Clone Phishing: How Scammers Copy Real Emails

IsThisAScam Research Team · April 7, 2026 · 4 min read
Contents
  1. Clone Phishing: How Scammers Copy Real Emails
  2. How Clone Phishing Works
  3. Why Clone Phishing Is So Effective
  4. Clone Phishing in the Wild
  5. How to Detect Clone Phishing
  6. Organizational Defenses

Last month, a marketing manager at a SaaS company received an email from a colleague sharing a Google Docs link — the same document they had actually shared two days earlier. The subject line was identical. The body was identical. The only difference: the link pointed to a credential-harvesting page instead of Google Docs. The marketing manager clicked without hesitation because she had already received and trusted the original.

Clone phishing is the practice of taking a legitimate, previously delivered email and creating a near-identical copy with malicious links or attachments swapped in. It is among the hardest phishing variants to detect because the victim has already seen and trusted the original message.

How Clone Phishing Works

Step 1: Intercept or obtain a real email. Attackers gain access to a legitimate email through compromised accounts, email forwarding rules set during prior breaches, or by simply being CC'd on a thread. In corporate environments, a single compromised mailbox provides templates for thousands of clone attacks.

Step 2: Clone the message. The attacker copies the email's subject line, body text, formatting, images, and apparent sender. Modern phishing kits automate this process — some can clone an email in seconds.

Step 3: Replace the payload. Links are swapped to point to phishing pages. Attachments are replaced with malware-laden files. Everything else remains identical. The attacker may send from a spoofed address or from the compromised account itself.

Step 4: Add a pretext for re-sending. The clone often includes a brief note explaining why it is being sent again:

"Resending this — the link in my previous email was broken. Here's the updated version."
"Updated the attachment with the latest numbers. Please use this version instead."
"Sorry, sent the wrong file earlier. This is the correct one."

These pretexts work because re-sending an email with a correction is completely normal workplace behavior, so the recipient has no reason to suspect it.

Why Clone Phishing Is So Effective

Trust carryover. Your brain already classified the original email as safe. When a near-identical copy arrives, your brain reuses that classification instead of evaluating the new message independently. Psychologists call this "anchoring" — the original email sets an anchor of trust that the clone inherits.

Perfect formatting. Since the email is cloned from a real message, it has perfect grammar, correct branding, proper formatting, and a natural writing style. All the red flags that normally expose phishing — awkward phrasing, mismatched logos, broken formatting — are absent.

Contextual relevance. The cloned email relates to a real conversation, a real project, or a real transaction. It arrives in the context of existing work, making it invisible among legitimate messages.

Compromised sender accounts amplify the threat. When the clone comes from the actual sender's compromised account, even the email address is legitimate. SPF, DKIM, and DMARC checks all pass because the email genuinely originates from the sender's infrastructure.

Clone Phishing in the Wild

Clone phishing has been used in several major breaches. In one 2025 incident, attackers compromised a law firm's email system and cloned actual client communications, replacing document links with malware droppers. The firm's clients — banks, insurance companies, and real estate firms — opened the attachments without question because they were expecting those exact documents.

Another campaign targeted university researchers by cloning journal acceptance notification emails. Researchers who had recently submitted papers received cloned "acceptance" emails with malicious links, achieving a reported 60% click rate.

How to Detect Clone Phishing

Be suspicious of "resent" emails. If someone re-sends an email you already received — especially with updated links or attachments — verify with the sender through a separate channel before clicking anything.

Compare URLs carefully. Hover over links and compare them to the original email. If the domain has changed even slightly, do not click. Legitimate re-sends from the same person will use the same link infrastructure.

Check the sender address character by character. Even when the display name matches, the actual email address may differ. On mobile, tap the sender name to reveal the full address.

Watch for subtle timestamp anomalies. A cloned email may have a timestamp that does not match when the sender would normally be active, or it may arrive from a different time zone than usual.

Question the pretext. "The link was broken" or "I sent the wrong file" are common clone phishing pretexts. If you were able to access the original link or file without issues, the re-send is suspicious.

Use automated detection. Forward suspicious re-sends to IsThisAScam for link and attachment analysis. Automated tools can compare link destinations between the original and the clone to flag discrepancies.

Organizational Defenses

Organizations should implement email gateway rules that flag messages with subjects matching recently delivered emails but containing different link destinations. Advanced threat protection solutions from Microsoft, Google, and third-party vendors offer this capability.
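The gateway rule above, and the link comparison described under "Use automated detection", sketched as an added example (not code from this article or from IsThisAScam). The function names and both sample messages are constructed, and the check compares link hostnames only.

```python
import email
import re
from email import policy
from urllib.parse import urlsplit

# Prefixes a re-send commonly adds; stripped so clone and original subjects compare equal.
_PREFIX = re.compile(r"^\s*((re|fwd?|resend(ing)?|updated)\s*:\s*)+", re.I)
_URL = re.compile(r"""https?://[^\s"'<>)]+""", re.I)

def subject_key(msg):
    """Normalized subject: reply/forward prefixes removed, case and whitespace folded."""
    subject = _PREFIX.sub("", msg.get("Subject", ""))
    return " ".join(subject.lower().split())

def link_hosts(msg):
    """Set of lowercase hostnames linked from the text/plain and text/html parts."""
    hosts = set()
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            for url in _URL.findall(part.get_content()):
                host = urlsplit(url).hostname
                if host:
                    hosts.add(host.lower())
    return hosts

def clone_findings(original_raw, resend_raw):
    """Hosts that appear only in the re-send; [] when the subjects do not match."""
    original = email.message_from_string(original_raw, policy=policy.default)
    resend = email.message_from_string(resend_raw, policy=policy.default)
    if subject_key(original) != subject_key(resend):
        return []
    return sorted(link_hosts(resend) - link_hosts(original))

# Constructed sample messages; example.com and example.net are reserved documentation domains.
ORIGINAL = """From: Dana <dana@example.com>
Subject: Q3 budget draft
Content-Type: text/plain

Draft is here: https://docs.example.com/d/abc123
"""
RESEND = """From: Dana <dana@example.com>
Subject: RE: Q3 budget draft
Content-Type: text/plain

Resending, the earlier link was broken: https://docs.example-login.example.net/d/abc123
"""

if __name__ == "__main__":
    print(clone_findings(ORIGINAL, RESEND))
```

A non-empty result means the re-send links to a host the original never used, which is the discrepancy to hold for review even when the sender address and authentication results are unchanged.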

Monitor for email forwarding rules in compromised accounts — attackers often set auto-forwarding to an external address so they can clone future emails in real time. Regular audits of mailbox rules across the organization catch this.

Clone phishing thrives on trust. The defense is simple in principle but hard in practice: treat every email as a new message, regardless of how familiar it looks. The moment you rely on "I already saw this" as your security check, the clone wins.
