What is
clone phishing?

  • Clone phishing copies real emails to make scams harder to spot.

  • Attackers often change the link, attachment, or reply address.

  • These scams can steal passwords, payments, or account access.

  • Careful checks and Mac security tools can reduce the risk.

What is clone phishing?

Clone phishing is a type of phishing attack where scammers copy a real or familiar-looking email and send a changed version with a fake link, malicious attachment, or altered reply address. The email usually looks almost identical to the original, making it seem trustworthy at first glance.

Because the message appears familiar and often comes from someone or a company you recognize, it's easier to believe it's legitimate. If you click the link, open the attachment, or follow the instructions, you could end up installing malware, giving away personal information, or handing over your login details.

Cloned brand emails

Scammers copy emails from well-known brands, then change the link so it leads to a fake login, payment, or account-verification page.

Cloned work emails

A copied work message may look like an updated file, missed attachment, or resent instruction from someone the recipient already knows.

Cloned invoice emails

Attackers may copy a real billing format and replace the payment link or banking details with their own.

Cloned file alerts

An email asking you to open a shared file or document may take you to a fake website or download malware onto your Mac instead of opening the file.

How does clone phishing work?

Clone phishing works because it makes a scam email look like a real message you recognize. Instead of creating a brand-new message from scratch, the scammer copies a real or familiar-looking email and changes the part that tricks you into clicking.

01

A real or familiar email is copied

The attacker starts with a message that you already recognize, such as a receipt, invoice, document share, delivery update, or account alert.

02

A risky change is made

They replace the original link, attachment, or reply address with one that leads to a fake website, downloads malware, or sends your reply to them.

03

The email is resent

The attacker resends the copied email, often with a message saying there's an updated file, a corrected version, or a new link you should use.

04

The person trusts it

The email looks familiar, so you may click the link or open the attachment without realizing anything has changed.

05

The scam succeeds

If you follow the instructions, the attacker may steal your password, collect your payment details, install malware on your Mac, or gain access to your account.

How does clone phishing show up in real-world attacks?

Clone phishing often overlaps with brand impersonation, fake login pages, invoice fraud, and account takeover. The examples below show how attackers copy familiar email formats or trusted business messages, even when the public reports do not always label the incident as clone phishing.

DocuSign-style invoice and signing scams

Scammers often copy the look of DocuSign emails to make fake signing requests, invoices, or document alerts seem official. These messages may lead to a fake page, ask for payment details, or include an unsafe attachment. DocuSign has warned users about fake invoice phishing scams and says signing-request emails do not ask users to open Office documents or ZIP files.

Microsoft 365 fake login lures

Attackers often copy Microsoft 365-style emails, such as Teams notifications, voicemail alerts, shared documents, or file-sharing requests. Because people receive these messages often, they can look routine. The link may lead to a fake Microsoft login page designed to steal the username and password instead.

Google Docs phishing attack

In 2017, Google users received emails that appeared to invite them to open a shared Google Doc. The link led to a fake Google Docs app that asked for account permissions, giving attackers access to the victim's Gmail account and helping the scam spread to more people. This was not a pure clone phishing case, but it shows how attackers use familiar file-sharing emails to make malicious links look routine.

What are the risks and
impacts of clone phishing?

Clone phishing can affect both accounts and devices. The damage depends on what the cloned email is trying to make the person do.

Stolen passwords

A cloned email may lead to a fake login page that captures the username and password for an email, banking, cloud, or work account.

Account takeover

If an attacker gets into your account, they can read your private information, change your password, lock you out, or use your account to scam other people.

Malware infection

Opening a fake attachment or clicking a harmful download link can install malware on your Mac that steals your information, spies on what you do, or damages your files.

Payment fraud

A cloned invoice or payment request can trick you into sending money to the scammer or entering your payment details on a fake website instead of the real one.

Who is most at risk
from clone phishing?

Anyone can receive a cloned email, but some people are more likely to act on one because of the type or volume of messages they receive and the work they do.

How can you protect yourself from clone phishing?

The best way to avoid clone phishing is to slow down before you click a link, open an attachment, sign in, or make a payment, especially if the email looks like one you've already received.

Check the sender carefully

Don't rely on the display name alone. Check the full email address, reply-to address, and the domain for anything that looks unusual or misspelled.

Be careful with updated emails

If a familiar email suddenly includes a new link, different attachment, or asks you to use an updated version, take a moment to make sure the change is genuine.

Preview links first

Move your mouse over a link to see where it really goes, or press and hold the link on your phone to preview the destination before opening it.

Verify unusual requests separately

If an email asks you to sign in, pay an invoice, or open a file you weren't expecting, contact the sender using a trusted phone number or website to confirm it's real.

Scan suspicious downloads

If you download a file or app from an email, scan it with trusted Mac security software before opening it to help catch malware that may have slipped through.

How Intego helps protect your Mac after risky clicks

Clone phishing is mainly an email and account-trust problem, but it can still put your Mac at risk if the cloned message leads to a malicious attachment, fake installer, or unsafe download. Intego Antivirus for Mac helps detect known threats and gives you another layer of protection if a suspicious email leads to a dangerous file.

Mac malware detection

Helps detect known Mac malware that may arrive through unsafe attachments, fake updates, or malicious downloads.

Download scanning

Intego checks downloaded files for known malware before you open them, helping you avoid installing something harmful by mistake.

Real-time protection

Intego keeps checking your Mac as you use it, helping catch known threats before they have a chance to do damage.

Post-click support

If you clicked a suspicious link or downloaded a file, you can run an Intego scan to check whether anything harmful made its way onto your Mac.

Frequently asked questions

Intego

Trusted. Proven. Powerful.

Driven by innovation for over 25 years, Intego has provided advanced cybersecurity solutions built to protect what matters most — your data, your privacy, and your devices.

With award-winning antivirus, firewall, VPN, and system optimization tools, Intego combines powerful defense with the simplicity and reliability Mac and PC users expect.

Money Back Guarantee Image

Get total protection and peak performance for your computer