and replace the link in the mail with a malicious one. This makes clone phishing a sophisticated way for hackers to easily trick their victims, because this type of phishing email appears very trustworthy as it is almost identical to the legitimate email it is cloned from.
Clone phishing in a nutshell
In clone phishing, cybercriminals get their hands on emails that a victim has already received in the past, for example from a colleague or an online service, and make them malicious by copying them and then replacing the legitimate link with a malicious one. In this way, cyber criminals exploit the trust the victim has in the sender of the original and legitimate email, which can be considered a form of social engineering.
But clone phishing can also manifest itself in more complex ways. For example, in the case of an email sent from a colleague, the hacker may launch the attack with an email that is a re-sent version of the original email but with a malicious link or file. Here, the email will typically contain explanations such as "Forgot to attach the file to the original email." The hacker will come up with a suitable explanation that will pique the victim's curiosity and make them click.
However, hackers can also impersonate various online services from which a victim is used to receiving many emails. If you are used to receiving emails on a daily basis from an online service, such as notifications from Slack, you probably won't think twice before clicking on their links. This is something hackers exploit in a big way when they try to phish you. They use email spoofing as a way to make emails appear legitimate by making it look like they are sent from legitimate people or companies.
The process is that they find out what type of emails you are used to finding their way to your inbox. They then copy the content and design of the email, which they can do in two ways. Either they find the email template online, or they receive the emails themselves from the given service and therefore know exactly how they are set up.
Cloning private messages
It is more difficult for hackers to clone private messages than emails or messages from online services. This is because private messages are harder to access as they are between you and another party. Therefore, when a third party manages to access them, it typically indicates that your or your friend's or colleague's user information has been exposed in an external data leak or otherwise hacked.
Once the hacker has access to a user, the situation can quickly spread and many people in their circle of acquaintances may be phished. Unfortunately, clone phishing is usually extremely difficult to spot when it comes from an otherwise trustworthy source, such as a friend.
The paradox of clone phishing
Clone phishing is in principle easy to perform, as the approach is essentially to copy the content from a legitimate email and then replace links or attachments with malicious or infected ones. At the same time, they are incredibly difficult for victims to detect.
Therefore, one might think that clone phishing was more widespread than it is. However, one of the aspects that makes the method significantly more difficult is that it is difficult for hackers to gain access to targeted emails. They need to do this in order to see what kind of emails a person sends and receives a lot of. And therefore the method can sometimes be useless, as there is no point for the hacker in sending phishing emails to someone whose account they already have access to. Conversely, however, this may mean that they can use your account to send phishing to others. This underlines the importance of cyber hygiene and account security, which can be enhanced by the use of unique and strong passwords, preferably generated by a password manager.
On the other hand, it is very easy to access e-mails from online services, as the hacker can simply subscribe to their newsletters like anyone else and thus copy their e-mail templates. However, this type of mail often ends up in the spam filter of most people, while many others do not open them at all.
This also explains why the most common form of phishing is the kind where hackers pretend to be a trustworthy sender, while at the same time going to great lengths to use the principles of social engineering, which are known to manipulate the victim's emotions. This method is thus not characterised as clone phishing.
How to avoid being hooked
By following our best practice advice, you can significantly minimise the risk of being hooked.
We recommend that you pay attention to:
- Duplicated mails, i.e. mails you receive that are almost identical to mails you have received in the past.
- Unwanted links. Hover over the link in the email without clicking on it. This way you can read the URL and spot if it is malicious or legitimate. This is generally good behaviour and you should always do this when you receive links in an email or message.
- Anyone can choose any name for their email account, but by checking the email address - and more specifically the domain name that comes after the @ - you can spot whether the email is coming from who the hacker is impersonating or not.
- Learn to identify phishing emails by receiving phishing simulations in your inbox. That way you can train yourself to be sharp at identifying malicious emails. Your eye for potential phishing attacks is like a muscle that needs to be trained to stay fit.
Emilie Hartmann is a student and copywriter at Moxso, where she is a language nerd and always on the lookout for new and exciting topics to write about. She is currently doing her Master's in English, where she is primarily working in the fields of Creative Writing and Digital Humanities.View all posts by Emilie Hartmann