Clone phishing attacks, plus how to spot and avoid them, explained [2023]


When it comes to cybercrime, cloning is in. Now more than ever.

The biggest risk of answering a call from an unknown number used to be that you end up talking to a telemarketer and buy something you don’t need. Not anymore. “A scammer could use AI to clone the voice of your loved one. All he needs is a short audio clip of your family member's voice — which he could get from content posted online — and a voice-cloning program,” warned the US Federal Trade Commission in a recent blog post about scammers’ latest trick to con people out of money.

Cloning attacks, however, don’t need to be this sophisticated to wreak havoc on individuals or businesses. Ninety-six percent of phishing attacks come through a simple email. In the US alone, the FBI’s Internet Crime Complaint Center received 800,944 complaints in 2022 that cost the victims over $10.3 billion, shows the FBI's latest Internet Crime Report. Employees receive an average of 14 malicious emails per year, and in 2021, at least one of them clicked a phishing link in around 86% of organizations, Tessian and CISCO found, respectively.

Clone phishing, in particular, is one of the hardest types of phishing emails to detect. Here’s why – and how not to take the bait.

Everything is not what it seems: what is clone phishing?

An emerging subset of social engineering attacks, clone phishing means resending a legitimate email to a user with a valid link or attachment replaced by a malicious one, as Greg Sisson, CISO of the US Department of Energy, defines it. What makes the signs of clone phishing messages notoriously difficult to spot is that most users aren’t looking for them at all. “Trust is an important part of any relationship and once it has been established, you can generally ignore any kind of vetting you have to do for the person. When you trust someone, responding back to an email or message without thinking twice is second nature,” points out information security expert Greg Belding.

This is exactly what clone phishers are betting on. These types of email scams prey on two major employee vulnerabilities: their willingness to respond to messages from people they know and trust and to comply with their request to keep workflows moving.

Once the attackers have successfully created a replica of a legitimate email, they will make sure to send it from a spoofed email address that strongly resembles the original one. All the links and attachments will have been swapped out for malware at this point, too. More often than not, scammers also add an explanation for good measure, citing an update or technical issue as the reason for the resend. Users who fall for the scam are either taken to a malicious website where they’re asked to submit sensitive information or they download malware to their computers that allows the attackers to steal it.

Don't try this at home: how do hackers clone email addresses?

It doesn’t take much to clone an email address: all attackers need is a Simple Mail Transfer Protocol (SMTP) server and a regular email platform, such as Outlook. They then create the fake message and manually change the “From” and “To” fields in the header to trick the recipient into thinking it comes from a trusted source or contact. This way, they exploit an inherent SMTP vulnerability that allows connections without authentication.

Low-effort clone phishing attacks can be launched using nothing but a newly registered Gmail account. Of course, in this case only the sender’s display name can be forged, while the “mailto” will show a different email address, explains Cybernews. In case of protected domains, hackers often resort to creating lookalike domains with a slightly altered spelling compared to the original (for example, instead of
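
The header tricks described above (a forged display name, a “From” that does not match the envelope sender, a lookalike domain) are all visible in the raw message headers, and a mail gateway or a help desk triage script can flag them. The following Python script is an added example written for this post, not Tresorit’s code: it parses a constructed sample message, compares the From domain against a list of trusted domains (an assumption; substitute your own), normalises common character swaps such as “0” for “o” and “rn” for “m” before comparing, and reports the giveaways a defender would want to see.

```python
"""Header checks for a suspected clone-phishing email.

Added example, not Tresorit's code. The sample message, the trusted-domain
list and the confusable-character table are constructed for illustration.
"""
import difflib
import email
from email.utils import parseaddr

# Constructed sample: an internal announcement "resent" from a lookalike
# domain that reuses the real sender's display name. Not a real message.
SAMPLE_EML = b"""\
Return-Path: <bounce@mailer-tresorit-updates.example>
From: "Jane Doe (Tresorit)" <jane.doe@tres0rit.com>
To: staff@tresorit.com
Subject: RE: Updated attendee list (resend)
Content-Type: text/plain; charset=utf-8

Hi all, resending this because of a technical issue with the first link.
"""

# Assumption: the domains this organisation treats as its own or as trusted.
TRUSTED_DOMAINS = {"tresorit.com", "microsoft.com"}

# Character swaps that make a lookalike domain read like the original.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


def normalise(domain: str) -> str:
    """Lower-case the domain and undo common visual substitutions."""
    d = domain.lower()
    for src, dst in CONFUSABLES:
        d = d.replace(src, dst)
    return d


def same_org(domain: str, trusted: str) -> bool:
    """True if domain is the trusted domain or one of its subdomains."""
    return domain == trusted or domain.endswith("." + trusted)


def lookalike_of(domain: str, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain this one imitates, or None if it is legitimate
    or simply unrelated. Catches character swaps, near-miss spellings such as
    a dropped letter, and the trusted name embedded in a longer domain."""
    domain = domain.lower()
    if any(same_org(domain, t) for t in trusted):
        return None
    norm = normalise(domain)
    for t in trusted:
        if norm == t or t in norm:
            return t
        if difflib.SequenceMatcher(None, norm, t).ratio() >= 0.85:
            return t
    return None


def header_findings(raw: bytes):
    """Parse a raw message and list the header-level clone-phishing signs."""
    msg = email.message_from_bytes(raw)
    findings = []

    display, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    _, bounce = parseaddr(msg.get("Return-Path", ""))
    bounce_domain = bounce.rpartition("@")[2].lower()

    target = lookalike_of(from_domain)
    if target:
        findings.append(f"lookalike sender domain {from_domain!r} imitates {target!r}")

    # Display name borrows a trusted organisation's name, but the address
    # is not in that organisation's domain (the cheap Gmail-style forgery).
    for t in TRUSTED_DOMAINS:
        org = t.split(".")[0]
        if org in display.lower() and not same_org(from_domain, t):
            findings.append(f"display name mentions {org!r} but address is {addr!r}")

    # Envelope sender (Return-Path) and header From point at different places.
    if bounce_domain and not same_org(bounce_domain, from_domain):
        findings.append(f"envelope sender {bounce_domain!r} differs from From domain {from_domain!r}")

    # The "resend / updated version" pretext the article describes.
    subject = msg.get("Subject", "").lower()
    if any(word in subject for word in ("resend", "re-sent", "updated", "corrected")):
        findings.append("subject claims to be a resend or update")

    return findings


if __name__ == "__main__":
    for finding in header_findings(SAMPLE_EML):
        print("-", finding)
```

Run on the constructed sample it reports four findings: the “tres0rit.com” lookalike, the display name that claims Tresorit from a foreign domain, the mismatched Return-Path, and the resend pretext in the subject. None of these checks replaces SPF, DKIM and DMARC enforcement at the gateway; they are the manual inspection steps from this section written down so they can be applied consistently.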

Clone phishing vs. spear phishing: what’s the difference between the two types of phishing?

Phishing attacks get their name from the notion that fraudsters fish for random victims by using spoofed or fraudulent email as bait. Spear phishing attacks, Fahmida Y. Rashid explains, take the fishing analogy one step further by referring to fraudsters who specifically target high-value individuals or groups. This means that spear phishers need to put serious effort into creating message content that is highly relevant to the recipients.

Clone phishers, by contrast, must obtain an existing email that they copy before launching an attack. Plus, the cloned emails are mostly distributed en masse rather than sent to specific recipients.

Whaling, smishing and barrel phishing: 3 more types of phishing you should know about

1. Whaling refers to a specific type of phishing attack where the target is an employee with high-level authority or access to resources within an organization. For example, a CFO who can authorize a high-value wire transfer or an HR executive who can disclose the bank details or change the payroll information of any staff member.

2. Smishing usually involves sending potential victims a text message that looks like it came from a legitimate sender, such as their bank, a package delivery service or a social media site. In reality, of course, it’s a trap designed by attackers to trick people into giving up sensitive information by replying or clicking a phishing link.

3. Barrel phishing differs from other types of phishing attacks in its highly personalized nature. It’s carried out through two or more emails. The initial messages are intended to build rapport with the unsuspecting target. Once trust is established, they’re followed by a high-urgency email spiked with malicious links or content.

The risks of clone phishing: how much does clone phishing cost companies?

According to the Ponemon 2021 Cost of Phishing Study, phishing attacks cost large organizations almost $15 million annually, or more than $1,500 per employee. Proofpoint’s latest State of the Phish study found that in 2022 the direct financial loss from successful phishing attacks had grown by 76%. This is in no small part because of the rise of remote and hybrid work, which poses a significant threat to data security.

In some cases, the direct financial damage alone can put a considerable dent in company coffers. The 2016 phishing swindle that cost Google and Facebook a whopping $100 million is a prime example. There, the scammers posed as the representatives of Taiwan-based Quanta Computer, an actual vendor of both tech giants, sending forged emails and invoices to unsuspecting Facebook and Google employees.

But that’s not nearly all. The indirect costs of a phishing attack also add up quickly, resulting from potential loss of employee productivity and focus, reputational damage, litigation costs, decreased consumer confidence, regulatory fines as well as higher insurance premiums and bigger security budgets.

A false sense of security: clone phishing in action

What could be a better example of a potentially damaging phishing attack than the ones we launch at our own employees? Let us explain: at Tresorit, we perform a phishing email drill each quarter by simulating phishing attacks of all types, from the obvious to the “this is probably real” variety.

From the very start, we decided to focus on spoofing attacks that try to obtain our employees’ highest-value user credentials, such as Azure Active Directory and LastPass, using emails and landing pages that seem business-as-usual based on their design and content.

On the lower end of the difficulty scale are fake notifications. We’ve taken a security alert sent by Microsoft after failed login attempts and tweaked it to appear scammier. Our messages claimed to be intended for Microsoft accounts instead of Azure Active Directory accounts, and the email domain was different from the one used by Microsoft. The message looked like a carbon copy of the original alert, but when the user clicked to see their activity history, a proxied clone of the Microsoft login page popped up to capture their credentials.

Savvier phishers tend to take things up a notch, however. For example, by targeting a business through an internal announcement sent by a colleague. After finding the right employee for the sender, we set up a fake email account that could be easily mistaken for Tresorit. Then, we crafted a text that reflected on the coronavirus pandemic, plus added a Hungarian translation and signed off using the sender’s first name to instill trust. It’s important to point out here that for a sophisticated attacker, none of this takes more than a few minutes.

The only link in the cloned email led to a fake Microsoft Forms site, with loading animation and all, where clickers were greeted by a login screen pre-filled with their email address and a prompt to enter their password. After successful sign-in, they got redirected to a real Microsoft Forms site, with no additional authentication login prompt. Most users who get to this point go about their day and have no idea that their credentials have been compromised.

Spotting a phishing email: how to know if you clicked a phishing link?

Phishing schemes come in all shapes and sizes. Some cloned messages might prompt users to check the updated attendee list for an upcoming conference, while others will urge them to secure their PayPal account that has been flagged for suspicious activity. All of them, however, are created with a single goal in mind: to make them look like another run-of-the-mill email blast that you can – and should – open without hesitation or further inspection. Except, of course, they:

  • Are sent from a spoofed email address that closely resembles that of a known sender;
  • Contain an infected attachment or link instead of the original or a legitimate one; or
  • Claim to be a resend or updated version of a previously received, harmless message.

Or all of the above. What is a common indicator of a phishing attempt, you ask? Here are ten giveaways to look out for in a potential clone phishing email.

  1. Unfamiliar URLs: Check for mismatches or discrepancies between the old link and the new one, especially in terms of domain names.
  2. Sender’s name is off: In the potentially cloned email, look for misspelled names or email addresses with missing letters, like “co” instead of “com”.
  3. Poor grammar: Always be on high alert if you see an email ridden with grammatical and spelling errors the original sender wouldn’t make.
  4. Missing SSL certificate: If a URL begins with “https” instead of “http”, the site is secured using an SSL certificate – something most cloned sites don’t have.
  5. Threat or urgency: Be careful with warning messages that tell you to act immediately, especially if they demand you to hand over sensitive data.
  6. Unusual requests: No invoice is late or important enough to warrant a request from the CEO for you to check or settle by clicking a link.
  7. Demanding sensitive information via email: In the same vein, no legitimate business will ever ask you to submit sensitive data via an email link or attachment.
  8. Suspicious attachments: If your organization uses collaboration tools such as Tresorit, SharePoint, OneDrive, or Dropbox, attachments should have no place in internal emails.
  9. Uncharacteristic tone or greeting: Netflix probably knows more about you than your mom, but that doesn’t mean they will start a payment reminder with “Hi Dear”.
  10. Anything that’s too good to be true: Be wary of any mention of money rewards, coupons or offers you need to claim by a certain date.
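
Several of the giveaways above (unfamiliar URLs, a link whose visible text does not match where it actually goes, plain “http” links, and urgency language) can be checked mechanically against the body of a message, which is what the “hover over the link” advice does by hand. The following Python script is an added example written for this post, not Tresorit’s code: it walks the anchors in a constructed HTML body, compares the host shown in the link text with the host in the `href`, flags links that are not HTTPS, and scans for a small list of urgency phrases (the phrase list and the sample message are assumptions for illustration). One caveat a practitioner should keep in mind: an HTTPS link only rules a site out when it is missing, since certificates are free and most phishing pages today carry one.

```python
"""Body and link checks for a suspected phishing email.

Added example, not Tresorit's code. The HTML body and the urgency phrase
list are constructed for illustration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample body modelled on the "secure your PayPal account"
# pretext. The hosts under .example are placeholders, not real sites.
SAMPLE_HTML = """
<p>Your PayPal account has been flagged for suspicious activity.
Please <a href="http://paypal-secure-login.example/verify">verify now</a>
or visit <a href="https://accounts.paypa1.example/">https://www.paypal.com/</a>
within 24 hours or your account will be suspended.</p>
<p>Agenda: <a href="https://forms.office.com/r/abc">https://forms.office.com/r/abc</a></p>
"""

# Assumption: phrases that mark the "act now" pressure phishers rely on.
URGENCY_PHRASES = (
    "act immediately",
    "within 24 hours",
    "account will be suspended",
    "verify now",
    "urgent",
)

# Something in link text that looks like a host name, e.g. "www.paypal.com".
HOST_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url: str) -> str:
    """Lower-cased host name of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


def link_findings(html_body: str):
    """List the link- and wording-level phishing signs found in an HTML body."""
    collector = LinkCollector()
    collector.feed(html_body)
    findings = []

    for href, text in collector.links:
        actual_host = host_of(href)
        scheme = urlparse(href).scheme.lower()
        if scheme == "http":
            findings.append(f"plain http link to {actual_host!r}")
        # Visible text shows one host while the href points somewhere else:
        # exactly what hovering over the link would reveal.
        shown = HOST_IN_TEXT.search(text.lower())
        if shown and shown.group(1) != actual_host:
            findings.append(f"link text shows {shown.group(1)!r} but goes to {actual_host!r}")

    # Strip tags crudely and look for pressure wording in the remaining text.
    plain = re.sub(r"<[^>]+>", " ", html_body).lower()
    for phrase in URGENCY_PHRASES:
        if phrase in plain:
            findings.append(f"urgency phrase: {phrase!r}")

    return findings


if __name__ == "__main__":
    for finding in link_findings(SAMPLE_HTML):
        print("-", finding)
```

On the constructed sample this yields five findings: one plain-http link, one link whose text says paypal.com while the `href` goes to a different host, and three urgency phrases; the genuine Microsoft Forms link, whose text and target agree, is not flagged. A mail filter would combine these with the header checks and with reputation data, but the script shows that the “hover and compare” habit the list recommends is a precise, repeatable test rather than a gut feeling.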

How to prevent phishing attacks: 6 ways to prevent phishing

  1. Check the sender’s address for the tell-tale signs of spoofed emails, such as missing or extra letters, numbers, symbols, or punctuation marks.
  2. Always hover over links the message asks you to click and only follow instructions if the URL matches the hyperlink and starts with HTTPS.
  3. If you’re asked to provide sensitive information, especially in an urgent manner, follow up with the sender in a separate message to check its validity.
  4. Bear in mind that as a general rule no legitimate business requests customers to submit information such as login credentials or bank details via email.
  5. If your organization uses collaboration tools like Tresorit or Microsoft Teams, attachments in internal emails should be handled with caution.
  6. Use an email encryption add-in as a fast and easy way to replace risky email attachments with encrypted share links and password-protected files.