Phishing is the most common way attackers get into SMEs. Most clicks lead nowhere; some hand over a password; a few trigger a chain that ends in fraud or ransomware. Run the steps below in order, and assume the worst until proven otherwise.
First 5 minutes — contain
- Isolate the device: disconnect it from the network (unplug the cable, turn off Wi-Fi). Don't power it off — that destroys memory evidence.
- Tell the employee they did the right thing reporting it. Blame kills future reporting.
First 15 minutes — lock the account
- Reset the password from a different device.
- Revoke all active sessions and sign-in tokens in Microsoft 365 or Google Workspace; a password reset alone does not log the attacker out.
- Confirm MFA is enabled. If not, enable it now.
First 30 minutes — find the damage
- Check the mailbox for inbox rules the attacker may have added.
- Check the Sent Items for outbound phishing.
- Look at sign-in logs for unusual locations.
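As an added example, not part of the original checklist, here is a small Python triage script for the "inbox rules" step: it scores each rule against the patterns attackers typically leave behind (external forwarding, deleting or hiding mail, filtering on money or security keywords, throwaway rule names). The rule fields are an assumed simplified export shape, and the sample rules are constructed.

```python
"""Flag inbox rules that match common post-phishing tampering patterns.

The rule dicts use an ASSUMED, simplified export shape (name, enabled,
forward_to, redirect_to, delete, move_to_folder, keywords); adapt the field
names to whatever your mail platform's export actually produces.
"""

# Folder names attackers commonly use to hide diverted mail from the user.
HIDEAWAY_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                    "archive", "junk email", "deleted items"}
# Subject/body keywords attackers filter on to suppress warnings or fraud replies.
SUSPECT_KEYWORDS = {"invoice", "payment", "bank", "password", "phish",
                    "hacked", "suspicious", "fraud", "helpdesk"}


def rule_findings(rule, internal_domain):
    """Return a list of reasons this single rule looks attacker-created."""
    reasons = []
    external = [a for a in rule.get("forward_to", []) + rule.get("redirect_to", [])
                if not a.lower().endswith("@" + internal_domain.lower())]
    if external:
        reasons.append("forwards/redirects to external: " + ", ".join(external))
    if rule.get("delete"):
        reasons.append("deletes matching messages")
    folder = (rule.get("move_to_folder") or "").lower()
    if folder in HIDEAWAY_FOLDERS:
        reasons.append("moves messages to rarely-viewed folder '%s'" % folder)
    hits = {k.lower() for k in rule.get("keywords", [])} & SUSPECT_KEYWORDS
    if hits:
        reasons.append("filters on keywords: " + ", ".join(sorted(hits)))
    name = rule.get("name", "").strip()
    if len(name) <= 2:  # ".", ",", "" are classic low-effort attacker rule names
        reasons.append("near-empty rule name %r" % name)
    return reasons


def triage_inbox_rules(rules, internal_domain):
    """Map each suspicious enabled rule's name to its reasons; clean rules are omitted."""
    return {r.get("name", ""): rule_findings(r, internal_domain)
            for r in rules if r.get("enabled", True) and rule_findings(r, internal_domain)}


# Constructed sample: one attacker-style rule, one benign rule.
SAMPLE_RULES = [
    {"name": ".", "enabled": True, "forward_to": ["drop@attacker.example"],
     "delete": True, "move_to_folder": "RSS Feeds", "keywords": ["invoice", "bank"]},
    {"name": "Newsletters", "enabled": True, "move_to_folder": "Reading",
     "keywords": ["newsletter"]},
]

if __name__ == "__main__":
    for name, why in triage_inbox_rules(SAMPLE_RULES, "example.co.uk").items():
        print(name or "<unnamed>", "->", "; ".join(why))
```

Any rule it flags should be disabled and exported as evidence before deletion, since the forwarding address and keywords tell you what the attacker was after.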
First hour — notify
- Tell your IT supplier.
- If money may have moved — tell your bank immediately.
- If personal data may have been exfiltrated, the 72-hour window for notifying the ICO starts now.
Same day — learn
- Save a copy of the email for staff training.
- Forward to report@phishing.gov.uk.
- Report fraud to Action Fraud: 0300 123 2040.
Common mistakes
- Powering off the device.
- Telling no one because “nothing happened”.
- Punishing the employee — the next click becomes the unreported one.