What Is Clone Phishing?
Clone phishing is a phishing tactic where an attacker copies a legitimate message and swaps in malicious links, files, or instructions. The message feels familiar because it resembles something the recipient may have already seen or expected.
Clone phishing uses a copied or nearly copied email, notification, or message to trick recipients. The attacker keeps the trusted look and context but changes the destination, attachment, payment instruction, or login path to capture credentials, deliver malware, or redirect action.
At a glance: Clone phishing is effective because the message does not feel new. It feels like a resend, correction, update, or routine follow-up.
Clone Phishing Meaning
Clone phishing starts with familiarity. The attacker copies a real or believable message and changes the part that matters. A safe document link becomes a fake login page. A normal attachment becomes a malicious file. A previous vendor notification is resent with a new payment path.
The copied message may come from a compromised mailbox, a forwarded thread, a common service notification, or a public template. In some cases, the attacker does not need the exact original. They only need a format that recipients are used to seeing, such as shipping alerts, document shares, HR forms, invoice updates, or password notices.
The message often includes a reason for duplication. It might say the previous link expired, the attachment was updated, the wrong version was sent, or the recipient needs to review the corrected file. That explanation lowers suspicion because people are used to revised documents and follow-up messages.
For businesses, clone phishing is risky because it abuses existing trust in communication patterns. Employees may not question a message that looks like a normal vendor alert, shared document, ticket update, or internal announcement, especially if it arrives close to a real conversation.
How Clone Phishing Works
Clone phishing keeps the trusted parts of a message and changes the action the recipient is asked to take.
- The attacker obtains or recreates a message. They copy branding, layout, subject lines, signatures, thread context, or attachment names.
- A malicious element is inserted. The safe link, file, login page, payment instruction, or callback path is replaced.
- A reason for the resend is added. The message may mention an updated file, expired link, corrected invoice, or previous delivery problem.
- The recipient trusts the context. Because the message resembles something known, the recipient may skip normal inspection.
- The attacker captures the result. Credentials, malware execution, payment changes, or data disclosure can follow.
Common Clone Phishing Examples
Clone phishing often appears as a corrected or repeated business message.
- Updated document share: A copied file-sharing notification says a document was updated and asks the user to log in through a fake portal.
- Corrected invoice: A vendor-style email resends an invoice with a changed attachment or payment link.
- Resent HR form: An attacker copies an HR notice and swaps the benefits or tax form link for a credential page.
- Fake ticket update: A support or project-management notification is cloned with a malicious attachment or login prompt.
- Reused email thread: A compromised account replies to a real thread with a copied message and a new link.
Why Clone Phishing Matters
Familiarity can weaken caution. If a message looks like one the recipient already trusts, the dangerous part may be treated as just another routine update.
The impact can include credential theft, malware installation, invoice fraud, account takeover, and data exposure. Clone phishing is especially useful after mailbox compromise because attackers can reuse real conversations and timing.
It also makes user education harder. The warning signs are not always obvious design errors. Sometimes the key clue is a subtle change: a different link, an unexpected attachment type, an unusual resend reason, or a request that breaks the original workflow.
How to Reduce Clone Phishing Risk
The safest habit is to verify repeated or corrected messages before using their links or files.
- Compare with the original. Look for changed sender details, links, attachment names, timing, wording, or unexpected urgency.
- Use known portals. Open documents, tickets, invoices, and HR forms from trusted apps or bookmarks rather than links in a resend.
- Treat corrections carefully. Updated attachments and “previous link expired” messages should be verified if the request is sensitive.
- Monitor compromised accounts. Mailbox rules, unusual replies, and suspicious sent items can reveal clone phishing from a real account.
- Report duplicate messages. A strange resend may be part of a campaign targeting multiple people in the same thread or department.
What to Do After Interacting With a Cloned Message
Because cloned messages often look legitimate, response teams need both the suspicious message and the original context.
- Save both messages if possible. The original and cloned versions help analysts identify what changed.
- Reset exposed access. If credentials were entered, reset passwords, revoke sessions, and review MFA activity.
- Check the thread or sender account. A real thread may indicate mailbox compromise or a targeted attack against a business relationship.
- Warn related recipients. Anyone copied on the original thread may receive the cloned message or a follow-up lure.
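The comparison described under "Compare with the original" and "Save both messages if possible" can be automated once both messages are saved as raw text. The following is an added example, not part of the original page: it reports changed sender details, new link hosts, and new attachment names. The function names, the vendor.example addresses, and the file names are constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage
from urllib.parse import urlsplit

URL_RE = re.compile(r'https?://[^\s"\'<>]+', re.I)

def fingerprint(raw):
    """Extract the parts of a message that a clone typically changes."""
    msg = message_from_string(raw, policy=policy.default)
    hosts, files = set(), set()
    for part in msg.walk():
        name = part.get_filename()
        if name:                                   # attachment: record its name
            files.add(name.lower())
        elif part.get_content_maintype() == "text":  # body: record link hosts
            for url in URL_RE.findall(part.get_content()):
                hosts.add((urlsplit(url).hostname or "").lower())
    def addr(header):
        h = msg[header]
        return h.addresses[0].addr_spec.lower() if h and h.addresses else ""
    return {"from": addr("From"), "reply_to": addr("Reply-To"),
            "link_hosts": hosts, "attachments": files}

def compare(original_raw, suspect_raw):
    """List what the suspect message changed relative to the original."""
    a, b = fingerprint(original_raw), fingerprint(suspect_raw)
    findings = []
    for key in ("from", "reply_to"):
        if a[key] != b[key]:
            findings.append(f"{key} changed: {a[key] or '(none)'} -> {b[key] or '(none)'}")
    for key in ("link_hosts", "attachments"):
        for new in sorted(b[key] - a[key]):
            findings.append(f"new {key[:-1]}: {new}")
    return findings

def _sample(reply_to, url, attachment):  # builds constructed sample messages
    m = EmailMessage()
    m["From"] = "Accounts <billing@vendor.example>"
    if reply_to:
        m["Reply-To"] = reply_to
    m.set_content(f"Invoice 1042: {url}")
    m.add_attachment(b"x", maintype="application",
                     subtype="octet-stream", filename=attachment)
    return m.as_string()

ORIGINAL = _sample(None, "https://portal.vendor.example/inv/1042", "invoice_1042.pdf")
SUSPECT = _sample("billing@vendor-pay.example",
                  "https://portal.vendor-pay.example/inv/1042", "invoice_1042.pdf.html")
```

An empty result means only that these four fields match; a clone sent from a compromised mailbox can keep the same sender and still change the payment instruction in the body text.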
Related Clone Phishing Terms
Clone phishing often overlaps with targeted email and sender impersonation.
- Spear Phishing covers targeted messages that use context to feel more believable.
- Email Spoofing explains forged sender details that can make cloned messages look trusted.
Clone Phishing Takeaway
Clone phishing succeeds when a familiar message gets a dangerous replacement part. The recipient trusts the shape of the message and misses the changed action.
A useful rule is to treat unexpected resends, corrections, and updated attachments as worth a second look, especially when they lead to a login, a payment, or a file download.
Questions Teams Ask About Clone Phishing
Quick answers about copied emails, malicious replacements, duplicate messages, and safer verification habits.
What is clone phishing?
Clone phishing is a phishing technique where an attacker copies a legitimate message and changes links, attachments, or instructions so the replacement message becomes malicious.
Why is clone phishing convincing?
It can look familiar because the original message may have been real. Recipients may recognize the subject, branding, sender, or conversation context.
How do attackers get messages to clone?
They may use compromised mailboxes, leaked emails, forwarded messages, public templates, vendor notifications, or common business communications.
How can users spot clone phishing?
They should compare unexpected duplicate messages, inspect links and attachments, verify through the original channel, and report messages that claim to resend or correct a previous file.