Building a Phishing Response Plan
Building a Phishing Response Plan

Photo by Wolfgang Weiser on Pexels
Even with training and technical defenses, someone will eventually click a phishing link or open a malicious attachment. This is not a failure — it is a statistical certainty. What determines the outcome is not whether the click happens but how quickly and effectively your organization responds. A phishing response plan turns panic into a structured, effective process.
The First 15 Minutes: Immediate Actions
When an employee reports a suspected phishing click, the clock is ticking. The first 15 minutes are critical for containing the damage.
Step 1: Isolate the device. If an employee clicked a link or opened an attachment, disconnect their computer from the network immediately. Unplug the network cable or turn off Wi-Fi. Do not shut down the computer — volatile memory may contain evidence and active malware. Isolation prevents lateral movement if malware was installed.
Step 2: Do not delete the email. The phishing email is evidence. It contains headers, links, and attachment metadata that help identify the attack and determine its scope. Instruct the employee to leave it in place and not interact with it further.
Step 3: Change passwords. If credentials were entered on a fake login page, the attacker has them now. Change the compromised password immediately, and change it on any other service where the same password was reused. Use a different device to make these changes.
Step 4: Enable multi-factor authentication. If MFA was not already enabled on the compromised account, enable it now. Even if the attacker has the password, they cannot access an MFA-protected account without the second factor.
The First Hour: Investigation
Step 5: Determine the scope. Did the phishing email go to other employees? Search your email system for the same sender, subject line, or link. Notify all recipients who also received it. Check whether others clicked or entered credentials.
Step 6: Analyze the link or attachment. Use VirusTotal, URLscan.io, or Any.Run to safely analyze the phishing URL or attachment without opening it on a production machine. Determine what the attack was designed to do — steal credentials, install ransomware, or harvest email contacts.
Step 7: Block the threat. Add the sender's domain and link URLs to your email filter block list. If using a web filter, block the malicious URLs at the network level. This prevents other employees from reaching the same phishing site.
The First Day: Remediation
Step 8: Scan and clean. Run a full antivirus and anti-malware scan on the affected device. Use tools like Malwarebytes (free version) or Microsoft Defender Offline. If malware is found and cannot be cleaned, wipe the device and restore from a known-good backup.
Step 9: Monitor for follow-up attacks. Attackers who have stolen credentials or installed malware often return. Monitor the compromised account for unusual activity — logins from unexpected locations, mass email deletion, new forwarding rules, or unauthorized file access. Check for email forwarding rules the attacker may have set up to intercept future communications.
Step 10: Document and report. Record what happened, the timeline, actions taken, and lessons learned. If sensitive data was exposed, determine whether you are legally required to report the breach to affected parties, regulators, or your cyber insurance provider.
The Ongoing Plan: Prevention
After the incident, update your phishing response plan with what you learned. Was the email missed by your filter? Adjust filter rules. Did the employee not recognize the phishing? Reinforce training. Did the response take too long? Streamline the reporting process. Every phishing incident — whether successful or caught early — is a training opportunity that improves your defenses.
Free and Low-Cost Incident Response Tools
- Have I Been Pwned (haveibeenpwned.com) — Check if compromised email addresses appear in known breach databases
- CISA Incident Response Guides (cisa.gov) — Free, detailed guides for responding to phishing and other cyber incidents
- NIST Cybersecurity Framework — Free framework for structuring your overall incident response program
Key Takeaways
- Phishing clicks are inevitable; a response plan is what contains the damage
- The first 15 minutes — isolate, preserve evidence, change passwords, enable MFA — are critical
- Investigation, blocking, and monitoring continue through the first day
- Document every incident and use it to improve training and technical defenses
Common Questions: Building a Phishing Response Plan
Q: What is the first thing an organization should do after a phishing incident?
The immediate priority is containment: disable any compromised accounts, isolate affected devices from the network, and force password resets for any accounts that may have had credentials exposed. Simultaneously, begin preserving evidence—email logs, system logs, and the phishing email itself. Do not delete the phishing email; it may be needed for forensic analysis. Then assess the scope: who else received the same email? Who clicked? What data or systems were accessed?
Q: What free incident response templates are available?
CISA provides a free Incident Response Plan template at cisa.gov. NIST SP 800-61 provides the gold-standard framework for computer security incident handling, available for free. SANS offers free incident response checklists and templates. IRST (Incident Response Social Toolkit) provides free playbooks. These resources give you a structured starting point that you can customize for your organization's specific needs and resources.
Q: What happens if we don't have a response plan when phishing hits?
Without a plan, response time increases dramatically. Employees may not know who to contact, leading to delayed reporting. IT may respond reactively rather than systematically, missing critical steps like preserving evidence or checking for lateral movement. The average cost of a data breach increases by over $2 million when incident response is ad hoc rather than planned. Even a simple, one-page response plan—listing contacts, initial steps, and escalation procedures—dramatically improves outcomes.
Q: How do we conduct a post-incident review?
After every phishing incident, hold a blameless post-mortem within one week. Document: what happened (timeline), how it was detected, what worked in the response, what didn't work, and what changes are needed. Update your response plan based on findings. If an employee clicked, focus on systemic improvements rather than blame—was the training adequate? Did the filter miss it? Was the email particularly sophisticated? Use each incident as a learning opportunity to strengthen the organization's overall security posture.
Building a Phishing Response Plan

Photo by Wolfgang Weiser on Pexels
Even with training and technical defenses, someone will eventually click a phishing link or open a malicious attachment. This is not a failure — it is a statistical certainty. What determines the outcome is not whether the click happens but how quickly and effectively your organization responds. A phishing response plan turns panic into a structured, effective process.
The First 15 Minutes: Immediate Actions
When an employee reports a suspected phishing click, the clock is ticking. The first 15 minutes are critical for containing the damage.
Step 1: Isolate the device. If an employee clicked a link or opened an attachment, disconnect their computer from the network immediately. Unplug the network cable or turn off Wi-Fi. Do not shut down the computer — volatile memory may contain evidence and active malware. Isolation prevents lateral movement if malware was installed.
Step 2: Do not delete the email. The phishing email is evidence. It contains headers, links, and attachment metadata that help identify the attack and determine its scope. Instruct the employee to leave it in place and not interact with it further.
Step 3: Change passwords. If credentials were entered on a fake login page, the attacker has them now. Change the compromised password immediately, and change it on any other service where the same password was reused. Use a different device to make these changes.
Step 4: Enable multi-factor authentication. If MFA was not already enabled on the compromised account, enable it now. Even if the attacker has the password, they cannot access an MFA-protected account without the second factor.
The First Hour: Investigation
Step 5: Determine the scope. Did the phishing email go to other employees? Search your email system for the same sender, subject line, or link. Notify all recipients who also received it. Check whether others clicked or entered credentials.
Step 6: Analyze the link or attachment. Use VirusTotal, URLscan.io, or Any.Run to safely analyze the phishing URL or attachment without opening it on a production machine. Determine what the attack was designed to do — steal credentials, install ransomware, or harvest email contacts.
Step 7: Block the threat. Add the sender's domain and link URLs to your email filter block list. If using a web filter, block the malicious URLs at the network level. This prevents other employees from reaching the same phishing site.
The First Day: Remediation
Step 8: Scan and clean. Run a full antivirus and anti-malware scan on the affected device. Use tools like Malwarebytes (free version) or Microsoft Defender Offline. If malware is found and cannot be cleaned, wipe the device and restore from a known-good backup.
Step 9: Monitor for follow-up attacks. Attackers who have stolen credentials or installed malware often return. Monitor the compromised account for unusual activity — logins from unexpected locations, mass email deletion, new forwarding rules, or unauthorized file access. Check for email forwarding rules the attacker may have set up to intercept future communications.
Step 10: Document and report. Record what happened, the timeline, actions taken, and lessons learned. If sensitive data was exposed, determine whether you are legally required to report the breach to affected parties, regulators, or your cyber insurance provider.
The Ongoing Plan: Prevention
After the incident, update your phishing response plan with what you learned. Was the email missed by your filter? Adjust filter rules. Did the employee not recognize the phishing? Reinforce training. Did the response take too long? Streamline the reporting process. Every phishing incident — whether successful or caught early — is a training opportunity that improves your defenses.
Free and Low-Cost Incident Response Tools
- Have I Been Pwned (haveibeenpwned.com) — Check if compromised email addresses appear in known breach databases
- CISA Incident Response Guides (cisa.gov) — Free, detailed guides for responding to phishing and other cyber incidents
- NIST Cybersecurity Framework — Free framework for structuring your overall incident response program
Key Takeaways
- Phishing clicks are inevitable; a response plan is what contains the damage
- The first 15 minutes — isolate, preserve evidence, change passwords, enable MFA — are critical
- Investigation, blocking, and monitoring continue through the first day
- Document every incident and use it to improve training and technical defenses
There are no comments for now.