Have you ever received an email from your organisation or a brand you trust... but got the feeling that something just isn't quite right?
Chances are, it was a clone phishing attempt.
Hackers can copy a legitimate message, make a few small tweaks, and send you a scam email in order to get you to click on their link or attachment.
Below we'll break down the techniques behind this type of phishing attack, real-world examples, and practical strategies to identify and mitigate the impact of clone phishing.
What is clone phishing?
Clone phishing is a type of cyberattack where scammers create a fake email or message that looks almost identical to a legitimate one you've received before.
Scammers make copies of an email you've already received and make a few changes to try and trick you or your employees.
They might copy the design, logos, and even the writing style to make it seem genuine.
Then, they send it to you again, making it look like it's from the original sender.
Usually, they'll try to get you to click on a malicious link, download malware, or provide sensitive information like passwords or credit card numbers.
Understanding how clone phishing works - what you need to know
More complex than just sheer duplication...
The attacker might start the email with a pretext that justifies the re-send.
Explanations we’ve seen are along the lines of “sending this again because I needed to update the attached file,” or “I forgot to add this in the original email.”
You can be sure they will find a suitable explanation, and if not, they trust that your curiosity will take care of the rest.
Impersonating trusted sources
In addition to impersonating emails from a co-worker, a clone phish could mimic communications from a service provider.
Let’s say the place where you work uses GitHub and you receive emails from GitHub daily...
And you're accustomed to these emails and click on them without thinking too much.
If an attacker gets hold of one of these messages, they'll know exactly what you're used to seeing and can turn it into a malicious email, pretending to be from GitHub.
Clone phishing scams rely on social engineering tactics designed to exploit human psychology and trust.
We're more likely to act impulsively or overlook red flags when confronted with familiar content from trusted sources... which is why even individuals with a high level of cybersecurity awareness can fall victim to these tactics.
So, we'd recommend getting into the habit of hovering over links.
How easy is it to clone personal emails?
While cloning messages from online services is relatively straightforward for attackers, cloning personal emails isn't quite as easy.
Accessing personal email accounts requires breaching individual accounts, a task that is more difficult to accomplish without raising suspicions.
Third-party access to personal email conversations may indicate a security breach, prompting individuals to take corrective action.
However, in cases where personal email accounts are compromised, attackers may use them for clone phishing attacks.
The zombie element: persistent threats
Even after security breaches have been addressed, clone phishing poses a persistent threat. Attackers can resurrect old email conversations using this technique, leveraging past interactions and relationships to deceive unsuspecting recipients.
While less common than other forms of phishing, this zombie-like persistence underscores the enduring threat posed by clone phishing attacks.
💡Fun fact: Emotet malware - one of history’s biggest botnets - spread by essentially using clone phishing with a twist. Once it had infected a device, it would send a copy of itself into old email conversations found in that machine’s email client. To the victim, it would appear that a trusted email conversation had been revived and an attachment should be downloaded.
Types of clone phishing to keep an eye out for
Clone phishing attacks can take a few different forms. Here are some of the types of attacks you can expect to encounter...
Account verification scams
In this type of attack, the scammer clones a genuine email from a legitimate service provider, such as a bank or social media platform, asking the recipient to verify their account information because of a supposed security concern.
The cloned email may look identical to the original message, including logos and formatting, but the links provided will direct you to fraudulent websites designed to steal your login credentials.
Invoice or payment requests
Attackers may clone legitimate invoices or payment requests from vendors, suppliers, or business partners, altering the payment details to redirect funds to their accounts.
By sending convincing replicas of familiar payment requests, scammers will look to trick you into transferring money or sensitive financial information to fraudulent accounts.
Software updates or security alerts
Cybercriminals may clone security alerts or software update notifications from reputable companies or software providers, urging you to download and install purported updates or patches.
These cloned messages often contain malicious attachments or links that, when clicked, install malware or ransomware on your device.
Employee impersonation
In this type of clone phishing, attackers clone the email address or profile of employees within your organization, typically individuals in positions of authority or trust, such as executives or IT administrators.
The cloned messages may request sensitive information, instruct recipients to initiate unauthorized transactions, or induce them to download malware under the guise of legitimate communication from a trusted colleague.
Social media cloning
Scammers may clone social media profiles, particularly those of friends or acquaintances, to impersonate legitimate users and solicit personal information, financial assistance, or access to sensitive accounts.
Brand spoofing
Brand spoofing involves cloning emails or messages from reputable brands or organizations, such as financial institutions, e-commerce platforms, or government agencies.
Attackers replicate the branding elements, logos, and messaging style of the targeted organization to create convincing replicas of official communications.
BEC scams
BEC scams (business email compromise) are on the rise, and for good reason. They are very effective! A BEC scam is when an attacker breaches a business email account and uses it to send malicious emails.
Its effectiveness hinges on the trust that the business has established for itself. Combining BEC with clone phishing makes for a serious weapon.
Just like in the case of Emotet, it is very hard to tell if the email is malicious when it comes from a trusted source. And in the case of a clone phish, the familiar context makes the attack even more convincing.
Real-life clone phishing examples
Facebook and Google were scammed for $100 million (2017): In 2017, a Lithuanian scammer orchestrated a sophisticated clone phishing scheme targeting two tech giants, Facebook and Google. The scammer created fake email accounts and invoices impersonating a Taiwanese manufacturer with whom both companies did business.
Ubiquiti Networks lost $46 million (2015): In 2015, Ubiquiti Networks, a manufacturer of networking equipment, fell victim to a clone phishing attack that resulted in the loss of $46 million. Cybercriminals impersonated company executives and targeted employees responsible for handling wire transfers.
Twitter Bitcoin scam (2020): In July 2020, a significant Twitter hack targeted high-profile accounts including Elon Musk, Barack Obama, and Bill Gates. The attackers used a combination of social engineering and clone phishing techniques to compromise the accounts and promote a Bitcoin scam.
COVID-19 vaccine phishing campaigns (2021): Throughout 2021, cybercriminals capitalized on the COVID-19 pandemic by launching clone phishing campaigns targeting individuals seeking information about vaccines.
How to recognise clone phishing attempts
Spotting a clone phishing attack: here are the warning signs to look out for
Email content anomalies: Pay close attention to the content of emails, especially if they seem familiar but contain slight variations, inconsistencies, spelling mistakes or poor grammar.
Unexpected requests for information or action: Be wary of emails that unexpectedly request sensitive information, such as login credentials, financial details, or personal identifiers. You may also want to think twice if asked to take urgent or unusual actions, such as clicking on unfamiliar links or downloading attachments from unknown sources. Legitimate organizations typically do not request sensitive information or prompt immediate action via email without prior notice or authentication procedures.
Unusual sender addresses or domain names: Check the sender's email address and domain name. Clone phishing emails may use sender addresses that closely resemble those of legitimate sources, so be wary of any subtle differences.
Suspicious attachments or links: Look out for attachments or links that appear unexpected or out of context. Clone phishing emails may contain malicious attachments or links disguised as legitimate documents. Avoid clicking on suspicious links or downloading attachments from unfamiliar sources.
Sense of urgency or alarm: Emails with a sense of urgency or alarm should be looked over carefully. Attackers often use psychological tactics to manipulate recipients into responding impulsively without questioning the legitimacy of the communication.
Verification and authentication: When in doubt, you can always verify the authenticity of suspicious emails through alternative channels or direct contact with the sender.
Clone phishing vs spear phishing
📚 Quick definition: Clone phishing involves replicating existing emails to target a broad audience with less personalized content, while spear phishing attacks are highly targeted, personalized and tailored to specific individuals or organizations.
Identifying fake email addresses and domains
When it comes to spotting fraudulent communications, there are a few steps you can take to protect yourself from potential threats:
- Check the sender's email address for misspellings, extra characters, unfamiliar domain names, etc.
- Verify the domain name by checking its authenticity using a WHOIS lookup or domain verification tools.
- Scrutinize the content of the email for any signs of suspicious or unusual language, formatting, or grammatical errors.
- Avoid providing personal information like login credentials, financial details, or account numbers via email.
- Use email security measures like spam filters, antivirus software, and email authentication protocols (e.g., SPF, DKIM, DMARC) to detect and prevent phishing attempts.
- Hover over links before clicking to verify that the URL matches the expected destination and does not redirect to a suspicious or unfamiliar website.
Even if clone phishing attacks are more difficult to notice than others, they still share some of the same weaknesses.
The most important indicator is the fact that links will lead to websites that are either malicious or contain links to malicious sites. This is something even a BEC combined with clone phishing can’t hide.
And if the email doesn’t have a link but an attachment instead, it should raise a healthy amount of scepticism.
Always handle attachments with caution, and never open executables or enable macros in Office documents.
If somebody only has a copy of an email you might have received, they can only send it from an address they have access to, or try to spoof it.
Spoofing the sender means it will likely get caught by your email filters, or get sent to your trash folder.
Also be mindful of the context! If the email is supposedly part of a conversation, then why isn’t it in the same email thread? The attacker can’t send the email into the same thread as the real message if they don’t have access to that account. And in the case of a breached account, you can look for other clues, like the links.
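As an added example (not code from the original post), here is a small Python check that applies the indicators above to a constructed pair of messages: a genuine service notification and a "re-sent" clone of it. The sample messages, their addresses, the lookalike domains and the Authentication-Results header are all constructed for illustration; the check compares the sender domain, the SPF/DKIM/DMARC verdicts recorded by the receiving mail server, the hosts behind the links (what hovering reveals) and whether a message that claims to be a reply actually carries threading headers.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse
# Constructed sample pair: a genuine service notification and a "re-sent" clone of it.
# Authentication-Results is the verdict a receiving mail server stamps on the message.
ORIGINAL = """\
From: Notifications <noreply@github.com>
Subject: [example/repo] New pull request
Authentication-Results: mx.example.com; spf=pass; dkim=pass; dmarc=pass

<p>A pull request was opened.</p> <a href="https://github.com/example/repo/pull/1">View it on GitHub</a>
"""
CLONE = """\
From: Notifications <noreply@github-notify.example>
Subject: Re: [example/repo] New pull request
Authentication-Results: mx.example.com; spf=softfail; dkim=none; dmarc=fail

<p>Sending this again, the link was broken.</p> <a href="https://github.com.login-update.example/pull/1">View it on GitHub</a>
"""
LINK_RE = re.compile(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def sender_domain(msg):
    """Domain after the '@' of the actual address; the display name is ignored."""
    return parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1].lower()

def auth_results(msg):
    """spf/dkim/dmarc verdicts from the Authentication-Results header, as {method: result}."""
    return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", msg.get("Authentication-Results", "")))

def link_hosts(msg):
    """Hostnames behind every <a href> in the HTML body: what hovering over a link reveals."""
    return {urlparse(href).hostname for href, _ in LINK_RE.findall(msg.get_payload())}

def clone_indicators(original_raw, suspect_raw):
    """Warning signs that distinguish the suspect message from the known-good original."""
    orig, sus = message_from_string(original_raw), message_from_string(suspect_raw)
    flags = []
    if sender_domain(orig) != sender_domain(sus):
        flags.append(f"sender domain changed: {sender_domain(orig)} -> {sender_domain(sus)}")
    auth = auth_results(sus)
    for method in ("spf", "dkim", "dmarc"):
        if auth.get(method) != "pass":
            flags.append(f"{method}={auth.get(method, 'missing')}")
    for host in sorted(link_hosts(sus) - link_hosts(orig)):
        flags.append(f"link host not present in original: {host}")
    if sus.get("Subject", "").lower().startswith("re:") and not (sus["In-Reply-To"] or sus["References"]):
        flags.append("claims to be a reply but carries no In-Reply-To/References header")
    return flags
```

Running `clone_indicators(ORIGINAL, CLONE)` returns six flags for the clone and none when the original is compared against itself; a real mail filter would apply the same comparisons against the messages a user has actually received.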
Defending against clone phishing: here's how to protect your organization
Although clone phishing poses a significant threat to businesses - there are a few ways in which you can safeguard your company against these attacks.
Here's a quick playbook for staying clear of clone phishing campaigns...
Implement 2FA (two-factor authentication)
Implementing two-factor authentication adds an extra layer of security which will help prevent unauthorized access even if login credentials are compromised through clone phishing messages.
Make sure employees are using strong passwords
Encourage employees to create strong, unique passwords for their accounts and regularly update them. You can always use password management tools to make this process easier.
Use email security solutions and anti-virus programs
Robust email security software and anti-virus programs can detect and block clone phishing attempts and suspicious emails before they reach employees' inboxes.
Invest in security training
The more phishing attacks continue to evolve, the harder it will be for employees to tell legitimate and malicious emails apart. If you want proactive, long-term protection against all types of phishing - it may be time to look into cybersecurity awareness training.
*Note: Traditional security awareness training tends to fall short. This is why here at Hoxhunt, we designed a solution that maximizes training outcomes by serving every user a personalized learning path that measurably changes behavior.
🔑 Key takeaways: how to keep your employees safe
- Be wary of duplicate emails. This is the telltale sign of a clone phishing attack.
- Hover over the links! The best phishes make you skip reason, but if you have a habit of hovering over the links, you’ll catch it right away.
- Check the sender address. Anyone can pick any name for their account, but what’s after the “@” is what counts.
- Think twice before opening attachments - an unexpected attachment is usually a good reason to be suspicious.
- Make sure you're using 2FA and strong passwords... and consider getting your employees trained up against these phishing threats.
Measurably reduce cyber risk with Hoxhunt 🔒
Hoxhunt uses a mix of gamification and AI to automatically assign personalized, bite-sized phishing training that employees genuinely enjoy and delivers real, tangible behavior change for security teams.
- Personalize training at scale with AI
- Maximize engagement using gamification
- Train users with instant, bite-sized lessons
- Measure the impact of your security training
Clone phishing FAQ
What happens if someone clones your email?
If someone clones your email for a clone phishing attack, they'll create a copy of a genuine email that appears to be sent from your email address. This cloned email may contain malicious content, phishing links, malware-infected attachments, or requests for sensitive information.
What is an example of a clone phishing email?
Below is an example of what a cloned, fraudulent email might look like:
Dear [Recipient],
Due to recent security concerns, we are conducting a mandatory security update for all users of [Your Company Name]. Your immediate action is required to ensure the security of your account.
To complete the security update process, please click on the link below:
[Malicious Link]
Can I stop my email being spoofed?
Whilst clone phishing can be fairly tricky to prevent, there are measures you can take to reduce the risk:
- Implement 2FA (two-factor authentication)
- Use email filtering and anti-spoofing tools
- Use email security solutions and anti-virus programs
- Use strong passwords
- Consider introducing security training