The next level of nefarious? Clone phishing campaigns. In this article, discover how to define, recognize and prevent clone phishing attacks. 

Definition: What is clone phishing?

A clone phishing attack leverages an existing or previously distributed email containing attachments or links. In the clone version, these elements are replaced with malicious doppelgangers containing ransomware, viruses, or spyware. 

Clone phishing emails may appear to come from colleagues or contacts, and will look like a resend of an earlier message. Hackers may try to explain the resend by way of mentioning updates to the original version. 

The attack is based on a previously seen email, which increases the likelihood that an individual will fall for the attack. Think about it – we respond almost instantly to emails from people whose names we recognize. 

It’s easy to fall victim to clone phishing attacks, as they are among the most difficult types of phishing emails to detect.

How clone phishing campaigns persist

Once victims have clicked on a malicious element within a clone phishing email, the cyber attackers suddenly gain access to 100% of the victim’s contacts, to whom another clone phishing email is sent. The process continues as clone phishers send emails to a person’s contacts, a person’s contacts’ contacts’, and a person’s contacts’ contacts’ contacts.

Clone phishing vs. spear phishing

Clone phishing means that hackers have to obtain an existing or previously sent email ahead of developing a replica. Hackers often clone an email that is commonly distributed en-masse and then send the cloned version en-masse. For example, an organization that has internally and externally distributed an invitation to an event might be a target of clone phishing attacks. 

In contrast, spear phishing campaigns force hackers into developing original email content that’s unique to the target’s business priorities or interests. Spear phishing campaigns are also highly targeted, and are typically only distributed to a single individual or a very limited number of individuals at a time. 

Clone phishing examples

Become expert in identifying clone phishing attacks. Here is an example of what an attack could look like:

[Subject line: Quick, updated attendee list]

Hi Jennifer, 

We have additional attendees registered for the promotional event in New York City on July 1st. Here is an updated list of attendees: [Malicious link here]



This is simply an example and it is worth noting that clone phishing attacks can take on many different written formats.

Staying safe 2022

Watch out for resends! Additional best practices, such as the ones below, can also help keep you and your organization safe from clone phishing.

  1. Check the sender’s email message
  2. Look for links and attachments in emails and ensure their authenticity
  3. Look for errors in the presentation of the emails. They are not always 100% cloned. 
  4. Verify the legitimacy of an email by contacting the sender via phone call or text message.
  5.  Ensure that credentials are not shared with others.
  6. Information security professionals can provide employees with security awareness training.
  7. Leverage anti-phishing technologies, which can block the most sophisticated of phishing attacks. 


Phishing attacks can lead to irreconcilable business damage. A combination of employee awareness and multi-layered security solutions that include anti-phishing and email security capabilities can effectively mitigate clone phishing attacks.

With a vision for how to enhance your cyber defenses, you’ll be well on your way to preventing clone phishing. Discover CyberTalk.org’s additional phishing resources here and here

Lastly, please join us at the premiere cyber security event of the year, CPX 360 2022. Register now