
Clone Phishing

What is clone phishing?

Clone phishing is a type of phishing attack in which the attacker sends an email that is a near-exact copy of a legitimate one the victim has already received. The sender name, subject, wording, and branding are all kept; the only difference is that the original links or attachments are replaced with malicious ones.

The swapped link typically leads to a fake website built to harvest sensitive information such as login credentials or personal data. A swapped attachment, once opened, can install ransomware, Trojans, keyloggers, or other malware. Because the message reuses a real communication the victim has already trusted once, it defeats most of the cues users are taught to look for, which makes clone phishing a serious threat to email security.

How does clone phishing work?

A clone phishing attack typically proceeds in the following steps:

  1. Account takeover or interception: The attacker gains access to the sender's or recipient's mailbox, or intercepts email in transit.
  2. Target email selection: The attacker picks a legitimate email the victim is expecting, or one already present in the recipient's inbox, the sender's sent items, or the intercepted traffic. Typical candidates are an invoice, a shipping update, a customer-service reply, a financial notification, or a software or platform update.
  3. Cloning the email: The message is copied exactly, but the safe links or attachments are swapped for malicious ones.
  4. Sending the clone: The attacker resends the copy, often framed as a "re-send" or "updated version", or with phrases such as "Immediate action required" or "Revised attachment".
  5. Exploiting trust: The victim recognises the familiar email, clicks the link or opens the attachment, and the result is credential theft, malware infection, or a follow-on attack.
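The five steps above describe the attack from the attacker's side. The following Python script is an added example, not code from the original page, that models the detection side: it constructs a legitimate invoice email and the attacker's "re-send" of it, then diffs the two to show that the wording is identical while the link host and attachment have changed. The domains (example.com as the genuine sender, example-billing.net as the look-alike), the addresses, and the 0.9 similarity threshold are assumptions made for illustration.

```python
"""Added example, not from the original page: detect a clone-phishing
"re-send" by diffing it against the legitimate email it copies.

Assumptions: example.com is the real sender, example-billing.net the
attacker's look-alike domain, and a body similarity of 0.9 or more is
treated as "the same email". All messages here are constructed."""
import difflib
import re
from email.message import EmailMessage
from urllib.parse import urlparse

URL_RE = re.compile(r"""https?://[^\s"'<>)]+""")
# The re-send framing the page lists for cloned messages.
RESEND_RE = re.compile(r"re-?send|resent|updated|revised|immediate action", re.I)
SIMILARITY_THRESHOLD = 0.9  # assumption: near-identical wording

BODY = """\
Hello,

Your invoice 1042 is ready. View and pay it here:
{link}

The PDF is attached.

Regards,
Billing team
"""


def build(subject, link, filename):
    """Build a constructed test message; the clone reuses the same template."""
    msg = EmailMessage()
    msg["From"] = "Billing <billing@example.com>"
    msg["To"] = "victim@example.org"
    msg["Subject"] = subject
    msg.set_content(BODY.format(link=link))
    msg.add_attachment(b"%PDF-1.4 placeholder", maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg


# Constructed: the legitimate email the victim received first.
ORIGINAL = build("Invoice 1042 for March",
                 "https://portal.example.com/invoices/1042",
                 "invoice-1042.pdf")
# Constructed: the attacker's clone, same wording, swapped link and attachment.
CLONE = build("RE-SEND: Invoice 1042 for March (updated attachment)",
              "https://portal.example-billing.net/invoices/1042",
              "invoice-1042.pdf.zip")


def body_text(msg):
    """Plain-text body of a message, or an empty string if it has none."""
    part = msg.get_body(preferencelist=("plain",))
    return part.get_content() if part else ""


def attachment_names(msg):
    return [p.get_filename() for p in msg.iter_attachments()]


def compare_clone(original, resent):
    """Compare a suspected re-send against the stored legitimate email."""
    orig_text, new_text = body_text(original), body_text(resent)
    # Mask URLs before comparing wording, so a swapped link alone does not
    # lower the score: the whole point of a clone is that the text matches.
    similarity = difflib.SequenceMatcher(
        None, URL_RE.sub("<url>", orig_text), URL_RE.sub("<url>", new_text)).ratio()
    # A clone keeps link count and order, so pairwise comparison is enough.
    swapped_links = [
        (old, new) for old, new in zip(URL_RE.findall(orig_text), URL_RE.findall(new_text))
        if urlparse(old).hostname != urlparse(new).hostname]
    changed_attachments = [
        (old, new) for old, new in zip(attachment_names(original), attachment_names(resent))
        if old != new]
    resend_framing = bool(RESEND_RE.search(str(resent["Subject"])))
    suspected = similarity >= SIMILARITY_THRESHOLD and bool(swapped_links or changed_attachments)
    return {
        "similarity": round(similarity, 3),
        "swapped_links": swapped_links,
        "changed_attachments": changed_attachments,
        "resend_framing": resend_framing,
        "suspected_clone": suspected,
    }


if __name__ == "__main__":
    for key, value in compare_clone(ORIGINAL, CLONE).items():
        print(f"{key}: {value}")
```

The URL masking is the important design choice: a naive text diff would score the clone slightly lower than the original and might be tuned to ignore it, whereas masking keeps the wording score at 1.0 and makes the swapped host and the renamed attachment the only differences, which is exactly the signature of this attack.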

Best practices to protect against clone phishing

  • Educate users through security awareness training

    • Train employees to spot cloned emails, which are harder to detect than generic phishing because they are identical to a legitimate message except for the replaced URL or attachment.
    • Conduct periodic, simulated phishing campaigns to test how your team would react to a real phishing attack.
  • Verify the email source carefully

    • Always check the sender’s email address for any misspellings or irregularities in the domain name.
    • If suspicious, type the domain manually in your browser instead of clicking links in the email.
    • If an email is resent multiple times urging you to click a link or download a file, confirm its authenticity by calling the sender directly or emailing a known contact at the organization, using contact details you already have rather than those in the email.
    • Check the email headers for:
      • The Return-Path: its domain should match the From address.
      • The SPF, DKIM, and DMARC results. If these checks fail, the email likely came from a spoofed domain. Note that they only authenticate the sending domain: a clone sent from a compromised legitimate mailbox passes all three, so a pass alone does not clear a suspicious re-send.
  • Use advanced email security solutions

    • Deploy email security tools such as Zoho eProtect to:
      • Analyze links with URL protection and detonate attachments in a sandbox.
      • Enforce SPF, DKIM, and DMARC verification for all incoming and outgoing email.
    • These solutions can block spoofed domains and malicious links before they reach users.
  • Enforce MFA and strong access controls

    • Implement multi-factor authentication (MFA) so that stolen credentials alone are not enough to log in. This protects both the victim's account and the sender mailboxes an attacker would need to take over in the first step of the attack. Apply role-based access controls to limit exposure of sensitive data.
  • Monitor for insider threats

    • Be aware that malicious insiders can leak legitimate emails to attackers, enabling clone phishing.
    • Use monitoring tools to detect unusual user activity while respecting privacy.
  • Report suspicious emails immediately

    • If an employee identifies a clone-phishing email, they should report it to the security team so the team can warn the rest of the organization and block the link or attachment before anyone else opens it.
  • Practice safe browsing habits

    • Before entering any information, verify the site you landed on:
      • Ensure the URL starts with https:// and that the browser shows a padlock for a valid TLS certificate. This only confirms that the connection is encrypted, not that the site is genuine; phishing sites routinely use valid certificates.
      • Check that the domain in the address bar is the one you expect, not a look-alike.
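The header check in the list above (Return-Path plus the SPF, DKIM, and DMARC results) is shown here as an added example that is not part of the original page. The script parses two constructed messages: a clone sent from a look-alike domain, which the receiving server recorded as failing every check, and a clone sent from the genuine billing mailbox after an account takeover, which passes every check. The receiving server mx.example.org, the domains example.com and example-billing.net, and the addresses are assumptions made for illustration.

```python
"""Added example, not from the original page: inspect the headers the
checklist names (Return-Path and the SPF/DKIM/DMARC results recorded in
Authentication-Results) and state what a pass does and does not prove.

Assumptions: mx.example.org is the receiving mail server that wrote the
Authentication-Results header; example.com is the genuine sender domain
and example-billing.net the attacker's look-alike. Both messages below
are constructed."""
import re
from email import message_from_string, policy
from email.utils import parseaddr

# RFC 8601 style results: "spf=fail", "dkim=pass", "dmarc=fail" ...
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")

# Constructed: clone sent from the look-alike domain.
SPOOFED = """\
Return-Path: <billing@example-billing.net>
Authentication-Results: mx.example.org;
 spf=fail smtp.mailfrom=example-billing.net;
 dkim=none;
 dmarc=fail header.from=example.com
From: Billing <billing@example.com>
To: victim@example.org
Subject: RE-SEND: Invoice 1042 for March

Your invoice is ready: https://portal.example-billing.net/invoices/1042
"""

# Constructed: clone sent from the real billing mailbox after an account
# takeover. The domain is genuine, so every check passes.
COMPROMISED = """\
Return-Path: <billing@example.com>
Authentication-Results: mx.example.org;
 spf=pass smtp.mailfrom=example.com;
 dkim=pass header.d=example.com;
 dmarc=pass header.from=example.com
From: Billing <billing@example.com>
To: victim@example.org
Subject: RE-SEND: Invoice 1042 for March

Your invoice is ready: https://portal.example-billing.net/invoices/1042
"""


def address_domain(header_value):
    """Lower-cased domain of the address in a From or Return-Path header."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def check_headers(raw):
    """Report authentication results and Return-Path alignment for one message."""
    msg = message_from_string(raw, policy=policy.default)
    results = {k.lower(): v.lower()
               for k, v in AUTH_RE.findall(str(msg.get("Authentication-Results", "")))}
    from_domain = address_domain(msg.get("From"))
    return_path_domain = address_domain(msg.get("Return-Path"))
    aligned = bool(from_domain) and from_domain == return_path_domain
    failed = [c for c in ("spf", "dkim", "dmarc") if results.get(c) != "pass"]
    likely_spoofed = bool(failed) or not aligned
    if likely_spoofed:
        note = "authentication failed or Return-Path does not match From: likely spoofed"
    else:
        # Passing only proves the mail left the genuine domain. A clone sent
        # from a compromised legitimate mailbox passes all three checks, so
        # the links and attachments still have to be examined.
        note = "sending domain authenticated; content and links still unverified"
    return {
        "results": results,
        "from_domain": from_domain,
        "return_path_domain": return_path_domain,
        "return_path_aligned": aligned,
        "failed": failed,
        "likely_spoofed": likely_spoofed,
        "note": note,
    }


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("compromised", COMPROMISED)):
        print(label, check_headers(raw))
```

The second message is the one to remember: when the clone leaves the real sender's compromised account, the headers are clean, and the only remaining signals are the ones the rest of the list describes, namely the unexplained re-send, the changed link host, and the renamed attachment.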