What is a clone phishing email and how do I spot one?
Clone phishing exactly copies a real email you may have received before, replacing links or attachments with malicious ones. It is one of the hardest phishing types to spot.
Last reviewed: 1 June 2026
Explanation
Clone phishing takes a legitimate email that you actually received at some point, such as a shipping notification, bank statement, or invoice, and produces an almost identical copy. The sender address is spoofed to match the original, the branding is identical, and the only change is that the real links are replaced with phishing URLs or the attachment is swapped for a malware file. Because the email closely resembles something you trust and have seen before, it bypasses the scepticism you would apply to an unfamiliar message. The tell-tale sign is that the link destination differs from the legitimate domain: hover over any link before clicking to check where it really points. If in doubt, navigate to the service directly in your browser rather than through any link in the email.
Common red flags
- Email looks nearly identical to a real message you received previously
- Subject line presents the message as a 'Resend' or 'Updated' version of a prior email
- Hovering over links reveals a different domain from the real company
- Attachment has a new or different filename from the original
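The two red flags above that can be checked mechanically, links whose host differs from the original and an attachment with a changed filename, are what the following added example looks for; it is not code from this page. It assumes you still have the genuine message and the suspect one in raw form, and uses a constructed bank-statement notification with placeholder `.invalid` domains as sample input.

```python
# Added example (not from the page): diff a message you already received against
# a suspected clone, flagging the link hosts and attachment names the clone changed.
import re
from email import message_from_string, policy
from urllib.parse import urlparse

def link_hosts(msg):
    """Hostnames of every href in the message's HTML parts (regex is enough here)."""
    hosts = set()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            for href in re.findall(r'href="([^"]+)"', part.get_content()):
                hosts.add(urlparse(href).hostname)
    return hosts - {None}

def attachment_names(msg):
    """Filenames of every attachment part."""
    return {p.get_filename() for p in msg.iter_attachments()} - {None}

def compare_with_original(original_raw, suspect_raw):
    """List what the suspect changed relative to the original; empty means nothing."""
    orig = message_from_string(original_raw, policy=policy.default)
    susp = message_from_string(suspect_raw, policy=policy.default)
    findings = []
    for host in sorted(link_hosts(susp) - link_hosts(orig)):
        findings.append(f"link now points to {host}")
    for name in sorted(attachment_names(susp) - attachment_names(orig)):
        findings.append(f"attachment renamed to {name}")
    return findings

# Constructed sample: the genuine notification, then a clone built from it.
ORIGINAL = """\
From: billing@example-bank.invalid
Subject: Your statement is ready
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<p>View it <a href="https://example-bank.invalid/statements">here</a>.</p>
--b1
Content-Type: application/pdf
Content-Disposition: attachment; filename="statement.pdf"

%PDF-placeholder
--b1--
"""
CLONE = (ORIGINAL.replace("Subject: Your", "Subject: Resend: Your")
         .replace("example-bank.invalid/statements", "example-bank.invalid.login-check.invalid/verify")
         .replace("statement.pdf", "statement_updated.pdf"))
```

Comparing `ORIGINAL` with `CLONE` reports the lookalike host and the renamed attachment; comparing a message with itself reports nothing, which is the check a clone is designed to pass by eye but fails here.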
What to do now
- Hover over links to verify the destination before clicking
- Navigate to the service directly rather than through email links
- Report the email to the impersonated organisation's phishing address
- Mark as phishing in your email client to train spam filters
Frequently asked questions
How did the scammer get a copy of the original email?
Clone phishing often follows an account compromise: the attacker reads your mailbox and picks real messages to clone. It can also use publicly available email templates from well-known services.