What is clone phishing and why it matters

Share on facebook
Share on twitter
Share on linkedin
Share on reddit


The next level of nefarious? Clone phishing campaigns. In this article, discover how to define, recognize and prevent clone phishing attacks. 

Clone phishing definition: What is clone phishing?

A clone phishing attack leverages an existing or previously distributed email containing attachments or links. In the clone version, these elements are replaced with malicious doppelgangers containing ransomware, viruses, or spyware. 

Clone phishing emails may appear to come from colleagues or contacts, and will look like a resend of an earlier message. Hackers may try to explain the resend by way of mentioning updates to the original version. 

The attack is based on a previously seen email, which increases the likelihood that an individual will fall for the attack. Think about it – we respond to emails from people whose names we recognize almost instantly. 

It’s easy to fall victim to clone phishing. Clone phishing attacks are among the most difficult types of phishing emails to detect.

How clone phishing campaigns persist

Once victims have clicked on a malicious element within a clone phishing email, the cyber attackers suddenly gain access to 100% of the victim’s contacts, to whom another clone phishing email is sent. The process continues as clone phishers send emails to a person’s contacts, a person’s contacts’ contacts’, and a person’s contacts’ contacts’ contacts.

Clone phishing vs. spear phishing

Clone phishing means that hackers have to obtain an existing or previously sent email ahead of developing a replica. Hackers often clone an email that is commonly distributed en-masse  and then send the cloned version en-masse. For example, an organization that has internally and externally distributed an invitation to an event might be a target of clone phishing attacks. 

In contrast, spear phishing campaigns force hackers into developing original email content that’s unique to the target’s business priorities or interests. Spear phishing campaigns are also highly targeted, and are typically only distributed to a single individual or a very limited number of individuals at a time. 

Clone phishing examples

Become expert in identifying clone phishing attacks. Here is an example of what a clone phishing attack could look like:

[Subject line: Quick, updated attendee list]

Hi Jennifer, 

We have additional attendees registered for the promotional event in New York City on July 1st. Here is an updated list of attendees: [Malicious link here]



This is simply an example and it is worth noting that clone phishing attacks can take on many different written formats.

Clone phishing in 2022: Staying Safe

Watch out for resends! Additional best practices, such as the ones below, can also help keep you and your organization safe from clone phishing.

  1. Look for links and attachments in emails and ensure their authenticity
  2. Look for errors in the presentation of the emails. They are not always 100% cloned. 
  3. Verify the legitimacy of an email by contacting the sender via phone call or text message.
  4. Information security professionals can provide employees with security awareness training.
  5. Leverage anti-phishing technologies, which can block the most sophisticated of phishing attacks. 


Phishing attacks can lead to irreconcilable business damage. A combination of employee awareness and multi-layered security solutions that include anti-phishing and email security capabilities can effectively mitigate clone phishing attacks.

Discover CyberTalk.org’s additional phishing resources here and here. Learn more about email security here.

Lastly, please join us at the premiere cyber security event of the year, CPX 360 2022. Register now

Read more

Explore the site

More from the blog

Latest News