Clone Phishing: Identifying and Avoiding Duplicate Email Scams

Ronan Mahony
Nov 13, 2023
Clone Phishing: Identifying and Avoiding Duplicate Email Scams

Most people are well aware of the classic phishing scams by now: the Nigerian prince, the lottery they never entered, the estranged relative leaving behind a fortune. Clone phishing, though, is a different beast. By preying on trust and mimicking legitimate emails to an uncanny degree, clone phishing emails dupe even the most vigilant employees.

Knowledge is the best defense, and in today’s rapidly evolving cyber landscape, staying ahead is not just an advantage—it’s a necessity. This post arms you with an in-depth understanding of what clone phishing truly is, showcases some clever examples, and equips you with the tools and tactics to help your organization defend against clone phishing attacks.

What is Clone Phishing?

Clone phishing is a sophisticated type of phishing attack in which cybercriminals replicate legitimate emails that a recipient previously received. These cloned emails appear as though they come from a trustworthy source, such as a payment provider, vendor, bank, or even a department within your company. However, in the cloned version of the message, attackers subtly modify certain elements to achieve their nefarious aims. 

The insidious nature of clone phishing lies in its manipulation of familiarity and trust. Because the recipient recognizes the content and format of the email, they are more likely to perceive it as legitimate. Trust in the apparent sender and the content of the email often overrides any sense of caution, which leads employees to click on a malicious link or download an infected attachment

Recent Examples of Clone Phishing

To better understand this threat, highlighting a few clone phishing examples from real-world cyber attacks is helpful. 

Microsoft SharePoint Scams

The relatively rapid shift to WFH arrangements enforced by the COVID-19 pandemic led companies and teams to increasingly rely on collaboration tools like Microsoft SharePoint. Exploiting this trend, threat actors crafted innovative phishing emails that imitated legitimate Microsoft SharePoint messages in mid-2021

Using the same template as standard email about SharePoint file requests or shared documents, the hackers then targeted recipients with malicious links to seemingly genuine files. Various spoofing tactics helped the hackers use legitimate-looking display names and email addresses that would only raise flags if closely inspected by employees. 

U.S. Department of Transportation Imitation

Another clone phishing example from 2021 saw companies in the engineering, energy, and architecture sectors targeted by emails that were ostensibly from the U.S. Department of Transportation. These deceptive emails invited recipients to submit bids for potentially lucrative government contracts. 

The reality was that the emails actually captured recipients’ Microsoft 365 login details by clicking a link in the message that instructed them to log in to Microsoft 365 in order to bid for the contracts. To make the imitation seem more real, hackers registered a domain with the word “gov” in it, which could easily be mistaken for a genuine U.S. government domain. 

How Clone Phishing Works

The previous clone phishing examples indicated some of the ways these attacks occur, but here is a more granular look at the attack process.

  • Threat actors begin the process by choosing a legitimate email from trusted senders like banks, service providers, collaboration tools, or even colleagues (for example, a regular company newsletter). This email serves as a template for the phishing attempt.
  • The next step involves crafting a near-identical copy of this email to ensure that the layout, branding, and overall appearance remain consistent with the original. 
  • A common tactic for cloning is to simply copy a legitimate email’s HTML source code, which dictates the email’s structure, design, and content.  Armed with the HTML code, threat actors can easily replicate the email in its entirety to preserve its layout, branding, and appearance. 
  • Another cloning method is to capture inline images, graphics, or other media elements from legitimate emails and then copy them into the cloned email to maintain visual consistency
  • After replicating a legitimate email’s structure and content, attackers make their own modifications. This typically involves changing links to point to their malicious websites or replacing legitimate attachments with malicious ones. 
  • Since they usually have access to the raw HTML code, it’s trivial to seamlessly modify legitimate emails in such a way that the changes are almost imperceptible to the average recipient.
  • To increase the likelihood that recipients believe the email comes from the purported source, tactics include spoofing the ‘From’ address, using domain names that are very similar to the genuine ones, or creating a sense of urgency. 
  • If the malicious modification points to a link, that link usually leads to a fake webpage designed to capture sensitive information, such as login credentials, credit card details, or personal data. If it’s a malicious attachment, opening it might install malware that gives attackers unauthorized access to the recipient’s system or data. 

Clone Phishing Use Cases

To further set the scene on clone phishing, here are some hypothetical use cases that hackers might use these tactics for:

Attackers Clone Executive Emails

Imagine a mid-level manager at a reputable company receiving an email that appears to be from the company’s CEO. The email, seemingly genuine with the company’s branding and the CEO’s typical signature, urgently requests a file or certain confidential information. The manager, not wanting to keep the executive waiting, complies without second-guessing.

By impersonating C-level executives, attackers exploit the inherent trust and authority of high-ranking positions. Employees are less likely to question or delay responding to directives from top-tier leadership. This makes clone phishing a powerful vector for cybercriminals to extract sensitive company information or manipulate internal processes.

Duping Clients with Cloned Bank Communications

A bank customer receives an email alert, which at first glance, mirrors the format of their bank’s regular communication. It claims there’s a security issue with their account and prompts them to click a link to verify their identity. The link redirects to a page identical to the bank’s login portal. Unwittingly, the recipient enters their credentials.

Financial data remains a prime target for cybercriminals. By replicating official communications from banks, attackers can deceive customers into revealing their login details. These credentials grant unauthorized parties access to accounts, funds, and other valuable financial data.

Imitating Order Confirmations for Data Harvesting

After a recent online shopping spree, Jane receives an order confirmation email from a popular e-commerce site. Everything appears in order; the company’s logo, the layout, even the order details. Hidden within, however, is a link prompting her to “update payment details” due to an alleged issue with her recent transaction. 

Jane clicks, entering her credit card information on a page that eerily mirrors the e-commerce site’s payment gateway. The e-commerce sector is rife with opportunities for clone phishing due to the sheer volume of transactional emails customers receive. By cloning order confirmations, attackers aim to lure victims into divulging personal and payment details. This is an easy way to exploit the trust between consumers and popular online vendors.

These use cases underscore the diverse applications and broad scope of clone phishing. Regardless of the arena—be it corporate, financial, or commercial—clone phishing leverages trust and familiarity as primary tools of deception.

Identifying Clone Phishing Attacks

Identifying clone phishing attacks is a big part of the battle in defending against this threat. Employees need to know how to be extra vigilant in looking out for some telltale signs. 

  • Inspect the sender’s email address: While the email may seem to come from a legitimate source due to being an exact imitation of that source’s usual email format, slight variations in the sender’s address are a clone phishing red flag. For instance, an email from “support@exarnpIe.com” instead of “support@example.com; this deceptive domain replaces the ‘m’ in example with ‘rn’ and the lower case ‘L’ with an uppercase ‘i’. Your employees should always hover over the sender’s name to reveal the actual email address and double-check for discrepancies.
  • Beware of urgent requests: Scammers who use social engineering often create a sense of urgency to rush people into making a decision without careful scrutiny. Instruct employees to be wary of emails insisting on immediate action, especially if they’re asking for sensitive information, passwords, or payment details.
  • Closely examine attachments and links: Even if an email looks familiar, unusual or unexpected attachments can be a sign of a phishing attempt. Similarly, recipients should always hover over links without clicking them to see where they lead. If the URL appears strange or doesn’t match the purported sender’s website, this is a strong sign of a clone phishing attack. Look for misspellings, extra characters, URL shortners like bit.ly that hackers often used to mask target links.

Avoiding Clone Phishing

While it’s helpful for employees to know what to look out for in clone phishing emails, how about some tips for avoiding these scams altogether? 

The most important avoidance tip is continuous education. Regularly update employees at all levels about the latest phishing tactics and techniques. Run regular training or awareness sessions, whether formal or informal. Ideally, try to blend traditional learning with interactive games, flyers, security newsletters, and simulated attacks. 

Try to cultivate a mindset of skepticism. If an email feels even slightly “off,” employees should trust their instincts. Let people know that it’s okay to take the time and reach out to the purported sender through a separate channel, like a known phone number or official website, to verify any email’s legitimacy. Never use the contact details provided in the suspicious email itself for this verification.

Clone Phishing Defense and Mitigation

Thankfully, hyper-vigilant or security-aware users are not the only layer of defense against clone phishing. The following technologies also have a role to play in reducing your company’s susceptibility to these attacks:

Email filters

Modern email services come equipped with built-in filters that use algorithms and pattern recognition to identify potential phishing emails. These filters scan emails for suspicious content, links, and attachments. If they detect potential threats, they either move the email to a spam or junk folder or flag it with a warning for the user. 

Anti-phishing solutions

These specialized tools often offer more comprehensive protection than generic email filters. They use a combination of heuristics analysis, machine learning, and known phishing signatures to detect potential threats. Many anti-phishing solutions also offer real-time link scanning to make sure that the content of a link is safe before the user accesses it. Additionally, these solutions may provide phishing awareness training and simulated phishing attacks to educate users.

Domain-based Message Authentication, Reporting & Conformance (DMARC)

DMARC is an email authentication protocol that uses Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) to detect and prevent email spoofing. When configured correctly, DMARC can help companies ensure that only authorized senders can send emails on their behalf.


Even with a security-aware workforce and advanced filtering and anti-phishing tools, some phishing attempts might still slip through the cracks. This is where multi-factor authentication (MFA) acts as a critical last line of defense.

MFA requires users to provide two or more verification methods to access an account. So even if a clone phishing attack tricks an employee into disclosing their username and password, the attacker would still need another form of verification to gain access.

Better still, opting for innovative passwordless authentication solutions can further bolster defenses against social engineering scams. At Kelvin Zero, we are even going a step beyond, building next-gen passwordless and trust solutions to secure our most critical organizations in today’s digital world. 

With our flagship solution, Multi-Pass, we are replacing passwords with enterprise-grade, phishing resistant passwordless authentication so you can stay one step ahead. 

Book a demo today to learn more about Multi-Pass and how Kelvin Zero can help your organization integrate trust throughout all of its operations.

Ronan Mahony

Ronan Mahony is a seasoned content writer who specializes in cybersecurity topics. With a knack for breaking down complex subjects into engaging and informative blog posts and articles, Ronan is dedicated to making cybersecurity accessible to a wider audience.