Watch Out For This Tricky New Tactic Called Clone Phishing

Researchers at Vade Secure describe a type of phishing attack dubbed “clone phishing,” in which attackers follow up a legitimate email from a trusted sender with a replica, claiming that they forgot to include a link or attachment.

“Imagine receiving a legitimate email from a brand you know and trust,” the researchers write. “Later you receive the same email again, only this time the sender explains they forgot to include additional recipients or information. Without knowing the obvious signs of clone phishing, you trust the email as authentic and accept the sender’s reasoning without a second guess. After all, the email’s content and context give you no reason for suspicion. It turns out, however, that this second email isn’t legitimate, but a clone of the original message, intended to deceive you into clicking a malicious link or downloading a harmful attachment.”

To pull this off, the attackers need two things: a copy of a legitimate message and a way to resend it convincingly. Typically that means a compromised email account, whether inside the organization or belonging to a trusted external sender, from which the replica is sent to the same recipients as the original. Failing that, they spoof the display name so the follow-up appears to come from the original sender even though the underlying address differs.

“Hackers intercept an email from a trusted sender, replace links or attachments with malicious content, and then resend the email to the same recipients,” the researchers write. “To avoid suspicion, hackers justify the purpose of the duplicate message with a simple and believable reason. They also use common phishing techniques to give the appearance of legitimacy, including spoofing display names.”
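The description above reduces to a few checkable differences between the original message and its "clone": the display name stays the same while the sending address changes, links now point at a different host, and an attachment appears that the original never had. The script below is an added example (not Vade Secure's or KnowBe4's code) that compares a follow-up message against the original it claims to duplicate and reports those indicators. Both messages are constructed samples embedded inline; the domains, names and invoice number are invented.

```python
"""Flag clone-phishing indicators by diffing a follow-up message against the
original it claims to repeat. Added example with constructed sample messages;
the sender, domains and invoice number are invented, not from a real incident."""
import re
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample: the legitimate notice the victim received first.
ORIGINAL = """\
From: Acme Billing <billing@acme.example>
To: alice@corp.example
Subject: Invoice 4471 is ready
Content-Type: text/html; charset="utf-8"

<p>Your invoice is ready: <a href="https://billing.acme.example/inv/4471">View invoice</a></p>
"""

# Constructed sample: the "clone". Display name and wording are kept, but the
# sending address, the link host and a new attachment are the attacker's.
FOLLOW_UP = """\
From: Acme Billing <billing@acme-example.biz>
To: alice@corp.example
Subject: RE: Invoice 4471 is ready
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Apologies, I forgot to attach the invoice in my last email.</p>
<p>Your invoice is ready: <a href="https://billing.acme-example.biz/inv/4471">View invoice</a></p>
--b1
Content-Type: text/html; charset="utf-8"
Content-Disposition: attachment; filename="Invoice_4471.html"

<html><body>...</body></html>
--b1--
"""

HREF_RE = re.compile(r'href\s*=\s*["\']([^"\']+)["\']', re.I)


def parse(raw: str) -> EmailMessage:
    """Parse an RFC 5322 message with the modern email API."""
    return message_from_string(raw, policy=policy.default)


def sender(msg: EmailMessage):
    """Return (display name, address, address domain) from the From header."""
    name, addr = parseaddr(msg.get("From", ""))
    return name, addr.lower(), addr.rpartition("@")[2].lower()


def links(msg: EmailMessage) -> set:
    """All href targets in text/html body parts; attachments are skipped."""
    found = set()
    for part in msg.walk():
        if part.get_content_type() == "text/html" and not part.is_attachment():
            found.update(HREF_RE.findall(part.get_content()))
    return found


def attachments(msg: EmailMessage) -> set:
    """Filenames of every part marked as an attachment."""
    return {part.get_filename() for part in msg.walk() if part.is_attachment()}


def clone_indicators(original_raw: str, followup_raw: str) -> list:
    """Compare a follow-up with the message it claims to duplicate.

    Returns (indicator, detail) pairs; an empty list means none of these
    checks fired (a genuine resend from the same sender with the same links).
    """
    orig, follow = parse(original_raw), parse(followup_raw)
    findings = []

    o_name, o_addr, o_dom = sender(orig)
    f_name, f_addr, f_dom = sender(follow)
    # Same display name, different domain: the classic display-name spoof.
    if o_name == f_name and o_dom != f_dom:
        findings.append(("sender_domain_changed", f"{o_addr} -> {f_addr}"))

    # Links that were not in the original and point at a host it never used.
    orig_hosts = {urlparse(u).hostname for u in links(orig)}
    for url in sorted(links(follow) - links(orig)):
        if urlparse(url).hostname not in orig_hosts:
            findings.append(("link_host_changed", url))

    # Attachments the original did not carry.
    for name in sorted(attachments(follow) - attachments(orig)):
        findings.append(("new_attachment", name))
    return findings


if __name__ == "__main__":
    for indicator, detail in clone_indicators(ORIGINAL, FOLLOW_UP):
        print(f"{indicator}: {detail}")
```

The useful property is the negative case: a legitimate "sorry, forgot the attachment" resend from the same mailbox with the same links produces only a `new_attachment` finding, so the check separates an honest correction from a clone without relying on the wording of the excuse. In a mail gateway the original would come from the recipient's mailbox (matched on subject, sender and thread headers) rather than from a string literal.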

Vade concludes that a defense-in-depth strategy that combines technical defenses with employee awareness training is the best way to thwart phishing attacks, including this variant.

“As with any cyberthreat, protecting against clone phishing starts with embracing a comprehensive cybersecurity strategy,” the researchers write. “This includes both technology that can safeguard against modern threats and best practices that can transform your users from a cybersecurity weakness into a strength.”

We created a Knowledge Base article that shows how KnowBe4 customers can use the platform to simulate a clone phishing attack. New article here:

New-school security awareness training can give your employees a healthy sense of suspicion by teaching them how to recognize social engineering tactics.

Vade Secure has the story.

Free Phishing Security Test

Would your users fall for convincing phishing attacks? Take the first step now and find out before bad actors do. Plus, see how you stack up against your peers with phishing Industry Benchmarks. The Phish-prone percentage is usually higher than you expect and is great ammo to get budget.

Here's how it works:

  • Immediately start your test for up to 100 users (no need to talk to anyone)
  • Select from 20+ languages and customize the phishing test template based on your environment
  • Choose the landing page your users see after they click
  • Show users which red flags they missed, or a 404 page
  • Get a PDF emailed to you in 24 hours with your Phish-prone % and charts to share with management
  • See how your organization compares to others in your industry

Go Phishing Now!


Topics: Phishing
