SkipToMainContent

Online Scams

Clone phishing: What it is and how to prevent it

A woman researches clone phishing on her laptop.

September 13, 2022

You just got a new email from a brand that you love, but something feels off about the message. You notice several typos and are being urged to click a link that will expire shortly.   

Upon closer inspection, you notice that the sender's address is different than usual, and the link sends you to an  unsecure domain. You ask yourself, “Is this a scam?”  

Over 75% of online scams start with an email just like this. When scammers pretend to be a trusted brand to steal  information from you, it’s called clone phishing. These scams contain malicious links and attachments that  threaten your cybersecurity.

What is clone phishing? 

Clone phishing is a type of cyberattack that replicates notification emails from trusted organizations to scam users into sharing sensitive information like usernames and passwords.   

Watch out for common clone phishing scam elements like limited-time offers and claims of being an updated  message. Do you have proof of the original conversation with the sender? If not, the message might contain malicious links and attachments. 

This type of phishing attack preys on users who frequently use digital services like online banking or shop at  online marketplaces like Amazon. Be mindful of what branded emails look like from online retailers that you interact with often.  

If a few design details are slightly off or the sender’s address is spelled differently, the message might be a clone  containing potentially harmful links and files.

A graphic illustrates what a clone phishing email looks like

Clone phishing vs. spear phishing: What’s the difference?

Unlike regular phishing scams that feature an original composition, clone phishing replaces safe links and  attachments from a replicated email with malware and fake domains that are intended to steal your login credentials. 

Clone phishing scams take advantage of branded messages that are sent to many recipients. These messages  might refer to you as “user” rather than your registered account name.   

Spear phishing scams, however, send targeted messages to a single person or organization. A spear phishing scam  might include the following unique details: 

  • Addressing you personally
  • Referencing a coworker
  • Alluding to a new payment 
  • Writing with a casual tone
  • Mentioning your business name 

Both clone phishing and spear phishing can be difficult to detect. Knowing how these scams operate can help  enhance your cybersecurity. 

How clone phishing works

Scammers have developed a variety of phishing attacks to lure sensitive information from everyday internet users. Here is a detailed look at how clone phishing works:       

  1. Scammers impersonate a well-known company. They create a similar web address and even go as far as  creating a fake website. The website is meant to build trust with users and make them feel like they are  interacting with a familiar digital environment.
  2. The scammer sends a fake email to a large email list impersonating the brand. The message does not  address you personally and is meant to be opened by hundreds of people.
  3. Some unsuspecting recipients open the email and follow the instructions, assuming it's coming from a  trusted brand that they interact with frequently. They are led to a fake website or are encouraged to download a malicious attachment.
  4. The recipient is prompted to log in to their account after opening the link, releasing their information to the scammer. The fake website will be under an unsecure domain lacking an “HTTPS” prefix.      
  5. The scammer steals the recipient’s private information and can now log in into any account that shares the same login credentials. Now users must quickly change their passwords and report the security breach. 

Sketchy websites and suspicious links aren’t the only signs of a clone phishing scam. With a trained eye, there are several ways to detect fraudulent behavior. 

Signs of clone phishing

Clever clone phishers make it almost impossible to sniff out their scam. Here are a few clone phishing red flags to be aware of:         

  • Spelling and grammatical errors: Keep an eye out for typos. Popular brands almost always compose  messages that are free of errors. This is because they can afford to employ a team of editors. Scammers, however, might be working with limited resources, experience a language barrier, or use other  tactics to lure information out of you while composing a clone phishing campaign.
  • Different domain extensions: Is the brand that’s claiming to contact you associated with a “.com” web  address? If any link within the email wants to send you to a different domain extension like “.net” or “.io,” it could be a scam.        
  • Ineffective password managers: Do you normally sign into this brand’s account with a password manager?  If you clicked on a link inside of a clone phishing scam, you will be directed to a familiar yet dangerous portal. If the link is malicious, then your password manager will not auto-fill your login.     
  • Urgent language: Making you feel rushed is one of the ways that scammers hope to lure personal  information out of you. Always check that your domain is secure before entering a password and preview attachments before downloading them to your computer. 
  • Requests for personal information: If a trusted brand is asking you to verify information due to a security  threat, you will be led to a secure domain that features an “HTTPS” prefix and will often undergo a two- factor authentication process. If these elements are not there, then it is most likely a cyberattack.  

Becoming familiar with these warning signs can help you see through convincing lies. There are a few different  scenarios that scammers tend to gravitate toward. All of them, however, are intended to make you panic and make rushed decisions.

Clone phishing examples

There are a variety of clone phishing templates that scammers utilize to gain sensitive information. The scams will  mimic a brand’s tone to convince recipients that they are trustworthy representatives.  

Scammers study the messages that trusted brands send to customers when there is a security breach or urgent  update. Below are some of the most common clone phishing examples to watch out for 

1. Customer support scams

A graphic illustrates an example of a customer support scam, a popular type of clone phishing.

In this scenario, scammers send recipients a fake email from one of their registered social media accounts. The  message will urge recipients to log into their accounts to verify user activity.  

For example, let’s say you receive an email from Instagram support alerting you that your account is in danger. It  asks you to log in to secure your account by clicking the provided link.   

Users might feel like their account information is vulnerable, so they quickly click a malicious link that ultimately  steals their username and password.

2. Fake virus scams

A graphic illustrates an example of a fake virus scam, a popular type of clone phishing.


Fake virus alerts are often used in clone phishing scams because they make recipients think that their entire  computer is at risk of being attacked (as opposed to a single shopping or social media account).  

In this example, say you receive an email from Microsoft or Apple alerting you that you have a virus and must click a link to download an antivirus to fix your device.  

Unbeknownst to you, the downloadable content is actually malware that can comb your hard drive for sensitive  information. Scammers take advantage of the fact that most email platforms make it easy to download attachments without previewing their content.

3. Refund scams

A graphic illustrates an example of a refund scam, a popular type of clone phishing.

Refund scams prey on registered users of popular digital marketplaces. Scammers will replicate the writing style of a brand and compose an original message about an eligible refund.  

In this scenario, let’s say you receive an email from an online store, airline, or tax service saying you are eligible for  a refund or free gift. To get your reward, however, you must submit personal or banking information. 

This scam takes advantage of the recipient’s opportunity to earn a reward. Thinking that clicking the link will earn  them money, the recipient clicks on it without hesitation. 

How to prevent clone phishing: 8 cybersecurity tips

A graphic lists eight clone phishing protection tips you can use to stay safe online.

Although clone phishing can be difficult to detect, there are several cybersecurity tips that can help keep your  personal information protected from scammers: 

  • Review the sender’s address: Illegitimate email addresses might appear identical to official email addresses on the surface. Take a closer look, and you might notice that a few characters are different from the official address.        
  • Preview links before opening them: Most internet browsers give you the option to preview a link by  hovering over it. If the preview looks suspicious, do not open it and report the sender. ·        
  • Use a password manager: Password managers can help you detect replicated websites. If your manager  does not auto-fill your login like it usually would, then you might be entering your information into a fake website.       
  • Investigate spoofed replies: Some clone phishing scams format their message to look like a reply from an  earlier conversation. Pay close attention and you will notice that there was never an original thread  between you and the scammer.         
  • Double-check URL addresses: If you already clicked a suspicious link, double-check the URL address of the  “company’s” website. Does it look different than the official domain address? If so, it might be a scam.  
  • Check for “HTTPS”: Secure URL addresses are normally preceded by “HTTPS://” — this prefix indicates that you are interacting with a secured connection. If the prefix is not there, then your sensitive information could be at risk.·        
  • Contact a trusted source for help: If you receive a suspicious message from a trusted brand, contact their  official customer support line to verify the email.
  • Remain calm: Most clone phishing scams involve a sense of urgency. Targeted rhetoric is used to make  recipients panic and irrationally click or download something. Stay calm and verify time-sensitive  messages before you continue.

Checking your email accounts regularly is one of the easiest ways to avoid a clone phishing scam. Becoming  familiar with how businesses normally communicate with you will help you spot the subtle differences of a scam. 

If you believe that you’ve been targeted by a clone phishing scam and use the same login information as your  bank account, immediately change your passwords and alert your credit card provider as soon as possible.

86% of people say they may have experienced a phishing incident.

Meet Norton AntiVirus Basic. It does more than seek out and destroy viruses: It warns you of identity-stealing sites, safeguards your online transactions, and catches bogus email links.

Be prepared for tomorrow’s threats.


Editorial note: Our articles provide educational information for you. NortonLifeLock offerings may not cover or protect against every type of crime, fraud, or threat we write about. Our goal is to increase awareness about cyber safety. Please review complete Terms during enrollment or setup. Remember that no one can prevent all identity theft or cybercrime, and that LifeLock does not monitor all transactions at all businesses.

Copyright © 2022 NortonLifeLock Inc. All rights reserved. NortonLifeLock, the NortonLifeLock Logo, the Checkmark Logo, Norton, LifeLock, and the LockMan Logo are trademarks or registered trademarks of NortonLifeLock Inc. or its affiliates in the United States and other countries. Firefox is a trademark of Mozilla Foundation. Android, Google Chrome, Google Play and the Google Play logo are trademarks of Google, LLC. Mac, iPhone, iPad, Apple and the Apple logo are trademarks of Apple Inc., registered in the U.S. and other countries. App Store is a service mark of Apple Inc. Alexa and all related logos are trademarks of Amazon.com, Inc. or its affiliates. Microsoft and the Window logo are trademarks of Microsoft Corporation in the U.S. and other countries. The Android robot is reproduced or modified from work created and shared by Google and used according to terms described in the Creative Commons 3.0 Attribution License. Other names may be trademarks of their respective owners.