---
title: "Phishing Incident Response Guide: What to Do After an Attack | Phish Protection"
description: "Step-by-step phishing incident response guide for IT teams. Covers immediate containment, investigation, recovery, reporting obligations, and prevention measures after a phishing attack."
image: "https://phishprotection.com/images/og-default.png"
canonical: "https://phishprotection.com/phishing-incident-response-guide/"
---

# Phishing Incident Response Guide: What to Do After an Attack

Your email security failed. An employee clicked. Credentials were entered on a fake login page. Or a BEC email convinced someone in accounting to wire $87,000 to a new account. It happens to well-defended organizations, and it happens to organizations that thought they were well-defended.

What matters now is how fast and how effectively your team responds. The [IBM 2024 Cost of a Data Breach Report](https://www.ibm.com/reports/data-breach) found that organizations that contained a breach in under 200 days saved an average of $1.02 million compared to those that took longer. In phishing incidents, the critical window is often measured in minutes, not days.

This guide provides a structured incident response framework for phishing attacks. It is designed for IT administrators and security teams at small and midsize businesses - organizations that may not have a dedicated security operations center but still need a professional-grade response capability.

---

### Before the Incident: Preparation

The time to build your incident response capability is before you need it. If you are reading this after an attack has already occurred, skip to the next section - but come back here once the immediate crisis is resolved.

#### Build Your Response Team

Define who is involved in phishing incident response and their roles:

- **Incident Commander** - Owns the response process and makes decisions. Typically the IT director or CISO.
- **Technical Lead** - Executes containment and investigation tasks. Typically a senior system administrator or security engineer.
- **Communications Lead** - Manages internal and external communications. Typically someone from legal or executive leadership.
- **Legal Counsel** - Advises on regulatory obligations, breach notification requirements, and evidence preservation.

For small organizations, one or two people may fill multiple roles. That is fine - what matters is that responsibilities are defined before an incident occurs.

#### Document Your Environment

Maintain a current inventory of:

- Email platform and configuration (Microsoft 365, Google Workspace, on-premises Exchange)
- Email security tools and their admin interfaces
- Authentication systems (SSO, MFA providers)
- Critical systems and data repositories
- Network segmentation architecture
- Backup systems and recovery procedures
- Contact information for key vendors and service providers

#### Establish Communication Channels

During an active incident, you cannot rely on communication channels that may themselves be compromised, corporate email in particular. Establish:

- An out-of-band communication channel (dedicated Slack workspace, Signal group, or phone bridge) that does not depend on corporate email
- Escalation paths for after-hours incidents
- Templates for internal communications and external notifications

---

### Phase 1: Detection and Initial Assessment

#### How Phishing Incidents Are Typically Detected

Phishing incidents come to light through several channels:

- **Employee reports** - A user recognizes a suspicious email or realizes they clicked something they should not have
- **Security tool alerts** - Email security platforms flag suspicious activity
- **Unusual account behavior** - Login from unexpected locations, mail forwarding rule creation, mass email sending
- **Financial anomalies** - Accounting discovers unauthorized wire transfers or payment redirects
- **External notification** - A partner, customer, or law enforcement notifies you of compromise

The detection method influences your initial response. An employee who voluntarily reports clicking a suspicious link is a very different starting point than discovering unauthorized wire transfers three weeks after the fact.

#### Initial Triage Questions

Within the first 15 minutes, establish:

1. **What happened?** Did the user click a link, open an attachment, enter credentials, or respond to a BEC email?
2. **When did it happen?** Exact time if possible. This determines how long the attacker may have had access.
3. **Who is affected?** Which user accounts, systems, or data may be compromised?
4. **What access does the compromised account have?** Email only, or also file shares, financial systems, VPN, admin consoles?
5. **Is this ongoing?** Is the attacker still active in the environment?

---

### Phase 2: Containment

Containment stops the bleeding. The goal is to prevent the attacker from expanding their access or causing additional damage. Speed is critical here - every minute of delay increases the blast radius.

#### Immediate Actions (First 30 Minutes)

**For credential compromise (user entered credentials on a phishing page):**

1. **Reset the compromised account password immediately.** Do not wait for investigation. Reset now, investigate later.
2. **Revoke all active sessions.** In Microsoft 365: Entra ID > Users > Revoke sessions. In Google Workspace: Admin console > User > Security > Sign out.
3. **Disable forwarding rules.** Attackers frequently create mail forwarding rules to maintain access even after a password reset. Check for:  
   - Inbox rules that forward or redirect email  
   - Server-side forwarding rules  
   - Delegate access grants  
   - Connected applications and OAuth consents
4. **Enable or verify MFA.** If MFA was not enabled, enable it now. If MFA was enabled and the attacker bypassed it, investigate how (session token theft, MFA fatigue, SIM swap).
5. **Check for lateral movement.** Review whether the compromised account was used to send phishing emails internally or to external contacts.
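The forwarding-rule check in step 3 is quick to do by eye for one mailbox and tedious across many. The following is an added example, not code from this guide or from Phish Protection, that scores an exported rule list for the patterns attackers typically leave behind: forwarding or redirecting to an external domain, deleting matches, burying them in a folder nobody reads, keying on words like "password" or "invoice", and blank or punctuation-only rule names. The export shape, field names, internal domain and sample rules are all assumptions; adapt them to whatever your mail platform exports.

```python
# Constructed sample: the shape mimics a JSON export of a mailbox's inbox rules
# (field names are an assumption, not any product's schema). Domains use
# reserved .example names.
SAMPLE_RULES = [
    {"Name": "Receipts", "Enabled": True, "ForwardTo": [], "RedirectTo": [],
     "DeleteMessage": False, "MoveToFolder": "Receipts",
     "SubjectContainsWords": ["receipt"]},
    {"Name": ".", "Enabled": True, "ForwardTo": ["drop@mail-collector.example"],
     "RedirectTo": [], "DeleteMessage": True, "MoveToFolder": None,
     "SubjectContainsWords": ["password", "invoice", "wire"]},
    {"Name": "Cleanup", "Enabled": True, "ForwardTo": [], "RedirectTo": [],
     "DeleteMessage": False, "MoveToFolder": "RSS Feeds",
     "SubjectContainsWords": ["security alert", "new sign-in"]},
]

INTERNAL_DOMAINS = {"corp.example"}  # assumption: your own mail domains
# Subject words attackers commonly key rules on to intercept or suppress mail.
WATCH_WORDS = {"password", "invoice", "wire", "payment", "bank", "mfa",
               "security alert", "new sign-in", "suspicious"}
# Folders present in every mailbox that nobody opens.
HIDE_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                "junk email", "deleted items", "archive"}


def _external(addresses):
    """Return the addresses whose domain is not one of ours."""
    return [a for a in addresses
            if a.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS]


def audit_rule(rule):
    """Score one rule. Returns (severity, findings); severity 0 means clean."""
    findings, severity = [], 0
    ext = _external(rule.get("ForwardTo", []) + rule.get("RedirectTo", []))
    if ext:
        severity = max(severity, 3)
        findings.append("forwards or redirects mail to external address(es): "
                        + ", ".join(ext))
    if rule.get("DeleteMessage"):
        severity = max(severity, 3)
        findings.append("deletes matching messages")
    folder = (rule.get("MoveToFolder") or "").lower()
    if folder in HIDE_FOLDERS:
        severity = max(severity, 2)
        findings.append(f"moves matching messages to '{rule['MoveToFolder']}'")
    words = {w.lower() for w in rule.get("SubjectContainsWords", [])}
    hits = sorted(words & WATCH_WORDS)
    # Keyword filters only matter in combination with one of the actions above.
    if hits and severity:
        findings.append("filters on sensitive keywords: " + ", ".join(hits))
    if not rule.get("Name", "").strip(" .,;-_"):
        severity = max(severity, 1)
        findings.append("blank or punctuation-only rule name")
    return severity, findings


def suspicious_rules(rules):
    """[(name, severity, findings)] for enabled rules that scored, worst first."""
    out = []
    for r in rules:
        if not r.get("Enabled", True):
            continue
        severity, findings = audit_rule(r)
        if severity:
            out.append((r.get("Name", ""), severity, findings))
    return sorted(out, key=lambda t: -t[1])


if __name__ == "__main__":
    for name, sev, why in suspicious_rules(SAMPLE_RULES):
        print(f"[{sev}] {name!r}: " + "; ".join(why))
```

Run it against an export for every account touched by the incident, not just the reporting user; a rule with severity 3 is the one to remove first, and its external target address is an indicator to search for across the tenant.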

**For malware or ransomware delivery:**

1. **Isolate the affected device from the network.** Disconnect the Ethernet cable or disable Wi-Fi. Do not power off the device - that may destroy forensic evidence held in memory.
2. **Identify other recipients.** Use email logs to determine whether other employees received the same malicious email. Quarantine undelivered copies.
3. **Block the malicious indicators.** Add the sender address, domain, URL, and file hash to your email security block lists.
4. **Scan for additional infections.** Run endpoint detection across all devices that may have received the malicious email.

**For BEC wire fraud:**

1. **Contact your bank immediately.** Request a wire recall. For domestic transfers over $20,000, the FBI’s Financial Fraud Kill Chain (FFKC) process can freeze funds within 72 hours if reported quickly.
2. **Contact the receiving bank.** Request a hold on the account.
3. **Preserve all communication.** Save the fraudulent emails with full headers. Screenshot any relevant conversations.
4. **Do not alert the attacker.** If the attacker is monitoring the compromised email account, avoid discussing the incident through that channel.

For more on BEC-specific response procedures, see our [Business Email Compromise Guide](/content/business-email-compromise-guide/).

#### Secondary Containment (Hours 1-4)

1. **Audit all accounts with similar access.** If the compromised user had admin rights, check all admin accounts for signs of compromise.
2. **Review authentication logs.** Look for logins from unusual IP addresses, geographic locations, or user agents - both for the compromised account and related accounts.
3. **Check for data exfiltration.** Review file access logs, SharePoint/OneDrive activity, and email sending history for evidence that data was copied out.
4. **Notify internal stakeholders.** Alert leadership, legal, and HR as appropriate. Use your out-of-band communication channel.
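The log review in step 2, as an added example that is not code from this guide or its publisher: it baselines the user's successful sign-ins in the 30 days before the reported click, then flags later sign-ins from a country, client or IP address outside that baseline, plus consecutive sign-ins from two countries closer together in time than real travel allows. The first flagged event is the "first use of stolen credentials" timestamp the investigation timeline needs. The record layout, click time and events are constructed and loosely modelled on a cloud identity provider's sign-in export; the field names are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample sign-in events for one user (field names are an assumption).
SAMPLE_SIGNINS = [
    {"time": "2025-03-03T08:02:11Z", "ip": "203.0.113.10", "country": "US",
     "ua": "Chrome/Windows", "result": "success"},
    {"time": "2025-03-04T08:05:40Z", "ip": "203.0.113.10", "country": "US",
     "ua": "Outlook/Windows", "result": "success"},
    {"time": "2025-03-05T09:14:02Z", "ip": "203.0.113.10", "country": "US",
     "ua": "Chrome/Windows", "result": "success"},
    {"time": "2025-03-05T09:31:55Z", "ip": "198.51.100.77", "country": "NG",
     "ua": "python-requests/2.31", "result": "success"},
    {"time": "2025-03-05T09:40:12Z", "ip": "198.51.100.77", "country": "NG",
     "ua": "Chrome/Windows", "result": "success"},
]
CLICK_TIME = "2025-03-05T09:20:00Z"  # time of the click from the user's report (constructed)


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def baseline(signins, before, days=30):
    """Successful sign-ins in the window before the click define 'normal'."""
    start = before - timedelta(days=days)
    countries, uas, ips = set(), set(), set()
    for e in signins:
        t = parse_ts(e["time"])
        if e["result"] == "success" and start <= t < before:
            countries.add(e["country"])
            uas.add(e["ua"])
            ips.add(e["ip"])
    return countries, uas, ips


def review_signins(signins, click_time, travel_window=timedelta(hours=1)):
    """Return (flagged_events, first_attacker_use) for sign-ins after the click."""
    click = parse_ts(click_time)
    countries, uas, ips = baseline(signins, click)
    events = sorted(signins, key=lambda e: parse_ts(e["time"]))
    flagged, prev_success = [], None
    for e in events:
        t = parse_ts(e["time"])
        reasons = []
        if t >= click and e["result"] == "success":
            if e["country"] not in countries:
                reasons.append(f"new country {e['country']}")
            if e["ua"] not in uas:
                reasons.append(f"new client {e['ua']}")
            if e["ip"] not in ips:
                reasons.append(f"new IP {e['ip']}")
            # Impossible travel: consecutive successes from different countries
            # closer together than any real trip would allow.
            if (prev_success and prev_success["country"] != e["country"]
                    and t - parse_ts(prev_success["time"]) <= travel_window):
                reasons.append(f"impossible travel from {prev_success['country']}")
        if reasons:
            flagged.append({**e, "reasons": reasons})
        if e["result"] == "success":
            prev_success = e
    first_use = flagged[0]["time"] if flagged else None
    return flagged, first_use


if __name__ == "__main__":
    flagged, first = review_signins(SAMPLE_SIGNINS, CLICK_TIME)
    print("first attacker use:", first)
    for e in flagged:
        print(e["time"], e["ip"], "; ".join(e["reasons"]))
```

The same pass run over the other accounts from step 1, with each account's own baseline, is the quickest way to spot whether the attacker's IP or client shows up anywhere else. A sign-in that is "new" only because the user is travelling still deserves a phone call rather than an assumption either way.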

---

### Phase 3: Investigation

With containment measures in place, shift to understanding the full scope of the incident.

#### Email Analysis

- **Examine the phishing email.** Full headers, sender IP, reply-to address, URL destinations, attachment hashes.
- **Identify the campaign.** Search your email logs for other instances of the same sender, domain, URL, or subject line.
- **Map the timeline.** When was the email sent? When was it opened? When were credentials entered? When did the attacker first use the stolen credentials?
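An added example covering the email analysis above and the "identify other recipients" step from Phase 2; it is not code from this guide or from Phish Protection. It parses a constructed phishing message with Python's standard `email` module, pulls out the indicators listed (sending IP from the Received header, Reply-To and Return-Path domains, authentication results, link destinations, attachment hashes), lists the mismatches worth recording, and then searches a constructed message-trace export for other messages sharing the sender domain, sending IP or subject line. The message, the trace records and their field names are all constructed assumptions; adapt the record shape to your platform's export.

```python
import email
import hashlib
import re
from email import policy
from email.utils import parseaddr

# Constructed sample message; all domains are reserved .example names.
RAW_EMAIL = """\
Received: from relay.mail-collector.example (relay.mail-collector.example [198.51.100.23])
    by mx.corp.example with ESMTPS id 4abc123; Wed, 05 Mar 2025 09:10:02 +0000
Authentication-Results: mx.corp.example; spf=fail smtp.mailfrom=mail-collector.example;
    dkim=none; dmarc=fail header.from=corp-it.example
Return-Path: <bounce@mail-collector.example>
From: "IT Helpdesk" <helpdesk@corp-it.example>
Reply-To: "IT Helpdesk" <reset@mail-collector.example>
To: j.doe@corp.example
Subject: Action required: password expires today
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Your password expires in 2 hours. Verify at https://corp-it.example.login-portal.example/reset?u=jdoe
--b1
Content-Type: application/octet-stream; name="policy.pdf"
Content-Disposition: attachment; filename="policy.pdf"

constructed-sample-attachment-bytes
--b1--
"""

# Constructed message-trace records (field names are an assumption).
SAMPLE_TRACE = [
    {"recipient": "j.doe@corp.example", "sender": "helpdesk@corp-it.example", "sender_ip": "198.51.100.23",
     "status": "delivered", "subject": "Action required: password expires today"},
    {"recipient": "a.smith@corp.example", "sender": "helpdesk@corp-it.example", "sender_ip": "198.51.100.23",
     "status": "delivered", "subject": "Action required: password expires today"},
    {"recipient": "b.lee@corp.example", "sender": "support@corp-it.example", "sender_ip": "198.51.100.23",
     "status": "quarantined", "subject": "ACTION REQUIRED: Password expires today"},
    {"recipient": "c.ng@corp.example", "sender": "news@vendor.example", "sender_ip": "192.0.2.8",
     "status": "delivered", "subject": "March newsletter"},
]


def _domain(addr):
    """Domain part of an address header value ('' if the header is absent)."""
    return parseaddr(str(addr or ""))[1].rsplit("@", 1)[-1].lower()


def extract_indicators(raw):
    msg = email.message_from_string(raw, policy=policy.default)
    received = msg.get_all("Received") or []
    # The topmost Received header was stamped by our own MX; the bracketed IP is
    # the host that connected to us and handed the message over.
    ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", str(received[0])) if received else None
    auth = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(msg.get("Authentication-Results", ""))))
    urls, attachments = [], []
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            data = part.get_payload(decode=True) or b""
            attachments.append((part.get_filename(), hashlib.sha256(data).hexdigest()))
        elif part.get_content_type() == "text/plain":
            urls += re.findall(r"https?://[^\s<>\"']+", part.get_content())
    return {"from_domain": _domain(msg["From"]), "reply_to_domain": _domain(msg["Reply-To"]),
            "return_path_domain": _domain(msg["Return-Path"]), "sender_ip": ip.group(1) if ip else None,
            "subject": str(msg["Subject"] or ""), "auth": auth, "urls": urls, "attachments": attachments}


def red_flags(ind):
    """Header mismatches and failed checks worth recording in the incident log."""
    flags = []
    for label in ("reply_to", "return_path"):
        if ind[f"{label}_domain"] and ind[f"{label}_domain"] != ind["from_domain"]:
            flags.append(f"{label} domain differs from From domain")
    for check, verdict in ind["auth"].items():
        if verdict != "pass":
            flags.append(f"{check}={verdict}")
    for url in ind["urls"]:
        m = re.match(r"https?://([^/?#]+)", url)
        host = m.group(1).lower() if m else url
        if host != ind["from_domain"] and not host.endswith("." + ind["from_domain"]):
            flags.append(f"link host {host} does not belong to From domain")
    return flags


def _norm(s):
    return re.sub(r"\s+", " ", s).strip().lower()


def find_campaign(trace, ind):
    """Trace records sharing the sender domain, sending IP or subject line."""
    hits = []
    for rec in trace:
        why = []
        if _domain(rec["sender"]) == ind["from_domain"]:
            why.append("sender domain")
        if ind["sender_ip"] and rec["sender_ip"] == ind["sender_ip"]:
            why.append("sender IP")
        if _norm(rec["subject"]) == _norm(ind["subject"]):
            why.append("subject")
        if why:
            hits.append({**rec, "matched_on": why})
    return hits
```

Records that matched and still show `delivered` are the copies to quarantine; the sender domain, sending IP, link host and attachment hash returned by `extract_indicators` are the values to add to the block lists in the containment steps. Note that the link host here is a lookalike that merely starts with the From domain, which is why the check compares whole domain labels rather than a substring.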

#### Account Forensics

- **Audit log review.** Pull complete sign-in and activity logs for the compromised account.
- **Mail rule inspection.** Document any forwarding rules, inbox rules, or delegate permissions the attacker created.
- **OAuth/app review.** Check for unauthorized applications granted access to the account.
- **Sent items and deleted items.** Review what the attacker sent from the compromised account. Check both sent items and deleted items (attackers often delete sent items to cover their tracks).

#### Scope Assessment

- **Downstream exposure.** If the attacker sent phishing emails from the compromised account, identify all recipients and assess whether any of them also fell for the secondary attack.
- **Data exposure.** Determine what data the attacker had access to and whether there is evidence of access or exfiltration.
- **System exposure.** If the compromised credentials provided access to systems beyond email, assess whether those systems were accessed.

#### Evidence Preservation

- Export and archive all relevant logs, emails, and forensic data
- Maintain chain of custody documentation
- Do not modify or delete evidence
- Consider engaging a third-party forensics firm for incidents involving significant financial loss, data exposure, or potential litigation

---

### Phase 4: Eradication

Eradication removes the attacker’s access and any artifacts they left behind.

#### Account Remediation

- Confirm password resets are complete for all affected accounts
- Remove all unauthorized forwarding rules, inbox rules, and delegate access
- Revoke unauthorized OAuth application consents
- Re-verify MFA enrollment for affected accounts
- Review and remove any attacker-created accounts

#### System Remediation

- Remove malware from affected endpoints using validated clean tools
- Rebuild compromised systems from known-good backups or images if malware persistence is suspected
- Update endpoint protection signatures
- Patch any vulnerabilities exploited during the attack

#### Infrastructure Hardening

- Block all identified indicators of compromise (IOCs) across email, web proxy, and firewall
- Update email security rules based on the attack technique observed
- Add the attack domain and sender patterns to your [anti-phishing](/content/anti-phishing-solutions/) block lists

---

### Phase 5: Recovery

Recovery restores normal operations while maintaining heightened monitoring.

#### Service Restoration

- Re-enable affected accounts with verified security controls
- Restore data from backups if necessary (verify backup integrity before restoring)
- Resume normal email flow with enhanced monitoring
- Communicate restoration status to affected users

#### Heightened Monitoring Period

For at least 30 days following an incident:

- Monitor compromised accounts for unusual activity
- Watch for follow-up attacks targeting the same users
- Track authentication logs for signs of persistent access
- Monitor dark web sources for exposed credentials

---

### Phase 6: Reporting

#### Internal Reporting

Document the incident with:

- **Timeline** from initial compromise to full containment
- **Scope** of affected accounts, systems, and data
- **Root cause** - How did the phishing email bypass existing controls?
- **Response actions** taken at each phase
- **Impact** - Financial loss, data exposure, operational disruption
- **Recommendations** for preventing similar incidents

#### External Reporting

Depending on the nature and scope of the incident:

- **FBI IC3** - File a complaint at [ic3.gov](https://www.ic3.gov/) for all BEC and significant phishing incidents
- **State attorneys general** - Many states require breach notification within 30-72 days if personal data was exposed
- **Industry regulators** - HIPAA (healthcare), PCI DSS (payment cards), SOX (public companies) may have additional reporting requirements
- **Affected individuals** - If personal data was exposed, notification to affected individuals may be legally required
- **Cyber insurance carrier** - Notify your insurer promptly. Late notification may affect coverage.

#### Regulatory Notification Timelines

| Regulation                     | Notification Deadline        | Trigger                                         |
| ------------------------------ | ---------------------------- | ----------------------------------------------- |
| GDPR                           | 72 hours                     | Personal data of EU residents exposed           |
| HIPAA                          | 60 days                      | Protected health information exposed            |
| State breach notification laws | 30-90 days (varies by state) | Personal information of state residents exposed |
| SEC (public companies)         | 4 business days              | Material cybersecurity incident                 |
| PCI DSS                        | Immediately                  | Payment card data exposed                       |

---

### Phase 7: Post-Incident Review

#### Lessons Learned Meeting

Within two weeks of incident closure, hold a post-incident review with all responders. Address:

1. **What went well?** Which parts of the response were effective?
2. **What failed?** Where did the response break down or take too long?
3. **What was missing?** What tools, access, or procedures would have improved the response?
4. **What changes are needed?** Specific action items with owners and deadlines.

#### Prevention Improvements

Based on the incident, evaluate:

- **Email security controls.** Did the phishing email bypass detection? Why? Does your [anti-phishing software](/content/anti-phishing-software/) need tuning or replacement?
- **Authentication.** Was MFA enabled and enforced? Was conditional access configured?
- **Training.** Did the affected user recognize the phishing attempt? What training gaps exist?
- **Process controls.** For BEC incidents - were financial verification procedures in place and followed?
- **Detection.** How was the incident detected? Can detection time be reduced?

---

### Phishing Incident Response Checklist

Use this checklist during an active incident:

**Immediate (0-30 minutes):**

- Reset compromised account passwords
- Revoke all active sessions
- Check and remove mail forwarding rules
- Isolate infected devices from network
- For wire fraud: contact bank immediately
- Identify other recipients of the phishing email

**Short-term (1-4 hours):**

- Audit related accounts for compromise
- Review authentication and activity logs
- Block attacker indicators (domains, IPs, hashes)
- Notify internal stakeholders via out-of-band channel
- Engage legal counsel if data exposure is suspected
- Quarantine copies of phishing email from other inboxes

**Medium-term (1-7 days):**

- Complete investigation and scope assessment
- Remove all attacker artifacts and persistence mechanisms
- Restore affected systems and accounts
- File FBI IC3 report if applicable
- Determine regulatory notification obligations
- Begin heightened monitoring period

**Long-term (2-4 weeks):**

- Conduct post-incident review
- Update incident response procedures
- Implement prevention improvements
- Update training program based on lessons learned
- Close incident with full documentation

---

### Prevention: Reducing Future Incident Likelihood

The best incident response is one you never have to execute. Invest in prevention:

- **Pre-delivery email scanning** - Block threats before they reach the inbox. See our [anti-phishing solutions](/content/anti-phishing-solutions/) overview.
- **Multi-engine detection** - No single engine catches everything. [Phish Protection uses 5 concurrent engines](/content/anti-phishing-software/).
- **Time-of-click URL protection** - Catch delayed-weaponization attacks.
- **Email authentication** - Implement SPF, DKIM, and DMARC at enforcement.
- **Regular phishing simulations** - Test employee resilience quarterly.
- **Financial verification procedures** - Out-of-band confirmation for all wire transfers and payment changes.
- **Ongoing monitoring** - Review email security logs and threat intelligence feeds regularly.

For an overview of how these prevention layers work together, see our [Email Security Complete Guide](/content/email-security-complete-guide/).

---

### Further Reading

- [Business Email Compromise Guide](/content/business-email-compromise-guide/) - Response procedures specific to BEC
- [Lessons from the Past: 5 Substantial Phishing Attacks and Data Breaches](/blog/lessons-from-the-past-5-substantial-phishing-attacks-data-breaches-of-the-21st-century/) - Case studies
- [Data Breaches: How They Impact Small Businesses](/blog/data-breaches-how-they-impact-small-businesses/) - Financial and operational impact
- [Data Breaches and Phishing Attacks: How Third-Party Vendors Jeopardize Organizations](/blog/data-breaches-and-phishing-attacks-how-third-party-vendors-jeopardize-organization/) - Supply chain risk
- [How to Deal with Ransomware Attacks](/content/how-to-deal-with-ransomware-attacks/) - Ransomware-specific response
- [Ransomware Attack Solutions](/content/ransomware-attack-solutions/) - Recovery and remediation

---

### Enterprise-Class Email Protection Without the Enterprise Price

The best incident response starts with prevention. Phish Protection’s integrated email security solution blocks phishing, BEC, malware, and ransomware before they reach your inbox. 24x7. On any device.

- Pre-delivery scanning with 5 concurrent detection engines
- Time-of-click URL protection
- BEC and impersonation detection
- Real-time alerts to users and administrators
- Setup in under 5 minutes

[Start your 60-day free trial](https://portal.duocircle.com/cart.php?a=add&pid=101&brand=phishprotection) - no credit card required.


```json
{"@context":"https://schema.org","@type":"Article","headline":"Phishing Incident Response Guide: What to Do After an Attack","description":"Step-by-step phishing incident response guide for IT teams. Covers immediate containment, investigation, recovery, reporting obligations, and prevention measures after a phishing attack.","url":"https://phishprotection.com/phishing-incident-response-guide/","dateModified":"2026-04-23T00:00:00.000Z","author":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection"},"publisher":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://phishprotection.com","logo":{"@type":"ImageObject","url":"https://media.mailhop.org/phishprotection/images/phishprotection-logo.png"},"description":"Enterprise-grade email security that protects businesses from phishing, ransomware, and email fraud with real-time threat detection and multi-layered protection.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://phishprotection.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"}]},"sameAs":["https://www.wikidata.org/wiki/Q138897912","https://www.linkedin.com/company/duocircle","https://x.com/duocirclellc","https://github.com/duocircle","https://www.crunchbase.com/organization/duocircle-llc"],"contactPoint":{"@type":"ContactPoint","contactType":"customer support","url":"https://phishprotection.com/contact/"},"knowsAbout":["Phishing Protection","Email Security","Anti-Phishing","Ransomware Protection","Business Email Compromise","Time of Click Protection","Advanced Threat Defense","Email Fraud Prevention","Phishing Awareness Training","Office 365 Email Security"]},"image":"https://media.mailhop.org/phishprotection/images/og-default.png"}
```

