Skip to content

How Clone Phishing Works

Home  /  Phishing Protection  /  How Clone Phishing Works

How Clone Phishing Works

The manipulation of human behaviors, such as trust, has always been integral to social engineering and phishing. However, Clone phishing, a variation on the theme of spear phishing, is taking social engineering tricks to new levels to ensure a phishing attack is successful. The critical tactic of clone phishing is to copy a legitimate email using enough detail that a recipient thinks it is authentic. The recipient then feels comfortable enough to click an email link or hand over sensitive information via a spoof website, such as login credentials.

These clever phishing attacks are behind the increasing cost to organizations of lost credentials. According to the Ponemon Institute, phishing attacks have soared by 65%, from $2.79 million in 2020 to $4.6 million in 2022. As the war of attrition between phishing and anti-phishing continues, this innovation in phishing tactics means that your organization must have prevention measures in place.

What is the Clone Phishing Process?

Clone phishing involves a carefully constructed process that results in the theft of sensitive data or login credentials. These data are then used or sold to perpetuate fraud and cyber-attacks. The typical steps taken to perform a successful clone phish are:

Phase One: Plan and Set up the Clone Phishing Scam

Potential targets are identified. The clone phisher then conducts intelligence on targeted companies and trusted brands to plan a successful clone phishing email attack.

The attackers typically intercept emails from trusted brands/target companies or third-party vendors used by the target organization; these emails are then used to create a clone phishing email. The attackers will also build an associated spoof website if required. Planning will involve carefully designing these spoof websites and associated Clone phishing emails and include mechanisms to help them evade detection by traditional email protection tools.

Phase Two: Creating the Clone Email

The clone phisher will use the intelligence gathered during the planning phase to generate the components of the Clone phishing campaign. This will include a fraudulent email containing a link to a spoof website or a malicious attachment. If the email encourages a click to a website, the scammers will have created a realistic-looking website that mimics the brand they are spoofing. Clicking the link in the email takes the target to the website.

Intercepted emails are used as a baseline for the clone phishing email; these emails will be made to look like a follow-up email to the first email or some similar relationship; this creates a mind map in the recipient who associates the Clone email with the legitimate email. The intercepted email acts as a template to help trick the user into believing it is legitimate. The Clone phishing email will be carefully adjusted to include a malware attachment, link to a malicious website, or request sensitive information.

Phase Three: Execution of the Clone Phishing Scam

The clone phishing emails are sent to the identified victims from the intelligence gathered in phase one. By the time the target receives the email, it will have been expertly composed to fool the recipient. For example, suppose the recipient clicks a link in a legitimate looking, but cloned email. In that case, they will be on a spoofed website used to steal confidential information and/or login credentials. Alternatively, the cloned email may contain malware disguised as a typical attachment that the intercepted legitimate email usually contains.

Once the credentials or sensitive data are gathered, they will be used or sold to perform cyberattacks, including unauthorized access, ransomware infection, etc.


       Protect your business from phishing threats with SafeTitan security awareness training. Learn how it works today.    

        Book Free Demo

Clone Phishing vs. Spear Phishing

Clone Phishing takes spear phishing to new levels of sophistication and believability. Where spear phishing campaigns typically create messages from scratch to target individual employees, Clone phishing emails are based on actual business emails, usually intercepted by a hacker; the hacker uses the recognized format, wording, and specific content of a company email, to trick recipients. Often the emails intercepted by the hackers for cloning will be mass distributed emails, for example, to attend a company webinar.

Where Clone phishing emails may be sent out to multiple recipients, Spear phishing targets specific organizational roles, such as administrators. Both types of phishing will result in significant financial losses and damage to a business caused by credential theft and unauthorized access.

Clone and spear phishing are designed to evade detection by traditional anti-phishing solutions. Therefore, an essential part of protecting your organization from the harms of Clone phishing is through a program of education using behavior-driven security awareness training and role-based phishing simulation exercises.

Tell-tale Signs of Clone Phishing

Clone phishing messages are based on legitimate emails, and scammers use branded images and content, making it difficult for employees to notice they are a phishing attack. However, there are some tell-tale signs to look out for:

  • Poor spelling and grammar: scammers do not typically employ editors, so typos and simple grammatical mistakes slip into the cloned email. However, cybercriminals now turn to AI-enabled chatbots like ChatGPT to fix their poor grammar.
  • Non-matching domains: check the URL extension of the website the email link goes to; for example, should it be an, but instead, it is showing xxxxxx.AI.
  • Emotive content: does the email contain content that feels pushy or has a sense of urgency? Chances are it is a phishing attempt.

There are other indicators that an email could be a Clone phishing email. However, it is essential to note that scammers continuously evolve their tactics; only regular security awareness training and phishing simulations can keep employees updated with the latest trick or tell-tale signs.

Book a free demo of SafeTitan to see how phishing simulations can train employees to recognize and prevent dangerous phishing attacks.


       Protect your business from phishing threats with SafeTitan security awareness training. Learn how it works today.    

        Book Free Demo


How to Prevent Clone Phishing

Clone phishing attacks are subtle and clever and use techniques that evade detection by traditional email security tools. The only way to be sure that your organization is ahead of the scammers is to use a multi-layered, human-centric approach to tackling Clone phishing emails:

Behavior-Driven Security Awareness Training

People are the target of Clone phishing scammers: Cisco reported that 90% of data breaches result from a phishing email, and 86% of organizations, at least one person, will click on a phishing link. The human-centric nature of Clone phishing means that training employees on security matters is critical. Security awareness training helps build a security culture where employees know what to look for when using email. However, the training should be based on packages designed to be behavior-driven. Security packages that place behavior as a central pillar of educating users will apply the discipline of cyberpsychology to tackle risky behavior and help change poor security behavior into a positive stance.

Security awareness training must be designed to educate the human operator on their role in influencing technologies and what happens when security mishaps occur. A human-centric approach to cybersecurity is one where education and understanding form a central pivot in changing the cybersecurity culture of an organization. In terms of clone phishing, this level of security awareness is required because of the subtleties of the cloned email.

Phishing Simulations

Data from Coveware shows that phishing is becoming the most common method to deliver ransomware, with Q3 2022 showing a surge in the use of phishing for ransomware infections. Clone phishing is successful because it uses the clever tactic of basing the clone emails on real emails sent out by the target company. This makes spotting clone emails difficult but possible. Using advanced phishing simulation exercises, an organization can train employees to be vigilant about emails. Phishing simulations are essential because phishing is one of the main methods to deliver ransomware. Phishing simulators also provide ongoing metrics to show how well employees respond to specific phishing tests. These metrics provide the intelligence needed to tailor spoof emails further, focusing on specific trouble areas that challenge employees.

Phishing Protection Solutions

Advanced phishing protection solutions provide a first layer to prevent phishing messages from reaching employees' inboxes. For example, PhishTitan provides comprehensive, AI-enabled protection to stop even yet unknown threats from entering inboxes. In addition, advanced phishing protection tools will also offer DNS filtering to prevent employees from navigating to the malicious website behind a Clone phishing attack.

Robust Authentication Measures

Another layer of protection important in a 360-degree approach to preventing Clone phishing is ensuring that robust multi-factor authentication (MFA) is used. Strong MFA measures include password hygiene taught as part of security awareness training, layered with additional login mechanisms such as a second factor software-based authenticator or a biometric. However, it is essential not to rely solely on MFA to prevent phishing attacks as cybercriminals are now using methods to circumvent MFA; researchers have recently identified toolkits for sale on the dark web that bypasses two-factor authentication.

Phishing is an evolving threat, and clone phishing is part of this evolution. Therefore, one of the best ways an organization can prepare for this human-centric threat is to inform employees about this insidious and subtle phishing attack. Receive the latest guides & whitepapers in your inbox.


Book a free demo of SafeTitan to see how phishing simulations can train employees to recognize and prevent dangerous phishing attacks.

Book Free Demo

Start My Free Trial Now

Sign Up
Get Your 14 Day Free Trial

Talk to Our Email and DNS Security Team

Call us on US +1 813 304 2544

Contact Us