What is clone phishing and how to detect it?

clone phishing

Last modified on December 12th, 2023

In 2016, Crelan Bank in Belgium became the victim of a clone phishing scam that cost them around $75 million. A version of business email compromise, the scammer targeted employees to transfer funds into an account controlled by the criminal. Read on to find out all there is to know about clone phishing.

Trustpair can block the financial effects of clone phishing attacks thanks to ongoing account validation. Suspect transactions are flagged and can be blocked even if the attacker has the passwords and means to transfer money to their account. Request a demo to learn more!

New call-to-action

Clone phishing: how does it work?

Clone phishing is an impersonation scam using fake emails, websites, etc. The perpetrator sends malicious emails and messages, very similar to those from a legitimate account or person. Often, the email is based on a previously intercepted email or data that users will replicate. Via this message, the scammers want to gain the victim’s trust. They want the target to take action by clicking a link to a fake website, downloading malware, investing in a business, or sending money.

This can be done over email or text. Sometimes, it could be over social media and websites can be copied too. With clone phishing, it can be very hard to detect the differences between a cloned email and a legitimate email. That’s why it’s especially important to raise awareness among company employees: anyone can be targeted by attackers and be the source of a data breach without realizing it.


Clone phishing: the red flags

Grammar errors

Be wary of emails that are plagued with errors – this is a red flag of malicious clone phishing emails. One sign may be spelling errors. The scammer may not be a native speaker and might not have access to a system to check the grammar of their message.

Also, if the sender is supposed to be from a reputable business, they would be unlikely to send an email littered with errors. If when you read an email it just doesn’t sound quite right, then it might be just that: not right.

However, these days, scammers are getting more sophisticated when it comes to cloned emails and phishing messages (read more about how to spot a phishing email here) They have access to AI-generated tools and create malicious messages that are almost undetectable without the right security software. Scam emails littered with errors and full of poor-quality content aren’t the standard anymore.


The cybercriminal’s aim is for the victim to feel rushed: this is also used for other scams like CEO fraud. Be cautious. Often, scammers describe a situation that needs immediate action. The reason is that if the attackers can stop you from thinking rationally, you are more likely to fall into the trap of a scam.
If you wonder why is clone phishing effective’? This is one of the reasons.

Email warning

Upon opening some emails, you may recall finding a warning about the legitimacy of the email and or sender. This type of message is usually sent by the security tools and firewalls in place. Don’t just ignore these, take a look and read the domain to ensure the sender is legitimate and not malicious. As Google Mail’s notification says, avoid clicking on links, downloading items, or giving personal information if you suspect the email has been cloned.

Bad image quality

Let’s say a scammer is impersonating a CEO in an email and uses a company logo at the end of the email. If this logo is poor quality, distorted, or doesn’t look like the original, raise your suspicions: it might be a malicious email. Sometimes it can just be that it hasn’t loaded properly. But in other cases, it is a fraud image that has been cloned. Therefore, it isn’t the high-quality version you would expect from an established business and any links should not be clicked on.

Overall the same goes for any email or text message: established organizations wouldn’t send anything that could impact their company image or reputation.


Examples of clone phishing schemes

Sacramento County

Five Sacramento County employees were victims of phishing in June 2021. They received emails with a link to a malicious domain run by cybercriminals. The workers provided their login credentials (usernames and passwords) on the false login page.

Unfortunately, the attackers were successful and there was a data breach. The health records of 2,096 people were exposed and the personal identification information of 816 people. The clone phishing attack came to light five months later following an internal audit of the company users email inboxes.

Crelan Bank

This clone phishing attack cost the bank approximately $75.8 million. The phisher compromised the CEO’s account and told staff to transfer money into an account that they had control of. The clone phishing scam was discovered following an internal audit. With luck, the organization could absorb the loss thanks to its internal reserves. However, the scammers were never caught.


A final clone phishing example involved FACC. The Austrian manufacturer of aircraft components also fell victim to a clone phishing attack in the form of a business email compromise. In 2015, the company had a phisher pretend to be the CEO. The scammer, posing as the CEO, told an accounting employee to send $61 million to an account run by the attacker.

In attacks like these. This is where the cloning comes in.
This is an example of one of the forms of spear phishing – whaling phishing. Whaling- is targeted at organization’s leaders such as chief executive officers like in this example or chief financial officers.

It is often mistaken for spear phishing. When looking at clone phishing vs spear phishing, the main difference is that the latter surrounds attackers targeting high-profile people in a company, like executives or managers. This is also known as executive phishing.

Invoice fraud attack

An example of a clone phishing attack is how it was used to commit invoice fraud. A perpetrator got access to the email addresses of five different vendors and attacked 15 individuals over five customer companies.

Once they had access to the emails, the cybercriminal sent email messages asking to switch outstanding and further invoices to a different account. The cloning comes in as the message included content and words that they would commonly use in original emails with vendors. Also, the attacker used a legitimate domain as the emails were sent from the respective vendor accounts.

Learn more about types of payment fraud in our latest fraud report!

fraud study us

How to prevent clone phishing

Use your instinct

Take a minute to think about it if you notice something suspicious in the way words are used or spelled or if you are being rushed. If your gut is telling you that something is fake or dodgy, reassess the email or text. You can always contact your bank or IT department to see if it is legitimate.

Invest in cybersecurity

Putting email security in place is a great anti-phishing method and will help you put a stop to fake emails. Get a system that stops fraudulent and phishing emails from hitting the inbox. Your employees will appreciate the company investing in the tools to help prevent some clone phishing scams from occurring.

Educate and train

Security awareness is vital in a business. Educate employees about the latest phishing scams and offer awareness training so they know what to look out for. Advise on the best practices to take when receiving emails that may be scams so there is a unified approach across the company.

Don’t ignore email warnings

Email warnings are a good indicator that there could be something suspicious about the email. Sometimes it can be false. However, if you get a warning, take a good look at the content, the sender, and the intention before taking more action.

Explore fraud detection and prevention solutions

Another anti-clone phishing method is to explore ways to prevent the effects of fraud. These solutions will help add security to your business thanks to preventive and detective controls. Working with a platform like Trustpair means the financial implications of clone phishing will be blocked. Trustpair’s services flag suspect transactions and the transaction can be blocked too. This is the case even if the attacker has the correct password and installs malware.

Even if a fake email – with its malicious links and dodgy designs – makes it through staff scrutiny and if a scammer obtains a bank account password, the transaction will be blocked and sensitive data protected. On top of that, user experience is always a key focus: we provide dashboards, workflows, live warnings, and smooth design.

Clone phishing is a dangerous method of fraud that can strip companies of millions of pounds. Be wary of the red flags such as poor grammar and urgency. To prevent it, use your instinct, explore fraud detection solutions, and get training staff about it. Trustpair can block the financial impacts of clone phishing if you fall victim to it.


A famous example of phishing involves Crelan Bank. The bank in Brussels, Belgium, was the victim of a phishing attack that cost them more than $75 million. The cyberattacker compromised the account of an executive and directed staff to send money into an account that the scammers controlled.

Trustpair blocks the financial effects of clone phishing attacks. This is done by the platform flagging and blocking transactions. It can block the financial effects even if attackers steal passwords and try to transfer money to their own accounts. It adds a layer of security against all cyber-attacks and protects sensitive vendor data. Even if company employees don’t spot fake addresses, dodgy links, or designs, you’ll still be protected from attackers and any data breach will be avoided.

Our anti-fraud software offers many benefits. Indeed, users also have access to extensive fraud analytics dashboards and customized workflows. Our services also include specialized customer support and the user experience is smooth.

Manage the risks related to corporate treasury.

Receive our latest news

Subscribe to the Trustpair Newsletter and receive advice every week…
Thanks ! Your subscription to the Trustpair newsletter has been taken into account.

        By clicking on “Subscribe”, you agree to receive the Trustpair newsletter to be informed of news or important information about our services. By subscribing, you agree to our Privacy Policy.

Related Articles