Clone phishing is a type of phishing attack in which attackers create a convincing replica of a legitimate email that the victim has previously received. The attacker compromises or impersonates the original sender and uses the cloned email to deceive victims into entering login credentials, paying an invoice, downloading malware, or sharing sensitive data. These emails are often nearly identical to a previous legitimate email the victim received, except a malicious attachment or link replaces the original legitimate one.
How clone phishing works
The attacker obtains a copy of a legitimate email—either through account compromise, interception, or by receiving the same email as an intended recipient in a targeted organization.
The attacker clones the email, replicating the format, content, branding, and apparent sender, but replaces legitimate links or attachments with malicious ones.
The attacker sends the cloned email to the original recipient(s), often claiming it is a resend due to a technical issue with the original message, an updated version, or a corrected attachment.
The victim, recognizing the email as familiar and legitimate, is more likely to interact with the malicious link or attachment without suspicion.
Clone phishing is particularly effective because it exploits existing trust. The victim has already interacted with a version of this email and expects it to be safe. Common targets include invoice emails, shipping notifications, security alerts, and software update notifications.
Unlike mass phishing attacks, clone phishing can be highly targeted and may be difficult to detect using standard security tools since the email content largely mirrors legitimate communications. Protection requires behavioral analysis that goes beyond content inspection.
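One way to turn the behavioural signals named above (message metadata, link destinations, attachment characteristics, sender authentication) into a concrete check is to compare a newly received message against the earlier, known-good message it resembles. The following Python is an added example written for this page; it is not Pangratis code and not a description of any vendor's product. It assumes the receiving mail server stamps an Authentication-Results header with spf/dkim/dmarc verdicts, and both sample messages and their domains are constructed for illustration.

```python
"""Added example (not Pangratis code): flag a likely clone of an email the
recipient already received. Both sample messages below are constructed and
the domains in them are placeholders, not real traffic."""
import difflib
import re
from email import message_from_string
from email.message import Message
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
# The "resend / corrected copy" pretext the text describes.
PRETEXT_RE = re.compile(r"\b(resend|resent|updated|corrected)\b", re.IGNORECASE)


def body_text(msg: Message) -> str:
    """Text of every text/* part that is not an attachment."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text" and not part.get_filename():
            chunks.append((part.get_payload(decode=True) or b"").decode("utf-8", "replace"))
    return "\n".join(chunks)


def link_hosts(text: str) -> set[str]:
    """Hostnames of every URL in the text (the real destinations, not the link labels)."""
    return {urlparse(url).hostname or "" for url in URL_RE.findall(text)}


def attachments(msg: Message) -> set[tuple[str, str]]:
    """(filename, declared content type) of every attachment part."""
    return {(p.get_filename(), p.get_content_type()) for p in msg.walk() if p.get_filename()}


def auth_results(msg: Message) -> dict[str, str]:
    """spf/dkim/dmarc verdicts from the Authentication-Results header the receiving
    mail server added (assumed present); a missing header yields no verdicts."""
    header = msg.get("Authentication-Results", "")
    return {k.lower(): v.lower() for k, v in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I)}


def clone_indicators(baseline_raw: str, candidate_raw: str, min_similarity: float = 0.9) -> list[str]:
    """Reasons the candidate looks like a clone of the baseline, a message the
    recipient previously received that authenticated cleanly. An empty list means
    the messages are not near-copies, or nothing changed in a suspicious way."""
    base, cand = message_from_string(baseline_raw), message_from_string(candidate_raw)
    base_text, cand_text = body_text(base), body_text(cand)
    # Compare wording with URLs stripped: a clone keeps the text and swaps the targets,
    # so the swapped links themselves must not lower the similarity score.
    ratio = difflib.SequenceMatcher(None, URL_RE.sub("", base_text), URL_RE.sub("", cand_text)).ratio()
    if ratio < min_similarity:
        return []
    reasons = []
    new_hosts = link_hosts(cand_text) - link_hosts(base_text)
    if new_hosts:
        reasons.append(f"links now point to hosts absent from the original: {sorted(new_hosts)}")
    new_files = attachments(cand) - attachments(base)
    if new_files:
        reasons.append(f"attachments differ from the original: {sorted(new_files)}")
    failed = [k for k in ("spf", "dkim", "dmarc") if auth_results(cand).get(k) != "pass"]
    if failed:
        reasons.append(f"sender authentication did not pass: {failed}")
    if cand.get("Reply-To") and cand.get("Reply-To") != base.get("Reply-To"):
        reasons.append(f"Reply-To changed to {cand['Reply-To']}")
    if PRETEXT_RE.search(cand.get("Subject", "")):
        reasons.append("subject frames the message as a resend or corrected copy")
    return reasons


# Constructed baseline: the legitimate invoice the recipient saw first.
BASELINE = """\
From: Billing <billing@example-vendor.com>
Subject: Invoice 4471 for March
Authentication-Results: mx.example-corp.com; spf=pass; dkim=pass header.d=example-vendor.com; dmarc=pass
Content-Type: multipart/mixed; boundary="b1"

--b1

Invoice 4471 is attached; it is also available at https://portal.example-vendor.com/invoices/4471
--b1
Content-Type: application/pdf; name="invoice-4471.pdf"

%PDF-1.4 placeholder
--b1--
"""

# Constructed clone: same wording, but new link host, new attachment, failed auth, new Reply-To.
CLONE = """\
From: Billing <billing@example-vendor.com>
Reply-To: billing@example-vendor-support.net
Subject: Resend: Invoice 4471 for March (corrected attachment)
Authentication-Results: mx.example-corp.com; spf=fail; dkim=none; dmarc=fail
Content-Type: multipart/mixed; boundary="b1"

--b1

Invoice 4471 is attached; it is also available at https://portal.example-vendor-support.net/invoices/4471
--b1
Content-Type: application/zip; name="invoice-4471.zip"

PK placeholder
--b1--
"""

if __name__ == "__main__":
    print("\n".join(clone_indicators(BASELINE, CLONE)))
```

The similarity gate is what makes this a clone check rather than a generic phishing filter: only a message that reproduces an earlier one almost word for word is inspected for changed link hosts, attachments, authentication results and reply path, which is exactly where a clone differs from the original while its visible content does not. In a real deployment the baseline would come from the recipient's mailbox history, and the thresholds and pretext wording would be tuned to the organisation's own mail.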
Pangratis detects clone phishing by analyzing email metadata, link behavior, attachment characteristics, and sender authentication signals to identify cloned messages even when their content appears legitimate.