Clone Phishing: How Fraudsters Weaponize Trusted Business Communications
In a Nutshell
Clone phishing is a cyberattack where scammers copy trusted emails, inserting malicious links or attachments to steal money, credentials, or data. It exploits routine business communications like invoices and vendor messages. This camouflage makes clone phishing hard to identify. Businesses can fight back with email filters, access controls, dual verification, and employee training.
Is Your Business at Risk for Clone Phishing? Here’s How to Detect, Prevent, & Respond to Attacks
Imagine getting an email from one of your favorite brands. Or worse, one of your vendors. It mostly looks right, but the content feels slightly… off, somehow.
There are a couple of typos. There’s also a pushy call to action, prompting you to click on a soon-to-expire link. Digging deeper, you realize the sender's address is not the one you're familiar with. And, the link directs you to an unfamiliar, unsecured site, rather than the retailer’s homepage.
Could this be a scam? Probably.
Impersonating trusted brands to deceive and extract information is called clone phishing. According to the Anti-Phishing Working Group, millions of phishing pages are detected annually, and roughly 90% involve some type of impersonation.
In this post, I dissect how clone phishing works, show how to identify an attack, and offer some tips to protect your business from these sneaky fraudulent ambushes.
Phishing
Phishing involves a scammer attempting to deceive unsuspecting victims into voluntarily divulging sensitive information. An estimated 90% of cyberattacks begin with a phishing attempt. Here’s what you need to know about these attacks and how you can protect yourself.
What is Clone Phishing?
Clone Phishing [noun] /klōn • fiSH • iNG/
Clone phishing is a phishing tactic where a scammer impersonates a well-known brand, then sends emails or other messages in that brand’s name. The aim is to trick victims into taking some action that will install malware or compromise their identity in some way.
Clone phishing starts with genuine emails and landing pages. The crooks capture a legitimate message from a trusted party, like a bank or a vendor you deal with all the time. They copy the email style, voice, and graphics used by the real brand to make a convincing forgery.
But there’s a catch: the copied email has been subtly altered. The scammer has slipped a hazardous attachment or link into the text. The bogus email then gets blasted out to potential victims, often in bulk. Recipients open the email, not realizing it’s a scam, and end up clicking the malicious link.
People get fooled by clone phishing emails because the imitations are so similar to the real deal. Which is the whole point: if the email looks routine, it feels safe. Click that link, though, and you roll out the red carpet for the scammer. And once they gain entrance, you stand to lose a lot.
How Clone Phishing Differs From Other Phishing Tactics
Unlike generic phishing or targeted spear phishing, clone phishing copies a real, trusted message almost perfectly, changing only links or attachments. Because it exploits trust in familiar, routine communications, the cloned email feels safer to the user.
When you think of phishing, your mind might go to those obviously fake “your account has been compromised” emails with bad grammar and a sketchy link. Well, you’re not wrong; that’s a pretty standard example of phishing: mass-distributed, generic, and honestly, pretty easy to spot if you’re at all aware of what to look for.
But, not all phishing is created equal. With clone phishing, the scammer duplicates a genuine email from a trusted sender. They’ll recreate the real layout, using the same colors, the same fonts, and so on. After swapping out a link or attachment, they’ll send the doctored message from a lookalike URL or compromised account that appears as real as possible.
Typically, there are no immediate tell-tale giveaways. The camouflaged email feels completely normal because you’ve seen it before. If the fraudsters are real pros, you could respond to the message without even giving it a second thought. That’s what makes clone phishing unique: it doesn’t rely on fooling you with something made from scratch. Instead, it relies on trust in a familiar brand, and a lack of due diligence on the victim’s part.
How a Clone Phishing Attack Works
Clone phishers exploit our email fatigue and trust in familiar senders to trick recipients into clicking links or downloading attachments from seemingly innocent emails. This enables the scammer to commit credential theft, malware infection, or financial fraud.
Clone phishers count on the fact that most of us have a zillion emails waiting in our inbox. Combing through each one carefully would take forever; it’s human nature to look for the ones we can handle quickly and easily first.
You know what I'm talking about. Emails from a familiar vendor needing something simple, like a PO number, or asking you to click a link to approve an order. What you don’t realize is that you might be walking into a trap; one set long before you received the message. Here’s one way it could go down:
Once you respond the way the scammer hopes, it’s all over. There’s no end to the damage they can do with your data.
Clone Phishing Examples: Real Attacks on Businesses
Clone phishing isn’t just anecdotal. There’s plenty of evidence to demonstrate the danger: real business scenarios where everything looked completely legitimate… right up until the moment it wasn’t. Just a few clone phishing examples:
In 2019, attackers imitated a legitimate business partner of Toyota Boshoku and sent emails requesting a change in payment details. The message looked routine and the request simple: the company updated the payment information and transferred the funds. It later discovered the account was controlled by fraudsters.
Ubiquiti lost $46 million after attackers posed as executives and vendors in email communications with employees. The messages referenced real business processes, instructing staff to wire funds. Because the emails mimicked internal communications, the requests didn’t raise immediate suspicion.
Attackers impersonated Quanta Computer, a real hardware supplier to Facebook & Google, for over two years. They sent authentic-looking invoices with branding and formatting similar to prior communications. Over $100 million in payments were made to phony accounts before the scheme was uncovered.
One of the most mimicked vendors is Microsoft, which was impersonated in 51.7% of phishing attacks in 2024.
Those are just a few high-profile examples. But, a quick look at Reddit shows that this kind of thing happens all the time:
Why Merchants Are Prime Targets for Clone Phishing
Businesses, especially merchants, are prime targets for clone phishing because routine invoices, vendor communications, and customer messages can be easily mimicked, making it easy for attackers to exploit trust and access sensitive data or move money.
Clone phishing could happen to anyone, but it’s easy to see why merchants make ideal targets.
Think about invoice volume alone. When you’re processing a steady stream of invoices, approvals, and payment requests, everything starts to blend together, making it harder to weed out suspicious messages.
It’s the same story with vendor relationships. Over time, predictable patterns form: same contacts, same formats, same types of requests. Attackers study those patterns, then slip in a cloned message that fits naturally into the flow. No red flags are triggered, so there’s no reason to question it.
Your customer communications are fair game, too. Things you send to your customers (order confirmations, shipping updates, account notices, coupons, etc.) are typically pretty easy to replicate, which makes them good vectors for clone phishing. The more trust customers place in your brand, the easier it is to turn that brand into a weapon against you.
And, just when you thought the stakes couldn’t get any higher, think about employee access to payment systems and customer data. One convincing email in the right inbox can move money or expose sensitive information.
The Downstream Impact of Clone Phishing on Merchants
Clone phishing often leads to cascading impacts. Stolen funds, reused credentials for further fraud, and attacks on customers using your brand will create long-term financial, operational, and reputational harm that can persist and multiply over time.
This part doesn’t get talked about enough: damage from clone phishing rarely stops at the initial hit.
For example, say a customer or employee receives what looks like a legitimate invoice. They pay it, but the funds go straight to a fraudulent account. At that point, recovery is unlikely. The money’s gone.
And, once attackers get the credentials, access, or trust they’re after, they’ll probably attempt to reuse it for subsequent attacks; think account takeovers, additional fraud attempts, or even new phishing campaigns.
If your customers get malicious clones of your emails or messages, they won’t be blaming some anonymous scammer. They’ll look right at you. Missed orders, compromised accounts, unauthorized charges… all the confusion and frustration lands directly on your brand. That kind of damage isn’t always immediate, but it sticks, and it adds up over time.
How to Detect Clone Phishing
So how do you know if an email is an actual clone phishing attempt? I’ve pulled together a quick list of some of the clues that you should know to look for:
Look closely at the sender address, as scammers may try to replace characters with other, visually similar ones. “rn” can imitate “m,” zeroes can be “O,” and a lowercase “l” could be a capital “I” or a 1.
Before clicking a link, be sure the destination URL matches what you expect it to be. Even something like “Click here to unsubscribe” can be fake. Don’t trust the text alone; preview where it’s going.
Emails claiming to contain an “updated attachment” or “corrected link” are designed to make you click first and ask questions later. Pause and verify before taking any action.
Say you get a message asking you to perform a software update, but you just did an update a few days earlier. Go through official channels to confirm alleged updates for software or licenses.
Scammers use mind tricks to make you act without thinking. Creating a sense of urgency is one of the easiest ways to do this. “We’re on hold until we get your OK,” for example. Be suspicious.
Financial arrangements are rarely done via email. If a provider asks you to send money to a new account, confirm by phone — using the official phone number that you know to be correct — before you send anything over.
SPF, DKIM, and DMARC are email authentication protocols that can help verify a message actually comes from the sender it claims. Most email clients let you peek at message headers, and there are online tools to check a domain’s records. If email validation fails or isn’t present, consider it a red flag.
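As an added example that is not part of the original post, the following Python script applies two of the clues above to a raw email: it folds the character swaps described for sender addresses (“rn” for “m”, “0” for “o”, “1” or “I” for “l”) so a lookalike domain collapses onto the trusted one it imitates, and it reads the SPF/DKIM/DMARC verdicts from the Authentication-Results header. The trusted vendor list, the sample message and every domain in it are constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Vendors this (constructed) business actually exchanges email with.
TRUSTED_DOMAINS = {"acme-supply.com", "microsoft.com"}
# Lookalike swaps from the detection list, applied to lowercased domains.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("i", "l"))

def normalize_domain(domain):
    """Fold lookalike characters so a spoofed domain collapses onto the one it imitates."""
    folded = domain.lower()
    for fake, real in CONFUSABLES:
        folded = folded.replace(fake, real)
    return folded

def lookalike_of(domain):
    """Return the trusted domain this one imitates, or None if trusted or unrelated."""
    if domain in TRUSTED_DOMAINS:
        return None
    folded = normalize_domain(domain)
    return next((t for t in TRUSTED_DOMAINS if normalize_domain(t) == folded), None)

def parse_auth_results(msg):
    """Extract spf/dkim/dmarc verdicts from the Authentication-Results header."""
    header = str(msg.get("Authentication-Results", ""))
    return {k.lower(): v.lower() for k, v in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I)}

def assess(raw_message):
    """Run the sender-address and authentication checks over one raw RFC 5322 message."""
    msg = message_from_string(raw_message, policy=policy.default)
    domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    auth, flags, imitated = parse_auth_results(msg), [], lookalike_of(domain)
    if imitated:
        flags.append(f"sender domain {domain} is a lookalike of trusted {imitated}")
    if not auth:
        flags.append("no Authentication-Results header: SPF/DKIM/DMARC not verified")
    flags += [f"{p} result is {v}" for p, v in auth.items() if v != "pass"]
    return {"sender_domain": domain, "lookalike_of": imitated, "auth": auth, "flags": flags}

# Constructed sample: a cloned invoice sent from a lookalike of a real vendor domain.
SAMPLE_CLONE = """\
From: "Acme Supply Billing" <invoices@acrne-supply.com>
Subject: Corrected invoice #4471 - updated bank details
Authentication-Results: mx.example-merchant.com; spf=fail smtp.mailfrom=acrne-supply.com; dkim=none; dmarc=fail header.from=acrne-supply.com

Please see the corrected invoice attached and update our payment details today.
"""

print(*assess(SAMPLE_CLONE)["flags"], sep="\n")  # show why this message deserves a second look
```

A real mail gateway would apply the same two checks to every inbound message and route anything flagged to a review queue rather than the accounts-payable inbox.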
Sadly, many folks only catch on to a scam after the fact, which highlights one of the main hiccups of clone detection: you probably won’t look for clues unless you already suspect a problem. And, given the volume of email most of us get, trying to check every one is problematic, at best.
So if you want to protect yourself from clone phishers, start by making your company less of an easy target.
How to Protect Your Business From Clone Phishing
Preventing clone phishing requires multiple defenses. Consider automated email screening, device protections, restricted access, dual verification for payments, and ongoing education for employees and customers to create a vigilant, security-conscious culture.
It’s unrealistic to think you’re going to catch every fake email manually. You can, however, make it much harder for attackers to succeed. With layers of verification, smart automation, and trained staff, most clone phishing attempts fail before they hit critical systems.
Let me suggest some proactive measures:
Email gateways and security tools can flag suspicious messages before they hit inboxes. Watch for failed authentications, unusual links, or messages that match known phishing patterns.
Protect endpoints with security software and attachment scanners that assess the risk posed by devices and incoming files. Think of it as a safety net, stopping malicious files from spreading across your systems.
Sensitive systems and operations should be restricted to those who truly need access. Limit who can approve payments, update accounts, or access confidential data. Fewer touchpoints mean fewer opportunities for attackers to exploit.
Get a second set of eyes for any change in payment details. A quick phone call or multi-person approval (using pre-established contacts) can help stymie fraud.
Provide ongoing employee training on spotting character swaps, urgent language, and “revised” attachments. Tell customers what you won’t do in an email, like ask for financial info.
Defending against clone phishing isn’t a one-person job. Since phishing attacks are often used to target employees, you need to get everyone on board. Build a culture that makes learning and vigilance the norm.
New Threats Develop Every Day
Remember: fraud isn’t static.
Staying informed about the latest phishing techniques helps you keep one step ahead of scammers. Unfortunately, doing so could be a full-time job in itself. And, even if you’re aware of new fraud types, that doesn’t always mean you know how to fight them.
There’s no such thing as a “one-size-fits-all” solution to fraud or the resulting chargebacks. But at Chargebacks911®, we specialize in guiding merchants through the challenges of a rapidly shifting fraud landscape. That includes keeping on top of new threats as they develop.
To get the most from your fraud prevention investments, your defenses need to be flexible and dynamic, capable of addressing threats from every angle. To learn how we can help you with that, talk to one of our chargeback professionals today.
FAQs
What is a cloning attack?
Clone phishing involves cybercriminals mimicking genuine emails with the intent of distributing malware. These fraudsters capture and alter a legitimate message before redirecting it to potential victims. The modified email replaces a trustworthy attachment or link with a hazardous one.
What does cloning mean in cyber security?
In cybersecurity, “cloning” refers to the act of creating an exact replica of a legitimate website, email, or system to deceive users. Fraudsters use this tactic to steal sensitive information or spread malware. Being aware of cloning helps users identify and avoid potential threats.
What is an example of clone phishing?
Clone phishing occurs when cybercriminals replicate a legitimate email, making subtle changes to deceive the recipient. In this scam, a seemingly familiar message might contain a malicious link or attachment. Unsuspecting users, believing the email is genuine, might click the link or open the attachment, leading to data theft or malware infection.
What is clone phishing used for?
Clone phishing is used by cybercriminals to replicate legitimate emails with deceptive changes, aiming to trick recipients into clicking malicious links or opening harmful attachments. This tactic seeks to steal sensitive information or introduce malware. It capitalizes on trust by mimicking known sources.
What is the difference between clone phishing and spear phishing?
Clone phishing involves replicating a legitimate email with slight alterations to trick the recipient, typically targeting a broad audience. Spear phishing, on the other hand, is a targeted approach where the attacker customizes the deceptive message for a specific individual or organization, often using gathered information to increase the email's credibility. Both aim to deceive, but spear phishing is more personalized.
Does two-factor authentication protect against clone phishing?
Two-factor authentication helps, but it’s not a silver bullet. It can block attackers from using stolen credentials directly, but clone phishing can still trick users into giving sensitive info, approving fake payments, or downloading malware.
What's the difference between being hacked and being cloned?
Being hacked means attackers gain direct access to your accounts or systems. Being cloned means they impersonate you or your emails to trick others: your systems may be untouched, but your brand or identity is being used to commit fraud.