Skip to main content
New Advanced Threat Defense now includes AI-powered URL analysis Learn more → →

Phishing Incident Response Guide: What to Do After an Attack

Your email security failed. An employee clicked. Credentials were entered on a fake login page. Or a BEC email convinced someone in accounting to wire $87,000 to a new account. It happens to well-defended organizations, and it happens to organizations that thought they were well-defended.

What matters now is how fast and how effectively your team responds. The IBM 2024 Cost of a Data Breach Report found that organizations that contained a breach in under 200 days saved an average of $1.02 million compared to those that took longer. In phishing incidents, the critical window is often measured in minutes, not days.

This guide provides a structured incident response framework for phishing attacks. It is designed for IT administrators and security teams at small and midsize businesses - organizations that may not have a dedicated security operations center but still need a professional-grade response capability.

Before the Incident: Preparation

The time to build your incident response capability is before you need it. If you are reading this after an attack has already occurred, skip to the next section - but come back here once the immediate crisis is resolved.

Build Your Response Team

Define who is involved in phishing incident response and their roles:

  • Incident Commander - Owns the response process and makes decisions. Typically the IT director or CISO.
  • Technical Lead - Executes containment and investigation tasks. Typically a senior system administrator or security engineer.
  • Communications Lead - Manages internal and external communications. Typically someone from legal or executive leadership.
  • Legal Counsel - Advises on regulatory obligations, breach notification requirements, and evidence preservation.

For small organizations, one or two people may fill multiple roles. That is fine - what matters is that responsibilities are defined before an incident occurs.

Document Your Environment

Maintain a current inventory of:

  • Email platform and configuration (Microsoft 365, Google Workspace, on-premises Exchange)
  • Email security tools and their admin interfaces
  • Authentication systems (SSO, MFA providers)
  • Critical systems and data repositories
  • Network segmentation architecture
  • Backup systems and recovery procedures
  • Contact information for key vendors and service providers

Establish Communication Channels

During an active incident, you cannot rely on the communication channels that may be compromised. Establish:

  • An out-of-band communication channel (dedicated Slack workspace, Signal group, or phone bridge) that does not depend on corporate email
  • Escalation paths for after-hours incidents
  • Templates for internal communications and external notifications

Phase 1: Detection and Initial Assessment

How Phishing Incidents Are Typically Detected

Phishing incidents come to light through several channels:

  • Employee reports - A user recognizes a suspicious email or realizes they clicked something they should not have
  • Security tool alerts - Email security platforms flag suspicious activity
  • Unusual account behavior - Login from unexpected locations, mail forwarding rule creation, mass email sending
  • Financial anomalies - Accounting discovers unauthorized wire transfers or payment redirects
  • External notification - A partner, customer, or law enforcement notifies you of compromise

The detection method influences your initial response. An employee who voluntarily reports clicking a suspicious link is a very different starting point than discovering unauthorized wire transfers three weeks after the fact.

Initial Triage Questions

Within the first 15 minutes, establish:

  1. What happened? Did the user click a link, open an attachment, enter credentials, or respond to a BEC email?
  2. When did it happen? Exact time if possible. This determines how long the attacker may have had access.
  3. Who is affected? Which user accounts, systems, or data may be compromised?
  4. What access does the compromised account have? Email only, or also file shares, financial systems, VPN, admin consoles?
  5. Is this ongoing? Is the attacker still active in the environment?

Phase 2: Containment

Containment stops the bleeding. The goal is to prevent the attacker from expanding their access or causing additional damage. Speed is critical here - every minute of delay increases the blast radius.

Immediate Actions (First 30 Minutes)

For credential compromise (user entered credentials on a phishing page):

  1. Reset the compromised account password immediately. Do not wait for investigation. Reset now, investigate later.
  2. Revoke all active sessions. In Microsoft 365: Entra ID > Users > Revoke sessions. In Google Workspace: Admin console > User > Security > Sign out.
  3. Disable forwarding rules. Attackers frequently create mail forwarding rules to maintain access even after a password reset. Check for:
    • Inbox rules that forward or redirect email
    • Server-side forwarding rules
    • Delegate access grants
    • Connected applications and OAuth consents
  4. Enable or verify MFA. If MFA was not enabled, enable it now. If MFA was enabled and the attacker bypassed it, investigate how (session token theft, MFA fatigue, SIM swap).
  5. Check for lateral movement. Review whether the compromised account was used to send phishing emails internally or to external contacts.

For malware or ransomware delivery:

  1. Isolate the affected device from the network. Disconnect the ethernet cable or disable Wi-Fi. Do not power off the device - that may destroy forensic evidence.
  2. Identify other recipients. Use email logs to determine whether other employees received the same malicious email. Quarantine undelivered copies.
  3. Block the malicious indicators. Add the sender address, domain, URL, and file hash to your email security block lists.
  4. Scan for additional infections. Run endpoint detection across all devices that may have received the malicious email.

For BEC wire fraud:

  1. Contact your bank immediately. Request a wire recall. For domestic transfers over $20,000, the FBI’s Financial Fraud Kill Chain (FFKC) process can freeze funds within 72 hours if reported quickly.
  2. Contact the receiving bank. Request a hold on the account.
  3. Preserve all communication. Save the fraudulent emails with full headers. Screenshot any relevant conversations.
  4. Do not alert the attacker. If the attacker is monitoring the compromised email account, avoid discussing the incident through that channel.

For more on BEC-specific response procedures, see our Business Email Compromise Guide.

Secondary Containment (Hours 1-4)

  1. Audit all accounts with similar access. If the compromised user had admin rights, check all admin accounts for signs of compromise.
  2. Review authentication logs. Look for logins from unusual IP addresses, geographic locations, or user agents - both for the compromised account and related accounts.
  3. Check for data exfiltration. Review file access logs, SharePoint/OneDrive activity, and email sending history for evidence that data was copied out.
  4. Notify internal stakeholders. Alert leadership, legal, and HR as appropriate. Use your out-of-band communication channel.

Phase 3: Investigation

With containment measures in place, shift to understanding the full scope of the incident.

Email Analysis

  • Examine the phishing email. Full headers, sender IP, reply-to address, URL destinations, attachment hashes.
  • Identify the campaign. Search your email logs for other instances of the same sender, domain, URL, or subject line.
  • Map the timeline. When was the email sent? When was it opened? When were credentials entered? When did the attacker first use the stolen credentials?

Account Forensics

  • Audit log review. Pull complete sign-in and activity logs for the compromised account.
  • Mail rule inspection. Document any forwarding rules, inbox rules, or delegate permissions the attacker created.
  • OAuth/app review. Check for unauthorized applications granted access to the account.
  • Sent items and deleted items. Review what the attacker sent from the compromised account. Check both sent items and deleted items (attackers often delete sent items to cover their tracks).

Scope Assessment

  • Downstream exposure. If the attacker sent phishing emails from the compromised account, identify all recipients and assess whether any of them also fell for the secondary attack.
  • Data exposure. Determine what data the attacker had access to and whether there is evidence of access or exfiltration.
  • System exposure. If the compromised credentials provided access to systems beyond email, assess whether those systems were accessed.

Evidence Preservation

  • Export and archive all relevant logs, emails, and forensic data
  • Maintain chain of custody documentation
  • Do not modify or delete evidence
  • Consider engaging a third-party forensics firm for incidents involving significant financial loss, data exposure, or potential litigation

Phase 4: Eradication

Eradication removes the attacker’s access and any artifacts they left behind.

Account Remediation

  • Confirm password resets are complete for all affected accounts
  • Remove all unauthorized forwarding rules, inbox rules, and delegate access
  • Revoke unauthorized OAuth application consents
  • Re-verify MFA enrollment for affected accounts
  • Review and remove any attacker-created accounts

System Remediation

  • Remove malware from affected endpoints using validated clean tools
  • Rebuild compromised systems from known-good backups or images if malware persistence is suspected
  • Update endpoint protection signatures
  • Patch any vulnerabilities exploited during the attack

Infrastructure Hardening

  • Block all identified indicators of compromise (IOCs) across email, web proxy, and firewall
  • Update email security rules based on the attack technique observed
  • Add the attack domain and sender patterns to your anti-phishing block lists

Phase 5: Recovery

Recovery restores normal operations while maintaining heightened monitoring.

Service Restoration

  • Re-enable affected accounts with verified security controls
  • Restore data from backups if necessary (verify backup integrity before restoring)
  • Resume normal email flow with enhanced monitoring
  • Communicate restoration status to affected users

Heightened Monitoring Period

For at least 30 days following an incident:

  • Monitor compromised accounts for unusual activity
  • Watch for follow-up attacks targeting the same users
  • Track authentication logs for signs of persistent access
  • Monitor dark web sources for exposed credentials

Phase 6: Reporting

Internal Reporting

Document the incident with:

  • Timeline from initial compromise to full containment
  • Scope of affected accounts, systems, and data
  • Root cause - How did the phishing email bypass existing controls?
  • Response actions taken at each phase
  • Impact - Financial loss, data exposure, operational disruption
  • Recommendations for preventing similar incidents

External Reporting

Depending on the nature and scope of the incident:

  • FBI IC3 - File a complaint at ic3.gov for all BEC and significant phishing incidents
  • State attorneys general - Many states require breach notification within 30-72 days if personal data was exposed
  • Industry regulators - HIPAA (healthcare), PCI DSS (payment cards), SOX (public companies) may have additional reporting requirements
  • Affected individuals - If personal data was exposed, notification to affected individuals may be legally required
  • Cyber insurance carrier - Notify your insurer promptly. Late notification may affect coverage.

Regulatory Notification Timelines

RegulationNotification DeadlineTrigger
GDPR72 hoursPersonal data of EU residents exposed
HIPAA60 daysProtected health information exposed
State breach notification laws30-90 days (varies by state)Personal information of state residents exposed
SEC (public companies)4 business daysMaterial cybersecurity incident
PCI DSSImmediatelyPayment card data exposed

Phase 7: Post-Incident Review

Lessons Learned Meeting

Within two weeks of incident closure, hold a post-incident review with all responders. Address:

  1. What went well? Which parts of the response were effective?
  2. What failed? Where did the response break down or take too long?
  3. What was missing? What tools, access, or procedures would have improved the response?
  4. What changes are needed? Specific action items with owners and deadlines.

Prevention Improvements

Based on the incident, evaluate:

  • Email security controls. Did the phishing email bypass detection? Why? Does your anti-phishing software need tuning or replacement?
  • Authentication. Was MFA enabled and enforced? Was conditional access configured?
  • Training. Did the affected user recognize the phishing attempt? What training gaps exist?
  • Process controls. For BEC incidents - were financial verification procedures in place and followed?
  • Detection. How was the incident detected? Can detection time be reduced?

Phishing Incident Response Checklist

Use this checklist during an active incident:

Immediate (0-30 minutes):

  • Reset compromised account passwords
  • Revoke all active sessions
  • Check and remove mail forwarding rules
  • Isolate infected devices from network
  • For wire fraud: contact bank immediately
  • Identify other recipients of the phishing email

Short-term (1-4 hours):

  • Audit related accounts for compromise
  • Review authentication and activity logs
  • Block attacker indicators (domains, IPs, hashes)
  • Notify internal stakeholders via out-of-band channel
  • Engage legal counsel if data exposure is suspected
  • Quarantine copies of phishing email from other inboxes

Medium-term (1-7 days):

  • Complete investigation and scope assessment
  • Remove all attacker artifacts and persistence mechanisms
  • Restore affected systems and accounts
  • File FBI IC3 report if applicable
  • Determine regulatory notification obligations
  • Begin heightened monitoring period

Long-term (2-4 weeks):

  • Conduct post-incident review
  • Update incident response procedures
  • Implement prevention improvements
  • Update training program based on lessons learned
  • Close incident with full documentation

Prevention: Reducing Future Incident Likelihood

The best incident response is one you never have to execute. Invest in prevention:

  • Pre-delivery email scanning - Block threats before they reach the inbox. See our anti-phishing solutions overview.
  • Multi-engine detection - No single engine catches everything. Phish Protection uses 5 concurrent engines.
  • Time-of-click URL protection - Catch delayed-weaponization attacks.
  • Email authentication - Implement SPF, DKIM, and DMARC at enforcement.
  • Regular phishing simulations - Test employee resilience quarterly.
  • Financial verification procedures - Out-of-band confirmation for all wire transfers and payment changes.
  • Ongoing monitoring - Review email security logs and threat intelligence feeds regularly.

For an overview of how these prevention layers work together, see our Email Security Complete Guide.

Further Reading

Enterprise-Class Email Protection Without the Enterprise Price

The best incident response starts with prevention. Phish Protection’s integrated email security solution blocks phishing, BEC, malware, and ransomware before they reach your inbox. 24x7. On any device.

  • Pre-delivery scanning with 5 concurrent detection engines
  • Time-of-click URL protection
  • BEC and impersonation detection
  • Real-time alerts to users and administrators
  • Setup in under 5 minutes

Start your 60-day free trial - no credit card required.

Protect your inbox from phishing attacks

Start your 60-day free trial - no credit card required.

Start Free Trial