What Are Clone Phishing, Spear Phishing & Whaling?

Robert MacDonald

Clone phishing is a dangerous attack that can easily make it into any of your employees’ inboxes. So what can you do to protect against it?

What is clone phishing? Clone phishing is a type of phishing attack that replicates a legitimate-looking email to entice the reader to click the link or open the attachment to allow the hacker to gain access to their account.

What Are the Different Types of Phishing?

“Phishing” is a cyberattack where the attacker uses fake communications to deceive individuals into providing information or access. The most common form of phishing is through email. Still, modern innovations in communication technology have seen a parallel expansion of phishing into areas like phone calls, video call software, and SMS texting. 

We often like to see ourselves as well-educated and aware digital natives. However, the reality is that with the right combination of tools, lies, and luck, an attacker can fool a significant number of people and reap huge rewards. Phishing is so successful that a Cisco study reported that for 86% of respondents, at least one person in their organization had clicked a link in a malicious email. 

And it only takes one click to expose an entire system.

Phishing attacks revolve around a standard set of tactics, and as such, there are a few primary forms of phishing that transcend technology:

  • Traditional Phishing: Traditional mass-communication phishing involves the attacker creating a fake message (typically an email) to fool users into providing authentication credentials or clicking links that steal that information.

These attacks are often the crudest form of phishing and target hundreds or thousands of users—which means that even with a success rate of 1% or less, they still end up with something to show for it. 

  • Spear Phishing: Spear phishing is a form of phishing where the attacker targets high-profile users, like managers and executives. 

These managers aren’t impervious to attack, and sufficiently sophisticated messages can convince them to provide system access to company resources. 

Spear phishing attacks have been the root of many major hacks, including the hack on the Democratic National Committee email servers during the 2016 U.S. presidential election.

  • Whale Phishing: The next step up in the phishing hierarchy is whale phishing, a form of spear phishing that targets the highest executives in an organization, often chief executive officers or chief financial officers. Whale phishing has cost enterprises millions of dollars due to executives sending money or other resources to hackers under false pretenses.

Businesses must understand that phishing is an issue that can affect an organization at any level. Phishing is the biggest threat most enterprises face in modern cybersecurity.

How Does Clone Phishing Differ from Other Forms of Phishing?

The previous examples of phishing differentiate themselves based on their targeting approach. Phishing types also break down across technologies. For example, “Smishing,” or SMS phishing, uses SMS texts to entice users to click links. “Vishing,” or voice phishing, uses digital voice or video conferencing software to trick users. Video software phishing on platforms like Zoom is quite common due to the apps’ prevalence in the COVID-19 pandemic.

By and large, however, email is still the biggest platform for phishing attacks and where advanced techniques like clone phishing come into play. This is for a few reasons:

  • Cost: Email is cheap, simple, and easy to set up. Hackers can send thousands of emails with the touch of a button. 
  • Ubiquity: Everyone uses email. Even people who rarely actually email have an email to manage accounts, and most business correspondence happens via email. 
  • Spoofing: Email is relatively easy to spoof. First, the sender address and link URLs are relatively easy to obfuscate to prevent detection under a cursory inspection. Second, many people simply don’t pay close attention to emails. 

Clone phishing leverages these facts to send sophisticated fake emails to users. 

Consider business email. When employees receive messages from internal parties, most do not investigate those messages. They assume the messages come from whoever they claim to come from. In many cases, however, business emails are harder to falsify—they require an understanding of company personnel or access to an internal email account to spam users directly. 

However, if the attacker has a copy of an email sent by someone in a business, they can copy that email and use it for phishing.

This is clone phishing. The attacker obtains a copy of a genuine email, complete with its formatting, branding, letterhead, or other official markings. They then change something about the email, like an attachment or a link, and resend it from a spoofed address, presented as a correction to the first message. 

Recipients who get the second email assume it’s identical to the first, other than some small changes, and trust it (along with any links or attachments included). This is the danger of cloned emails: they bypass some of the red flags we might see in other phishing attempts by using something we’ve already seen, a legitimate email, as a smokescreen.

Clone phishing is different from business email compromise because a clone phishing email is still sent from an outside location. With business email compromise, the attacker can send emails directly from a compromised account, so there is no need to clone an email. That doesn’t make clone phishing any less dangerous, however. 

While clone phishing emails can be hard to detect, characteristic signs include:

  • Link URLs to non-professional or unknown websites.
  • New attachments added to emails that previously had none.
  • Broken image links where references were lost during the copy-and-paste job. 
  • Email addresses that don’t match the original sender.
  • Added text with extensive typos.
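As an added illustration that is not part of the original article or of 1Kosmos' products, the following check compares a suspected re-send against the genuine email it copies and reports which of the signs above apply (sender mismatch, including the Reply-To header, links to non-corporate domains, and newly added attachments). The two messages, the addresses and the trusted-domain list are constructed assumptions.

```python
import re
from email.message import EmailMessage
from email.utils import parseaddr
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
TRUSTED_DOMAINS = ("example.com",)  # assumption: the organisation's own mail/web domains
def body_links(msg):
    """Return every http(s) URL found in the plain-text body of the message."""
    body = msg.get_body(preferencelist=("plain",))
    return URL_RE.findall(body.get_content()) if body else []

def clone_indicators(original, suspect, trusted=TRUSTED_DOMAINS):
    """Compare a suspected re-send with the genuine message it copies and
    return the clone-phishing signs from the list above that apply."""
    findings = []
    orig_from = parseaddr(original["From"])[1].lower()
    susp_from = parseaddr(suspect["From"])[1].lower()
    if orig_from != susp_from:  # address does not match the original sender
        findings.append(f"sender changed: {orig_from} -> {susp_from}")
    reply_to = parseaddr(suspect.get("Reply-To", ""))[1].lower()
    if reply_to and reply_to != susp_from:  # replies would be diverted elsewhere
        findings.append(f"Reply-To {reply_to} differs from From")
    for url in body_links(suspect):  # links to unknown, non-corporate sites
        host = (urlparse(url).hostname or "").lower()
        if not any(host == d or host.endswith("." + d) for d in trusted):
            findings.append(f"link to unknown domain: {host}")
    known = {p.get_filename() for p in original.iter_attachments()}
    added = [p.get_filename() for p in suspect.iter_attachments()
             if p.get_filename() not in known]
    if added:  # attachment added to an email that previously had none
        findings.append(f"attachment added: {added}")
    return findings

def build(sender, subject, body, attachment=None):
    """Build a constructed sample message (not a real capture)."""
    msg = EmailMessage()
    msg["From"], msg["Subject"] = sender, subject
    msg.set_content(body)
    if attachment:
        msg.add_attachment(b"%PDF-1.4 constructed sample", maintype="application",
                           subtype="pdf", filename=attachment)
    return msg
# Constructed samples: the genuine internal email, and a "corrected" re-send from a
# look-alike domain that swaps the link and adds an attachment.
ORIGINAL = build("Finance <finance@example.com>", "Q3 expense policy",
                 "The updated policy is at https://intranet.example.com/policy")
SUSPECT = build("Finance <finance@examp1e-mail.com>", "Re-sent: Q3 expense policy",
                "The updated policy is at https://intranet.example-login.net/policy",
                attachment="policy.pdf")
```

Running `clone_indicators(ORIGINAL, SUSPECT)` reports all three signs, while comparing the genuine message with itself reports none.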

How You Can Protect Your Organization Against Clone Phishing

Phishing prevention is one of the most critical security undertakings an organization can make. It requires coordination of technology, training, and people. While clone phishing emails are much more sophisticated than spray-and-pray email phishing campaigns, many of the same preventative approaches mitigate them.

Below are a few critical steps that can prepare your organization for clone phishing attacks:

  • Phishing Awareness Training: Always have training programs and resources for employees to understand what a phishing email looks like. Users often need training on how to check email addresses (and not just those in the “From” field), use on-hover previews to check links, and recognize red flags like typos or bad copy-and-paste jobs.
  • Visual Email Alerts: Email filters are only so good at keeping spam out of a business network. Additional measures, like adding visual warnings that denote email from external email addresses, can signal users to pay attention to the email and its details. 
  • Strong Multi-Factor Authentication: Hackers are usually looking for login credentials. In systems that rely on passwords or PINs, it’s much easier to steal that information. Strong MFA, like SMS tokens or, even better, strong biometrics, can make phishing attempts unable to gain access to a system. 
  • Passwordless Authentication: As a step beyond MFA, you can use a passwordless system that doesn’t require that users maintain credentials. Instead, they can use dedicated authentication apps and device biometrics to access systems. A hacker can’t phish biometrics from users of a passwordless system. 

Harden Your System Security with 1Kosmos and BlockID

Unfortunately, hackers don’t often rely on brute-force password spraying or fanciful hacking attempts to undermine system security. They rely on the trusting nature of people.

The key to mitigating these kinds of email attacks is removing the user vulnerabilities. By eliminating passwords, relying on biometrics, and streamlining the authentication process for user devices, you can effectively mitigate many phishing attacks.

While authentication systems won’t protect you 100% from clone phishing attacks that use attachments to deliver virus payloads, a technology like 1Kosmos BlockID, combined with proper email controls and training, can shore up your phishing prevention approach.

1Kosmos BlockID provides the following features:

  • Identity Proofing: BlockID verifies identity anywhere, anytime and on any device with over 99% accuracy.
  • Streamlined User Experience: 1Kosmos provides simple user onboarding and convenient access anywhere, anytime and on any device. The experience can be delivered via the BlockID app or integrated via our SDK into your custom app.
  • Identity-Based Authentication: We push biometrics and authentication into a new “who you are” paradigm. BlockID uses biometrics to identify individuals, not devices, through credential triangulation and identity verification.
  • Interoperability: BlockID can readily integrate with existing infrastructure through its 50+ out of the box integrations or via API/SDK.

Read more on how to Secure Your Distributed Workforce when you go passwordless, and sign up for the 1Kosmos newsletter to stay on top of our new products and services. 

Meet the Author

Robert MacDonald

Vice President of Product Marketing

Robert is the Vice President of Product Marketing at 1Kosmos. He is a highly influential senior global marketer with more than 15 years of marketing experience in B2B and B2C software in the biometric authentication space. Prior to 1Kosmos, Rob managed product strategy and vision for the Identity and Access Management portfolio at Micro Focus, leading a team of product marketers to drive sales and support the channel. Earlier in his career he set the foundation for content planning, sales enablement and GTM activities for ForgeRock. He has also held senior marketing positions at Entrust, Dell, Quest and Corel Corporation.