
The increased digitalization of society has brought with it a corresponding rise in cyber threats. Chief among these is phishing, a particular type of cyberattack that aims to surreptitiously steal user data and use it for nefarious purposes. There are several different types of phishing scams, differing only in the method of execution. One of the most sophisticated versions around is the clone phishing attack.
Clone phishing: A definition
So what does clone phishing mean? This particular cyberattack is similar to regular phishing in that a malicious actor sends an email to try and steal sensitive user data or compromise an electronic device. The main difference between a clone phishing attack and traditional phishing is that instead of trying to mimic an authentic source and sending an unsolicited email, the attacker copies a legitimate email before it reaches the recipient and makes small modifications.
These subtle alterations are usually malicious features, such as links to fraudulent websites or corrupt attachments. The intended result is the same, though. The attacker hopes the email recipient will click the malicious link and share information such as login credentials, or download the attachment, which will likely install ransomware, trojans, or other malware on their device. Hackers can use the details they steal to carry out all sorts of illegal or harmful activities, such as identity theft, financial fraud, and reputation damage, leading to a host of negative consequences for individuals and companies.
How does clone phishing work?
Understanding clone phishing is the first step in protecting users from these attacks, but how do bad actors carry them out? Because clone phishing emails are hijacked from legitimate emails, there is an extra layer of authenticity that can help make these attacks successful. Here are a few things scammers do to try and ensure that their clone phishing attack works:
- They impersonate a known brand or individual for their phishing email, even going to the extent of creating fake websites and email addresses that appear to be legitimate.
- The clone phishing emails are sent out to a large number of potential victims at one time for the highest chance of success.
- The clone email very closely mimics an authentic email from the brand – using very similar language, style, layout, and design – with only subtle changes that would be hard for most people to identify.
To carry out clone phishing attacks, the cybercriminal could use a variety of effective techniques, such as DNS hijacking. They then simply replicate the email to maintain an aura of authenticity and embed malicious elements that will allow them to steal user data or infect the user’s device.
Like with ordinary phishing, clone phishing emails often use a range of social engineering techniques to lure the potential victims into a sense of complacency. These might include, for example, asking users to change their login credentials because they have been compromised, or update their billing details to avoid losing access to account features. There is often a sense of urgency to these emails, too.
If the recipient clicks the malicious link – or downloads the compromised attachment – from the email, two things may happen. In the first case, they are usually taken to a legitimate-looking – but fraudulent – website where they are asked to input sensitive data such as passwords or credit card information. Or, in the second case, if they download the attachment, they may inadvertently install malware on their device, which the cybercriminal can then use to steal the information they want.
In certain clone phishing attacks, the attacker manages to intercept a legitimate email thread and compromise an authentic reply. These types of attacks can be more successful because the recipient is expecting the email.
Clone phishing v phishing v spear phishing
Clone phishing is just one in a group of very similar types of cyberattacks. But what is clone phishing in cybersecurity and how does it differ from other phishing attacks?
As mentioned, when it comes to clone phishing, usually, the attacker intercepts an email and modifies it – adding malicious elements – so that the recipient is lured into sharing personal data or downloading malware.
This differs from traditional phishing, where the attacker impersonates a well-known organization – usually a bank or e-commerce brand, for example – and sends an unsolicited email requiring the recipient to take action that will allow the attacker to steal sensitive information.
Spear phishing and whaling are two other examples of these types of cyberattacks. The former are personalized attacks targeting specific individuals or organizations that have extensive access to privileged information—such as system administrators—while the latter are highly tailored attacks that target high-profile individuals such as CEOs.
Despite their subtle differences, all phishing attacks work in similar ways to achieve the same end – stealing data or compromising devices.
10 Signs of a clone phishing attack
Knowing what red flags to look for is a crucial aspect of the defense against clone phishing. Although the emails used in these cyberattacks may appear to be legitimate, there are subtle signs that should make the recipient suspicious if they spot them. Clone phishing emails may have one or more of the following irregularities, with some being more common than others:
- Sender’s email address appears legitimate but might be misspelled or use slightly different characters.
- Email address format or domain is not exactly the same as the purported company’s legitimate email addresses.
- There are random letters or numbers within the sender’s email address.
- There is a sense of urgency in the email, such as asking the recipient to complete an action within a short timeframe.
- The recipient is required to provide login details, credit card details, or other personal information to keep their account active or secure. This might be requested as a reply to the email, or the user may be directed to a website to provide this.
- The email greeting is generic, even though the company the email is from should have the recipient’s name.
- Images and logos are pixelated or otherwise distorted.
Although this is not an exhaustive list, and the above indications are not always foolproof, it is good practice to scan potentially suspicious emails for these 10 signs. Individually they could suggest that the email is part of a clone phishing attack—or any type of phishing attack in general—but if more than one appears, then there is a high probability that the email should be treated with suspicion.
14 tips for preventing clone phishing attacks
Clone phishing – along with other forms of cyberattacks – is always going to be a potential threat for anyone with an email address. This is especially true because this particular form of phishing impersonates real emails and only makes subtle changes to insert malicious elements. However, there are several steps that recipients can take to try and analyze emails and minimize the chances of clone phishing. Here are 14 best practices for avoiding these attacks:
- Check the sender’s email address for any irregularities, such as odd domains, strings of numbers, incorrect formatting, and misspellings.
- Always verify URLs before clicking a link – hover over the link embedded into the email to check what website it goes to.
- Check the website URL to ensure that it uses the HTTPS security prefix.
- Instead of clicking email links, type the known official website into the address bar and complete any requested actions—such as logging into accounts or updating payment information—directly on the legitimate site.
- If in any doubt, start a new, separate email and ask the individual or company to verify the suspicious email.
- Legitimate organizations, such as banks, will never ask for sensitive information such as PINs or complete social security numbers – if they do, be suspicious.
- Look for any kind of errors, such as spelling or grammatical mistakes, incorrect formatting, or low-resolution images.
- Always use a virtual private network (VPN) to protect internet activity.
- Use a password manager that creates strong passwords, and stores them for automatic filling in so that typing passwords to log into accounts becomes unnecessary.
- Ensure all emails and attachments are scanned using antivirus software.
- Use email spam filters on the highest settings.
- Keep all software up to date.
- Look out for unusual actions, such as SSL certificate errors, browser plugins, error messages, and unexpected pop-ups.
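Several of the checks above (sender address, link destination, HTTPS) can be automated when a copy of the legitimate message is available for comparison. The following Python sketch is an added example, not part of the original article: it flags a message whose visible text is a near copy of a known-good email but whose sender domain or link hosts differ. The function names, the 0.9 similarity threshold, and the sample messages are assumptions made for illustration.

```python
import difflib
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

class _Links(HTMLParser):
    """Collect link targets and visible text from an HTML body."""
    def __init__(self):
        super().__init__()
        self.hrefs, self.text = [], []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.append(dict(attrs).get("href") or "")
    def handle_data(self, data):
        self.text.append(data.strip())

def _features(raw):
    """Return (sender domain, link URLs, visible text) for a raw message."""
    msg = message_from_string(raw)
    parser = _Links()
    parser.feed(msg.get_payload())
    domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    return domain, parser.hrefs, " ".join(t for t in parser.text if t)

def clone_findings(reference_raw, suspect_raw, threshold=0.9):
    """List what differs when suspect is a near copy of a known-good message."""
    ref_dom, ref_links, ref_text = _features(reference_raw)
    sus_dom, sus_links, sus_text = _features(suspect_raw)
    if difflib.SequenceMatcher(None, ref_text, sus_text).ratio() < threshold:
        return []  # not a near copy, so this comparison does not apply
    findings = []
    if sus_dom != ref_dom:
        findings.append(f"sender domain {sus_dom} differs from {ref_dom}")
    ref_hosts = {urlsplit(u).hostname for u in ref_links}
    for url in sus_links:
        parts = urlsplit(url)
        if parts.hostname not in ref_hosts:
            findings.append(f"link host {parts.hostname} not in original")
        if parts.scheme != "https":
            findings.append(f"non-HTTPS link {url}")
    return findings

# Constructed sample messages; example.com and examp1e.invalid are placeholders.
LEGIT = ("From: Billing <billing@example.com>\nSubject: Your invoice\n\n"
         "<p>Hello Ana, your invoice is ready.</p>"
         '<a href="https://portal.example.com/invoice">View invoice</a>')
CLONE = (LEGIT.replace("billing@example.com", "billing@examp1e.invalid")
              .replace("https://portal.example.com", "http://portal.examp1e.invalid"))
```

Calling `clone_findings(LEGIT, CLONE)` returns three findings (changed sender domain, unfamiliar link host, non-HTTPS link), while comparing `LEGIT` with itself returns an empty list.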
What is clone phishing in cybersecurity?
As with most cyber threats these days, there is no failsafe method of preventing clone phishing attacks. They are an unfortunate reality in the age of digital communication. However, by understanding the clone phishing definition—and how these attacks work—users can begin to build safeguards against these attacks. By employing common-sense safeguards and email best practices, email users can be on guard against clone phishing and avoid becoming a victim of these attacks.
Frequently Asked Questions
What is clone phishing?
Like traditional phishing attacks, the aim of clone phishing is to compel targets to share sensitive information—such as login credentials—or download malware that infects their electronic devices and gives the attacker the means to steal whatever information they find. The difference is that a clone phishing attack mimics legitimate emails and makes minimal alterations to insert malicious features. Because of this, clone phishing emails appear to be very authentic and are very difficult for the average recipient to recognize. Using the information they steal, attackers can go on to commit further crimes, such as identity theft or financial fraud.
What is a clone phishing example?
One common clone phishing example is when the attacker sends an email to the target impersonating their bank or a major brand that the target likely uses (such as Amazon or iTunes). In the email, the attacker will use an email address that appears legitimate (but will have small errors such as the wrong format or domain) and create a sense of urgency to encourage the recipient into action. This might be telling them that they need to log into their account to keep it active or update a payment method to continue accessing services, for example, using a link embedded in the email. The link takes the recipient to a fraudulent website—albeit one that looks legitimate—and when they enter the requested information, the attacker can immediately steal it and use it for their own purposes.
What is clone phishing in cybersecurity?
Clone phishing is a very specific type of cyberattack. Its aim is to compromise the target’s cybersecurity by getting them to share privileged information with the attacker, or by infecting their devices with malware that gives the attacker privileged access to the information stored on them. This is achieved by intercepting the target’s emails, then impersonating a legitimate email so that the target is less likely to be on guard against cybersecurity threats.