What clone phishing actually is

Clone phishing is a phishing email built from an email you already received. The attacker copies a real message - an invoice, a shipment notification, a password reset, a calendar invite - subject line, body, logo, signature, threading all match. One element gets changed: the link points to a credential page, the PDF attachment carries malware, or the bank account number on the wire instructions has one digit different. The cloned message is then sent from a lookalike domain (acme-logistics.co versus acmelogistics.com), or, far more dangerously, from the original sender's compromised mailbox. Because it is a copy of a message you trusted, every pattern recognition shortcut in your brain says safe.

How the attacker gets the original

Cloning needs source material. Four routes get it, and three of the four do not involve compromising your own mailbox.

1. Compromised supplier or vendor mailbox

The most common route. A supplier's AR clerk hands over credentials to a generic phishing email. The attacker logs in, reads the sent folder, picks the highest-value customer, copies the most recent invoice verbatim, and sends the cloned version from that same mailbox. DKIM passes, DMARC passes, the From header is genuinely the real sender, and reply rules quietly route responses back to the attacker.

2. Email forwarding rules in your own account via AiTM

An adversary-in-the-middle kit captures your session cookie and silently installs an inbox rule that auto-forwards every email matching invoice, wire, or payment to an external address, then deletes the copy. The attacker watches your real conversations for weeks, then clones one. See how AiTM bypasses 2FA for the session-cookie theft mechanic.

3. Sender's email service breach

Mass breaches of email service providers, marketing platforms, and CRM tools leak years of stored messages. Every leaked invoice becomes a clone template, no mailbox compromise required.

4. Public sharing and forwarded chains

Invoices get forwarded into long threads, attached to support tickets, or accidentally posted on file-share links. One leaked PDF on a misconfigured bucket gives the attacker brand, layout, account format, project codes, and the exact phrasing of the supplier's payment terms.

The 4 most damaging clone phishing patterns

Four patterns drive the bulk of recorded losses.

Invoice clone with bank account swap

The headline B2B fraud. The attacker clones a real recurring invoice, changes the IBAN or routing number, and sends it from the compromised supplier mailbox. AP pays. The money lands in a mule account and is gone in 48 hours. FBI IC3 attributes the largest share of BEC losses to this exact pattern.

Shipping notification clone with malware attachment

The attacker clones a UPS, FedEx, DHL, or Amazon shipment notification you actually received last week. The tracking link is replaced with a redirector that drops a malicious ISO, HTML smuggling file, or password-protected ZIP. Verizon's 2026 DBIR ranks this a top-three initial-access vector for ransomware affiliates.

Calendar invite clone with replaced link

The original Teams or Google Meet invite is forwarded, the join link swapped for a credential-harvest page styled like the real meeting client. You join two minutes before the call, get prompted to sign in again, and the cloned page captures the password. This pattern surged in 2024 and 2025 alongside AiTM kits.

Internal HR or payroll clone

An HR mailbox gets compromised; attackers clone the W-2 distribution email or the direct-deposit-change reminder and send the tampered version to all employees. The IRS placed the W-2 variant on its Dirty Dozen list every year from 2022 through 2024.

Real verifiable cases

  • Operation Pacific Hawks (2020). The FBI and DOJ announced a multi-agency BEC takedown across dozens of cases, the majority involving cloned vendor invoices with swapped account numbers. Charging documents listed compromised supplier mailboxes as the primary initial access.
  • Mattel ($3M loss). Covered in our whaling and CEO wire transfer scam writeup. A finance executive wired $3 million to a Bank of China account after a routine-looking clone of a senior leader's prior wire instruction. The original was real; the clone rerouted the funds.
  • 2024 tax season W-2 clones. The IRS placed cloned payroll and W-2 emails on its 2024 Dirty Dozen list, citing a surge in HR-mailbox compromises distributing tampered direct-deposit-change forms during filing season.
  • Sustained 2025 growth. Proofpoint's 2026 State of the Phish reported supplier and vendor impersonation as the fastest-growing BEC subtype, median per-incident loss above $130,000.

Why clone phishing bypasses everything

The defense stack you bought assumes the email is novel. A clone is the opposite of novel - it is an email you already approved at least once.

  • DKIM and DMARC pass. A clone sent from the supplier's compromised mailbox authenticates against the supplier's real DKIM key. Authentication confirms the domain, not the honesty of the human at the keyboard.
  • Sender reputation passes. The supplier has emailed you for years. Their domain has top reputation in your gateway.
  • Visual style matches. The cloned email looks identical because it is identical, copy-pasted from the original.
  • The conversation thread is real. Attackers often hit Reply on the legitimate prior thread. Every threading-based trust cue says safe.
  • The relationship is real. You actually do owe this supplier money. The invoice amount matches the work performed. Only the destination of the wire is different.

The 3 verification rules for any high-stakes email

You will not catch a well-built clone by inspecting the email. You catch it by enforcing a process that does not trust the email.

  1. Bank account changes verify on a second channel, always. Any change of payment instructions - new IBAN, routing number, beneficiary, SWIFT, wallet address - requires a phone call to a contact number you had on file before this email arrived. Never the number in the email signature. Pre-existing contact only.
  2. Attachments from familiar senders still get scanned. Familiarity is not proof of safety. The mailbox you have known for five years may have been compromised this morning. Run the attachment through your email gateway sandbox or VirusTotal before opening.
  3. New attachments or links in an existing thread are a red flag. A thread that has been pure text for months suddenly carrying a PDF or link should be treated as if it came from a stranger. Threads get hijacked precisely because the trust cue is so strong.

Organizational defenses

Individual vigilance helps; the durable controls are organizational.

  • DMARC enforcement at p=reject. Most of your own domain spoofing risk disappears when DMARC is enforced.
  • Supplier change-of-account workflow. Any new banking detail triggers a documented callback to a verified contact, written confirmation on supplier letterhead, and two-person approval before the master vendor file gets updated.
  • Segregation of duties on wires over $10,000. The person who initiates is never the person who approves. Both verify the payee on the second channel. This single control would have prevented the Mattel loss and most published BEC cases.
  • Clone-phishing-specific training. Generic "do not click suspicious links" content does not transfer. Train against real cloned invoices, real lookalike domains beside real ones, real bank-account-swap examples.
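
The callback rule above (verification rule 1) and the change-of-account and segregation-of-duties bullets describe one control, so here is the whole thing written as checks. This is an added example, not SafeBrowz code or anything from the original article; the vendor record, the change request, the phone numbers, IBANs and staff names are all constructed, and the field names are assumptions about how an AP system might store them.

```python
"""Change-of-bank-account workflow as explicit checks (added example; all records constructed)."""
from dataclasses import dataclass
from datetime import datetime

WIRE_DUAL_CONTROL_THRESHOLD = 10_000  # two-person control on wires over $10,000


@dataclass(frozen=True)
class VendorRecord:
    vendor_id: str
    iban: str
    callback_phone: str            # the number in the vendor master file
    phone_on_file_since: datetime  # when that number was recorded


@dataclass(frozen=True)
class ChangeRequest:
    vendor_id: str
    new_iban: str
    received_at: datetime
    phone_in_request: str  # number printed in the (possibly cloned) email; never dialled
    initiated_by: str      # AP clerk who logged the request


@dataclass(frozen=True)
class Callback:
    phone_dialed: str
    performed_by: str
    performed_at: datetime
    vendor_confirmed: bool  # did the person on the file number confirm the change?


@dataclass(frozen=True)
class Approval:
    approved_by: str
    letterhead_confirmation: bool  # written confirmation on supplier letterhead received


def evaluate_change(vendor, request, callback, approval):
    """Return (approved, reasons); each reason is one control from the workflow that was not met."""
    reasons = []
    if request.vendor_id != vendor.vendor_id:
        reasons.append("request does not match vendor record")
    if vendor.phone_on_file_since >= request.received_at:
        reasons.append("callback number was not on file before the request arrived")
    if callback.phone_dialed != vendor.callback_phone:
        if callback.phone_dialed == request.phone_in_request:
            reasons.append("callback used the number supplied in the request itself")
        else:
            reasons.append("callback did not use the number on file")
    if callback.performed_at <= request.received_at:
        reasons.append("callback predates the request")
    if not callback.vendor_confirmed:
        reasons.append("vendor did not confirm the new account on the call")
    if not approval.letterhead_confirmation:
        reasons.append("no written confirmation on supplier letterhead")
    if approval.approved_by == request.initiated_by:
        reasons.append("initiator and approver are the same person")
    return (not reasons, reasons)


def wire_release_check(amount, initiator, approver):
    """Segregation of duties: above the threshold the approver must be a different person."""
    if amount > WIRE_DUAL_CONTROL_THRESHOLD and initiator == approver:
        return False, "wires over the threshold need a second, distinct approver"
    return True, ""


# Constructed scenario: a cloned invoice arrives with a swapped IBAN and a new "contact" number.
VENDOR = VendorRecord("V-1042", "DE89370400440532013000", "+49-30-555-0100", datetime(2021, 3, 1))
CLONED_REQUEST = ChangeRequest("V-1042", "GB33BUKB20201555555555",
                               datetime(2026, 2, 10, 9, 12), "+44-20-555-0199", "ap.clerk")
# Path 1: the clerk dials the number in the email; the attacker answers and "confirms".
BAD_CALLBACK = Callback("+44-20-555-0199", "ap.clerk", datetime(2026, 2, 10, 9, 40), True)
BAD_APPROVAL = Approval("ap.clerk", False)
# Path 2: the documented workflow; the real supplier on the file number denies any change.
GOOD_CALLBACK = Callback("+49-30-555-0100", "ap.clerk", datetime(2026, 2, 10, 10, 5), False)
# A genuine change, handled correctly, for comparison.
LEGIT_REQUEST = ChangeRequest("V-1042", "DE75512108001245126199",
                              datetime(2026, 3, 2, 8, 0), "+49-30-555-0100", "ap.clerk")
LEGIT_CALLBACK = Callback("+49-30-555-0100", "ap.clerk", datetime(2026, 3, 2, 9, 0), True)
LEGIT_APPROVAL = Approval("ap.manager", True)

if __name__ == "__main__":
    print(evaluate_change(VENDOR, CLONED_REQUEST, BAD_CALLBACK, BAD_APPROVAL))
    print(evaluate_change(VENDOR, CLONED_REQUEST, GOOD_CALLBACK, Approval("ap.manager", False)))
    print(evaluate_change(VENDOR, LEGIT_REQUEST, LEGIT_CALLBACK, LEGIT_APPROVAL))
    print(wire_release_check(25_000, "ap.clerk", "ap.clerk"))
```

The point of path 2 is that the clone is caught without anyone inspecting the email: the call goes to the number that was on file before the request existed, and the real supplier says no change was made.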

If you already paid an invoice to the wrong account

Speed is the only thing that matters. The FBI's Financial Fraud Kill Chain protocol gives your bank roughly 72 hours to recall an international wire before mule networks disperse it. Recovery rates for cases filed inside that window hover near 50% per IC3; outside it, they drop sharply.

  1. Call your bank's wire desk within the hour. Use the phrase "Financial Fraud Kill Chain." It escalates to recovery rather than dispute.
  2. File at ic3.gov the same day. The FBI Recovery Asset Team coordinates with receiving banks. Reports filed inside 72 hours sit on a faster queue.
  3. Notify the real supplier on a verified channel. Their mailbox may still be compromised. They need to reset credentials and warn their other customers.
  4. Loop in IT and security. Hunt for hidden inbox rules, foreign sign-ins, and OAuth grants. Treat the incident as a compromise of your AP workflow until proven otherwise.
  5. File the cyber-insurance claim. Most BEC policies require notification within 24 to 72 hours of discovery. Late filing voids coverage.

Where browser-layer defense fits

The cloned email itself often cannot be blocked - the sender authenticates, the content reads clean. The defense that holds up sits at the link destination. When a cloned invoice or shipment notification carries a phishing URL and the recipient clicks, a browser-layer scanner can check the destination against the impersonated brand and stop the page before any credentials are typed. SafeBrowz is a free Chrome, Firefox, and Edge extension that scans every URL before render, using a 550+ brand database, JavaScript signatures for credential-harvesting kits, and AI content analysis for fresh lookalikes. Pair the install with the second-channel verification workflow above - the extension catches the link, the workflow catches the bank-account swap. Install SafeBrowz free.

Frequently asked questions

How is clone phishing different from spear phishing?

Spear phishing is a new email written from scratch for one target. Clone phishing is a copy of an email the target already received, with one element changed. The two overlap inside BEC, and many investigations classify cloned vendor invoices as both.

If the email passes DKIM and DMARC, isn't it safe?

No. Authentication verifies that the sender's domain authorized the message, not that the human is honest. A compromised supplier mailbox sends fully authenticated mail. A lookalike domain sets up its own valid DKIM record and also passes. Verify the request on a second channel.
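
To make the DKIM/DMARC point concrete (this answer, the "DKIM and DMARC pass" bullet above, and the lookalike-domain case acme-logistics.co versus acmelogistics.com from the opening), here is an added example, not code from the article or from SafeBrowz, that parses an Authentication-Results header and reports what a pass actually establishes. The two headers are constructed, the vendor domain list is an assumed vendor-master extract, and the lookalike check is a simple confusable-aware edit distance on the first domain label (no public-suffix handling).

```python
"""What an Authentication-Results pass does and does not tell you (added example)."""
import re

KNOWN_SUPPLIER_DOMAINS = {"acmelogistics.com"}  # assumption: domains from the vendor master file

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.I)
FROM_RE = re.compile(r"header\.from=([^\s;]+)", re.I)
DKIM_D_RE = re.compile(r"header\.d=([^\s;]+)", re.I)
# Character pairs that look alike in common fonts (heuristic list)
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]

NOTES = {
    "known-supplier-authenticated":
        "Domain is the real supplier; authentication cannot rule out a compromised mailbox. "
        "Payment-detail changes still go through second-channel verification.",
    "lookalike-authenticated":
        "Authentication passes for the attacker's own domain, which resembles a known supplier.",
    "auth-failed": "DMARC did not pass; treat as unauthenticated.",
    "unknown-sender": "Authenticated, but not a known supplier domain.",
    "no-header-from": "No header.from in Authentication-Results; cannot assess.",
}


def parse_auth_results(header):
    """Unfold the header and pull out spf/dkim/dmarc results plus the evaluated domains."""
    text = " ".join(header.split())
    results = {m.group(1).lower(): m.group(2).lower() for m in AUTH_RE.finditer(text)}
    from_m, d_m = FROM_RE.search(text), DKIM_D_RE.search(text)
    return {
        "auth": results,
        "from_domain": from_m.group(1).lower() if from_m else None,
        "dkim_domain": d_m.group(1).lower() if d_m else None,
    }


def _brand(domain):
    """First label, lower-cased, punctuation stripped, confusables folded."""
    label = re.sub(r"[^a-z0-9]", "", domain.lower().split(".")[0])
    for src, dst in CONFUSABLES:
        label = label.replace(src, dst)
    return label


def levenshtein(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_distance(domain, known):
    return levenshtein(_brand(domain), _brand(known))


def closest_supplier(domain):
    best = min(KNOWN_SUPPLIER_DOMAINS, key=lambda k: lookalike_distance(domain, k))
    return best, lookalike_distance(domain, best)


def assess_sender(header):
    parsed = parse_auth_results(header)
    dom, auth = parsed["from_domain"], parsed["auth"]
    best, dist = None, None
    if dom is None:
        verdict = "no-header-from"
    elif auth.get("dmarc") != "pass":
        verdict = "auth-failed"
    elif dom in KNOWN_SUPPLIER_DOMAINS:
        verdict = "known-supplier-authenticated"
    else:
        best, dist = closest_supplier(dom)
        verdict = "lookalike-authenticated" if dist <= 1 else "unknown-sender"
    parsed.update(verdict=verdict, closest_supplier=best, distance=dist, note=NOTES[verdict])
    return parsed


# Constructed headers: a lookalike domain with its own valid DKIM, and the real supplier.
LOOKALIKE_HEADER = """Authentication-Results: mx.acmelogistics.com;
 spf=pass smtp.mailfrom=acme-logistics.co;
 dkim=pass header.d=acme-logistics.co header.s=sel1;
 dmarc=pass (p=reject) header.from=acme-logistics.co"""
LEGIT_HEADER = """Authentication-Results: mx.acmelogistics.com;
 spf=pass smtp.mailfrom=acmelogistics.com;
 dkim=pass header.d=acmelogistics.com header.s=s2;
 dmarc=pass (p=reject) header.from=acmelogistics.com"""

if __name__ == "__main__":
    for h in (LOOKALIKE_HEADER, LEGIT_HEADER):
        r = assess_sender(h)
        print(r["from_domain"], r["verdict"], "-", r["note"])
```

Both headers show spf, dkim and dmarc all passing. The difference the code surfaces is which domain they pass for, and in the legitimate case the verdict still ends with the same instruction the article gives: the mailbox may be compromised, so verify the request on a second channel.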

How can I tell if my mailbox has been compromised for clone-phishing prep?

Check inbox rules. The most common trick is an auto-forward rule on keywords like invoice, wire, or payment that ships matching emails to an external address and deletes the copy. In Outlook check Settings, Mail, Rules. In Gmail check Settings, Filters and Blocked Addresses. Anything you did not create is a red flag.
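
The manual check above, the AiTM forwarding-rule route described earlier, and the "hunt for hidden inbox rules" step of the incident checklist all come down to the same review, so here is that review as code. This is an added example, not tooling from the article or from SafeBrowz. It assumes you have exported your inbox rules into a list of dicts; the field names are modelled on those of Exchange Online's Get-InboxRule output, the rules themselves are constructed, and the keyword list, hiding-folder list and severity thresholds are heuristics.

```python
"""Flag inbox rules that look like clone-phishing preparation (added example; rules constructed)."""
from dataclasses import dataclass, field

INTERNAL_DOMAINS = {"acmelogistics.com"}  # assumption: the organisation's own domains
FINANCE_KEYWORDS = {"invoice", "wire", "payment", "remittance", "iban", "swift", "ach", "bank"}
# Folders a forwarded-and-hidden copy is often parked in so the owner never notices (heuristic)
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history",
                  "archive", "deleted items", "junk email"}
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


@dataclass
class Finding:
    rule: str
    severity: str
    reasons: list = field(default_factory=list)


def _domain(address):
    return address.rsplit("@", 1)[-1].lower()


def external_targets(rule):
    """Forward/redirect destinations outside the organisation's domains."""
    targets = []
    for key in ("ForwardTo", "RedirectTo", "ForwardAsAttachmentTo"):
        targets.extend(rule.get(key) or [])
    return [t for t in targets if _domain(t) not in INTERNAL_DOMAINS]


def finance_keywords(rule):
    """Finance-related words the rule matches on, in subject or body conditions."""
    words = set()
    for key in ("SubjectContainsWords", "BodyContainsWords", "SubjectOrBodyContainsWords"):
        words.update(w.lower() for w in (rule.get(key) or []))
    return sorted(words & FINANCE_KEYWORDS)


def assess_rule(rule):
    """Return a Finding for a suspicious rule, or None if nothing stands out."""
    reasons = []
    ext = external_targets(rule)
    kw = finance_keywords(rule)
    hides = bool(rule.get("DeleteMessage")) or \
        (rule.get("MoveToFolder") or "").lower() in HIDING_FOLDERS
    name = (rule.get("Name") or "").strip()
    if ext:
        reasons.append("forwards or redirects to external address(es): " + ", ".join(ext))
    if kw:
        reasons.append("matches finance keywords: " + ", ".join(kw))
    if hides:
        reasons.append("deletes or hides the original copy")
    if len(name) <= 1:
        reasons.append("empty or single-character rule name")
    if not reasons:
        return None
    if ext and (kw or hides):
        severity = "high"     # the classic AiTM follow-up rule
    elif ext or (kw and hides):
        severity = "medium"   # external forward alone, or finance mail quietly hidden locally
    else:
        severity = "low"
    return Finding(name or "<unnamed>", severity, reasons)


def audit_rules(rules):
    findings = [f for f in (assess_rule(r) for r in rules) if f is not None]
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f.severity])


# Constructed export: one attacker rule, one hiding rule, two benign rules.
SAMPLE_RULES = [
    {"Name": ".", "Enabled": True,
     "SubjectOrBodyContainsWords": ["invoice", "wire", "payment"],
     "ForwardTo": ["ap.archive@mail-storage-example.net"], "DeleteMessage": True},
    {"Name": "Newsletters", "Enabled": True,
     "FromAddressContainsWords": ["newsletter"], "MoveToFolder": "Newsletters"},
    {"Name": "Boss", "Enabled": True,
     "FromAddressContainsWords": ["cfo@acmelogistics.com"], "RedirectTo": ["me@acmelogistics.com"]},
    {"Name": ",", "Enabled": True,
     "SubjectContainsWords": ["remittance"], "MoveToFolder": "RSS Subscriptions"},
]

if __name__ == "__main__":
    for f in audit_rules(SAMPLE_RULES):
        print(f"[{f.severity}] rule {f.rule!r}: " + "; ".join(f.reasons))
```

Run it against a real export and every finding is a rule to account for; anything the mailbox owner did not create themselves should be treated as the "red flag" the answer above describes and handed to the incident checklist.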

What is the single best control against invoice clone phishing?

Mandatory callback verification on any change to a supplier's banking details, using a phone number you had on file before the request arrived. Not the number in the email. Pre-existing contact only. This blocks the bank-account-swap pattern that drives most BEC losses per FBI IC3.

I paid a cloned invoice three days ago. Is recovery still possible?

Possibly. Recovery rates drop sharply after 72 hours, but domestic wires can sometimes be recalled later if funds have not moved through mule accounts. Call your bank's wire desk and file at ic3.gov today regardless.

Does cyber insurance cover BEC losses from clone phishing?

Most policies cover BEC under a Social Engineering Fraud rider, but only if the insured followed required callback-verification procedures. Many denied claims trace to AP staff who skipped the callback. Read your policy carefully and file the claim the same day as the IC3 report.

Bottom line: Clone phishing wins because it copies an email you already approved. DKIM, DMARC, sender reputation, and thread context all confirm the wrong thing - that the message authenticates - not the right thing, which is that the request is honest. Build second-channel verification into the AP workflow in writing, train against real cloned-invoice examples, and put SafeBrowz on every browser as the backstop for the link that slips past.