What is clone phishing?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
You get an email you recognize. Same sender, same format, same subject line you saw last week. But this time something's slightly off, and you can't quite put your finger on it. That's clone phishing doing exactly what it's designed to do.
Clone phishing is when an attacker takes a real, legitimate email you've already received and creates a near-identical copy of it. They swap out the original links or attachments for malicious ones, then send it again with a thin excuse like "updated link" or "resent due to an error." The copy is often so close to the original that your brain just fills in the gaps and trusts it.
That familiarity is the whole point. Most phishing attacks have to build trust from scratch. Clone phishing borrows trust that already exists. You've seen this email before, so you assume it's safe. Your guard drops before you've even read a word.
To pull it off, attackers need access to a real email you received. That can come from a compromised inbox, a data breach, or even public sources if the original email was forwarded or leaked. Sometimes they target business email accounts specifically because corporate inboxes get predictable recurring messages like invoices, IT notifications, and vendor updates, all of which make perfect cloning material.
Here's what to actually look for:
- The "try again" excuse. Phrases like "the link in our previous email wasn't working" or "please use this updated version" are red flags. Legitimate senders rarely need to re-send with new links on short notice.
- Hover before you click. The email might look identical, but the URL behind a link rarely does. Hover over any link and check the actual destination before clicking.
- Sender address drift. The display name might match perfectly, but the actual sending address might be captain@deepcurrent.io.phishingdomain.net instead of captain@deepcurrent.io. Check the full address, not just the name.
- Timing feels off. Clone phishing emails often arrive unexpectedly, not in response to anything you actually did. An invoice "resent" when you weren't expecting one is worth a second look.
It's also worth knowing that email authentication (SPF, DKIM, DMARC) won't always catch clone phishing. If the attacker has access to a real compromised account or spoofs a lookalike domain convincingly, some of those checks can pass. Authentication is still critical for your own domain's protection, but it's not a complete defense for recipients.
If you're on a security team training people to spot this, the most useful habit to build is one simple pause before clicking any resent or "updated" email: go back to the original, compare the links, and if something changed, verify through a separate channel before acting.
Want to check how your own domain looks to potential attackers? Our free email header analyzer can help you understand what information is visible in your outbound email and whether your authentication setup is giving the right signals.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.