How does clone phishing work?
Clone phishing is similar to other types of phishing in that the cybercriminal attempts to trick you into providing sensitive information (e.g., your username, password, or financial details). However, clone phishing attacks take phishing to the next level because the signs are often more subtle and harder to spot.
Clone phishing involves the cybercriminal creating an almost identical replica (or clone) of a legitimate email, text, social media account, or website.
The cybercriminals attempt to get every detail right, including the logos, layout, and content. They use email spoofing techniques to make it look like the message is from a person or organization the victim knows and can trust.
The main difference between the original message and the cloned email is that the replica contains a malicious attachment or link. Once the user clicks the link or downloads the attachment, it infects their device with malware or takes them to a site where their information is accessible to the attacker.
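Because a clone keeps the wording and changes only the link or attachment, a defender can compare a suspicious message against a known-good one from the same sender. The following is an added example, not part of the original article; the messages, the `.example`/`.test` domains, and the 0.9 similarity threshold are constructed assumptions.

```python
import difflib
import re
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s<>\"')\]]+", re.IGNORECASE)

def link_hosts(body):
    """Return the set of lower-cased hostnames linked from a message body."""
    hosts = set()
    for url in URL_RE.findall(body):
        host = urlsplit(url).hostname
        if host:
            hosts.add(host.lower())
    return hosts

def strip_links(body):
    """Replace every URL with a placeholder so only the wording is compared."""
    return URL_RE.sub("<URL>", body)

def compare_to_original(original, suspect, threshold=0.9):
    """Flag a message whose text matches a known-good one but whose links differ."""
    similarity = difflib.SequenceMatcher(
        None, strip_links(original), strip_links(suspect)).ratio()
    new_hosts = link_hosts(suspect) - link_hosts(original)
    return {
        "similarity": round(similarity, 2),
        "new_hosts": sorted(new_hosts),
        "likely_clone": similarity >= threshold and bool(new_hosts),
    }

# Constructed sample messages (reserved .example/.test domains, not real traffic).
ORIGINAL = (
    "Hello Sam,\n"
    "Your monthly statement is ready. View it here:\n"
    "https://portal.bank.example/statements/2024-05\n"
    "Thank you for banking with us.\n"
)
CLONE = (
    "Hello Sam,\n"
    "Your monthly statement is ready. View it here:\n"
    "https://portal.bank-example.test/statements/2024-05\n"
    "Thank you for banking with us.\n"
)

if __name__ == "__main__":
    print(compare_to_original(ORIGINAL, CLONE))
```

A high text similarity combined with a link host that never appeared in the genuine message is the pattern described above; either signal alone is not enough to call a message a clone.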
Here’s how clone phishing typically works:
- The attacker intercepts a message sent to a user from a legitimate source (e.g., a bank, client support service, money transfer site, or employer). Attackers may use various techniques to intercept emails, including DNS hijacking. A hacker won’t always need to intercept emails to carry out clone phishing attacks. However, if they do, these clone emails become much more difficult to spot because they look just like the original.
- The scammer creates a replica of the email. These phishing scams typically involve clone phishing emails, but not always. Sometimes, attackers clone social media accounts or websites instead. A more advanced clone phishing attack may clone all three components and even make the sender’s address look legitimate.
- The attacker sends the cloned email to the victim, urging them to take action. Scammers want their victims to act quickly, so phishing emails always sound urgent. You may see common social engineering tactics like asking users to change their passwords or provide other sensitive data because their account has been “compromised.” It’s also common for clone phishing scams to contain a malicious link that a user can click thinking they’ll access a legitimate website.
- The victim opens the email, believing it is from a legitimate source. They may open an attachment (e.g., a PDF document) that instantly installs malware on their machine and provides cybercriminals access to their sensitive information. Or they may click on a link included in the email and be redirected to a malicious site, allowing attackers to steal their information.
Signs of a clone phishing attack
Spotting clone phishing attacks can be tricky, especially if the scammers have a lot of experience in creating cloned emails. However, knowing the signs of fake email messages can help you avoid these scams. Here’s what you need to watch out for.
One of the most common signs of a scam email is spelling and grammatical errors. If the tone of the email seems off and you notice mistakes, be cautious. It is unlikely that a legitimate message would be littered with grammar errors because companies care about their reputation and put steps in place to prevent that. However, scammers often operate from non-English-speaking countries and may not have the tools to ensure the content is error-free.
A sense of urgency
Clone phishing scammers rely on users acting before they can think about the consequences (or realize they’re being scammed). That’s why clone phishing emails often have an urgent and even threatening tone and insist that you act immediately. If the tone of the email is suspiciously urgent, don’t rush into clicking on links or opening attachments. Take a moment to review the email to ensure it is from a legitimate source.
Unfamiliar, long email addresses
Though spoofed emails often come from email addresses that closely resemble the original, they may also come from long email addresses made up of random letters and numbers. If you receive an email from an address that looks computer generated, be wary. Someone could be trying to scam you.
Most companies or individuals you deal with know your name and will use it to address you in emails. However, scammers won’t often have access to this information, so you’re likely to see something general (like “Dear sir/madam”). Though this isn’t a foolproof method of detecting a clone phishing email, it is one of the possible signs of one.
Cloned emails may have images that look similar to the original, including logos and headers. However, because scammers don’t always have the tools to make these images look good, they may be pixelated or distorted.
Clone phishing email example
Clone phishing scam emails come in various forms, with some looking more legitimate than others. Here’s an example:
Subject: Urgent issue with your PayPal account
The PayPal team identified a critical issue with your account. Click the link below to read the message from our customer service representative. Failing to do so may result in us blocking your account. [insert malicious link]
As you can see, the subject conveys a sense of urgency, attempting to trick you into immediately taking action. The attacker may send an email like this to thousands of people, hoping to access the credentials of at least a few.
Clone phishing vs. spear phishing
Spear phishing typically involves the attackers researching their victims beforehand, including where they work, their credentials, work priorities, and interests.
These attacks are highly targeted and require advanced preparation and customization. Spear phishing emails often come from scammers pretending to be coworkers, old friends, or representatives of a popular service the victim uses. They also target users with high security privileges, such as network administrators, HR employees, accountants, or senior executives.
A clone phishing email may use some spear phishing elements (like targeting individuals with high security privileges). However, with spear phishing, scammers can use any message, while cloned emails will closely resemble an existing email sent by the original sender.
Clone phishing scammers need to get hold of such emails before they can target their victims. Cybercriminals who carry out clone phishing attacks will typically aim to access an email that’s distributed en masse, then send the cloned version to many recipients at once.
How to prevent clone phishing attacks
Completely preventing clone phishing attacks can be difficult because cybercriminals carry them out in a number of ways. However, you can take several steps to reduce the likelihood of falling victim to one.
Check the sender’s email address
Before you click anything or reply to the email, make sure the sender’s email address is legitimate. Clone phishing attempts often come from email addresses that resemble the original. However, they may have additional full stops, dashes, symbols, or other subtle differences. Check the sender’s email address carefully to ensure it’s from a legitimate source.
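The same check can be automated for a mailbox or gateway. This added example (not from the original article) flags sender domains that differ from a trusted one only by extra full stops, dashes, or look-alike characters; the trusted list, the confusable pairs, and the 0.85 threshold are constructed assumptions.

```python
import difflib
from email.utils import parseaddr

# Assumption: the domains you actually correspond with (constructed values).
TRUSTED_DOMAINS = {"payments.example", "bank.example"}

# Character swaps that read alike at a glance (small illustrative set).
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"))

def skeleton(domain):
    """Collapse a domain to a form where common visual tricks disappear."""
    label, _, tld = domain.lower().rpartition(".")
    label = label.replace("-", "").replace(".", "")
    for fake, real in CONFUSABLES:
        label = label.replace(fake, real)
    return label + "." + tld

def classify_sender(from_header, trusted=TRUSTED_DOMAINS, threshold=0.85):
    """Return (verdict, matched_domain) for the address in a From header."""
    _, address = parseaddr(from_header)
    domain = address.rpartition("@")[2].lower()
    if not domain:
        return ("unparseable", None)
    if domain in trusted:
        return ("trusted", domain)
    for good in sorted(trusted):
        # Same skeleton: only dots, dashes or confusable characters differ.
        if skeleton(domain) == skeleton(good):
            return ("lookalike", good)
        # Near-identical spelling: a dropped, added or swapped character.
        if difflib.SequenceMatcher(None, domain, good).ratio() >= threshold:
            return ("lookalike", good)
    return ("unknown", None)

if __name__ == "__main__":
    # Constructed From headers using reserved .example domains.
    for header in ("Payments <billing@payments.example>",
                   "Payments <billing@pay-ments.example>",
                   "Payments <billing@payrnents.example>",
                   "News <news@newsletter.example>"):
        print(header, "->", classify_sender(header))
```

A "lookalike" verdict means the address resembles a trusted sender without being one, which is the case worth a manual check before clicking or replying.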
Don’t click on links
Avoid clicking on links unless you’re absolutely sure the email isn’t a scam. The email may contain links that redirect you to a malicious website where scammers can steal your personal information. Only click on links and buttons after you’ve confirmed that the email is safe.
Use spam filters
Spam filters are helpful if you receive many emails daily. These filters analyze the content of every email and identify unwanted or dangerous messages. While they won’t always spot a cloned email, using them in addition to other measures is a good idea.
Use Threat Protection to scan attachments
NordVPN has a handy Threat Protection feature that automatically scans the files you download for malware. If a malicious file is detected, Threat Protection removes it before it can damage your device.
Additionally, Threat Protection doesn’t let you land on malicious websites. If you click on a link designed to take you to a fake, malicious website, Threat Protection will block access to it and show you a warning. Threat Protection is offered for free with a NordVPN subscription.