At this point, you’ve probably heard of phishing attacks. In fact, you’ve maybe even heard of the dozens of phishing offshoots that scammers keep coming up with. Scammers are a lot of things (pretty much all bad), but they do seem to have a knack for coming up with creative ways of stealing people’s money and information. One variant that is especially hard to spot, because it reuses a company’s own emails against you, is known as “clone phishing.”
Since the best way to avoid getting scammed is to know what the scammers are doing, we’ll be going over what clone phishing is, how it works, how it differs from other phishing, and how you can recognize and protect yourself from a clone phishing attempt.
Let’s get into it.
What is Clone Phishing?
For those who would like a quick refresh, phishing is a common cyber-attack that tricks victims into giving up sensitive information (often via some type of impersonation). There are all sorts of specific types of phishing (we’ll touch on the main ones later), but the one we’re focusing on here, because it is so convincing, is clone phishing.
Clone phishing is an email-based scam that takes a legitimate email from a business, makes a near-exact copy (clones it), replaces the links and attachments with malicious ones, and then sends it out while pretending to be the original company. Often the clone is dressed up as a “resend” or “updated” version of an email you already received, which gives the scammer an excuse for why the links are different this time.
Because these emails look exactly like the legitimate emails you receive from a certain company, scammers are banking on you not taking a second look at who actually sent the email. The display name can be set to anything, so what matters is the address itself, which is often a close-but-not-quite-right variation of the company’s real domain. (If the company hasn’t locked down its domain with email authentication such as SPF and DMARC, a scammer can sometimes forge the exact real address, so the links are worth checking even when the sender looks perfect.)
How Does Clone Phishing Work?
Clone phishing works by tricking people into thinking they’re interacting with a familiar email from a trusted company. The process of clone phishing goes as follows:
- Scammers select a mass email that people are likely to interact with (such as a limited-time sale from a popular online retailer). They might also choose something like a tracking email, which might work on somebody who recently ordered something and is expecting tracking information.
- The scammers then swap out all of the links and any attachments with some malicious alternative. It could be a direct malware download, but it is more often a link to a fake version of the website victims are expecting to land on, built to harvest whatever they type in.
- Once the changes have been made, the scammers send out their cloned version en masse, using a sender address and display name that look very similar to the actual company email.
- Then, all they have to do is wait for people to accidentally download malware, or enter their credit card information (or other private information) into a website the victim thinks is legitimate.
And just like that, the scammers have access to your important information.

Clone Phishing vs. Other Types of Phishing
Because most phishing scams have the same basic underlying principles, it’s worth taking a look at how clone phishing varies from other popular phishing scams.
Spear Phishing
While clone phishing targets a large group of people within a specific audience (such as customers of a specific online retailer), spear phishing is targeted at specific individuals that scammers believe have more valuable information. These attacks require much more work, as messages and interactions need to be tailored to win a specific person’s trust.
Whaling
Whaling is essentially the same as spear phishing, but is used to refer to phishing attacks that specifically target C-suite executives.
Vishing
While Clone Phishing is an email-based phishing attack, vishing is a voice-based phishing attack (voice + phishing = vishing). Vishing is conducted by calling potential victims in an attempt to get them to reveal private information. This often takes the form of scammers pretending to be from the bank in order to trick you into giving them your financial information.
Smishing
Because email phishing has been around so long, email providers have gotten fairly good at filtering out known phishing attempts, and the sender checks that exist for email (SPF, DKIM, DMARC) don’t exist for text messages. That’s one reason scammers have increasingly added smishing to their toolkit. Smishing (SMS + phishing) is a phishing attempt conducted via text messages (SMS), where a link usually shows up as a shortened URL you can’t inspect before tapping.

How to Spot a Clone Phishing Attempt
Because clone phishing involves exact copies of legitimate emails, it’s hard to point to common words or phrases that suggest an email is actually a clone phishing attempt. Instead, you’ll have to look for a few more detail-based signs that the email you just received is actually from a scammer.
Take a Close Look at the Sender’s Email Address
One of the quickest and most effective ways to spot a phishing attempt is by taking a closer look at the sender’s actual email address, not just the display name, which anyone can set to “Amazon Customer Service.” The address is often close to, but not the same as, the legitimate sender’s address. For example, they might use “cust0merservice@amz0n.co” instead of “customerservice@amazon.com,” the address might end in “.co” instead of “.com,” letters might be swapped for look-alike digits (a zero for an “o”), or the real brand name might appear as part of a longer domain the company doesn’t own (something like “amazon.com-support.example.net”). The part that matters is what comes right before the final dot and ending: that is the domain the email really came from.
Pay Attention to the URL Any Links Take You To
Like with the sender’s email address, pay attention to the URL any link actually points to, not the text you can see. On a computer, hover your mouse over each link before clicking it and the real destination shows up in the status bar (usually the bottom corner of the browser or mail client window); on a phone, press and hold the link to preview it. Again, these destinations are usually similar to the legit URL but differ in small ways: a different ending (“.co” or “.io” instead of “.com”), a swapped letter, or the brand name tucked in front of a domain that isn’t the company’s. If you’re unsure, skip the link entirely and type the company’s address into your browser yourself.
Don’t Be Fooled by “Urgent” Requests
Scammers know that the quicker you act, the less likely you’ll be to notice red flags. That’s why clone phishing scammers often use urgent-sounding emails, or even alter emails to use more urgent-sounding language. Any email that is pushing you to “Act Now!” should immediately get you into suspicion mode. It could be that your favorite brand really is having a super time-sensitive sale on your favorite product, but it’s more likely that scammers are trying to get you to slip up.
Your Password Manager Isn’t Fooled
With all the different accounts and logins that are required nowadays, lots of people use password managers. Not only do these services conveniently autofill your login information on websites, but they also won’t be tricked by a fake domain: they only offer your saved password on the exact site it was saved for, and a page that merely looks identical on a different domain gets nothing. If you notice your username and password aren’t being auto-filled on a site where they normally are, stop and make sure you are where you think you are.
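The three checks above (the sender’s real domain, the domain a link actually points to, and the exact-domain match a password manager relies on) can be written down as code. The following is an added example, not code from the original article: it pulls the domain out of a From header and out of a link URL, then flags the tricks described above: a swapped ending like “amazon.co”, a look-alike spelling like “amz0n.co”, and the real brand used as a subdomain of someone else’s domain. The allow-list of trusted domains, the homoglyph table, the simplified public-suffix rule and the sample message are all constructed for illustration.

```python
"""Lookalike-domain checks for a sender address and a link URL.

Added example, not code from the original article. The allow-list, the
homoglyph table and the sample message below are constructed for
illustration.
"""
import re
from urllib.parse import urlparse

# Constructed allow-list: the domains the real brand sends from and links to.
TRUSTED_DOMAINS = {"amazon.com", "amazon.co.uk"}

# Single-character substitutions scammers use to imitate a brand name.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "4": "a"})
# Two-letter sequences that read like one letter in many fonts.
MULTIGLYPHS = [("rn", "m"), ("vv", "w"), ("cl", "d")]

# Simplified public-suffix rule: treat 'co.uk'-style second levels as part
# of the suffix. Real code should use the Public Suffix List instead.
SECOND_LEVEL = {"co", "com", "org", "net", "ac", "gov"}


def registrable_domain(host):
    """Brand-level domain of a host, e.g. 'track.amazon.co.uk' ->
    'amazon.co.uk' and 'x.amz0n.co' -> 'amz0n.co'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and labels[-2] in SECOND_LEVEL and len(labels[-1]) == 2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def sender_host(from_header):
    """Host part of a From header such as '"Amazon" <cust0merservice@amz0n.co>'.
    The display name is ignored on purpose: a sender can set it to anything."""
    m = re.search(r"<([^>]+)>", from_header)
    addr = m.group(1) if m else from_header.strip()
    return addr.rsplit("@", 1)[-1].lower()


def link_host(url):
    """Host part of a URL; the visible link text is not consulted at all."""
    return (urlparse(url).hostname or "").lower()


def normalize(label):
    """Undo the common lookalike substitutions in one DNS label."""
    label = label.translate(HOMOGLYPHS)
    for seq, letter in MULTIGLYPHS:
        label = label.replace(seq, letter)
    return label


def edit_distance(a, b):
    """Levenshtein distance; catches one dropped, added or swapped letter."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess(host, trusted=TRUSTED_DOMAINS):
    """Classify a host as 'trusted', 'lookalike' or 'unrelated'.

    'trusted' is the same exact-domain test a password manager applies
    before autofilling. 'lookalike' covers a swapped ending (amazon.co),
    a substituted or dropped letter (amz0n.co), and the real brand name
    used as a subdomain of an attacker's domain."""
    domain = registrable_domain(host)
    if domain in trusted:
        return "trusted"
    brands = {t.split(".")[0] for t in trusted}
    # Brand name appearing anywhere left of the real registrable domain.
    if any(label in brands for label in host.split(".")[:-1]):
        return "lookalike"
    candidate = normalize(domain.split(".")[0])
    if any(edit_distance(candidate, b) <= 1 for b in brands):
        return "lookalike"
    return "unrelated"


def check_message(from_header, urls):
    """Run both checks over one message and return the verdicts."""
    return {
        "sender": assess(sender_host(from_header)),
        "links": {u: assess(link_host(u)) for u in urls},
    }


if __name__ == "__main__":
    # Constructed sample: a cloned shipping notice with a lookalike sender,
    # one untouched link and one swapped link.
    sample_from = '"Amazon.com" <cust0merservice@amz0n.co>'
    sample_links = [
        "https://www.amazon.com/gp/css/order-history",
        "https://www.amazon.com.example-tracking.net/track?id=12345",
    ]
    for key, verdict in check_message(sample_from, sample_links).items():
        print(key, verdict)
```

Two things are worth noticing in the design. First, neither the display name nor the visible link text is ever consulted, because both are attacker-controlled; only the host part of the address and of the URL’s `href` count. Second, the real brand name showing up anywhere left of the actual registrable domain is treated as a red flag rather than a reassurance, which is exactly the subdomain trick a human eye tends to read the wrong way.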
Stay Safe
Phishing attempts are sadly not likely to go away anytime soon. In fact, it’s almost certain that more varieties of crafty tricks will pop up in an attempt to gain access to your private information. The benefit you have is not only knowing about phishing, and thus being more aware, but also the fact that by being informed, you’re more likely to naturally catch any phishing, smishing, vishing, whatever-else-ing attack. Remember that a clone phishing email is designed to look like it comes from a sender you already know, so “don’t click links from strangers” isn’t enough on its own. When an email asks you to log in, pay, or download something, go to the site by typing its address or using your own bookmark instead of the email’s link, check that the sender’s actual address matches the company’s real domain, turn on multi-factor authentication wherever it’s offered, and always err on the side of caution when it comes to entering sensitive data.
Cyrus Grant is a writer from Southern California with a background in law and dispute resolution. When he isn’t writing he can be found deep-diving into the latest technology trends or simply spending time at the beach.