Phishing techniques: Clone phishing

Greg Belding
March 10, 2020 by
Greg Belding

Trust is an important part of any relationship and once it has been established, you can generally ignore any kind of vetting you have to do for the person. When you trust someone, responding back to an email or message without thinking twice is second nature. 

But what if I told you that this trust can be abused by an attacker? An attacker who can ride on this trust to make you do something they want, like downloading malware. One of the many flavors of phishing out there does just this — clone phishing. 

See Infosec IQ in action

See Infosec IQ in action

From gamified security awareness to award-winning training, phishing simulations, culture assessments and more, we want to show you what makes Infosec IQ an industry leader.

This article will explore clone phishing. We’ll look at what clone phishing is, the different types of clone phishing, how you can spot clone phishing and what you can do to avoid falling victim to what has been called the most harmful form of phishing. 


What is clone phishing?

If the name conjures images of fish cloning or “Star Wars” movies, I must disappoint you. Instead, clone phishing refers to the email or message used by attackers. 

As mentioned earlier, trust is huge in business relationships, and this can affect tasks that seem relatively insignificant to the involved parties such as readily responding to emails and messages. Attackers are well aware that this trust relationship is an essential part of an email producing the sender’s desired effect, and they use clone phishing to take advantage of this relationship.

The different types of clone phishing

OK, so you get that the essential trust in a business relationship is abused in clone phishing. But what does a clone phishing email look like? There are three different types of clone phishing emails:

  1. An email sent from a spoofed email address intended to trick the recipient into thinking it is from a legitimate sender
  2. An email containing a link or attachment that has been replaced with a malicious link or attachment
  3. An email or message that claims to be from a resent email from a legitimate sender but is updated in some way

Think about it this way: if you are sitting at your desk during a busy workday and you receive an email from an individual that you trust, you will most likely comply with whatever request the email has to keep the continuity of workflow going. When phishers take advantage of this, it is sort of like an abuse of system feature attack — but in this case, the system is you!

Phishers can also use clone phishing to pivot from a previously infected system and gain a foothold on other systems in an organization by abusing this trust. 

Due to using a solid anti-spam solution, I don’t have any examples of a clone phishing email to present for you all. However, just a few years ago when I did not use this solution I remember encountering at least one of these emails a month. They often purported to be from a trusted business but were riddled with URL mismatches and sometimes even humorous “pron” spam email misspellings and grammatical errors. (Sometimes life is about finding humor in little things like these!)

How to spot clone phishing

There are some tell-tale signs of clone phishing that should stand out to anyone with a minimal eye for detail. 

  • URL mismatches: This refers to mismatches or discrepancies between the actual links and the displaced URLs. One way to confirm if they match is to simply hover over the link to see where it leads
  • Impersonated domains
  • Apparent and actual sender mismatches: This can be determined by the sender name being off in some way. Many times, the actual sender will be somebody entirely different
  • Suspicious email misspellings, grammatical errors and other “phishy” mistakes that a legitimate sender would not make

What can you do to avoid becoming a clone phishing victim?

The good thing is that there are a number of measures you can take to ensure you do not fall victim to a clone phishing scheme. 

  • Cybersecurity education for end users: This is the top way to prevent clone phishing from claiming another victim at your organization, as the end user is the last line of defense in the face of phishing. Once you know what to look for, the power is indeed in your hands to stop it
  • Anti-spam software: This is one of the easiest ways to prevent clone phishing because it will simply filter out emails that look “phishy” without end users or the organization administrator having to think about it
  • Firewalls/threat management solutions: This is another “not have to think about it” solution that will work in the background to look for mismatched URLs and sender discrepancies that may indicate clone phishing
  • Contact the sender: Call the sender and ask whether the email is legitimate. This is my favorite method of prevention, as it provides notification to the other legitimate party


Clone phishing is a type of phishing that has been said to be the most harmful form of phishing. This heightened risk of harm comes from the fact that an end user is more likely to trust an email from a trusted sender that looks identical to others they have received in this past. The scary thing is that just one click of a malicious link in this cloned email is all it may take to compromise a system and potentially other systems as well.

By following the fairly straightforward ways to spot and prevent clone phishing emails, your organization will be far less likely to fall victim.

See Infosec IQ in action

See Infosec IQ in action

From gamified security awareness to award-winning training, phishing simulations, culture assessments and more, we want to show you what makes Infosec IQ an industry leader.


Greg Belding
Greg Belding

Greg is a Veteran IT Professional working in the Healthcare field. He enjoys Information Security, creating Information Defensive Strategy, and writing – both as a Cybersecurity Blogger as well as for fun.