Researchers at Vade Secure describe a type of phishing attack dubbed “clone phishing,” in which attackers follow up a legitimate email from a trusted sender with a replica, claiming that they forgot to include a link or attachment.
“Imagine receiving a legitimate email from a brand you know and trust,” the researchers write. “Later you receive the same email again, only this time the sender explains they forgot to include additional recipients or information. Without knowing the obvious signs of clone phishing, you trust the email as authentic and accept the sender’s reasoning without a second guess. After all, the email’s content and context give you no reason for suspicion. It turns out, however, that this second email isn’t legitimate, but a clone of the original message, intended to deceive you into clicking a malicious link or downloading a harmful attachment.”
In these attacks, the attackers have access to a compromised email account within the organization, and then use this access to send malicious emails to other employees.
“Hackers intercept an email from a trusted sender, replace links or attachments with malicious content, and then resend the email to the same recipients,” the researchers write. “To avoid suspicion, hackers justify the purpose of the duplicate message with a simple and believable reason. They also use common phishing techniques to give the appearance of legitimacy, including spoofing display names.”
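As an added illustration (not code from Vade Secure or KnowBe4), the following Python heuristic compares a follow-up message against the earlier message it claims to correct and flags the two signs described above: links or attachments that were not in the original, and a known display name paired with an address it does not normally use. The two messages and the trusted-sender table are constructed samples.

```python
import email
import re
from email import policy
from email.utils import parseaddr

URL_RE = re.compile(r"https?://[^\s<>\"']+")
PREFIX_RE = re.compile(r"^(\s*(re|fw|fwd)\s*:)+\s*", re.IGNORECASE)

def _norm_subject(msg) -> str:
    return PREFIX_RE.sub("", msg["Subject"] or "").strip().lower()

def _links(msg) -> set:
    body = msg.get_body(preferencelist=("plain", "html"))
    return set(URL_RE.findall(body.get_content())) if body else set()

def _attachments(msg) -> set:
    return {p.get_filename() for p in msg.iter_attachments() if p.get_filename()}

def clone_indicators(original_raw: str, followup_raw: str, trusted: dict) -> list:
    """Indicators that followup is a clone of original; trusted maps display name -> address."""
    orig = email.message_from_string(original_raw, policy=policy.default)
    follow = email.message_from_string(followup_raw, policy=policy.default)
    findings = []
    if _norm_subject(orig) != _norm_subject(follow):
        return findings  # different thread, not a replay of the earlier message
    new_links = _links(follow) - _links(orig)
    if new_links:
        findings.append("links not in original: " + ", ".join(sorted(new_links)))
    new_files = _attachments(follow) - _attachments(orig)
    if new_files:
        findings.append("attachments not in original: " + ", ".join(sorted(new_files)))
    name, addr = parseaddr(follow["From"])  # display name vs. actual address
    if name in trusted and addr.lower() != trusted[name].lower():
        findings.append(f"display name '{name}' used with unexpected address {addr}")
    return findings

# Constructed sample: the legitimate message and its "sent the wrong link" replay.
ORIGINAL = """From: Acme Billing <billing@acme.example>
Subject: March invoice

Your March invoice is ready: https://portal.acme.example/invoices/march
"""
CLONE = """From: Acme Billing <billing@acme-billing.example>
Subject: Re: March invoice

Apologies, I sent the wrong link earlier: https://portal.acme-billing.example/invoices/march
"""
TRUSTED = {"Acme Billing": "billing@acme.example"}  # constructed directory of known senders

if __name__ == "__main__":
    print("\n".join(clone_indicators(ORIGINAL, CLONE, TRUSTED)))
```

In practice the "original" would come from the mail store (the earlier message in the same thread), and a hit would route the follow-up for review rather than block it outright, since a genuine sender does sometimes resend with a corrected link.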
Vade concludes that a defense-in-depth strategy that combines technical defenses with employee awareness training is the best way to thwart phishing attacks.
“As with any cyberthreat, protecting against clone phishing starts with embracing a comprehensive cybersecurity strategy,” the researchers write. “This includes both technology that can safeguard against modern threats and best practices that can transform your users from a cybersecurity weakness into a strength.”
We created a Knowledge Base article that shows how KnowBe4 Customers can use the platform to mimic a clone phishing attack. New article here: https://support.knowbe4.com/hc/en-us/articles/11457524666387
New-school security awareness training can give your employees a healthy sense of suspicion by teaching them how to recognize social engineering tactics.
Vade Secure has the story.