You open your inbox to find a new email from a service provider you use every day. It’s a product update with a CTA asking you to log in to their service—nothing sketchy. However, a few minutes later, a second message arrives: “Sorry, we sent the wrong link in the previous email. Please use this updated one instead.” At first glance, it has the same branding, tone, and email address. It seems like a simple human error until you realize it’s actually a clone phishing attempt.
So, what is clone phishing? The scam begins when cybercriminals hijack a legitimate organization’s email account. They use this access to locate and clone an actual email previously sent to you. By adding text claiming, for example, that the original email was missing an urgent attachment, they trick you into downloading malware instead of the important information you expected. This sophisticated phishing attack exploits your existing professional trust, which is what makes clone phishing dangerous.
What is clone phishing?
At its core, clone phishing is a specialized and highly deceptive form of phishing attack. It occurs when a cybercriminal takes a legitimate email that has already been delivered—one that you have likely already seen and trusted—and creates a near-perfect replica of it. The hacker then swaps the original, safe links or attachments with malicious versions designed to steal your data or infect your device.
However, clone phishing doesn’t always rely on hijacking active email replies. Sometimes, the attack is carried out by copying a message commonly sent by a well-known business entity, like a bank or a SaaS provider, and sending a targeted recipient a copy of that legitimate email. What makes modern clone phishing attacks particularly dangerous is that these replicas often contain malware attachments that install rootkits, ransomware, or other software designed to steal your sensitive information.
Furthermore, AI now allows attackers to perfectly clone the tone and writing style of the original sender. The result is a clone phishing email that sounds exactly like a colleague or a trusted brand, which effectively neutralizes your internal alarm for suspicious messages. Understanding what clone phishing is means recognizing that even a correction to a real conversation or a standard business notification can be a calculated entry point for clone phishing scams.
How a clone phishing attack works
A successful clone phishing operation is a calculated process that often begins with a data breach. To prevent clone phishing attacks, it helps to see how hackers move through the stages of a phishing attack:
Interception. The process begins when cybercriminals gain access to a legitimate email account. This typically happens after an email account is hijacked or an inbox is compromised through a previous data breach. This access allows the attacker to locate real communications and identify which messages are most effective to clone.
Creation of the replica. Using the intercepted information, the hacker creates a pixel-perfect replica of the email. They replicate every detail to ensure the clone phishing email looks authentic, including the corporate branding, layout, and the sender’s specific signature.
Substitution of content. The attacker modifies the content by adding text that claims the original email was missing an attachment or contained an incorrect link. They swap the legitimate “Invoice.pdf” with a malicious version, such as “Invoice_Updated.exe,” or replace a safe URL with a fraudulent one.
Unexpected resends or follow-ups. Receiving an unexpected resend or follow-up email for a message you’ve already seen can indicate clone phishing. These clone phishing attempts rely on the recipient believing the message is a standard follow-up or an innocent human mistake where only the link has been corrected. If you’re unsure about the legitimacy of the resend, verify with the sender through a separate, trusted channel before interacting with any links or files.
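The substitution and resend stages above leave a measurable trace: the "corrected" message differs from the original only in its links and attachments. The following added example (not part of the original article) compares a resend against the message it copies, using constructed sample messages from a hypothetical vendor.example sender and an assumed list of risky file extensions.

```python
import re
from email.message import EmailMessage
from urllib.parse import urlsplit

RISKY_EXT = (".exe", ".scr", ".js", ".vbs", ".iso", ".lnk")  # assumed list for this example

def summarize(msg):
    """Return (link hosts, attachment filenames) found in one message."""
    hosts, files = set(), set()
    for part in msg.walk():
        name = part.get_filename()
        if name:
            files.add(name.lower())
        elif part.get_content_maintype() == "text":
            body = part.get_payload(decode=True).decode("utf-8", "replace")
            hosts.update(urlsplit(u).hostname for u in re.findall(r"https?://[^\s\"'<>]+", body))
    return hosts, files

def compare_resend(original, resend):
    """List what a 'corrected' resend changed relative to the message it copies."""
    (o_hosts, o_files), (r_hosts, r_files) = summarize(original), summarize(resend)
    added = sorted(r_files - o_files)
    return {
        "new_link_hosts": sorted(r_hosts - o_hosts),
        "new_attachments": added,
        "risky_attachments": [f for f in added if f.endswith(RISKY_EXT)],
    }

def build(body, filename):
    """Construct a sample message (constructed data, hypothetical sender)."""
    m = EmailMessage()
    m["From"], m["Subject"] = "billing@vendor.example", "Invoice 1001"
    m.set_content(body)
    m.add_attachment(b"sample bytes", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m

ORIGINAL = build("Pay at https://portal.vendor.example/pay/1001", "Invoice.pdf")
RESEND = build("Sorry, wrong link. Pay at https://portal.vendor-pay.example/pay/1001",
               "Invoice_Updated.exe")
REPORT = compare_resend(ORIGINAL, RESEND)
```

A resend that introduces a new link host or a new executable attachment is the case to verify with the sender before opening anything.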
Clone phishing vs. spear phishing: what’s the difference?
While both are types of targeted phishing attacks, they rely on different psychological triggers to succeed. Spear phishing is built on research and customization, whereas clone phishing is built on replication.
More precisely, spear phishing requires the attacker to gather personal or professional details to craft a unique message. In contrast, a clone phishing email relies entirely on the trust you’ve already established during a real previous interaction. Because the email looks like a continuation of a legitimate conversation, your natural defenses are much lower.
| Feature | Spear phishing | Clone phishing |
|---|---|---|
| Origin | Custom-made based on target research. | A direct copy of a real, previously delivered email. |
| Trust factor | Built through personalization and urgency. | Based on a pre-existing, legitimate interaction. |
| Execution | Usually starts as a new, highly tailored thread. | Often appears as a correction or resend of an existing message. |
| Primary goal | To trick a specific individual or small group. | To exploit established trust by substituting content. |
Common examples of clone phishing
Identifying a phishing attack often comes down to recognizing several familiar patterns before clicking on a link or file. Here are some common clone phishing examples:
The revised invoice scam. Common in B2B and freelance contexts, this begins with a legitimate bill. A clone phishing email follows shortly after, claiming that the banking details were incorrect or that a discount was missing. This is a primary tactic in many clone phishing scams.
The updated link scam. A clone phishing example targeting SaaS users might claim, “We updated our Privacy Policy—please sign the new version here.” These clone phishing attempts lead to fraudulent login portals designed to harvest credentials.
The service provider clone. Attackers mimic automated templates from brands like Amazon, FedEx, or Microsoft. Because these brands send high volumes of emails, these clone phishing attacks often go unnoticed and appear as standard delivery updates or account security notifications.
Red flags: how to spot a cloned email
Even the most convincing clone phishing email has flaws. Because these attacks rely on your autopilot behavior, taking a second to look for technical inconsistencies can break the spell of the phishing attack:
Header analysis. Always check the “Reply-To” field against the “From” field. While the display name might say “IT support,” the actual Reply-To address could be a string of random characters or an unrelated personal account. This is a common indicator of a clone phishing attempt.
The hover test. Before you click any link in a suspected clone phishing email, hover your cursor over it. A small box will appear showing the actual destination URL. If the text says nordpass.com but the preview shows an unfamiliar site, it’s a phishing attack.
Lookalike domains. Attackers often register domains that are visually similar to legitimate ones—a tactic known as typosquatting. Keep an eye out for subtle changes like nordpasss.com or nord-pass.com. These clone phishing scams rely on you being in too much of a hurry to notice the extra letter or symbol.
Developing a habit of checking these details is one of the most effective ways to prevent clone phishing attacks from reaching their goal.
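The three checks above can be automated for mail you triage. This added example (not from the original article) runs the Reply-To comparison, the hover test, and a lookalike-domain check over one constructed message; the trusted-domain list, the edit-distance threshold of 2, and the regex-based link extraction for a single-part HTML body are assumptions of the sketch.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

TRUSTED = {"nordpass.com"}  # assumed allow-list: domains the recipient really uses
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[-1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def addr_domain(header):
    """Domain of the address inside a From or Reply-To header value."""
    return parseaddr(header)[1].rpartition("@")[2].lower()

def within(host, domain):
    """True if host is the domain itself or one of its subdomains."""
    return host == domain or host.endswith("." + domain)

def red_flags(raw):
    """Return flag strings for a raw message with a single-part HTML body."""
    msg, flags = message_from_string(raw), []
    if addr_domain(msg.get("Reply-To", msg["From"])) != addr_domain(msg["From"]):
        flags.append("reply-to-mismatch")
    for href, text in ANCHOR.findall(msg.get_payload()):
        host, text = urlsplit(href).hostname or "", text.strip().lower()
        # Hover test: link text that names a domain must match the real target.
        if re.fullmatch(r"[a-z0-9.-]+\.[a-z]{2,}", text) and not within(host, text):
            flags.append(f"text-vs-target:{text}->{host}")
        # Lookalike: close to a trusted domain without being inside it.
        near = any(edit_distance(host, t) <= 2 for t in TRUSTED)
        if near and not any(within(host, t) for t in TRUSTED):
            flags.append(f"lookalike:{host}")
    return flags

# Constructed sample message, not taken from a real campaign.
SAMPLE = """From: IT support <support@nordpass.com>
Reply-To: x7k2q@mailbox.example
Content-Type: text/html

<p>Wrong link earlier, use <a href="https://nordpasss.com/login">nordpass.com</a></p>
"""
```

Calling `red_flags(SAMPLE)` reports all three indicators, while a message whose link and Reply-To stay on the trusted domain returns an empty list.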
How to protect your identity from clone phishing
To prevent clone phishing attacks, you don’t need to be a technical expert. Incorporating a few proactive habits and the right security tools can stop a phishing attack before it starts:
Use a password manager. A reliable business password manager like NordPass is vital for preventing clone phishing attacks. It stores your credentials for specific, verified URLs. If you receive a clone phishing email directing you to a fake site that looks identical to the real thing but has a slightly different web address, NordPass won’t offer to autofill your details. That silence is an immediate red flag that you’re facing a phishing attack.
Enable multi-factor authentication (MFA). Even if clone phishing attacks trick you into giving up your password, MFA acts as a second lock on the door. Without the temporary code from your phone or security key, a stolen password is useless to an attacker.
Verify out-of-band. If a corrected email feels suspicious—especially one from a colleague or a vendor asking for a change in payment details—verify it through a separate, trusted channel. Ping them on Slack or give them a quick call to confirm they actually sent the follow-up. Taking a moment to verify is the best way to deal with clone phishing scams.
By staying vigilant, you can ensure that even the most convincing clone phishing email fails to compromise your digital life, allowing you to keep your focus where it belongs—on your work, not on second-guessing your inbox.