What is Clone Phishing? How to Identify and Prevent Copycat Phishing Emails

Clone phishing occurs when attackers create a convincing clone of a legitimate email. They compromise or impersonate the original sender and use the copycat email to dupe victims into entering login credentials, paying an invoice, downloading malware, or sharing sensitive data. These emails are often identical to a previous email the victim has received, except a malicious attachment or link is included.

How Clone Phishing Works

Clone phishing involves duplicating a previously received message, such as an order confirmation, newsletter, customer support message, or bank alert. The attacker meticulously replicates every aspect, including wording, images, and the sender's address. They may even have access to a compromised email address after a successful account takeover.

The key distinction lies in the attachments or links of the clone phishing email. Instead of legitimate functions, these elements either contain malware or redirect to a fake login page, setting the stage for potential harm.

Here’s a step-by-step breakdown of a common clone phishing attack:

  1. Attackers compromise a legitimate email account or spoof the sender's address.

  2. Using the compromised or spoofed account, attackers copy or follow up on previous emails sent by the original sender after adding a malicious link or attachment.

  3. Attackers may also gather information about the target through LinkedIn, social media, or other online sources to make their cloned email even more convincing.

  4. The victim interacts with the malicious email since it is virtually identical to previous trusted communication.

A Classic Clone Phishing Example

This email uses an existing email thread from a compromised vendor to trick a user into paying a

Compromised Vendor with Hijacked Thread

The email, seemingly from a vendor's finance head, requested a list of unpaid invoices, offering a 5% discount for quick payment. It claimed an ongoing audit necessitated disregarding existing bank details. Although the origin email appeared compromised, the reply address was hidden behind encrypted services, making it challenging to detect malicious intent. This tactic involves accessing vendor emails, replicating messages, and sending them from seemingly legitimate accounts to original recipients.

Read a more in-depth breakdown of this particular attack.

Why Clone Phishing is Growing in Popularity

Several factors contribute to the increasing prevalence of clone phishing:

  • Easy to make: Cybercriminals leverage generative AI and readily available templates and tools, making crafting convincing clone phishing websites and emails simpler than ever.

  • Convincing: Clone phishing attacks leverage previous email interactions, making them seem less suspicious. The realistic designs and content can deceive even vigilant individuals.

  • Opportunity: With a growing number of people conducting financial transactions and shopping online, clone phishers have a broader pool of potential targets, increasing the opportunities for successful attacks.

  • Lack of awareness: Many individuals remain unaware of the existence and tactics of clone phishing, rendering them more susceptible to falling victim to these attacks.

How to Identify and Prevent Clone Phishing

The two most important steps in protecting your organization against clone phishing attacks:

  1. Educate employees about this threat and how it works.

  2. Prevent these emails from landing in inboxes to begin with.

See How Abnormal Prevents Clone Phishing

On the individual side, employees can identify clone phishing emails by carefully examining the email address of the sender - attackers often use similar but slightly different domain names in their cloned emails. Another red flag is when an email asks for sensitive information such as passwords or personal data that would not typically be requested via email.

On the organizational side, a sophisticated email security solution can automate this process by using behavioral AI and content analysis to identify suspicious requests, compromised vendor accounts, and phishing attempts.

Organizations should also implement multi-factor authentication (MFA) for email accounts to prevent attackers from accessing legitimate emails. Additionally, having strong spam filters and email security solutions in place can help detect and block malicious emails before they reach users' inboxes.

Get the Latest Insights

Subscribe to our newsletter to receive updates on the latest attacks and new trends in the email threat landscape.

Get AI Protection for Your Human Interactions

Protect your organization from socially-engineered email attacks that target human behavior.
Request a Demo
Request a Demo