Clone Phishing: Here's What You Need to Know To Protect Your Organization

Clone phishing is when hackers take an existing email template and turn it into a malicious email with a simple bait-and-switch, such as changing a legitimate link to a malicious one. We look at real-world examples, prevention tactics, and actionable strategies to safeguard your organization.


Have you ever received an email from your organisation or a brand you trust... but got the feeling that something just isn't quite right?

Chances are, it was a clone phishing attempt.  

Hackers can copy a legitimate message, make a few small tweaks, and send you a scam email in order to get you to click on their link or attachment.

Below we'll break down the techniques behind this type of phishing attack, real-world examples, and practical strategies to identify and mitigate the impact of clone phishing.

What is clone phishing?

Clone phishing is a type of cyberattack where scammers create a fake email or message that looks almost identical to a legitimate one you've received before.

Scammers make copies of an email you've already received and make a few changes to try and trick you or your employees.

They might copy the design, logos, and even the writing style to make it seem genuine.

Then, they send it to you again, making it look like it's from the original sender.

Usually, they'll try to get you to click on a malicious link, download malware, or provide sensitive information like passwords or credit card numbers.

Understanding how clone phishing works - what you need to know

More complex than just sheer duplication...

The attacker might start the email with a pretext that justifies the re-send.

Explanations we’ve seen are along the lines of “sending this again because I needed to update the attached file,” or “I forgot to add this in the original email.”

You can be sure they will find a suitable explanation and if not, they trust your curiosity will take care of the rest.

Impersonating trusted sources

In addition to impersonating emails from a co-worker, a clone phish could mimic communications from a service provider.

Let’s say the place where you work uses GitHub and you receive emails from GitHub daily...

And you're accustomed to these emails and click on them without thinking too much.

If an attacker gets hold of one of these messages, they'll know exactly what you're used to seeing and can turn it into a malicious email, pretending to be from GitHub.

Clone phishing scams rely on social engineering tactics designed to exploit human psychology and trust.

We're more likely to act impulsively or overlook red flags when confronted with familiar content from trusted sources... which is why even individuals with a high level of cybersecurity awareness can fall victim to these tactics.

So, we'd recommend getting into the habit of hovering over links.

How easy is it to clone personal emails?

While cloning messages from online services is relatively straightforward for attackers, cloning personal emails isn't quite as easy.

Accessing personal email accounts requires breaching individual accounts, a task that is more difficult to accomplish without raising suspicions.

Third-party access to personal email conversations may indicate a security breach, prompting individuals to take corrective action.

However, in cases where personal email accounts are compromised, attackers may use them for clone phishing attacks.

The zombie element: persistent threats

Even after security breaches have been addressed, clone phishing poses a persistent threat. Attackers can resurrect old email conversations using this technique, leveraging past interactions and relationships to deceive unsuspecting recipients.

While less common than other forms of phishing, this zombie-like persistence underscores the enduring threat posed by clone phishing attacks.

💡Fun fact: Emotet malware - one of history’s biggest botnets - spread by essentially using clone phishing with a twist. Once it had infected a device, it would send a copy of itself into old email conversations found in that machine’s email client. To the victim, it appeared that a trusted email conversation had been revived and that an attachment should be downloaded.

Types of clone phishing to keep an eye out for

Clone phishing attacks can take a few different forms. Here are some of the types of attacks you can expect to encounter...

Account verification scams

In this type of attack, the scammer clones a legitimate email from a legitimate service provider, such as a bank or social media platform, requesting the recipient to verify their account information due to a supposed security concern.

The cloned email may look identical to the original message, including logos and formatting, but the links provided will direct you to fraudulent websites designed to steal your login credentials.

Invoice or payment requests

Attackers may clone legitimate invoices or payment requests from vendors, suppliers, or business partners, altering the payment details to redirect funds to their accounts.

By sending convincing replicas of familiar payment requests, scammers will look to trick you into transferring money or sensitive financial information to fraudulent accounts.

Software updates or security alerts

Cybercriminals may clone security alerts or software update notifications from reputable companies or software providers, urging you to download and install purported updates or patches.

These cloned messages often contain malicious attachments or links that, when clicked, install malware or ransomware on your device.

Employee impersonation

In this type of clone phishing, attackers clone the email address or profile of employees within your organization, typically individuals in positions of authority or trust, such as executives or IT administrators.

The cloned messages may request sensitive information, instruct recipients to initiate unauthorized transactions, or induce them to download malware under the guise of legitimate communication from a trusted colleague.

Social media cloning

Scammers may clone social media profiles, particularly those of friends or acquaintances, to impersonate legitimate users and solicit personal information, financial assistance, or access to sensitive accounts.

Brand spoofing

Brand spoofing involves cloning emails or messages from reputable brands or organizations, such as financial institutions, e-commerce platforms, or government agencies.

Attackers replicate the branding elements, logos, and messaging style of the targeted organization to create convincing replicas of official communications.

BEC scams

BEC scams (business email compromise) are on the rise, and for good reason: they are very effective. A BEC scam is when someone breaches a business email account and uses it to send malicious emails.

Its effectiveness hinges on the trust that the business has established for itself. Combining a BEC scam with clone phishing makes for a serious weapon.

Just like in the case of Emotet, it is very hard to tell if the email is malicious when it comes from a trusted source. And in the case of a clone phish, the familiar context makes the attack even more convincing.

Real-life clone phishing examples

Facebook and Google were scammed for $100 Million (2017): In 2017, a Lithuanian scammer orchestrated a sophisticated clone phishing scheme targeting two tech giants, Facebook and Google. The scammer created fake email accounts and invoices impersonating a Taiwanese manufacturer with whom both companies did business.

Ubiquiti Networks lost $46 Million (2015): In 2015, Ubiquiti Networks, a manufacturer of networking equipment, fell victim to a clone phishing attack that resulted in the loss of $46 million. Cybercriminals impersonated company executives and targeted employees responsible for handling wire transfers.

Twitter Bitcoin scam (2020): In July 2020, a significant Twitter hack targeted high-profile accounts including Elon Musk, Barack Obama, and Bill Gates. The attackers used a combination of social engineering and clone phishing techniques to compromise the accounts and promote a Bitcoin scam.

COVID-19 vaccine phishing campaigns (2021): Throughout 2021, cybercriminals capitalized on the COVID-19 pandemic by launching clone phishing campaigns targeting individuals seeking information about vaccines.

How to recognise clone phishing attempts

Spotting a clone phishing attack: here are the warning signs to look out for

Email content anomalies: Pay close attention to the content of emails, especially if they seem familiar but contain slight variations, inconsistencies, spelling mistakes or poor grammar.

Unexpected requests for information or action: Be wary of emails that unexpectedly request sensitive information, such as login credentials, financial details, or personal identifiers. You may also want to think twice if asked to take urgent or unusual actions, such as clicking on unfamiliar links or downloading attachments from unknown sources. Legitimate organizations typically do not request sensitive information or prompt immediate action via email without prior notice or authentication procedures.

Unusual sender addresses or domain names: Check the sender's email address and domain name. Clone phishing emails may use sender addresses that resemble those of legitimate sources so be wary of any subtle differences.

Suspicious attachments or links: Look out for attachments or links in emails if they appear unexpected or out of context. Clone phishing emails may contain malicious attachments disguised as legitimate documents or links. Avoid clicking on suspicious links or downloading attachments from unfamiliar sources.

Sense of urgency or alarm: Emails with a sense of urgency or alarm should be looked over carefully. Attackers often use psychological tactics to manipulate recipients into responding impulsively without questioning the legitimacy of the communication.

Verification and authentication: When in doubt, you can always verify the authenticity of suspicious emails through alternative channels or direct contact with the sender.

Clone phishing vs spear phishing

📚 Quick definition: Clone phishing involves replicating existing emails to target a broad audience with less personalized content, while spear phishing attacks are highly targeted, personalized and tailored to specific individuals or organizations.

Targeting strategy
  • Clone phishing: typically targets a broader audience by replicating legitimate communications and sending them to multiple recipients.
  • Spear phishing: highly targeted and personalized, focusing on specific individuals or organizations.
Level of customization
  • Clone phishing: replicates existing emails or messages and generally lacks the customization and personalization seen in spear phishing attacks.
  • Spear phishing: emails are meticulously crafted to appear highly personalized and relevant to the targeted individual (referencing specific events, projects, or relationships).
Objective
  • Clone phishing: mainly aims to deceive recipients into clicking on malicious links, downloading malware, or providing sensitive information.
  • Spear phishing: objectives vary with the attackers' goals - stealing credentials, gaining unauthorized access to systems or networks, distributing malware, financial fraud, etc.
Complexity
  • Clone phishing: relatively straightforward to execute, as it involves replicating existing emails or messages with minor modifications.
  • Spear phishing: more complex and sophisticated, requiring careful planning, research, and social engineering tactics.

Identifying fake email addresses and domains

When it comes to spotting fraudulent communications, there are a few steps you can take to protect yourself from potential threats:

  • Check the sender's email address for misspellings, extra characters, or unfamiliar domain names.
  • Verify the domain name by checking its authenticity using a WHOIS lookup or domain verification tools.
  • Scrutinize the content of the email for any signs of suspicious or unusual language, formatting, or grammatical errors.
  • Avoid providing personal information like login credentials, financial details, or account numbers, via email.
  • Use email security measures like spam filters, antivirus software, and email authentication protocols (e.g., SPF, DKIM, DMARC), to detect and prevent phishing attempts.
  • Hover over links before clicking to verify that the URL matches the expected destination and does not redirect to a suspicious or unfamiliar website.
[Image: example of a safe email link - what a legitimate URL might look like]
[Image: example of an unsafe email link - a URL you should be wary of]

Even if cloned phishing attacks are more difficult to notice than others, they still have some of the same weaknesses.

The most important indicator is the fact that links will lead to websites that are either malicious or contain links to malicious sites. This is something even a BEC combined with clone phishing can’t hide.

And if the email doesn’t have a link but an attachment instead, that should raise a healthy amount of scepticism.

Always handle attachments with caution, and never open executables or enable macros in Office documents.

If somebody only has a copy of an email you might have received, they can only send it from an address they have access to, or try to spoof it.

Spoofing the sender means it will likely get caught by your email filters, or get sent to your trash folder.

Also be mindful of the context! If the email is supposedly a part of a conversation, then why isn’t it in the same email thread? The attacker can’t send the email into the same email thread as the real message, if they don’t have access to that account. And in the case of a breached account, you can look for other clues like links.

Defending against clone phishing: here's how to protect your organization

Although clone phishing poses a significant threat to businesses, there are a few ways you can safeguard your company against these attacks.

Here's a quick playbook for staying clear of clone phishing campaigns...

Implement 2FA (two-factor authentication)

Implementing two-factor authentication adds an extra layer of security which will help prevent unauthorized access even if login credentials are compromised through clone phishing messages.

Make sure employees are using strong passwords

Encourage employees to create strong, unique passwords for their accounts and regularly update them. You can always use password management tools to make this process easier.

Use email security solutions and anti-virus programs

Robust email security software and anti-virus programs help detect and block clone phishing attempts and suspicious emails before they reach employees' inboxes.

Invest in security training

As phishing attacks continue to evolve, it gets harder for employees to tell legitimate and malicious emails apart. If you want proactive, long-term protection against all types of phishing, it may be time to look into cybersecurity awareness training.

*Note: Traditional security awareness training tends to fall short. This is why here at Hoxhunt, we designed a solution that maximizes training outcomes by serving every user a personalized learning path that measurably changes behavior.

🔑 Key takeaways: how to keep your employees safe

  • Be wary of duplicate emails. This is the telltale sign of a clone phishing attack.
  • Hover over the links! The best phishes make you skip reason, but if you have a habit of hovering over the links, you’ll catch it right away.
  • Check the sender address. Anyone can pick any name for their account, but what's after the “@” is what counts.
  • Think twice before opening attachments. An unexpected attachment is usually a good reason to be suspicious.
  • Make sure you're using 2FA and strong passwords... and consider getting your employees trained up against these phishing threats.

Measurably reduce cyber risk with Hoxhunt 🔒

Hoxhunt uses a mix of gamification and AI to automatically assign personalized, bite-sized phishing training that employees genuinely enjoy and that delivers real, tangible behavior change for security teams.

  • Personalize training at scale with AI
  • Maximize engagement using gamification
  • Train users with instant, bite-sized lessons
  • Measure the impact of your security training

Clone phishing FAQ

What happens if someone clones your email?

If someone clones your email for a clone phishing attack, they'll create a copy of a genuine email that appears to be sent from your email address. This cloned email may contain malicious content, phishing links, malware-infected attachments, or requests for sensitive information.

What is an example of a clone phishing email?

Below is an example of what a cloned, fraudulent email might look like:

Dear [Recipient],

Due to recent security concerns, we are conducting a mandatory security update for all users of [Your Company Name]. Your immediate action is required to ensure the security of your account.

To complete the security update process, please click on the link below:
[Malicious Link]

Can I stop my email being spoofed?

Whilst clone phishing can be fairly tricky to prevent, there are measures you can take to reduce the risk:

  • Implement 2FA (two-factor authentication)
  • Use email filtering and anti-spoofing tools
  • Use email security solutions and anti-virus programs
  • Use strong passwords
  • Consider introducing security training
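The "anti-spoofing tools" and email authentication protocols (SPF, DKIM, DMARC) mentioned in this article, as an added example that is not from the original article: a small checker for a domain's own SPF and DMARC records that flags the settings which leave a domain easy to spoof, with a weak record pair and its hardened counterpart side by side. The zone data is constructed for this example (a real check would fetch the TXT records via DNS instead of reading a dictionary), and `assess`, `parse_dmarc` and `codes` are names chosen here.

```python
from typing import Dict, List

# Constructed TXT records standing in for a DNS lookup of the domain and of its
# _dmarc subdomain. The first zone is how many domains are still configured.
WEAK_ZONE: Dict[str, List[str]] = {
    "example.com": ["v=spf1 ip4:203.0.113.0/24 include:_spf.mail-provider.example ~all"],
    "_dmarc.example.com": ["v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"],
}
HARDENED_ZONE: Dict[str, List[str]] = {
    "example.com": ["v=spf1 ip4:203.0.113.0/24 include:_spf.mail-provider.example -all"],
    "_dmarc.example.com": ["v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; pct=100"],
}


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=none; rua=...' into a tag dictionary (keys lower-cased)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess(domain: str, zone: Dict[str, List[str]]) -> List[str]:
    """Return 'code: detail' findings describing how spoofable `domain` is."""
    findings = []
    spf = [r for r in zone.get(domain, []) if r.lower().startswith("v=spf1")]
    if not spf:
        findings.append("spf-missing: receivers cannot tell which servers may send as this domain")
    else:
        if len(spf) > 1:
            findings.append("spf-multiple: more than one SPF record is a permanent error (RFC 7208)")
        last = spf[0].split()[-1].lower()  # the trailing 'all' mechanism decides the default
        if last in ("+all", "all"):
            findings.append("spf-open: '+all' authorises every server on the internet")
        elif last == "?all":
            findings.append("spf-neutral: '?all' gives receivers no verdict at all")
        elif last == "~all":
            findings.append("spf-softfail: '~all' only marks spoofed mail as suspicious; "
                            "use '-all' once reports confirm every legitimate sender is listed")
        elif last != "-all":
            findings.append("spf-no-all: record does not end with an 'all' mechanism")
    dmarc = [r for r in zone.get("_dmarc." + domain, []) if r.upper().startswith("V=DMARC1")]
    if not dmarc:
        findings.append("dmarc-missing: no policy tells receivers what to do with mail failing SPF/DKIM")
    else:
        tags = parse_dmarc(dmarc[0])
        policy = tags.get("p", "").lower()
        if policy == "none":
            findings.append("dmarc-monitor-only: p=none reports spoofing but still lets it through; "
                            "move to p=quarantine, then p=reject")
        elif policy not in ("quarantine", "reject"):
            findings.append(f"dmarc-invalid-policy: p={policy!r}")
        pct = int(tags.get("pct", "100"))  # pct defaults to 100 when absent
        if pct < 100:
            findings.append(f"dmarc-partial: pct={pct} applies the policy to only {pct}% of failing mail")
        if "rua" not in tags:
            findings.append("dmarc-no-reporting: add rua= so you see who is sending as your domain")
    return findings


def codes(findings: List[str]) -> List[str]:
    """Just the short codes, handy for comparing two zones."""
    return [f.split(":", 1)[0] for f in findings]
```

For the weak zone the checker reports `spf-softfail` and `dmarc-monitor-only`; the hardened zone produces no findings. The usual path between the two is gradual: keep `~all` and `p=none` while the `rua` aggregate reports show which of your own systems send mail, add those senders to SPF, and only then move to `-all` and `p=reject`, because a strict policy applied to an incomplete sender list rejects your own legitimate mail.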
