The clone wars: everything you need to know about clone phishing attacks – and how to avoid them

When it comes to cybercrime, cloning is in. Or rather still in. In a live-action version of every CISO’s worst nightmare, a Hong Kong bank manager received a call in 2020 from someone whose voice he’d immediately recognized. It was a company executive whom he’d spoken to before, calling with exciting news: in preparation for an acquisition, he needed the bank to authorize some transfers, Forbes reported. The request was also confirmed via email by the lawyer who had been appointed to see the transaction through. And so, the manager wired the money, totaling some $35 million.
Of course, there was no lawyer in charge of the acquisition. There were no acquisition plans, to begin with. And the familiar voice? One of the 17 fraudsters who used deep voice technology to replicate the voice of the company executive in question. “Audio and visual deep fakes represent the fascinating development of 21st-century technology, yet they are also potentially incredibly dangerous, posing a huge threat to data, money, and businesses,” pointed out former police officer and ESET cybersecurity expert Jake Moore.
Cloning attacks, however, don’t need to be this sophisticated to work – and wreak havoc on unsuspecting businesses. In the US alone, phishing attacks cost 323,972 victims over $44 million in adjusted losses in 2021, according to the FBI’s latest Internet Crime Report. Research by Tessian has found that employees receive an average of 14 malicious emails per year. And at least one person clicked a phishing link in around 86% of organizations, according to Cisco. Clone phishing, in particular, is one of the hardest types of phishing emails to detect. Here’s why – and how not to take the bait.
Not everything is what it seems: what is clone phishing?
An emerging subset of social engineering attacks, clone phishing means resending a near-identical email to a user and replacing a valid link or attachment with a malicious one, according to the clone phishing definition by Greg Sisson, CISO of the US Department of Energy. What makes the signs of clone phishing messages notoriously difficult to spot is that most users aren’t looking for them at all. Why would they? “Trust is an important part of any relationship, and once it has been established, you can generally ignore any kind of vetting you have to do for the person. When you trust someone, responding back to an email or message without thinking twice is second nature,” points out information security expert Greg Belding.
This is exactly what clone phishers are betting on. These types of email scams prey on two major employee vulnerabilities: their willingness to respond to messages from people they know and trust and to comply with their request to keep workflows moving.
Once the attackers have successfully created a replica of a legitimate email, they will make sure to send it from a spoofed email address that strongly resembles the original one. All the links and attachments will have been swapped out for malicious ones at this point, too. Often, scammers also add an explanation for good measure, citing an update or technical issue as the reason for the resend. Users who fall for the scam are either taken to a malicious website where they’re asked to submit sensitive information, or they download malware to their computers that allows the attackers to steal that information.
Another reason why clone phishing as a cyberattack technique is in a league of its own is that it hardly ever stops at one victim. With a single click, users can grant clone phishers access to all their contacts, who will soon receive spoofed emails themselves. As will their contacts, their contacts’ contacts, and so on.
Clone phishing vs. spear phishing: what’s the difference between the two types of phishing?
Phishing attacks get their name from the notion that fraudsters fish for random victims by using spoofed or fraudulent emails as bait. Spear phishing attacks, Fahmida Y. Rashid explains, take the fishing analogy one step further by referring to fraudsters who specifically target high-value individuals or groups. This means that spear phishers need to put serious effort into creating message content that is highly relevant to the recipients.
Rashid cites Group 74’s 2017 attack as an example. In a move that wasn’t entirely without irony, recipients were targeted with a malicious document related to CyCon, the international conference on cyber conflict organized by the NATO Cooperative Cyber Defence Centre of Excellence. While the event is real, the attachment was only a decoy to get the recipients to download the reconnaissance malware Seduploader.
Clone phishers, by contrast, must obtain an existing email that they copy before launching an attack. Plus, the cloned emails are mostly distributed en masse rather than sent to specific recipients.
A false sense of security: clone phishing examples in action
What could be a better example of a potentially damaging phishing attack than the ones we launch at our own employees? Let us explain: at Tresorit, we perform a phishing email drill each quarter by simulating phishing attacks of all types, from the obvious to the “this is probably real” variety.
From the very start, we decided to focus on spoofing attacks that try to obtain our employees’ highest-value user credentials, such as Azure Active Directory and LastPass, using emails and landing pages that seem business-as-usual based on their design and content.
On the lower end of the difficulty scale are fake notifications. We’ve taken a security alert sent by Microsoft after failed login attempts and tweaked it to appear scammier. More specifically, our messages claimed to be intended for Microsoft accounts instead of Azure Active Directory accounts, and the email domain was different from the one used by Microsoft. The message looked like a carbon copy of the original alert, but when the user clicked to see their activity history, a proxied clone of the Microsoft login page popped up to capture their credentials.
Savvier phishers tend to take things up a notch, however, for example by targeting a business through an internal announcement that appears to come from a trusted colleague. After finding the right employee for the sender, we set up a fake email account that could be easily mistaken for Tresorit. Then, we crafted a text that reflected on the coronavirus pandemic instead of company-specific goings-on, plus added a Hungarian translation and signed off using the sender’s first name to instill trust. It’s important to point out here that for a sophisticated attacker, none of this takes more than a few minutes.
The only link in the cloned email led to a fake Microsoft Forms site, with loading animation and all, where clickers were greeted by a login screen pre-filled with their email address and a prompt to enter their password. After successful sign-in, they got redirected to a real Microsoft Forms site, with no additional authentication login prompt. Most users who get to this point go about their day and have no idea that their credentials have been compromised.
Something’s phishy: How to spot a phishing email a mile off
Phishing schemes come in all shapes and sizes. Some cloned messages might prompt users to check the updated attendee list for an upcoming conference, while others will urge them to secure their PayPal account that has been flagged for suspicious activity. All of them, however, are created with a single goal in mind: to make them look like another run-of-the-mill email blast that you can – and should – open without hesitation or further inspection. Except, of course, they:
- Are sent from a spoofed email address that closely resembles that of a known sender;
- Contain an infected attachment or link instead of the original or a legitimate one; or
- Claim to be a resend or an updated version of a previously received, harmless message.
Or all the above. What is a common indicator of a phishing attempt, you ask? Here are ten giveaways to look out for in a potential clone phishing email.
- Unfamiliar URLs: Check for mismatches or discrepancies between the old link and the new one, especially in terms of domain names.
- Sender’s name is off: In the potentially cloned email, look for misspelled names or email addresses with missing letters, like “co” instead of “com.”
- Poor grammar: Always be on high alert if you see an email ridden with grammatical and spelling errors the original sender wouldn’t make.
- Missing SSL certificate: If a URL begins with “https” instead of “http,” the site is secured using an SSL certificate – something most cloned sites don’t have.
- Threat or urgency: Be careful with warning messages that tell you to act immediately, especially if they demand you to hand over sensitive data.
- Unusual requests: No invoice is late or important enough to warrant a request from the CEO for you to check or settle by clicking a link.
- Demanding sensitive information via email: In the same vein, no legitimate business will ever ask you to submit sensitive data via an email link or attachment.
- Suspicious attachments: If your organization uses collaboration tools such as Tresorit, SharePoint, OneDrive, or Dropbox, attachments should have no place in internal emails.
- Uncharacteristic tone or greeting: Netflix probably knows more about you than your mom, but that doesn’t mean they will start a payment reminder with “Hi Dear.”
- Anything that’s too good to be true: Be wary of any mention of money rewards, coupons, or offers you need to claim by a certain date.
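As an added example (not from the original article), the Python script below turns the first giveaways on this list, plus the "resend" framing described earlier, into a mechanical check: it diffs a suspect email against the trusted original it claims to repeat and reports a changed sender address, link domains that did not appear in the original, and a subject line that newly claims to be a resend or update. Both messages are constructed samples, and the domain comparison uses the last two host labels as a rough stand-in for the registrable domain.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

URL_RE = re.compile(r'https?://[^\s"\'<>]+')
RESEND_RE = re.compile(r"\b(resend|resent|re-sent|updated|corrected)\b", re.I)

# Constructed sample: a legitimate sign-in alert, then a clone of it.
ORIGINAL = """From: Security Alerts <alerts@example.com>
To: user@example.com
Subject: Unusual sign-in activity
Content-Type: text/plain; charset=utf-8

We detected a sign-in from a new device.
Review your recent activity: https://login.example.com/activity
"""
# The clone: lookalike sender ("rn" for "m", ".co" for ".com"), swapped link, resend framing.
CLONE = (ORIGINAL.replace("alerts@example.com", "alerts@exarnple.co")
         .replace("login.example.com", "login.exarnple.co")
         .replace("Subject: ", "Subject: Updated link (resend): "))

def body_urls(msg):
    """Collect URLs from the text parts of a parsed email.message.Message."""
    urls = set()
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            raw = part.get_payload(decode=True) or b""
            urls.update(URL_RE.findall(raw.decode("utf-8", "replace")))
    return urls

def site(url):
    """Last two host labels; a rough registrable-domain approximation (no public-suffix list)."""
    host = (urlparse(url).hostname or "").lower()
    return ".".join(host.split(".")[-2:])

def compare_clone(original_raw, suspect_raw):
    """Return findings where the suspect email deviates from the trusted original it mimics."""
    orig, susp = message_from_string(original_raw), message_from_string(suspect_raw)
    findings = []
    o_from, s_from = (parseaddr(m.get("From", ""))[1].lower() for m in (orig, susp))
    if o_from != s_from:
        findings.append(f"sender changed: {o_from} -> {s_from}")
    known = {site(u) for u in body_urls(orig)}  # domains the real sender actually used
    for url in sorted(body_urls(susp)):
        if site(url) not in known:
            findings.append(f"link domain not in original: {url}")
    if RESEND_RE.search(susp.get("Subject", "")) and not RESEND_RE.search(orig.get("Subject", "")):
        findings.append("subject claims a resend/update not present in original")
    return findings
```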