Detect and Prevent Clone Phishing Attacks

July 21, 2022 | By IANS Faculty

Staying safe in the current cyber landscape is more difficult than ever. Hackers are coming up with novel phishing attacks that are harder to spot and more damaging than before. Clone phishing is one of the most deceptive cyberattack methods, and it can cause havoc to devices, networks and data, with far-reaching damage to your organization.

This piece provides an overview of clone phishing attacks and methods to help identify them, along with best practices to build a tailored, comprehensive anti-phishing strategy.

What Is a Clone Phishing Attack? 

Clone phishing is a specific form of social engineering email phishing and a subset of Business Email Compromise (BEC). Targeting companies of any size, clone phishing attackers duplicate an existing or previously distributed trusted email and replace its legitimate attachments or links with malicious ones containing ransomware, viruses, or spyware.

These phishing attacks can be sent to individuals, small companies, or Fortune 50 companies alike, and they are easy to fall for since the hacker relies on the trustworthy nature of the copied message. Clone phishing attacks are open-ended, so there’s no real limit to who can fall victim in an organization. It’s also relatively easy for the hacker to duplicate email from many trusted organizations, which allows for endless target opportunities.

Clone phishing attacks can be very specific and convincing, similar to spear phishing. They can include details pertaining to an upcoming event or a site frequented by your organization, or arrive as a spoofed email pretending to originate from your company’s CEO or other C-suite executives, who are just as susceptible as entry-level interns.

How Do Clone Phishing Attacks Work? 

Depending on the attacker and potential victim, security teams will find a lot of variability in clone phishing attacks, but most follow steps like those in this example:

  • Attackers research the names and email addresses of your finance department. They will discover that your company recently did business with the ‘General Supplier’ company, and works with ‘Michael Jones’ in their finance department.
  • The hacker will then create an email account with the intention of posing as the invoice recipient at ‘General Supplier’. They might create the email of “MJones@GenralSuplier.com”. That misspelling looks close enough to the real supplier’s email that you might not notice it.
  • Next, fraudsters take a legitimate invoice email, including the text, images, and format. The difference is that they’ll change the links and attachments into malware, or they’ll change the recipient address to their own so your finance department may send funds to the hacker’s account. 
  • They then send the email to a few members of the finance department with personalized text. 
  • The email will arrive as a trusted, unassuming message from the supplier that looks legitimate. If the finance group clicks a link or opens the attached file, the malware is launched and starts attacking their devices and the organization’s network to steal data and even take over the device.

Clone phishing attacks act as an easy gateway to a malicious breach of devices, networks and data. They allow the hacker to gain broad access to the victim’s device, increasing the severity and ease of the organization’s breach. Think of it like holding the bank vault’s door open for the bank robber.

Clone Phishing Common Techniques 

Clone phishing attacks can come in varying levels of specificity. It could mention individuals by name and even refer to people in close acquaintance groups or colleagues. Alternatively, it could broadly mention a company that you shop with and any type of organization you frequent. However, there are a few common traits that security teams will find between different clone phishing attacks. 

Sense of Urgency 

  • Hackers love to include a “shot clock” whenever they launch an attack. As humans, we’re less likely to use our best judgment when we don’t have a lot of time to think through what we’re doing. 
  • If a bad actor allowed the victim to mull over their email for a few days, they or the security team might discover that it’s a clone phishing attempt. Instead, the attacker might only give individuals a few hours or a day to click the link.
  • The urgency might come from a “first come, first served” scenario, in which you lose the sale, discount or potential gift card if you’re too slow. It could also come from a high-level request from a trusted authority, or from tasks that you should deal with right away.

Very Good or Very Bad News 

Since phishing is a form of social engineering, the hacker will play on the employee’s emotions, further improving their chances of claiming a victim.

  • For instance, the clone phishing attack message might give an individual very good news, such as the fact that they just won a lot of money that’s ready to be claimed. 
  • On the flip side, they can offer terrible news, like the fact that an employee’s personal Amazon order will be canceled, and their account will be terminated unless they quickly follow the link. 
  • Either of these scenarios might make an individual feel strong emotions and entice them to disregard their judgment, causing them to quickly click the link. 

A Link or Attachment 

No clone phishing attack can work without a link or attachment. This introduces the next phase of the attack. 

  • Recipients can’t blindly trust every email that doesn’t have a link or attachment — sometimes a hacker will send a few initial emails to gain trust before delivering the malicious email. 
  • When the spoofed email arrives, expect a malicious link or attachment accompanied by a prompt to open or click it immediately.

Challenges in a Clone Phishing Attack 

The biggest challenge to organizations experiencing a clone phishing attempt is whether or not employees can spot the attack. A hacker might check the Outlook calendar of a small company’s CEO, then pose as the CEO once they take a scheduled vacation. The hacker can then send an email to the staff asking for money or asking them to follow links. Since the CEO is out of the office, it’s harder to verify that it was actually sent from them. This is just one of many examples of clone phishing attempts that are tough to spot. 

These attacks can be very personal. For example, many fake emails are nearly identical to legitimate emails sent from major organizations like Amazon and will mention the buyer specifically along with the recently purchased item. The email username and account will be almost identical to Amazon’s, with just a few characters changed.

Another challenge is identifying the next stage of the hack. The next phase could involve locking your device, stealing your information, or gaining access to the entire company’s network and data. Since individuals don’t know the next step for sure, it’s harder to spot the early signs. 

In general, once a hacker gains access, they can do a lot of damage to a company. Regardless of the organization’s security architecture and risk mitigation in place, it’s very difficult to remove an unauthorized hacker once they gain access from the inside. Since these attacks can vary so drastically, it can be very difficult to detect and prevent a clone phishing attack. 




How to Detect and Prevent a Clone Phishing Attack 

There are methods to detect and prevent clone phishing and other phishing attacks before they take down your organization. Best practices are based on security protocol, establishing policies around emails and training the organization, including:

  • Perform regular security awareness training. The entire organization needs to understand the different security risks surrounding clone phishing. If a hacker gains access to one computer, they can realistically take over the whole network. Ensure that everyone who operates a device within (and outside) your building has regular security awareness training.
  • Check for typos. Hack attempts commonly come from areas where English may be a second language. A clone phishing email’s phrasing might be odd and there could be grammatical errors — unlike a legitimate email from Amazon, for example. If you see typos, you should suspect a phishing attack. 
  • Think before you click. A good rule of thumb is to imagine every link is malicious if you don’t recognize the sender, especially if the email is coming from outside of your organization. Before clicking anything, check for signs of a clone phishing attack and be very skeptical. 
  • Hover before clicking. If you hover over a link without clicking it, the destination will appear above the link. Doing this will let you see where the link will take you. If you don’t recognize the domain, then don’t click it. 
  • Confirm with a phone call. If a coworker or outside organization sends you an email asking you to click a link and you’re skeptical, call them directly to confirm. It’s possible for a hacker to pretend to be anyone inside or outside the organization while sending you a malicious link. A direct phone call to verify information and identities will help to confirm a legitimate email. However, never call a number that you find in the email, since it can also be a fake number.
  • Ask an IT expert. Whenever there’s doubt, it’s best to ask a security team or IT expert. Experts will be aware of the newest threats and methods, and they can provide guidance. 
  • Be skeptical. The best advice when it comes to cybersecurity is to be skeptical. For every call or email you receive from someone outside of your organization, take a second to think through everything. With extra vigilance, you can avoid and thwart a cyberattack before it gets too far. 
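
Some of these manual checks can be backed by automated screening. The sketch below is an added example, not part of the original article: it compares a new message against an earlier trusted one and flags a sender domain that is a few characters off, as in the “MJones@GenralSuplier.com” scenario, and a copied body whose links point to new hosts. The sample messages, the legitimate domain `generalsupplier.com`, and the thresholds are assumptions made for illustration.

```python
import re
from difflib import SequenceMatcher
from email.utils import parseaddr
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def edit_distance(a, b):
    """Levenshtein distance, used to spot domains a few characters off."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def link_hosts(body):
    """Hostnames of every http(s) link in the body (unparseable links skipped)."""
    return {h for u in URL_RE.findall(body) if (h := urlparse(u).hostname)}

def clone_findings(trusted, candidate, trusted_domains, max_edits=2, min_sim=0.9):
    """Compare a new message with an earlier trusted one; return (kind, detail) pairs."""
    findings = []
    domain = parseaddr(candidate["from"])[1].rpartition("@")[2].lower()
    if domain not in trusted_domains:
        for good in sorted(trusted_domains):
            if edit_distance(domain, good) <= max_edits:
                findings.append(("lookalike_sender", f"{domain} resembles {good}"))
    # Compare wording with URLs removed, so swapped links do not hide a copy.
    sim = SequenceMatcher(None, URL_RE.sub("", trusted["body"]),
                          URL_RE.sub("", candidate["body"])).ratio()
    new_hosts = link_hosts(candidate["body"]) - link_hosts(trusted["body"])
    if sim >= min_sim and new_hosts:
        findings.append(("cloned_body_new_links", ", ".join(sorted(new_hosts))))
    return findings

# Constructed sample messages (not real mail); generalsupplier.com is an assumed legit domain.
BODY = "Hi,\nInvoice 1042 for July is attached. Pay online: {url}\nThanks,\nMichael Jones"
LEGIT = {"from": "Michael Jones <MJones@GeneralSupplier.com>",
         "body": BODY.format(url="https://portal.generalsupplier.com/pay/1042")}
CLONE = {"from": "Michael Jones <MJones@GenralSuplier.com>",
         "body": BODY.format(url="https://portal.genralsuplier.com/pay/1042")}

if __name__ == "__main__":
    for kind, detail in clone_findings(LEGIT, CLONE, {"generalsupplier.com"}):
        print(kind, "->", detail)
```

A finding here is a reason to quarantine the message or verify it by phone, not proof of an attack; legitimate senders also change link hosts from time to time.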



Clone phishing attacks are hard to detect and easy to fall for, and anyone can be a victim. They can inflict lasting damage on an organization, putting critical data and networks at significant risk. Understanding how they work and how to prevent them is paramount.

Performing regular security risk assessments and keeping both anti-phishing tools and risk mitigation plans updated helps security teams build effective anti-phishing programs. Employees are the weakest link in clone phishing attacks, and organizations must offer regular updates, training and simulations to help employees and management teams learn to recognize and report potential clone phishing attacks.

Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice. 

