What to Do When You’ve Been Phished?

There are plenty of things you can do to identify and reduce the impact of a successful phishing attack. As with other information security threats, you can’t entirely eliminate the risk, so it is important to proactively prepare an effective response strategy and to react to a phishing attempt in a way that protects you and your colleagues.

14 Things to Do After a Phishing Attack

When you suspect or notice that there has been a successful phishing attack against your organization, what should you do? Here are 14 things to do when you get phished.

  1. Activate your IR procedures. This is the right thing to do, and it also tests how smoothly things work compared with your incident response tabletop exercises.
  2. Obtain a copy of the email message with full headers showing the routing details, along with any original attachments. Also note down the IP address the email was received from.
  3. Mine the web for threat intelligence on the indicators you found. Take care and stay alert when researching malicious sites, which can be dangerous to visit.
  4. Don’t sidestep the user: ask the clicker(s) what happened before and after they interacted with the phish.
  5. Blacklisting based on a regex is a short-term measure to stop other users from falling victim to the same attack: modify your perimeter email filters to block similar messages.
  6. Search your firewall logs for the suspicious IPs, URLs, etc. taken from the email, its URLs and its attachments, to see whether any traffic left your network for those IPs. Because attackers often change their IPs, also search your DNS logs to see whether any host on your network looked them up.
  7. If you use a proxy such as WebSense or BlueCoat, review its logs (or your outbound web logs) and check the IP of the server the phishing site is running on.
  8. Review your mail server logs to see which users received the message.
  9. Reviewing DNS logs tells you which hosts looked up any malicious domains you find.
  10. Ensure logs are retained. Depending on how things go you will need to save these logs, and retention should be addressed in your IR plan.
  11. Dealing with a successful phishing attack is an opportunity to raise awareness among management and your users; the event makes a great real-world example.
  12. Periodically change the affected users’ passwords, because an attacker could come back and use legitimate access methods such as OWA or the VPN.
  13. Check for active sessions of affected users and ensure there are no current connections that shouldn’t be active.
  14. Train your users to be “smart skeptics”; it’s a skill that is built up passively over time.
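As an added example (not from the original post), here is a small Python script that runs the log review of steps 6 through 9 over constructed sample firewall, DNS and mail logs: given the indicators pulled from the phishing email (sender relay IP, lure domain, and the IP the lure resolves to, all constructed test-range values), it reports which users received the message, which hosts resolved the lure domain, and which hosts tried to reach the site's IP. It assumes a simple key=value log format; real firewall, resolver and MTA logs will need their own parsing.

```python
import re

# Constructed indicators taken from the phishing email (step 2 in the list).
# All addresses are documentation/test ranges, not real infrastructure.
INDICATORS = {
    "sender_ip": "203.0.113.45",       # relay IP from the Received: headers
    "domain": "login-portal.example",  # host of the lure URL in the email body
    "site_ip": "198.51.100.7",         # IP the lure host resolves to (step 7)
}

# Constructed sample logs: one event per line, timestamp then key=value fields.
FIREWALL_LOG = """\
2024-05-02T09:14:03Z action=allow src=10.0.0.21 dst=198.51.100.7 dport=443
2024-05-02T09:15:11Z action=allow src=10.0.0.33 dst=93.184.216.34 dport=443
2024-05-02T09:16:40Z action=deny src=10.0.0.58 dst=198.51.100.7 dport=443
"""
DNS_LOG = """\
2024-05-02T09:13:58Z client=10.0.0.21 query=login-portal.example type=A
2024-05-02T09:14:30Z client=10.0.0.33 query=example.com type=A
2024-05-02T09:16:35Z client=10.0.0.58 query=login-portal.example type=A
"""
MAIL_LOG = """\
2024-05-02T09:10:02Z from=<billing@login-portal.example> to=<alice@corp.example> relay=203.0.113.45
2024-05-02T09:10:03Z from=<billing@login-portal.example> to=<bob@corp.example> relay=203.0.113.45
2024-05-02T09:10:04Z from=<news@example.org> to=<carol@corp.example> relay=192.0.2.9
"""

KV = re.compile(r"(\w+)=<?([^\s>]+)>?")  # key=value, value optionally wrapped in <>

def parse(log):
    """Yield one dict of key=value fields per log line (the timestamp has no '=' and is skipped)."""
    for line in log.splitlines():
        yield dict(KV.findall(line))

def scope_phish(ind, fw_log, dns_log, mail_log):
    """Pivot the email's indicators through each log source (steps 6 to 9)."""
    # Step 8: every recipient whose copy was delivered from the phishing relay IP.
    recipients = sorted(f["to"] for f in parse(mail_log) if f.get("relay") == ind["sender_ip"])
    # Step 9: every internal host that resolved the lure domain.
    resolvers = sorted(f["client"] for f in parse(dns_log) if f.get("query") == ind["domain"])
    # Steps 6 and 7: every host that tried to reach the lure's IP. Keep the firewall
    # verdict, because a denied connection still shows that the user clicked.
    contacts = {f["src"]: f["action"] for f in parse(fw_log) if f.get("dst") == ind["site_ip"]}
    return {"recipients": recipients, "resolvers": resolvers, "contacts": contacts}

if __name__ == "__main__":
    for key, value in scope_phish(INDICATORS, FIREWALL_LOG, DNS_LOG, MAIL_LOG).items():
        print(f"{key}: {value}")
```

The hosts that appear in `resolvers` or `contacts` but not as recipients' workstations are worth a closer look, since they reached the lure without receiving the email directly.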