Frequently Asked Question - Clone Phishing - What is Clone Phishing & Prevention Best Practices

Clone phishing is a type of phishing attack in which a legitimate, previously delivered email containing a link or attachment has had its content and recipient address(es) stolen by a malicious hacker and used to create an almost identical, or “cloned”, email.

What Is Clone Phishing?

Clone phishing is a subset of phishing. It refers to an email that has been cloned from an original message sent by an organization. The recipient might receive this type of email after they have started communication, or it may be unsolicited. The cloned emails appear legitimate and can trick the user into giving up information. The cyber attacker gains access to sensitive data through their fake website, which looks identical to the original website.

Clone phishing has evolved into a cyber security threat and is often targeted at high-profile individuals because of increased interest in their affairs. For example, people who work in politics or at large corporations are frequently targeted because clone phishing offers a way for attackers to explore financial information about these individuals' activities inside and outside their organizations.

Additionally, clone phishing is carried out through a spoofed email sent from a location outside an organization. The emails contain a link or attachment that leads to a malicious version of the website, which exchanges information with the attacker.

The only difference between clone phishing and regular phishing attacks is that all of the original data remains intact, but it has been duplicated. This technique can also be used to trick the victim into taking action by cloning one message into another that looks exactly like it.

Attackers use clone phishing because they will receive an automatic welcome response from real employees at their target's company after sending unsolicited messages. When this email arrives, the attackers have enough information about computers and internet security protocols to create an effectual online scam.

The effectiveness of clone phishing depends on the quality of the email messages that have been cloned. Attackers can use a real message as it arrives, intercept and change its contents, or send their own version before the legitimate sender presses "send". The result is that recipients receive information from a source they trust, but which has actually been sent by someone else with malicious intent.

Clone phishing attacks seek to fool employees into giving away sensitive data such as passwords for business applications, accounts and financial records. Users may also be asked to open attachments in these messages to download malware onto their computer systems. This allows attackers to access all files and programs on an individual's device, steal personal information such as banking details and gain control over an individual's computer.

The success of clone phishing attacks depends on how quickly an attacker can access a target's information before security staff realize that the data has been compromised. When an employee is targeted, these attacks are often well-crafted to ensure they go undetected for several days or weeks until further damage is done.

Clone phishing is also known as "spoofing", because attackers create messages which are identical in content and appearance to genuine emails sent by legitimate companies or individuals.

What Does Clone Phishing Look Like?

The appearance and format of clone phishing emails can vary depending on the sender's purpose. Some messages appear to be sent by a real person at the company, accompanied by copied and pasted content from a genuine message. Other spoof emails include attachments which claim to offer important information such as invoices or vehicle shipping notices. All of these messages attempt to make users think they are legitimate and should be opened immediately without further inspection.

  • Sent from an email address spoofed to appear to come from the original sender
  • The attachment or link within the email is replaced with a malicious version
  • It may claim to be a resend of the original or an updated version of the original
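
The traits listed above can be checked mechanically when the earlier, legitimate message is still available for comparison. The Python below is an added example, not part of the original FAQ: the helper names (`features`, `clone_indicators`, `build`), the resend keywords and every address and host are assumptions, and the sample messages are constructed. The From header is not compared, because a spoofed sender address is identical to the original.

```python
import hashlib
import re
from email.message import EmailMessage

# Authority part of each http(s) URL; userinfo and port are stripped below.
HOST_RE = re.compile(r"https?://([^\s/?#\"'<>]+)", re.I)
RESEND_RE = re.compile(r"\b(re-?sen[dt]|updated)\b", re.I)  # assumed keywords

def features(msg):
    """Return the two things a clone swaps: link hosts and attachment hashes."""
    hosts, files = set(), {}
    for part in msg.walk():
        if part.is_multipart():
            continue
        data = part.get_payload(decode=True) or b""
        if part.get_filename():
            files[part.get_filename()] = hashlib.sha256(data).hexdigest()
        elif part.get_content_maintype() == "text":
            text = data.decode(part.get_content_charset() or "utf-8", "replace")
            hosts |= {a.rpartition("@")[2].split(":")[0].lower()
                      for a in HOST_RE.findall(text)}
    return hosts, files

def clone_indicators(original, suspect):
    """Compare a later message with the earlier one it repeats."""
    o_hosts, o_files = features(original)
    s_hosts, s_files = features(suspect)
    found = [f"link host not in original: {h}" for h in sorted(s_hosts - o_hosts)]
    found += [f"attachment not in original: {n}" for n, d in sorted(s_files.items())
              if d not in o_files.values()]
    # "Resend"/"Updated" wording only matters when something was actually swapped.
    if found and RESEND_RE.search(suspect["Subject"] or ""):
        found.append("presented as a resend or update")
    return found

def build(subject, body, attachment):
    """Constructed sample message; address and hosts are made up."""
    m = EmailMessage()
    m["From"], m["Subject"] = "billing@vendor.example", subject
    m.set_content(body)
    m.add_attachment(attachment, maintype="application", subtype="pdf",
                     filename="invoice.pdf")
    return m

ORIGINAL = build("Invoice 1042", "Pay at https://pay.vendor.example/1042", b"%PDF original")
CLONE = build("Updated: Invoice 1042",
              "Pay at https://pay.vendor-billing.example/1042", b"%PDF altered")

if __name__ == "__main__":
    print("\n".join(clone_indicators(ORIGINAL, CLONE)))
```

A genuine resend with unchanged links and attachment produces no findings, so the wording alone does not raise an alert.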

Tips & best practices for recognizing & defending against Clone Phishing attacks:

  • If an email appears strange in any way, contact the sender with a phone call to confirm the legitimacy of the email.
  • If you receive an email from a source you know but it seems suspicious, contact that source with a new email, rather than hitting “reply”.
  • Scan all attachments for viruses or malicious code.
  • Verify shared links to ensure that they do not lead to fraudulent websites or dangerous code.
  • Check for spelling and grammatical errors which can indicate that an email is fraudulent or malicious. Also, keep an eye out for suspicious subject lines and signatures.
  • Think before you act! Take adequate time to thoroughly evaluate each email you receive before clicking on links or downloading attachments. For example, ask yourself: Does an order confirmation email you’ve received correspond to a recent purchase you have made? Do the sender and recipient addresses make sense?
  • Address Bar Spoofing: Watch for URLs and domain names that look similar to those of the sites you visit often (instead of "", it might say "" or "").
  • SSL Certificate Errors: If there's no certificate, then beware! Often these clone phishing sites don't bother getting legitimate SSL certificates from trusted authorities because they know victims won't check.
  • HTTPS Everywhere: If your bank or email provider appears to be secure via HTTPS, then it will probably be safe too. But if you notice a lack of a "secure" icon in the address bar of your browser, be careful!
  • Browser Plugin Detections: Some clone phishing sites can attempt to deceive users by mimicking plugin detection pages from popular websites and brands, such as PayPal and Google Docs, so they can steal user data when victims enter their login information.
  • Custom Error Messages: A lack of custom error messages or generic error messages can be a sign that the site is illegitimate.
  • Similar Domain Names: If you're on and not, then it might be suspicious.
  • Popup Errors: Watch for authentication popup errors when attempting to go to a website. Knowing something is wrong would prevent this from happening, but don't become distracted by them, as they could also potentially trick you into giving up your data if you didn't look at the address bar first.
  • Google Account Access: Be cautious with any sites asking for your Gmail account information; make sure you only log in on and ensure that you are on HTTPS before doing so.

Implement a comprehensive, fully-managed cloud email security solution. Investing in an advanced, multi-layered email security solution that prevents all malicious and fraudulent emails from reaching the inbox is the most effective way to prevent clone phishing and other dangerous social engineering and impersonation attacks.
