Your accounts manager receives an email from a supplier — the same supplier they have exchanged dozens of messages with over the past year. The email references a real invoice, uses the supplier's actual email template, and includes a familiar attachment name. There is just one small addition: a note saying the previous version of the attached document had an error and this is the corrected file. The accounts manager opens the attachment without hesitation. After all, they recognise the sender, the context, and the formatting. Everything looks exactly as it should.

TL;DR — Key Takeaways

  • Clone phishing copies a real email the recipient has already received and changes only the link or the attachment, so it inherits the trust of the genuine message
  • It is usually a second-stage attack: the attacker needs a copy of the original, most often taken from a compromised mailbox at your organisation or at a partner
  • Detection rests on comparing the resend against the original (link targets, Reply-To, attachment contents) and on verifying out of band, not on how the email looks

Visual Overview

flowchart LR
    A["Original Legit Email"] --> B["Attacker Clones It"]
    B --> C["Swaps Links or Files"]
    C --> D["Resends to Victim"]
    D --> E["Victim Trusts Sender"]
    E --> F["Malware Delivered"]
  

This is clone phishing — one of the most insidious forms of phishing because it weaponises the trust that has already been established through genuine communication. Unlike generic phishing campaigns that cast a wide net with fabricated pretexts, clone phishing takes real, legitimate emails and creates near-identical copies with one critical modification: a safe link is replaced with a malicious one, or a harmless attachment is swapped for an infected file.

For small businesses, clone phishing is particularly dangerous because it exploits the existing relationships and communication patterns that are the foundation of daily operations. This article explains exactly how clone phishing works, what makes it so effective, and how your organisation can build defences against it.

What Makes Clone Phishing Different

To understand the threat clone phishing poses, it helps to distinguish it from other forms of phishing. Standard phishing emails are crafted from scratch — the attacker invents a pretext (your account has been suspended, you have a package to collect, your password is expiring) and creates a message designed to trick the recipient into clicking a link or opening an attachment. These emails may be convincing, but they have no connection to any real communication the recipient has previously received.

Spear phishing takes this a step further by targeting specific individuals with personalised content — using the recipient's name, job title, company details, and current projects to make the email feel relevant and urgent. However, spear phishing emails are still fabricated messages, even if they are well-researched ones.

Clone phishing operates on an entirely different principle. Rather than creating a new message, the attacker obtains a copy of a real email that was genuinely sent and received, then creates an almost identical clone with subtle but critical modifications. The recipient sees an email that matches something they have actually received before — same sender, same subject, same formatting, same context — making it extraordinarily difficult to identify as malicious.

How Attackers Obtain the Original Emails

For a clone phishing attack to work, the attacker needs access to genuine emails. There are several ways this happens, and understanding these methods helps explain why clone phishing often occurs as a secondary attack after an initial compromise:

  • Compromised email accounts: The most common source. When an attacker gains access to an email account — whether through a previous phishing attack, credential stuffing, or a data breach — they gain access to the entire email history. They can browse sent and received messages, identify the most promising emails to clone, and use the compromised account to send the cloned versions.
  • Compromised email servers or gateways: In more sophisticated attacks, gaining access to mail servers or security gateways provides the attacker with copies of emails flowing through the entire organisation.
  • Man-in-the-middle interception: Attackers positioned to intercept network traffic can capture emails in transit. This is now uncommon because most mail servers encrypt the hop between them, though the opportunistic STARTTLS used for that hop can still be stripped by an attacker on the path unless the receiving domain enforces it with MTA-STS or DANE.
  • Insider access: A malicious or compromised insider can provide copies of legitimate business emails to external attackers.
  • Public or semi-public communications: Some clone phishing attacks are based on emails that are widely distributed — newsletter templates, service notifications, or automated alerts whose format and content are predictable or publicly viewable.

The implication for small businesses is significant: a clone phishing attack against your organisation may indicate that someone's email account — either within your organisation or at one of your partners — has already been compromised. The cloned phishing email is often the second stage of a broader attack.

What Gets Changed: The Anatomy of a Cloned Email

The power of clone phishing lies in how little is changed. The attacker keeps as much of the original email intact as possible and makes only the minimum modifications needed to achieve their objective. The most common modifications include:

Link Replacement

The original email contained a legitimate link — perhaps to a shared document, a payment portal, or an account settings page. In the cloned version, this link is replaced with one that leads to a credential harvesting page, a malware download, or an attacker-controlled server. The displayed text of the link often remains unchanged; only the underlying URL is different. For example, the link text might still read "View Invoice" while the actual URL now points to a malicious domain.

Attachment Swapping

If the original email included an attachment — a PDF invoice, a Word document, a spreadsheet — the cloned version replaces it with an identical-looking file that contains malware, embedded macros, or exploit code. The filename, file size, and apparent content are kept as similar as possible to the original.

Contextual Additions

The attacker adds a brief, plausible explanation for why the email is being resent. Common additions include a note that the previous version of the document had an error and this is the corrected version, a message stating that the link in the original email has expired and this is an updated link, a request to review a revised version of a document, or a follow-up indicating that the recipient did not respond to the original and this is a reminder.

These additions serve two purposes: they provide a reason for the recipient to receive what appears to be a duplicate email, and they create a subtle urgency to open the new attachment or click the new link rather than referring back to the original.

Why Clone Phishing Is Especially Effective

Clone phishing exploits several psychological principles that make it one of the hardest forms of phishing for humans to detect:

Familiarity breeds trust. When we receive an email that looks exactly like something we have seen before — from a sender we know, about a topic we recognise, in a format we are accustomed to — our brain takes a shortcut. Rather than analysing the email critically, we rely on pattern recognition and past experience to judge it as safe. This is the same reason why we might walk through a door we have walked through a thousand times without checking whether the hallway behind it has changed.

Context reduces suspicion. Because the cloned email references a real transaction, project, or conversation, it slots seamlessly into the recipient's existing mental model of their work. There is no incongruity to trigger suspicion — no unexpected request from an unknown sender, no topic that seems out of place.

The explanation feels reasonable. Everyone has experienced receiving a corrected document or an updated link. The attacker's added context — "the previous version had an error" — is so ordinary that it does not register as unusual.

Technical detection is harder. Because the cloned email closely mirrors a legitimate email in structure, formatting, and content, email security filters have a more difficult time distinguishing it from genuine correspondence. If the clone is sent from a compromised legitimate account, it will pass email authentication checks (SPF, DKIM, DMARC): those checks verify that the message genuinely comes from the sender's domain, which it does, and say nothing about whether that account is under the attacker's control. What remains to distinguish the clone is the swapped link or attachment and any Reply-To header the attacker added, which is why the original message, if still available, is the most useful reference to compare against.

How to Detect Clone Phishing Attempts

While clone phishing is difficult to detect, it is not impossible. Training your team to recognise the following indicators can make the difference between a caught attempt and a successful breach:

  • Unexpected resends: Any email that claims to be a corrected or updated version of something previously sent should be treated with caution. Before opening any attachments or clicking any links, confirm through a separate channel (a phone call to a number you already have, an instant message, or a fresh email to the address on file, never a reply to the suspicious message) that the sender actually sent the update.
  • Hover over links before clicking: Even if the email looks familiar, hover over any links to reveal the actual destination URL. Compare it to the URL in the original email. If the domain is different, do not click. As we cover in our guide to spotting phishing emails, URL inspection remains one of the most effective detection techniques.
  • Check the sender address carefully: Verify that the sender's email address exactly matches the address used in the original correspondence, and check the Reply-To header as well, since an attacker who spoofs a sender often adds a Reply-To pointing at a mailbox they control. Look for subtle differences such as character substitutions, added numbers, or domain variations. Bear in mind that a clone sent from a compromised account will match exactly, so a matching address does not by itself clear the message.
  • Compare with the original: If you still have the original email, compare it side by side with the suspected clone. The Message-ID, Reply-To and Return-Path headers, the destination of each link, and the size and contents of any attachment are the places where a clone differs; the matching subject, sender and body text are exactly what the attacker intends you to see.
  • Watch for timing anomalies: If you receive an "updated document" weeks or months after the original transaction was completed, this is suspicious. Legitimate corrections are typically sent promptly.
  • Trust your password manager: If a link takes you to a login page and your password manager does not offer to autofill your credentials, this is a strong signal that the domain does not match the legitimate service.
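The link and attachment swaps described under the anatomy of a cloned email, and the side-by-side comparison recommended above, can be made mechanical. The script below is an added example, not code from the article or from any product it mentions; it uses only the Python standard library. It parses two messages as a mail client would save them (.eml bytes), then reports the differences that matter for a clone: a changed sender, an added or changed Reply-To, a link whose visible text is unchanged but whose destination host differs, an attachment with the same name but different contents, and "corrected" or "updated" wording that was not in the original. The supplier, business and portal domains, the invoice number and the message contents are all constructed for the example; real input would be two saved .eml files.

```python
import email
import hashlib
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from urllib.parse import urlparse

# Phrases attackers add to explain why a message is being resent.
RESEND_CUES = ("corrected", "updated link", "revised", "resending", "expired")
# Crude anchor-tag matcher; enough for mail-client HTML, not a general HTML parser.
LINK_RE = re.compile(r'<a\s[^>]*?href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def build_message(sender, subject, html, att_name, att_bytes, reply_to=None):
    """Constructed test data: serialise an HTML email with one attachment to raw
    bytes, standing in for a .eml file saved from the mail client."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "ap@example-business.com"  # assumed recipient (constructed)
    msg["Subject"] = subject
    if reply_to:
        msg["Reply-To"] = reply_to
    msg.set_content("See the HTML version of this message.")
    msg.add_alternative(html, subtype="html")
    msg.add_attachment(att_bytes, maintype="application", subtype="pdf",
                       filename=att_name)
    return msg.as_bytes()


def describe(raw):
    """Pull out the fields a clone is likely to alter."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    html = msg.get_body(preferencelist=("html",)).get_content()
    return {
        "from": parseaddr(msg["From"])[1].lower(),
        "reply_to": parseaddr(msg.get("Reply-To", ""))[1].lower(),
        # link text -> destination host, so identical text with a new host stands out
        "links": {text.strip().lower(): urlparse(href).hostname
                  for href, text in LINK_RE.findall(html)},
        # filename -> SHA-256 of contents, so a swapped file with the same name stands out
        "attachments": {p.get_filename(): hashlib.sha256(p.get_content()).hexdigest()
                        for p in msg.iter_attachments()},
        "text": re.sub(r"<[^>]+>", " ", html).lower(),
    }


def compare(original_raw, suspect_raw):
    """Return human-readable findings on how the suspect differs from the original."""
    orig, susp = describe(original_raw), describe(suspect_raw)
    findings = []
    if orig["from"] != susp["from"]:
        findings.append(f"sender changed: {orig['from']} -> {susp['from']}")
    if susp["reply_to"] and susp["reply_to"] != orig["reply_to"]:
        findings.append(f"reply-to added or changed: {susp['reply_to']}")
    for text, host in susp["links"].items():
        if text not in orig["links"]:
            findings.append(f"new link '{text}' -> {host}")
        elif orig["links"][text] != host:
            findings.append(f"link '{text}' now points to {host} "
                            f"(was {orig['links'][text]})")
    for name, digest in susp["attachments"].items():
        if name in orig["attachments"] and orig["attachments"][name] != digest:
            findings.append(f"attachment {name} has the same name but different contents")
    for cue in RESEND_CUES:
        if cue in susp["text"] and cue not in orig["text"]:
            findings.append(f"resend cue added: '{cue}'")
    return findings


# Constructed samples: the genuine invoice email, and a clone sent from the same
# (compromised) supplier account with the link, attachment and Reply-To swapped.
INVOICE_HTML = ('<p>Hi, please find invoice 4471 attached.</p>'
                '<p><a href="https://portal.example-supplier.com/invoice/4471">'
                'View Invoice</a></p>')
CLONE_HTML = ('<p>Apologies, the previous version had an error; '
              'this is the corrected file.</p>'
              + INVOICE_HTML.replace("portal.example-supplier.com",
                                     "portal-example-supplier.com"))
ORIGINAL = build_message("Accounts <accounts@example-supplier.com>", "Invoice 4471",
                         INVOICE_HTML, "Invoice-4471.pdf", b"%PDF-1.4 original invoice")
CLONE = build_message("Accounts <accounts@example-supplier.com>", "Invoice 4471",
                      CLONE_HTML, "Invoice-4471.pdf", b"%PDF-1.4 not the same bytes",
                      reply_to="accounts@portal-example-supplier.com")

if __name__ == "__main__":
    for finding in compare(ORIGINAL, CLONE):
        print("!", finding)
```

Note what the sample shows: the From address is identical in both messages, so the sender check passes, exactly as it would for a clone sent from a compromised supplier mailbox. The findings come from the link destination, the attachment hash, the added Reply-To and the added "corrected" wording, which is why the comparison keys links by their visible text rather than by URL. The link matcher is deliberately simple; a production tool would use a real HTML parser and also compare the registrable domain rather than the full hostname.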

Organisational Defences Against Clone Phishing

Defending against clone phishing requires a combination of technical controls, process safeguards, and employee training:

Technical Controls

  • AI-powered email security: Deploy email security solutions that use machine learning to analyse behavioural patterns rather than relying solely on signature matching. These systems can detect subtle anomalies — such as a link domain that differs from previous emails in a conversation thread — that human eyes might miss.
  • URL rewriting and time-of-click scanning: Configure your email security gateway to rewrite URLs in incoming emails and scan them at the moment of click, not just at delivery. This catches malicious links that may not appear in threat databases at the time the email arrives but are flagged later.
  • Attachment sandboxing: Route all email attachments through a sandboxing solution that executes them in an isolated environment to detect malicious behaviour before the file reaches the recipient.
  • Email authentication enforcement: Implement a strict DMARC policy (p=reject or p=quarantine) so that receiving servers discard cloned emails sent from spoofed versions of your domain, and encourage your key business partners and suppliers to do the same. Be clear about the limit of this control: DMARC verifies the sending domain, so it does nothing against a clone sent from a genuinely compromised account, nor against a lookalike domain the attacker registered, which passes its own authentication checks.
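For reference, the difference between a monitoring-only and an enforcing DMARC policy as published in DNS. This is an added example, not a record from the article; the domain and reporting mailbox are placeholders to be replaced with your own.

```dns
; Weak: "p=none" only asks receivers to send reports. Mail that fails
; SPF/DKIM alignment for example-business.com is still delivered.
_dmarc.example-business.com. IN TXT "v=DMARC1; p=none; rua=mailto:dmarc-reports@example-business.com"

; Enforced: receivers reject mail from the domain that fails both SPF and
; DKIM alignment. "adkim=s; aspf=s" require the aligned domain to match
; exactly rather than allowing any subdomain.
_dmarc.example-business.com. IN TXT "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example-business.com; adkim=s; aspf=s"
```

Move from p=none to p=quarantine and then p=reject only after the aggregate reports sent to the rua address show that all legitimate sending systems (your mail platform, invoicing software, marketing tools) pass alignment, otherwise you will start rejecting your own mail.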

Process Safeguards

  • Out-of-band verification: Establish a policy that any request to open an updated document, click a new link, or process a revised invoice must be verified with the sender through a different communication channel before action is taken.
  • Standardised document sharing: Use a consistent, secure method for sharing business documents — such as a shared cloud platform with access controls — rather than sending documents as email attachments. If your organisation normally shares files through SharePoint or Google Drive, an emailed attachment claiming to be a corrected version should immediately raise suspicion.
  • Reporting culture: Create an environment where employees feel comfortable reporting suspicious emails, even if they turn out to be legitimate. A quick report that results in a false positive is infinitely preferable to a clone phishing attack that goes unreported.

Training and Awareness

  • Include clone phishing in awareness training: Ensure your security awareness programme specifically covers clone phishing as a distinct technique. Many employees who can identify a generic phishing email will be caught off guard by a well-crafted clone.
  • Use realistic simulations: Include clone phishing scenarios in your phishing simulation programme. Simulations that mimic real internal communications — such as a cloned version of a routine company-wide email with a modified link — provide the most valuable training experience.
  • Emphasise verification over visual inspection: Train employees to understand that visual inspection alone is insufficient for detecting clone phishing. The key defence is verification — confirming with the sender that they actually sent the message.

Clone phishing succeeds because it turns your established business relationships and communication patterns against you. The emails you trust most — from colleagues, partners, and suppliers you interact with regularly — become the very emails that pose the greatest risk when cloned. By combining technical defences that scrutinise email content at a level beyond human perception with a culture of verification that treats unexpected resends with healthy scepticism, your organisation can defend against this sophisticated threat without disrupting the trusted communications that your business depends on.