Clone Phishing
An attack where a legitimate email previously delivered to the victim is duplicated with malicious links or attachments substituted for the originals.
Also known as: email cloning attack
Last reviewed: 10 June 2026
In a clone phishing attack, criminals intercept or obtain a copy of a real email — such as a shipping notification, invoice, or password reset — and create a near-identical replica. The only change is that genuine links or attachments are replaced with malicious ones. The clone is then sent from a spoofed or compromised address to the original recipient.
Because the victim has already received and expects a message of that type, their guard is lower. The attacker often adds a note like 'Resending due to a technical issue' to justify the duplicate.
Always hover over links before clicking to verify the destination, and access services directly through official websites rather than email links.
Examples
- A consumer receives what looks like a resent courier tracking email; the embedded link points to a credential-harvesting site instead of the real courier portal.