
Understanding Clone Phishing and How to Protect Yourself

Shireen Stephenson, published July 24, 2024

Imagine getting an email receipt from Amazon -- for a 98-inch HDR Smart TV for which you supposedly paid $3,997.00. At the end of the email, you see a big red button with the words CANCEL. Warning bells go off in your head.  

Below, we explain how you can spot a clone phishing attack, why you should care, and how you can protect your business against this growing threat. 

What Is Clone Phishing?

Definition and explanation of clone phishing

So, what’s a clone phishing attack or clone attack? 

Briefly, it’s an email-based threat that capitalizes on your trust in big-name brands.  

Clone phishing is a common phishing attack, where attackers duplicate a legitimate email from a reputable brand like Amazon. The attacker creates an identical copy of the original email you received but replaces the links and attachments with malicious versions. 

Ultimately, the goal is to steal your sensitive data or trade secrets. 

Common techniques used in clone phishing attacks

Did you know that 91% of phishing attempts are made via email? Attackers leverage many techniques to lull you into a sense of security. These include: 

  • Invoice or payment scams: Here, you get a cloned copy of a legitimate email you received from a vendor like Microsoft. When you click on the payment button, your funds are redirected to a fraudulent account. 
  • Software security alerts: Attackers clone software update notifications from your anti-virus provider, urging you to install malicious updates that contain Trojan malware. 
  • Fictitious requests from authority figures: Cybercriminals clone emails from your upper-level managers or a member of your C-suite. The emails instruct your employees to make unauthorized transactions or money transfers. 
  • Fraudulent customer support alerts: You receive a cloned customer support message from your bank telling you that money has been transferred out of your account by an unknown third party. When you click on the link to provide your login info, data thieves exfiltrate that data to a malicious server.

Why clone phishing is a significant threat to organizations

Clone phishing attacks have become more prevalent and are increasing in sophistication. According to the Anti-Phishing Working Group (APWG), threat actors are spoofing both email addresses and subject lines to trick recipients into giving up sensitive data. And they are bypassing email filters successfully.  

In Q1 2024, the APWG received 116,473 complaints about email phishing campaigns.  

The typical scam involves sending you an email with a fraudulent purchase receipt. You are then invited to call customer support to “resolve” a non-existent issue. When you get on the phone, the scammer asks for your personal or credit card info. 

According to Bolster’s 2024 State of Phishing and Online Scams report, brand impersonation clone phishing has increased exponentially. In Q2 2023, Bolster found 6,000 active phishing sites targeting 100+ well-known brands.  

Most alarmingly, phishing has become an attack vector for triple-extortion ransomware schemes. 

How to Recognize Clone Phishing Emails

Identifying red flags and warning signs of clone phishing

So, how do you recognize cloning in the context of cybersecurity? 

Here are four red flags you should watch out for: 

  • Mismatched URLs: The link you see in a cloned email may seem legitimate. However, if you hover over it, you’ll see a different address. 
  • Urgent or threatening language: Clone phishing emails often contain highly charged language such as “account suspension imminent” or “immediate action required” to create tension and lure you into clicking on links without careful consideration. 
  • Poor grammar and spelling: This isn’t a foolproof method as more attackers are using AI to help them draft better emails. However, many phishing emails still contain poor grammar and vocabulary. 
  • Generic greetings or salutations: Instead of addressing you by name, you see generic greetings like “Dear Friend” or “Dear Customer.”

Analyzing suspicious URLs and email content

Here are some key steps for analyzing URLs and email content: 

  • Check the email address and headers. Is the domain misspelled or is a supposed corporate brand using a free email provider like Gmail? In addition, check the email header to track the path the email took to get to your inbox. 
  • Check the email content for suspiciously urgent language and requests for sensitive information. 
  • To make sure links are legitimate, hover over the links to see the actual destination URL. 
  • Analyze attachments carefully: Is the attachment an expected file type? Be wary of executables. 
  • Look up domains and IP addresses to verify the legitimacy of the email sender. Use a reputable IP WHOIS Lookup tool to verify the origin of the IP address and its ownership. 
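The link and content checks listed above can be automated. The following is an added example written for this article (it is not LastPass code and not part of the original post): it parses an HTML email body, compares the host shown in each link's visible text with the host the href really points to, and looks for urgent phrases, generic greetings and risky attachment types. The phrase lists, the `.test`/`.example` domains and the sample message are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Phrases and file types to flag; illustrative lists, not an exhaustive ruleset.
URGENT_PHRASES = ("immediate action required", "account suspension",
                  "within 24 hours", "verify your account now")
GENERIC_GREETINGS = ("dear customer", "dear friend", "dear user", "valued customer")
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".hta", ".iso", ".lnk")


def host_of(url):
    """Lowercase host of a URL, or None if it has no host (or is malformed)."""
    try:
        host = urlparse(url.strip()).hostname
    except ValueError:
        return None
    return host.lower() if host else None


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyze_email(html_body, attachments=()):
    """Return the list of red flags found; an empty list means none of them fired."""
    flags = []
    collector = LinkCollector()
    collector.feed(html_body)
    for href, text in collector.links:
        real = host_of(href)
        # Only compare when the visible link text itself looks like a URL or domain.
        shown = host_of(text if "://" in text else "http://" + text)
        if shown and "." in shown and real and shown != real \
                and not real.endswith("." + shown):
            flags.append(f"mismatched link: text shows {shown} but href goes to {real}")
    lowered = html_body.lower()
    flags += [f"urgent language: '{p}'" for p in URGENT_PHRASES if p in lowered]
    flags += [f"generic greeting: '{g}'" for g in GENERIC_GREETINGS if g in lowered]
    flags += [f"risky attachment type: {n}" for n in attachments
              if n.lower().endswith(RISKY_EXTENSIONS)]
    return flags


# Constructed sample modelled on the fake receipt described at the top of the article.
SAMPLE_BODY = """
<p>Dear Customer,</p>
<p>Your order for a 98-inch Smart TV ($3,997.00) has shipped. Immediate action required
if you did not place this order:
<a href="http://amazon-orders.example-cancel.test/cancel">https://www.amazon.com/orders</a></p>
<p><a href="https://www.amazon.com/gp/help">Help</a></p>
"""

if __name__ == "__main__":
    for flag in analyze_email(SAMPLE_BODY, ["Invoice_3997.pdf.exe"]):
        print(flag)
```

The hover check from the list is exactly the first comparison: the text reads `www.amazon.com` but the href resolves to a different host, so the message is flagged even though every other pixel of it was cloned from a real receipt.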

Understanding the tactics employed by clone phishers

So, how does clone phishing work? Understanding the tactics employed by attackers requires a comprehensive look at the psychology behind phishing scams. 

  • Attackers are expert emotional manipulators. They leverage primal instincts like fear, curiosity, and greed to achieve their goals. Subject lines like “Claim your $100,000 prize now!” are designed to get a visceral reaction out of you. 
  • If you or anyone you know has an impulsive personality, watch out: you’re a main target for clone phishers. 
  • Other attackers like to exploit the human desire for belonging. A clone phishing email may mention that 5,000+ people have already claimed their free iPhones, thus encouraging you to click on the link. 
  • Attackers also like to play on the FOMO (fear of missing out) factor, telling you that the limited time offer will expire in 24 hours. 
  • Finally, attackers leverage human error, the weakest link in cybersecurity, to send innocent-looking emails infected with ransomware. 

Differences Between Clone Phishing and Spear Phishing

Comparing clone phishing and spear phishing techniques

An important question we get asked is, “What’s the difference between clone phishing and spear phishing?” 

Below, we reveal four of the major differences: 

  • Target audience. While clone phishing targets a broad audience, spear phishing targets specific individuals in an organization. 
  • Attack method. Clone phishers leverage the trust recipients have in major brands, while spear phishers conduct detailed reconnaissance about the target to craft a credible, compelling email that inspires action. 
  • Email content. Clone phishing emails are near exact replicas of legitimate emails received. Meanwhile, spear phishing emails are customized for the target, often using information gathered from social media accounts and corporate websites. 
  • Ease of detection. Clone phishing emails may be easier to detect, especially if you notice discrepancies in the link destination or email header. However, spear phishing emails may be harder to detect because they are specifically tailored to your role, personality, and habits.  

Recognizing the unique risks and characteristics of each

If you think clone phishing sounds suspiciously like being hacked, you’re not alone. 

But what’s the difference between cloned and hacked? 

While it’s true that both are forms of unauthorized access, cloning refers to duplicating a real profile for unethical purposes. 

Essentially, clone phishers impersonate trusted brands to send you emails with malicious links.  

Meanwhile, hackers primarily focus on gaining access to your sensitive data through vulnerabilities in your IT infrastructure.  

In cybersecurity, risk is often calculated in terms of likelihood and impact.  

Although businesses experience a lower likelihood of spear phishing attacks than hacks, the impact of spear phishing attacks is far more devastating.  

For example, spear phishing accounts for less than 0.1% of emails but leads to 66% of successful breaches. 

Meanwhile, hacks like zero-day attacks are expected not only to become more likely but to grow in sophistication. And the fallout is severe: 60% of SMBs go out of business after a hack. 

Preventive measures to mitigate both types of attacks

Preventive measures to mitigate both types of attacks must take into consideration these factors: 

Can Hackers Clone Your Email Address?

Email address cloning versus email spoofing

We’re often asked, “Can hackers clone my email address?”

The answer is yes.

There are two ways attackers can use email against you: email address cloning and email spoofing.

Email address cloning occurs when attackers clone your email address to send spam to your email contacts.

The attackers can also intercept a legitimate email from one of your contacts and re-send it to you, along with the original email address, logos, images, and content.

However, any links or attachments in the email are changed to malicious versions. When you click on the “new” links, you may unknowingly download malware such as keyloggers or information stealers on your device.

On the other hand, email spoofing refers to the practice of altering the email header and “From” fields to make it appear as if the email is from a trusted source.

How email spoofing works

There are several ways hackers can spoof your email address:

  • Spoofing via the display name. This is where the sender’s display name is forged while the actual email address has nothing tying it to that name. For example, you may get an email apparently from a celebrity or politician, sent from an unknown or suspicious-looking email address.
  • Spoofing via legitimate domains. This is when both the display name and sending email address are manipulated to appear as if the email is from a trusted person and familiar domain. An example of this is getting an email from Google CEO Sundar Pichai via the domain google.com. But when you hover over the email address, you see that the email comes from an entirely different domain.
  • Spoofing via lookalike domains. This is when attackers register domains that closely resemble legitimate ones. These domains may contain special characters or numbers to mislead you, such as @micros0ft.com instead of @microsoft.com.
  • Email forwarding spoofing. This occurs when an attacker intercepts an email and uses it to deceive unsuspecting parties into transferring funds or executing unauthorized transactions.
  • Reply-to spoofing. This is when attackers modify the “Reply-to” header to direct your response to a different email address.

How to stop email spoofing and email address cloning

As required by Yahoo and Google, organizations sending 5,000+ messages per day to Yahoo and Gmail accounts must implement stronger email authentication protocols like SPF, DMARC, and DKIM.

SPF (Sender Policy Framework): Verifies which IP addresses can send emails on behalf of a domain

DKIM (Domain Keys Identified Mail): Uses cryptographic signatures to verify the integrity and authenticity of emails

DMARC (Domain-Based Message Authentication, Reporting, and Conformance): Defines how servers should handle emails that fail SPF and DKIM checks and provides policy and reporting mechanisms for SPF and DKIM

Despite this requirement, DMARC adoption is low: In an examination of over 1 million websites, only 33.4% have valid DMARC records. Meanwhile, an astounding 3.4 billion phishing emails are sent daily around the world.

So, how can you protect yourself? Below are our best tips to stop email spoofing and email address cloning from putting your online safety at risk:

  • Look at the full email header. If you use Gmail, click the three dots in the top right corner of the email and select “Show Original.” Check the From, To, Subject, SPF, DKIM, and DMARC fields. The SPF, DKIM, and DMARC results should show “PASS” for legitimate emails. Below are instructions for viewing email headers with other providers.

Yahoo Mail: head to More > View Raw Message

Outlook: navigate to File > Properties

Apple Mail: navigate to View > Message > Raw Source

  • If you use Yahoo Mail, look for the Yahoo icon next to the subject or sender. If you don't see it, you can be sure the email isn't from Yahoo. The Yahoo icon won't appear in apps, however, even if the email is legitimate. In that case, check the sender's email address without opening the email by mousing over the sender's name in your Inbox.
  • Use stronger MFA methods such as authenticator apps, hardware tokens, and biometric authentication to protect your accounts.
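The spoofing variants described under “How email spoofing works” and the header checks recommended just above can be turned into a small inspection routine. The following is an added example, not code from LastPass or from this article: it reads the headers of a raw message with Python’s standard `email` module, flags a brand name in the display name whose address lives on another domain, a sender on a free mail provider, a lookalike domain (character substitutions such as `0` for `o`), a Reply-To that points elsewhere, and any SPF, DKIM or DMARC verdict in `Authentication-Results` that is not `pass`. The trusted-domain list, the substitution table and both sample messages are constructed for illustration; `.test` and `.example` are reserved names.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Illustrative tables; a real deployment would use the organisation's own lists.
TRUSTED_DOMAINS = {"microsoft.com", "example.com"}
FREE_MAIL_PROVIDERS = {"gmail.com", "yahoo.com", "outlook.com"}
LOOKALIKE_SUBSTITUTIONS = (("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("rn", "m"), ("vv", "w"))


def skeleton(domain):
    """Undo common lookalike substitutions so that micros0ft.com collapses to microsoft.com."""
    s = domain.lower()
    for fake, real in LOOKALIKE_SUBSTITUTIONS:
        s = s.replace(fake, real)
    return s


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def parse_auth_results(values):
    """Map method -> verdict from Authentication-Results header(s), e.g. {'spf': 'pass'}."""
    verdicts = {}
    for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", " ".join(values), re.IGNORECASE):
        verdicts[m.group(1).lower()] = m.group(2).lower()
    return verdicts


def inspect_headers(raw_message):
    """Return the list of spoofing indicators found in the headers; empty means none."""
    msg = message_from_string(raw_message)
    name, address = parseaddr(msg.get("From", ""))
    from_domain = domain_of(address)
    flags = []
    # Display-name spoofing: a trusted brand in the name, but the address is elsewhere.
    for brand in TRUSTED_DOMAINS:
        label = brand.split(".")[0]
        if label in name.lower() and from_domain != brand \
                and not from_domain.endswith("." + brand):
            flags.append(f"display name mentions {label} but address domain is {from_domain}")
    if from_domain in FREE_MAIL_PROVIDERS:
        flags.append(f"sender uses free mail provider {from_domain}")
    # Lookalike domain: not trusted as-is, but trusted once substitutions are undone.
    if from_domain not in TRUSTED_DOMAINS and skeleton(from_domain) in TRUSTED_DOMAINS:
        flags.append(f"lookalike domain {from_domain} resembles {skeleton(from_domain)}")
    # Reply-To spoofing: replies are steered to a different domain.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != from_domain:
        flags.append(f"Reply-To domain {domain_of(reply_to)} differs from From domain {from_domain}")
    # SPF/DKIM/DMARC verdicts stamped by the receiving server.
    verdicts = parse_auth_results(msg.get_all("Authentication-Results", []))
    for method in ("spf", "dkim", "dmarc"):
        if verdicts.get(method) != "pass":
            flags.append(f"{method} result is {verdicts.get(method, 'missing')}")
    return flags


# Constructed messages; the addresses and hosts are placeholders, not real senders.
SPOOFED = """\
From: "Microsoft Support" <billing@micros0ft.com>
Reply-To: payments@mail-collect.example
To: jane@example.com
Subject: Invoice payment overdue
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=micros0ft.com;
 dkim=none; dmarc=fail header.from=micros0ft.com

"""

LEGITIMATE = """\
From: "Microsoft account team" <account-security-noreply@accountprotection.microsoft.com>
To: jane@example.com
Subject: Unusual sign-in activity
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=accountprotection.microsoft.com;
 dkim=pass header.d=accountprotection.microsoft.com; dmarc=pass header.from=microsoft.com

"""

if __name__ == "__main__":
    print("spoofed:", inspect_headers(SPOOFED))
    print("legitimate:", inspect_headers(LEGITIMATE))
```

The `Authentication-Results` header is added by your own receiving server, so it is the one part of the message the sender cannot forge without it being overwritten; that is why the article tells you to look for `PASS` there rather than trusting the From line.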

Real-Life Examples of Clone Phishing Attacks

Notable instances of successful clone phishing campaigns

In 2016, FACC (an Austria-based airplane component manufacturer) lost close to $60 million in a phishing attack. A fraudulent email purportedly sent by then-CEO Walter Stephan requested a $56 million transfer for a supposed acquisition project.  

The fallout from the phishing campaign led to the ouster of Stephan and CFO Minfen Gu. 

Meanwhile, AI-driven phishing attacks are on the increase, and Microsoft is the world’s most imitated brand. Almost 45% of phishing attempts target it. 

Proofpoint’s 2024 State of the Phish report notes that Office 365 is the most abused Microsoft product in malicious emails, with over 20 million emails sent in phishing campaigns mimicking legitimate communications from the tech giant. 

Lessons learned from high-profile clone phishing incidents

The above high-profile clone phishing incidents provide valuable lessons for businesses. They include: 

  • The importance of employee training and awareness. Negligent or careless employees account for 56% of breaches, and remediation costs can reach up to $6.6 million annually. A survey of 330 remote workers revealed that employees ignored security policies due to an overriding desire to accomplish workplace tasks more quickly and efficiently. 
  • Multi-factor authentication (MFA) as a critical defense. MFA could have mitigated the impact of the phishing attack on FACC. Ultimately, MFA adds a critical layer of defense due to its additional verification steps. 
  • The case for advanced email security solutions. Email filtering and anti-phishing tools can be a gamechanger for organizations. Additionally, implementing email authentication protocols like DKIM and DMARC can help verify that emails are coming from legitimate sources. 

Impacts and consequences of falling victim to clone phishing

Impact refers to the severity of the damage that results when a risk materializes. In cybersecurity, it’s the outcome of a threat actor successfully exploiting a vulnerability. Impact can be measured in several ways: 

  • Financial losses. On average, businesses lost more than $18 million in 2023 due to phishing scams. Cyber-attacks such as clone phishing cost publicly traded companies an average decline of 7.5% in their stock values that same year. 
  • Inflationary spikes. 60% of businesses have little choice but to pass on the costs to consumers in the form of higher prices. 
  • Damaged brand reputations. Successful phishing campaigns can destroy consumer trust. In 2017, Google and Facebook fell victim to a $100 million email phishing scam perpetrated by 48-year-old Evaldas Rimasauskas, a Lithuanian man. This led users to question the effectiveness of platform security measures. Today, a whopping 64% of Americans lack trust in social media sites. 
  • Legal impact: Businesses can incur penalties for falling afoul of privacy regulations. 
  • Operational impact: Disruption to business operations can affect productivity and service delivery.

How to Protect Yourself from Clone Phishing

Best practices for securing your online accounts

Securing online accounts involves a combination of employee training, technology, and best practices. This includes: 

Robust internal security training: Deploy phishing simulations and train employees on how to recognize a clone phishing email – and be aware of the pros and cons of phishing awareness training. 

Comprehensive network security: Combine firewalls, intrusion detection systems, intrusion prevention systems, XDR solutions, and privileged access management for multi-layered protection.  

Centralized incident response: Create clear procedures so employees can easily report suspected phishing attempts to the IT department. An incident response plan should also include steps for mitigating successful phishing attempts. 

Implementing multi-factor authentication (MFA)

Phishing-resistant MFA methods that are FIDO2 compliant use robust authentication methods to protect your business data. 

Here are key aspects of FIDO2-compliant, phishing-resistant MFA: 

  • FIDO2/WebAuthn protocol: This method of authentication is based on the FIDO2/WebAuthn protocol, a W3C standard that provides a secure approach to authentication. 
  • Resistance to advanced phishing attacks: FIDO2 MFA protects against the most virulent phishing threats such as man-in-the-middle and replay attacks. 
  • Cryptographic attestation: This is a method to prove that an application or device is trustworthy. FIDO2 authenticators will only unlock private keys after user presence is verified, greatly reducing the risk of phishing attacks. 
  • Biometric integration: Many FIDO2-compliant solutions incorporate biometric verification for an added layer of security.
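The reason a FIDO2/WebAuthn login resists a cloned site is visible in the checks the relying party (the real website) performs on the response. The following is an added, deliberately simplified example, not code from LastPass, from a FIDO library or from this article: the browser records the origin it is actually on and the server’s one-time challenge in `clientDataJSON`, the authenticator data carries a hash of the relying-party id and a user-presence flag, and the server rejects any response whose origin, challenge or rpId does not match. Public-key signature verification over these bytes is omitted here; the relying-party id and origin are assumed placeholders.

```python
import base64
import hashlib
import json
import secrets

RP_ID = "accounts.example.test"                 # assumed relying-party id (placeholder)
EXPECTED_ORIGIN = "https://accounts.example.test"  # the only origin the server accepts


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def new_challenge():
    """Fresh random challenge per login attempt; remembering it server-side defeats replay."""
    return b64url(secrets.token_bytes(32))


def browser_builds_client_data(origin, challenge):
    """Simplified clientDataJSON: the browser fills in the origin of the page it is on,
    so a response produced on a lookalike site carries the lookalike origin."""
    return json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin}).encode()


def authenticator_data(rp_id, user_present=True):
    """Simplified authenticator data: 32-byte SHA-256 of rpId, one flags byte (bit 0 =
    user presence), 4-byte signature counter."""
    flags = 0x01 if user_present else 0x00
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + (1).to_bytes(4, "big")


def verify_assertion(client_data, auth_data, issued_challenge):
    """Relying-party checks; returns (ok, reason). Signature verification omitted."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != issued_challenge:
        return False, "challenge mismatch (replayed or forged response)"
    if cd.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin {cd.get('origin')} is not {EXPECTED_ORIGIN}"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    return True, "ok"


if __name__ == "__main__":
    challenge = new_challenge()
    # Genuine login from the real site.
    print(verify_assertion(browser_builds_client_data(EXPECTED_ORIGIN, challenge),
                           authenticator_data(RP_ID), challenge))
    # Same challenge, but the browser was on a lookalike domain (constructed placeholder).
    print(verify_assertion(browser_builds_client_data("https://accounts-example.test", challenge),
                           authenticator_data(RP_ID), challenge))
```

A password can be typed into any page that asks for it; a WebAuthn response is bound to the origin the browser was on and to a challenge that is used once, so the same response cannot be reused elsewhere or later.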

Choosing a reliable password manager like LastPass

A reliable password manager protects against clone phishing through several mechanisms: 

  • Strong password generation: password managers like LastPass can generate unique, complex passwords for each site. 
  • Domain matching: reliable password managers match the URL of the requested resource with the stored URL for the credential. If the URL doesn’t match, the password manager won’t autofill the credentials, preventing users from accidentally entering their credentials on a phishing site. 
  • Passwords stored in encrypted format. Even if a password manager is compromised, your passwords are still protected. Learn how LastPass does this below.
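The domain-matching mechanism in the second bullet is what stops a cloned login page from receiving an autofilled credential. The following is an added example written for this article, not LastPass code and not a description of any product’s internal rules: it normalizes the current page URL (https only, lowercase host, internationalized labels converted to punycode) and fills only when the page and the stored entry share a registrable domain, which defeats subdomain tricks such as `bank.example.login-verify.test`, path tricks such as `evil.test/bank.example` and homograph hosts. The tiny suffix table is a stand-in for the real public suffix list, and all hosts are constructed placeholders.

```python
from urllib.parse import urlparse

# Tiny stand-in for the public suffix list; a real manager consults the full list.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def normalized_host(url):
    """ASCII host of an https URL: lowercase, no trailing dot, IDN labels as punycode.
    Returns None for non-https URLs, URLs without a host, or unparseable input."""
    try:
        parts = urlparse(url)
        host = parts.hostname
    except ValueError:
        return None
    if parts.scheme != "https" or not host:
        return None
    try:
        # Homograph hosts (e.g. a Cyrillic 'a') become xn-- labels and no longer match.
        return host.rstrip(".").lower().encode("idna").decode("ascii")
    except UnicodeError:
        return None


def base_domain(host):
    """Registrable domain: the last two labels, or three under a two-label suffix."""
    labels = host.split(".")
    keep = 3 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])


def should_autofill(page_url, stored_url):
    """Fill the credential only when page and stored entry share a registrable domain."""
    page, stored = normalized_host(page_url), normalized_host(stored_url)
    if page is None or stored is None:
        return False
    return base_domain(page) == base_domain(stored)


if __name__ == "__main__":
    stored = "https://www.bank.example/login"
    for page in ("https://secure.bank.example/login",
                 "https://bank.example.login-verify.test/",
                 "https://evil.test/bank.example/login",
                 "https://bank.example@evil.test/",
                 "http://bank.example/login"):
        print(page, "->", should_autofill(page, stored))
```

Because the decision is made on the parsed host rather than on what the address bar looks like, a page that merely contains the bank’s name in its path, in a subdomain or in a user-info prefix never receives the credential.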

Preventing Clone Phishing with LastPass

How LastPass helps protect against clone phishing

LastPass offers your business comprehensive protections from advanced phishing attacks. Here’s how: 

  • Because of its zero-knowledge approach, LastPass never asks you for your master password, whether by email, phone, or text. 
  • LastPass protects you from fraudulent phishing sites by only filling in your credentials to actual, legitimate sites. 
  • LastPass notifies you of suspicious attempted or failed logins. 
  • LastPass complies with top global security certifications such as SOC2 Type II, SOC3, ISO 27001, and TRUSTe. These certifications highlight the proven ability of LastPass to protect your intellectual property and employee info. 
  • Finally, LastPass offers you phishing-resistant MFA based on the FIDO standard.

Features and tools to enhance your online security

  • LastPass has a zero-knowledge encryption model that prevents hackers from decrypting your master password.  
  • Your master password and vault are accessible only to you. Thus, only you can decrypt the key to your vault. LastPass uses PBKDF2-SHA256 with 600,000 iterations to derive your encryption key -- the same encryption used by financial institutions and the military. 
  • You can enjoy passwordless logins to your vault via the LastPass authenticator, FIDO2-certified authentication, and FIDO2-certified hardware keys. 
  • Your admin dashboard gives you a 360-degree view of identity and privilege access in your organization.

Steps to safeguard your passwords and sensitive information

Overwhelmed by phishing campaigns and the multitude of advice on security solutions? 

Start with these four easy steps to safeguard your passwords and sensitive information: 

  • Enable two-factor authentication on all corporate devices. 
  • Enforce NIST guidelines for protecting sensitive information. 
  • Adopt phishing awareness training tools based on value for money. 
  • Choose a password manager with a strong security culture. Features you’ll want to see are public key cryptography, SSO, phishing-resistant MFA, auto-fill only on legitimate sites, and Dark Web monitoring. 

Protect your business from clone phishing. Start your LastPass trial today.