BEC and EAC

What to Do After Responding to a Phishing Email

The likelihood that a user might accidently respond to a phishing email is becoming inevitable. Phishing attacks are rampant, with spear-phishing identified as one of the top tactics employed by attackers today. In this environment, the need for email security can’t be overemphasized. End users must know what to do, and how to act fast, if they respond to a phishing email.

Phishing emails can target anyone within an organization. So, it’s critical to establish best practices that all users can apply. These guidelines should be incorporated into an organization’s comprehensive security awareness training program.

Before we establish the appropriate actions to take after an employee is tricked by a phishing email, it’s essential to point out that these scams can be delivered not only through traditional emails but also text messages. Attackers who use the latter method will impersonate a legitimate existing entity, such as a user’s bank.  

The steps outlined below for responding to a phishing attack require cooperation from multiple responsible parties within an organization to be effective. There should be coordination among respective entities—the person who responded to the email, the security analysts, and the information security manager. In the case of individual users, the steps outlined below also apply, provided the affected party engages the appropriate law enforcement agency.

1. Change account passwords

Over the years, phishing attacks have become increasingly more advanced and stealthier. They can be deployed in multiple ways, but their main objective—harvesting login usernames and passwords—has generally remained consistent.

In many cases, responding to a phishing email may include providing login credentials to an application that the attacker has set up to pose as an existing familiar app. The attacker can then acquire the phishing victim’s login credentials and use them to perpetrate other cyber crimes such as email fraud. Given the likelihood of this type of attack, it’s crucial that a compromised user immediately changes the password for the respective account(s) that could have been comprised.

Spear-phishing attackers usually deploy thorough information-gathering processes on their targets once they’ve been compromised. After the attacker ties the phishing attack victim to a particular account, they will try to use similar credentials on the user’s other known accounts. So, it’s crucial to change passwords not only for the expected compromised account but also for other associated user accounts. In many cases, phishing victims use a single password across various accounts.

In short, changing passwords for all online accounts is recommended. Email passwords must be changed immediately, and new passwords must be validated against set email password policies to ensure they meet password complexity requirements.  

2. Report the phishing incident 

Phishing attacks are often deployed on a large scale, targeting many victims at once. In most cases, the phishing attack will target employees within the same organization. Timely reporting of the incident can help ensure other employees who might have received the same phishing email, but may have not yet responded to it, don’t also fall victim to the attack.

Phishing incidents should be reported via the IT service desk or in accordance with the organization’s cyber incident response procedures (CIRP). At this stage, the report is meant to initiate an internal investigation concerning the phishing attack.

Well-timed reporting of an incident—that is, as soon as a user realizes they’ve responded to a phishing email—allows information security technical staff to launch crucial information-gathering about the attack. Proofpoint’s phishing email reporting analysis and remediation tool, PhishAlarm allows for timely reporting of suspected phishing emails to security teams and subsequently allows incident response teams to launch timely responsive activities.

3. Investigate the phishing attack

Responding to a phishing scam can have detrimental effects on individual users as well as the whole organization. The risks of responding to phishing emails may include email account compromise, unauthorized access to the organization’s networks and systems, and the introduction of malware into the phishing victim’s computer and network.

That’s why it’s crucial to initiate a preliminary investigation of the phishing incident upon report via the IT service desk. The objective of this investigation is to gather relevant information about the phishing attack and assess the attack’s impact.

Some pivotal processes to perform at this stage include identifying the phishing emails that users engaged with, locating other messages from the same sender or that have the same link, determining who else in the organization may have received the same email to understand how widespread the attack may be, and pulling those messages out of users’ inboxes.  

Endpoint analysis must also be initiated to identify any malicious software that could have been introduced on the phishing attack victim’s computer or the associated network. Phishing attack victims need to be on the lookout for identity theft.

Also, when necessary, the compromised account should be blocked. A user could ask their bank, for instance, to block their online banking account if it’s been directly compromised by a phishing attack.

Upon notification, the owners of the spoofed email should also launch investigative procedures to check for anomalous activities. For example, a financial institution should monitor the account of a customer who is a phishing attack victim.  

4. Engage relevant regulatory authorities and law enforcement 

Several industry standards or government regulations require an organization to report phishing incidents within a stipulated period following the first time the incident is identified. For organizations operating in the healthcare sector, an incident involving a response to a phishing email must be handled in a way that ensures continued compliance with Health Insurance Portability and Accountability Act (HIPAA) requirements.

Besides ensuring compliance with industry standards and regulations, there’s a strong need to file a case with the appropriate law enforcement agencies. Filing a report with law enforcement may sometimes be dependent on the extent of the damage that the phishing incident would have caused.

5. Implement remediation strategies and safeguard against future attacks 

As a first line of defense, users must be well-informed about the phishing attack vectors that attackers are currently employing. To help ensure that happens organizations must conduct comprehensive user security education and training.

Internal simulations of phishing scams are an effective strategy to help users avoid falling victim to phishing emails. Simulations expose users to real-world examples of phishing attacks so they can better spot a phishing email.

In addition to educating and training the workforce about the threat of phishing scams, organizations need to implement appropriate technical controls. These controls include, but aren’t limited to, blocking phishing emails through the application of email security techniques such as email filtering , sandboxing, machine learning models and browser isolation.

Threat Response Auto-Pull

Proofpoint Threat Response Auto-Pull (TRAP) enables your messaging and security administrators to streamline this phishing incident response process when someone does reply to a phishing attack. When the malicious email is detected, TRAP will analyze emails and automatically remove any malicious messages. It automatically moves unwanted emails to quarantine that have reached end user inboxes, including forwarded mail and distribution lists, creating an auditable activity trail. With TRAP, you get a powerful solution to phishing attacks that exponentially reduces the time needed to clean up malicious email threats.

Learn More 

Phishing attacks can target anyone in organizations of all sizes across industries. Therefore, all organizations should establish guidelines to ensure their users know exactly what to do in case they’re tricked by a phishing scam.

To better understand the consequences of accidently responding to phishing scams and how these attacks can be orchestrated, refer to our previous article on the basic attack vectors and associated risks of phishing.

Subscribe to the Proofpoint Blog