Skip to content

Hit enter to search or ESC to close

The manipulation of human behaviors, such as trust, has always been integral to social engineering and phishing. However, Clone phishing, a variation on the theme of spear phishing, is taking social engineering tricks to new levels to ensure a phishing attack is successful. The critical tactic of clone phishing is to copy a legitimate email using enough detail that a recipient thinks it is authentic. The recipient then feels comfortable enough to click an email link or hand over sensitive information via a spoof website, such as login credentials.

These clever phishing attacks are behind the increasing cost to organizations of lost credentials. According to the Ponemon Institutephishing attacks have soared by 65%, from $2.79 million in 2020 to $4.6 million in 2022. As the war of attrition between phishing and anti-phishing continues, this innovation in phishing tactics means that your organization must have prevention measures in place.

Did You Know?


cyber attacks begin with phishing

10 minutes

to seamlessly install PhishTitan

$10.5 trillion

estimated global cybercrime cost

295 days

to stop & spot a phishing attack

What is the Clone Phishing Process?

Clone phishing involves a carefully constructed process that results in the theft of sensitive data or login credentials. These data are then used or sold to perpetuate fraud and cyber-attacks. The typical steps taken to perform a successful clone phish are:

Phase One: Plan and Set up the Clone Phishing Scam

Potential targets are identified. The clone phisher then conducts intelligence on targeted companies and trusted brands to plan a successful clone phishing email attack.

The attackers typically intercept emails from trusted brands/target companies or third-party vendors used by the target organization; these emails are then used to create a clone phishing email. The attackers will also build an associated spoof website if required. Planning will involve carefully designing these spoof websites and associated Clone phishing emails and include mechanisms to help them evade detection by traditional email protection tools.

Phase Two: Creating the Clone Email

The clone phisher will use the intelligence gathered during the planning phase to generate the components of the Clone phishing campaign. This will include a fraudulent email containing a link to a spoof website or a malicious attachment. If the email encourages a click to a website, the scammers will have created a realistic-looking website that mimics the brand they are spoofing. Clicking the link in the email takes the target to the website.

Intercepted emails are used as a baseline for the clone phishing email; these emails will be made to look like a follow-up email to the first email or some similar relationship; this creates a mind map in the recipient who associates the Clone email with the legitimate email. The intercepted email acts as a template to help trick the user into believing it is legitimate. The Clone phishing email will be carefully adjusted to include a malware attachment, link to a malicious website, or request sensitive information.

Phase Three: Execution of the Clone Phishing Scam

The clone phishing emails are sent to the identified victims from the intelligence gathered in phase one. By the time the target receives the email, it will have been expertly composed to fool the recipient. For example, suppose the recipient clicks a link in a legitimate looking, but cloned email. In that case, they will be on a spoofed website used to steal confidential information and/or login credentials. Alternatively, the cloned email may contain malware disguised as a typical attachment that the intercepted legitimate email usually contains.

Once the credentials or sensitive data are gathered, they will be used or sold to perform cyberattacks, including unauthorized access, ransomware infection, etc.

"Phishing attacks have soared by 65%, from $2.79 million in 2020 to $4.6 million in 2022."

Clone Phishing vs. Spear Phishing

Clone Phishing takes spear phishing to new levels of sophistication and believability. Where spear phishing campaigns typically create messages from scratch to target individual employees, Clone phishing emails are based on actual business emails, usually intercepted by a hacker; the hacker uses the recognized format, wording, and specific content of a company email, to trick recipients. Often the emails intercepted by the hackers for cloning will be mass distributed emails, for example, to attend a company webinar.

Where Clone phishing emails may be sent out to multiple recipients, Spear phishing targets specific organizational roles, such as administrators. Both types of phishing will result in significant financial losses and damage to a business caused by credential theft and unauthorized access.

Clone and spear phishing are designed to evade detection by traditional anti-phishing solutions. Therefore, an essential part of protecting your organization from the harms of Clone phishing is through a program of education using behavior-driven security awareness training and role-based phishing simulation exercises.

Tell-tale Signs of Clone Phishing

Clone phishing messages are based on legitimate emails, and scammers use branded images and content, making it difficult for employees to notice they are a phishing attack. However, there are some tell-tale signs to look out for:

  • Poor spelling and grammar: scammers do not typically employ editors, so typos and simple grammatical mistakes slip into the cloned email. However, cybercriminals now turn to AI-enabled chatbots like ChatGPT to fix their poor grammar.
  • Non-matching domains: check the URL extension of the website the email link goes to; for example, should it be an, but instead, it is showing xxxxxx.AI.
  • Emotive content: does the email contain content that feels pushy or has a sense of urgency? Chances are it is a phishing attempt.

There are other indicators that an email could be a Clone phishing email. However, it is essential to note that scammers continuously evolve their tactics; only regular security awareness training and phishing simulations can keep employees updated with the latest trick or tell-tale signs.

Book a free demo of SafeTitan to see how phishing simulations can train employees to recognize and prevent dangerous phishing attacks.

"90% of data breaches result from a phishing email."

How to Prevent Clone Phishing

Clone phishing attacks are subtle and clever and use techniques that evade detection by traditional email security tools. The only way to be sure that your organization is ahead of the scammers is to use a multi-layered, human-centric approach to tackling Clone phishing emails:

Behavior-Driven Security Awareness Training

People are the target of Clone phishing scammers: Cisco reported that 90% of data breaches result from a phishing email, and 86% of organizations, at least one person, will click on a phishing link. The human-centric nature of Clone phishing means that training employees on security matters is critical. Security awareness training helps build a security culture where employees know what to look for when using email. However, the training should be based on packages designed to be behavior-driven. Security packages that place behavior as a central pillar of educating users will apply the discipline of cyberpsychology to tackle risky behavior and help change poor security behavior into a positive stance.

Security awareness training must be designed to educate the human operator on their role in influencing technologies and what happens when security mishaps occur. A human-centric approach to cybersecurity is one where education and understanding form a central pivot in changing the cybersecurity culture of an organization. In terms of clone phishing, this level of security awareness is required because of the subtleties of the cloned email.

Hear from our Customers

Security system for companies

What do you like best about PhishTitan? It is helpful against scammers and used frequency in the base of security What problems is PhishTitan solving and how is that benefiting you? It is a basic security needed for every mail users against scammers

Samuel J.


Easily Implemented Product

Pros: Great UI. Good detection service. URL Rewrites. Compliance and Regulation. Improved Security Posture. Enhanced Employee Awareness. Overall: The Support team are great at TitanHQ, helped us every step of the way with onboarding our 365 tenancy, since implementing we haven't had to make any changes, simply checking the dashboard for detections once a day.

A PhishTitan User

IT Support Technician

Simple setup, minimal maintenance

Pros: PhishTitan is extremely easy to setup & onboard customers, it typically takes us less than 5 minutes to have a client completely onboarded onto the platform. We've been using the platform for around 6 months now and have had to perform next to no maintenance on it, it just works. Phishing detection is extremely accurate Cons: Not had any issues to report yet! And based on their responses from queries, their support team would be on it straight away with a fast resolution. Overall: Great product, easy to use & setup, great detection & next to no maintenance required. Would fully recommend the product to greatly reduce your phishing threats and administration time.

Ricky B.

IT Operations Director

TitanHQ is ever-evolving and advancing its tool stack to help business protect their data.

As a TitanHQ partner, we have used all their other products to help secure our customers. The addition of PhishTitan shows that TitanHQ is ever-evolving and advancing its tool stack to help businesses protect their data. PhishTitan is helping us layer in more protection right inside the M365 mailbox. With threat actors now having the assistance of AI to help them form their malicious email attacks, it is more important now than ever for us to use an AI-driven tool like PhishTitan.

Hunter McFadden


We are planning to deploy to all our clients.

Since we deployed PhishTitan our users are more aware and better protected from phishing emails. The visual cues users get with suspicious emails is a great help. The Outlook Add-In also works fantastically. We are planning to deploy to all our clients. This is a definite win-win.

Hugh Meighan


Phishing Simulations

Data from Coveware shows that phishing is becoming the most common method to deliver ransomware, with Q3 2022 showing a surge in the use of phishing for ransomware infections. Clone phishing is successful because it uses the clever tactic of basing the clone emails on real emails sent out by the target company. This makes spotting clone emails difficult but possible. Using advanced phishing simulation exercises, an organization can train employees to be vigilant about emails. Phishing simulations are essential because phishing is one of the main methods to deliver ransomware. Phishing simulators also provide ongoing metrics to show how well employees respond to specific phishing tests. These metrics provide the intelligence needed to tailor spoof emails further, focusing on specific trouble areas that challenge employees.

Phishing Protection Solutions

Advanced phishing protection solutions provide a first layer to prevent phishing messages from reaching employees' inboxes. For example, PhishTitan provides comprehensive, AI-enabled protection to stop even yet unknown threats from entering inboxes. In addition, advanced phishing protection tools will also offer DNS filtering to prevent employees from navigating to the malicious website behind a Clone phishing attack.

Robust Authentication Measures

Another layer of protection important in a 360-degree approach to preventing Clone phishing is ensuring that robust multi-factor authentication (MFA) is used. Strong MFA measures include password hygiene taught as part of security awareness training, layered with additional login mechanisms such as a second factor software-based authenticator or a biometric. However, it is essential not to rely solely on MFA to prevent phishing attacks as cybercriminals are now using methods to circumvent MFA; researchers have recently identified toolkits for sale on the dark web that bypasses two-factor authentication.

Phishing is an evolving threat, and clone phishing is part of this evolution. Therefore, one of the best ways an organization can prepare for this human-centric threat is to inform employees about this insidious and subtle phishing attack. Receive the latest guides & whitepapers in your inbox.

Susan Morrow

Susan Morrow


Talk to our Team today

Talk to our Team today