Phishing attacks are constantly evolving—and one of the most deceptive forms is clone phishing. Unlike generic spam, clone phishing cleverly uses your own trusted communications against you, making it incredibly difficult to detect.
In this guide, we’ll break down exactly what clone phishing is, how it works, share examples, and show you practical ways to protect yourself and your business.
What is Clone Phishing?
Clone phishing is a type of email scam where attackers create an identical copy of a legitimate email that you’ve already received, but swap out the attachments or links with malicious ones. It’s an effective form of phishing because it piggybacks on a message you already trust.
For example, imagine you recently received a contract from a partner company. A cybercriminal could get a copy of that email, create a perfect clone—same branding, same wording, same sender signature—but replace the PDF with a malware-laced file. They might even add a short note like, “Resending with an updated attachment due to a technical issue.”
Because it looks almost identical to the original, you’re far more likely to open it without suspicion.
How Does Clone Phishing Work?
Here’s how a typical clone phishing attack unfolds, step by step:
- Interception or acquisition: Attackers obtain a copy of a legitimate email. This might be through hacking an email account, monitoring an unsecured network, or leveraging data from a previous breach.
- Cloning: They copy the original message exactly—preserving logos, signatures, even previous email threads—so it feels familiar and authentic.
- Weaponization: Links or attachments in the message are replaced with malicious versions. For example, a link to a trusted document portal might be swapped with a fake login page designed to steal your credentials.
- Delivery: The cloned email is sent from an address that closely resembles the real sender’s. Often, it includes a note like, “Re-sending this document; please review at your earliest convenience.”
- Execution: If you click the link or download the file, you could inadvertently give away sensitive credentials or install malware on your device.
Examples of Clone Phishing Attacks
Fake invoice update
A company regularly receives invoices from a known supplier. An attacker intercepts one of these emails, clones it, and sends it again with slightly altered banking details. Because the email looks identical to previous ones, the accounting department unknowingly wires money to the fraudster’s account.
IT software update
A user receives what appears to be a repeat of an earlier email from the IT department about a mandatory software update. This time, however, the download link points to malware that compromises the entire network.
Internal project files
An attacker who has breached one employee’s email account can resend existing conversations—adding malicious attachments disguised as updated project documents. The recipients, seeing a familiar thread, trust the message and download the file.
Clone Phishing vs Other Types of Phishing
| Type | What Makes It Unique |
|---|---|
| Phishing | Generic mass emails sent to thousands of people. |
| Spear Phishing | Personalized, targets specific individuals. |
| Clone Phishing | Copies an actual previous legitimate email. |
| Whaling | Targets high-profile executives (CEOs, CFOs). |
Clone phishing stands out because it relies on the trust you’ve already established with a sender or conversation thread. This makes it more convincing—and dangerous—than a standard mass phishing email.
How to Spot Clone Phishing
Clone phishing is designed to be almost indistinguishable from genuine emails. However, there are some subtle clues you can watch for:
- Sender’s email address: Is the domain spelled correctly? Clone phishing often uses look-alike domains (e.g., @companny.com instead of @company.com).
- Unusual urgency or context: Does the message rush you to open a file or enter credentials? Or reference something you didn’t request?
- Changed reply-to address: Expand or hover over the sender and reply-to fields to check whether a reply would go to a different address than the one displayed.
- Link destinations: Always hover over links before clicking. If the link preview doesn’t match the known company URL, it’s a red flag.
- Small inconsistencies: Formatting errors, slightly different signatures, or subtle grammatical mistakes can also indicate a clone.
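As an added illustration of the sender-domain, reply-to and link-destination clues above (not code from the original article), this Python script runs those three checks over a constructed sample message; the trusted-domain list, the sample headers and every domain name in it are assumptions made for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"company.com"}  # constructed: domains this org expects mail from
# Constructed sample: a cloned "resend" of a supplier invoice thread.
SAMPLE = """\
From: Accounts Payable <ap@companny.com>
Reply-To: invoices@mail-companny.net
Content-Type: text/html

<p>Resending due to a technical issue. Please review: <a href="http://docs.companny.com/login">https://docs.company.com/invoice/4471</a></p>
"""
LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def edit_distance(a, b):
    """Levenshtein distance: catches one- or two-character domain tweaks."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(header_value):
    """Lower-cased domain of an address header, or "" if the header is absent."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def lookalike_of(domain):
    """Trusted domain this one imitates (edit distance <= 2), else None."""
    if domain in TRUSTED_DOMAINS:
        return None
    return next((t for t in TRUSTED_DOMAINS if edit_distance(domain, t) <= 2), None)

def check_message(raw):
    """Return human-readable findings for the three clone-phishing clues."""
    msg = message_from_string(raw)
    from_dom, reply_dom = domain_of(msg["From"]), domain_of(msg["Reply-To"])
    findings = []
    if imitated := lookalike_of(from_dom):
        findings.append(f"sender domain {from_dom} resembles trusted {imitated}")
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from sender {from_dom}")
    for href, text in LINK_RE.findall(msg.get_payload()):
        shown, target = urlparse(text.strip()).hostname, urlparse(href).hostname
        if shown and shown != target:
            findings.append(f"link text shows {shown} but points to {target}")
    return findings
```

Running `check_message(SAMPLE)` returns three findings, one per clue; a message from a trusted domain whose links point where their text says returns an empty list.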
How to Protect Yourself & Your Business
For individuals
- Verify unexpected emails: If you receive a “resend” email with an attachment or link, call or message the sender directly (using a known number, not the one in the suspicious email).
- Use two-factor authentication (2FA): Even if attackers steal your password, 2FA can block them.
- Keep systems updated: Security patches fix vulnerabilities that attackers exploit.
For businesses
- Security awareness training: Employees are your first line of defense. Teach them to spot suspicious emails, especially cloned ones.
- Implement email authentication protocols: Use SPF, DKIM, and DMARC to help block spoofed emails.
- Advanced email filtering: Invest in security solutions that scan attachments and detect anomalies in sender patterns.
- Have an incident response plan: Make sure employees know how to report suspected phishing quickly.
A layered approach is best—technology plus training dramatically lowers your risk.
What to Do if You Suspect a Clone Phishing Attack
If you think you’ve received a cloned phishing email:
- Do not click any links or download attachments.
- Contact the original sender (via phone or a fresh email you type yourself, not by replying).
- Report the email to your IT department or security team. If it’s a personal account, use the email provider’s “report phishing” feature.
- Change passwords immediately if you think you may have entered credentials on a suspicious site. Enable 2FA if you haven’t already.
Conclusion
Clone phishing is a sophisticated twist on traditional phishing. By replicating real emails you’ve already seen, attackers dramatically increase the chances you’ll take the bait.
The good news? Awareness is half the battle. By knowing what clone phishing looks like and putting the right protections in place—like careful link checks, 2FA, and strong internal policies—you can safeguard both yourself and your organization.