Someone on your team just clicked a link they shouldn't have. Maybe they entered their password on a fake login page. Maybe they opened an attachment that turned out to be malware. Maybe they wired money to what they thought was a vendor.
Whatever happened, the clock is running. Here's what to do right now.
Immediate Response (First 30 Minutes)
1. Don't Punish — Collect Information
The person who clicked needs to tell you exactly what happened: what they clicked, what they entered, what they downloaded, when it happened. If they're afraid of getting fired, they'll minimize or delay reporting. Make it clear that reporting fast matters more than blame.
Ask these specific questions:
- What did the email say? (Screenshot it if possible — don't click anything else in it)
- Did you enter any credentials? Which ones — email, VPN, banking?
- Did you download or open any files?
- What device were you on? Work laptop, phone, personal device?
- How long ago did this happen?
2. Isolate the Affected Account
If credentials were entered on a phishing page:
Change the password immediately, and not from the compromised device: use a different, known-clean device. Change it for the account that was phished and for every other account that shares the same password (yes, people reuse passwords; deal with reality, not policy).
Revoke active sessions. Changing a password doesn't end existing sessions: access and refresh tokens issued before the reset stay valid until they expire, and if the phishing page was an adversary-in-the-middle proxy the attacker may hold a live session cookie that never needs the password again. In Microsoft 365, open the user in the admin center and click "Sign out of all sessions" (or revoke the user's sign-in sessions in Entra ID). In Google Workspace, open the user in the Admin console, go to Security, and reset the sign-in cookies. For other services, look for session or token management in the admin panel; if there is none, the password change plus MFA re-verification is the best you can do.
Enable or re-verify MFA. If MFA was already enabled, check whether the attacker registered a new method (authenticator app, phone number, security key) during the window when they had access, and remove anything the user doesn't recognize; an extra MFA method is how an attacker keeps access after the password reset. Review app consents and OAuth tokens granted in that window for the same reason. If MFA wasn't enabled, enable it now.
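The three account-containment steps above, scripted for a Microsoft 365 / Entra ID tenant. This is an added example, not code from the original article; it assumes the Microsoft Graph PowerShell SDK is installed, that you sign in as an admin who is allowed to reset passwords and manage authentication methods, and that the user principal name and the time of the phish are supplied as placeholders.

```powershell
# Added example (not from the original article): contain a phished Microsoft 365 /
# Entra ID account with the Microsoft Graph PowerShell SDK. Assumes the
# Microsoft.Graph modules are installed and you sign in as an admin who can reset
# passwords and manage authentication methods. $Upn and $PhishedAt are placeholders.
param(
    [Parameter(Mandatory)] [string]   $Upn,        # e.g. jane.doe@example.com
    [Parameter(Mandatory)] [datetime] $PhishedAt   # when the user entered credentials
)

Connect-MgGraph -Scopes "User.ReadWrite.All",
                        "Directory.AccessAsUser.All",
                        "UserAuthenticationMethod.ReadWrite.All" | Out-Null

$user = Get-MgUser -UserId $Upn -Property Id, UserPrincipalName, DisplayName

# 1. Reset the password to a random temporary value and force a change at next
#    sign-in. Run this from a known-clean admin workstation, never from the phished device.
$bytes = New-Object byte[] 24
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$tempPassword = [Convert]::ToBase64String($bytes)   # mixed case, digits and symbols
Update-MgUser -UserId $user.Id -PasswordProfile @{
    Password                      = $tempPassword
    ForceChangePasswordNextSignIn = $true
}
Write-Host "Password reset for $($user.UserPrincipalName); hand over the temporary password out of band."

# 2. Invalidate refresh tokens and browser sessions. A password change on its own
#    leaves existing tokens valid until they expire, and an adversary-in-the-middle
#    phishing kit may already hold one.
Revoke-MgUserSignInSession -UserId $user.Id | Out-Null

# 3. Enumerate registered authentication methods. Anything the user does not
#    recognise, or anything created at or after $PhishedAt, is attacker persistence
#    and should be removed with the matching Remove-MgUserAuthentication*Method cmdlet.
Get-MgUserAuthenticationMethod -UserId $user.Id | ForEach-Object {
    $p = $_.AdditionalProperties
    $created = $p['createdDateTime']       # not every method type records this
    [pscustomobject]@{
        Id         = $_.Id
        Type       = ($p['@odata.type'] -replace '^#microsoft\.graph\.', '')
        Detail     = (@($p['displayName'], $p['phoneNumber'], $p['emailAddress']) -ne $null) -join ' '
        Created    = $created
        AfterPhish = $(if ($created) { [datetime]$created -ge $PhishedAt } else { 'unknown' })
    }
} | Format-Table -AutoSize
```

The order matters: reset the password first, then revoke sessions, otherwise the attacker can simply sign back in with the still-valid password between the two steps. The method listing is deliberately read-only; confirm each entry with the user before removing it.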
3. Isolate the Affected Device
If a file was downloaded or opened:
Disconnect the device from the network: turn off Wi-Fi, unplug the Ethernet cable, disable Bluetooth, and if your endpoint tooling can isolate a host, use that. Don't power it off. Memory holds running processes, open network connections and keys that a reboot destroys; sever the network connection and leave the machine running.
Don't try to "clean" it yourself by running antivirus or deleting suspicious files. You may destroy evidence that's needed to understand the scope of the compromise.
If you have an IT team or managed service provider, contact them immediately. If you don't, keep the device isolated and proceed with the other steps.
Containment (First 2 Hours)
4. Check for Unauthorized Access
Now that the immediate account and device are contained, check for signs that the attacker actually used the stolen credentials:
Email: Check sent items and deleted items for messages the user didn't write (replies to vendors, changed invoice details, internal "please review this document" mail), and check mailbox-level forwarding, which lives outside the rules list. In Microsoft 365 that is the mailbox forwarding setting and, if the account had admin rights, transport (mail flow) rules; in Google Workspace, the forwarding setting in the user's Gmail settings and any filters.
File access: Review recent file access and download events in your cloud storage (OneDrive, Google Drive, SharePoint). Did the attacker open or download sensitive documents, or create sharing links to them?
Inbox rules: This is the most commonly missed step. Attackers create inbox rules that delete security notifications, move password reset emails to trash, or forward messages matching words like "invoice", "payment" or "wire" to an external address, and rules created through the API can be hidden from the Outlook rules dialog. Enumerate every rule on the compromised mailbox, including hidden ones, and delete anything the user didn't create.
Admin actions: If the compromised account had admin privileges, review the admin audit log for changes made during the exposure window: new accounts created, permissions changed, security settings modified, new app registrations or consents granted.
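The four checks above, run against a Microsoft 365 tenant. This is an added example rather than the article's own tooling; it assumes the ExchangeOnlineManagement and Microsoft.Graph modules, an admin sign-in, Entra ID sign-in logs (which need a P1/P2 licence), and the same placeholder user and phish time as the containment step. It only reads; the cmdlets that undo attacker changes are named in comments.

```powershell
# Added example (not from the original article): review a phished Microsoft 365
# account for attacker activity with Exchange Online and Microsoft Graph PowerShell.
# Assumes the ExchangeOnlineManagement and Microsoft.Graph modules, an admin sign-in,
# Entra ID sign-in logs (requires a P1/P2 licence), and placeholder values for $Upn
# and $PhishedAt. Nothing here modifies the tenant; removal cmdlets are noted in comments.
param(
    [Parameter(Mandatory)] [string]   $Upn,        # e.g. jane.doe@example.com
    [Parameter(Mandatory)] [datetime] $PhishedAt   # when the user entered credentials
)

Connect-ExchangeOnline -ShowBanner:$false
Connect-MgGraph -Scopes "AuditLog.Read.All" | Out-Null

# 1. Inbox rules, including hidden ones created over the API that Outlook does not
#    display. Forwarding/redirecting externally, or deleting/moving mail that matches
#    words like "password" or "invoice", is the classic pattern.
#    Remove with: Remove-InboxRule -Mailbox $Upn -Identity <Name>
Get-InboxRule -Mailbox $Upn -IncludeHidden |
    Select-Object Name, Enabled, Priority, ForwardTo, ForwardAsAttachmentTo, RedirectTo,
                  DeleteMessage, MoveToFolder, SubjectContainsWords, BodyContainsWords |
    Format-List

# 2. Mailbox-level forwarding, which is set outside the rules engine.
#    Clear with: Set-Mailbox $Upn -ForwardingAddress $null -ForwardingSmtpAddress $null
Get-Mailbox -Identity $Upn |
    Select-Object ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward

# 3. Tenant-wide mail flow rules changed since the phish (only reachable if the
#    attacker got admin rights).
Get-TransportRule | Where-Object { $_.WhenChanged -ge $PhishedAt } |
    Select-Object Name, State, WhenChanged, RedirectMessageTo, BlindCopyTo, AddToRecipients

# 4. Everything the account did since the phish, from the unified audit log: rule
#    changes, sends, SharePoint/OneDrive downloads, admin operations. Sorted by time
#    this is the attacker's timeline; the client IP separates them from the real user.
Search-UnifiedAuditLog -StartDate $PhishedAt -EndDate (Get-Date) -UserIds $Upn -ResultSize 5000 |
    ForEach-Object {
        $d = $_.AuditData | ConvertFrom-Json
        [pscustomobject]@{
            Time      = $_.CreationDate
            Workload  = $_.RecordType
            Operation = $_.Operations
            ClientIP  = $(if ($d.ClientIP) { $d.ClientIP } else { $d.ClientIPAddress })
            Target    = $d.ObjectId
        }
    } | Sort-Object Time | Format-Table -AutoSize

# 5. Sign-ins since the phish. An unfamiliar IP or country, or a legacy client such
#    as IMAP, marks the attacker's sessions and tells you how they got in.
$since = $PhishedAt.ToUniversalTime().ToString('yyyy-MM-dd\THH:mm:ss\Z')
Get-MgAuditLogSignIn -All -Filter "userPrincipalName eq '$Upn' and createdDateTime ge $since" |
    Select-Object CreatedDateTime, IPAddress,
                  @{ n = 'Country'; e = { $_.Location.CountryOrRegion } },
                  ClientAppUsed, AppDisplayName,
                  @{ n = 'Result';  e = { if ($_.Status.ErrorCode -eq 0) { 'success' } else { "error $($_.Status.ErrorCode)" } } } |
    Sort-Object CreatedDateTime | Format-Table -AutoSize
```

Step 4 doubles as the blast-radius map for the next section: every object the attacker touched, and the IP addresses they came from, are in that list. Export it (Export-Csv) before you start remediating, since the timeline is what your IT provider, insurer and any regulator will ask for.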
5. Determine the Blast Radius
The attacker had access to the compromised account from the moment credentials were entered until you reset the password and revoked its sessions. Everything that account could reach during that window is potentially compromised.
Map it out:
- What systems does this account have access to?
- What data could they have reached?
- Could they have pivoted to other accounts or systems?
- Did they send emails from the compromised account (internal phishing to spread the attack)?
6. Notify Your IT Provider or Security Team
If you have a managed service provider, IT team, or security vendor, loop them in now if you haven't already. Give them the timeline, the affected accounts, and what you've found so far. They can run deeper analysis — checking authentication logs, correlating events across systems, and scanning for indicators of compromise beyond what's visible in the admin panel.
Assessment and Reporting (First 24 Hours)
7. Determine Whether Data Was Compromised
This matters for legal and regulatory obligations. If the attacker accessed or exfiltrated personal data (customer records, employee information, financial data), you may have breach notification obligations under state and federal law.
Key questions:
- Did the compromised account have access to personally identifiable information (PII)?
- Did access logs show the attacker viewing or downloading that data?
- Was the compromised email account receiving sensitive information (invoices, tax documents, medical records)?
8. Report to Relevant Parties
FBI's IC3 (ic3.gov) — Report the phishing attack, especially if financial loss occurred.
Your cyber insurance carrier — Notify them promptly. Most policies require notification within a specific timeframe. Even if you're not sure you have a claim, early notification preserves your options.
Affected clients or partners — If the attacker sent emails from the compromised account to your clients, or if client data was potentially exposed, notification is ethically required and very likely legally required as well.
Prevention (The Week After)
9. Conduct a Post-Incident Review
Once the fire is out, understand how it happened:
- How did the phishing email get through your email security?
- Why did the employee click? Was the email unusually convincing, or was there a training gap?
- How long elapsed between the click and the report? Can you shorten that window?
- Were your detection and response procedures adequate?
10. Implement Prevention Measures
Based on what you learned:
Phishing simulations. Regular simulated phishing campaigns train employees to recognize and report suspicious emails. The goal isn't to catch people — it's to build the reflex of pausing before clicking.
Conditional access policies. Require MFA for all external access, block legacy authentication protocols (IMAP, POP and SMTP AUTH, which cannot do MFA at all), and restrict access from unmanaged devices. Where you can, move to phishing-resistant MFA (FIDO2 security keys or passkeys): push notifications and one-time codes can be relayed in real time by adversary-in-the-middle phishing kits, and a password plus a relayed code is exactly what the attacker in this scenario collected.
Email authentication. Implement DMARC at enforcement (p=reject) so attackers cannot send mail that spoofs your exact domain to your employees and clients. Move to p=reject only after the aggregate (rua) reports show every legitimate sender passing SPF or DKIM alignment, or you will block your own mail. Be clear about what DMARC does not do: it says nothing about lookalike domains or mail sent from a compromised partner account, so it closes one spoofing route rather than phishing as a whole.
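A quick way to audit where a domain stands on SPF, DKIM and DMARC before and after the change. This is an added example, not part of the original article; it uses Resolve-DnsName from the Windows DnsClient module, and the domain name and DKIM selector names are placeholders (Microsoft 365 publishes its keys under selector1 and selector2; other providers use their own names).

```powershell
# Added example (not from the original article): check a domain's SPF, DKIM and
# DMARC records and flag weak settings. Uses Resolve-DnsName from the Windows
# DnsClient module. example.com and the selector names are placeholders; Microsoft
# 365 publishes DKIM under selector1/selector2, other providers use their own.
function Get-TxtRecords {
    param([string] $Name)
    Resolve-DnsName -Name $Name -Type TXT -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'TXT' } |
        ForEach-Object { $_.Strings -join '' }    # long records arrive as 255-byte chunks
}

function Test-EmailAuth {
    param(
        [Parameter(Mandatory)] [string]   $Domain,
        [string[]] $DkimSelectors = @('selector1', 'selector2')
    )
    $findings = New-Object System.Collections.Generic.List[string]

    # SPF: which servers may send as the domain. '-all' rejects everyone else,
    # '~all' only softfails, '+all' (or no all mechanism) authorises anyone.
    $spf = @(Get-TxtRecords $Domain | Where-Object { $_ -match '^v=spf1\b' })
    if ($spf.Count -eq 0)             { $findings.Add('SPF: no record published') }
    elseif ($spf.Count -gt 1)         { $findings.Add('SPF: multiple records; receivers treat this as a permanent error') }
    elseif ($spf[0] -match '\+all')   { $findings.Add('SPF: +all authorises any sender') }
    elseif ($spf[0] -match '~all')    { $findings.Add('SPF: ~all softfail; DMARC alignment still works, but consider -all') }
    elseif ($spf[0] -notmatch '-all') { $findings.Add('SPF: no -all terminator') }

    # DKIM: a public key must be published for at least one selector the provider signs with.
    $dkim = foreach ($sel in $DkimSelectors) {
        $keys = @(Get-TxtRecords "${sel}._domainkey.${Domain}" | Where-Object { $_ -match '(^|;)\s*p=' })
        if ($keys.Count -gt 0) { $sel }
    }
    if (-not $dkim) { $findings.Add("DKIM: no key found for selectors $($DkimSelectors -join ', ')") }

    # DMARC: tells receivers what to do when neither SPF nor DKIM aligns with the From domain.
    $dmarc = Get-TxtRecords "_dmarc.${Domain}" | Where-Object { $_ -match '^v=DMARC1\b' } | Select-Object -First 1
    if (-not $dmarc) {
        $findings.Add('DMARC: no record; spoofed mail from this domain is delivered normally')
    } else {
        $tags = @{}
        foreach ($kv in ($dmarc -split ';')) {
            if ($kv -match '^\s*(\w+)\s*=\s*(.+?)\s*$') { $tags[$Matches[1]] = $Matches[2] }
        }
        switch ($tags['p']) {
            'reject'     { }
            'quarantine' { $findings.Add('DMARC: p=quarantine; spoofed mail lands in spam instead of being refused') }
            default      { $findings.Add("DMARC: p=$($tags['p']) (none or missing); monitoring only, spoofing is not blocked") }
        }
        if ($tags['sp'] -and $tags['sp'] -ne 'reject')   { $findings.Add("DMARC: subdomain policy sp=$($tags['sp']) is weaker than p") }
        if ($tags['pct'] -and [int]$tags['pct'] -lt 100) { $findings.Add("DMARC: pct=$($tags['pct']) applies the policy to only part of the mail") }
        if (-not $tags['rua']) { $findings.Add('DMARC: no rua address; you get no aggregate reports to confirm legitimate senders pass') }
    }

    [pscustomobject]@{
        Domain   = $Domain
        SPF      = ($spf -join ' | ')
        DKIM     = ($dkim -join ', ')
        DMARC    = $dmarc
        Findings = $findings.ToArray()
    }
}

# Target state, once aggregate reports show every legitimate sender aligning:
#   _dmarc.example.com  TXT  "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s"
Test-EmailAuth -Domain 'example.com' | Format-List
```

Run it against your own domain first, then against the domains your vendors invoice you from: a supplier at p=none is a supplier whose name can be borrowed for the next wire-fraud attempt against your accounts-payable team.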
Incident response playbook. Write down what you just did — the steps, the contacts, the tools — so the next time (there's always a next time) you move faster.
The Uncomfortable Truth
Phishing works because it exploits human trust and urgency far more than it exploits software bugs, so no amount of technology completely eliminates the risk. The goal is reducing the frequency (through training and email security) and minimizing the damage when it happens (through phishing-resistant MFA, monitoring, and fast response).
If you want to test your organization's resilience before a real attacker does, we run realistic phishing simulations that show you exactly where your vulnerabilities are — and train your team to close them.