The phishing response playbook

August 11, 2018, by Ravi Das

Phishing remains one of the best-known forms of social engineering. Although this kind of threat has existed for a long time, today's social engineers are far more stealthy in their approaches. There are many variants of a phishing attack, but in general it can be defined as follows:

"Phishing is a cybercrime in which a target or targets are contacted by email, telephone or text message by someone posing as a legitimate institution to lure individuals into providing sensitive data such as personally identifiable information, banking and credit card details, and passwords. The information is then used to access important accounts and can result in identity theft and financial loss."

Either the victim is sent a malicious attachment (such as an .XLS or .DOC file) or a link to a malicious website. Phishing attacks have also become highly targeted, as in spearphishing and Business Email Compromise (BEC), where a specific individual or group of individuals is singled out.

Whoever the target is, once the damage is done, steps must be taken to contain it and to find ways to keep these attacks from happening again. This playbook outlines the steps a business or corporation needs to take in such a situation.

The playbook


Detection is the first step in responding to a phishing attack. At this stage an alert is raised about a suspected phishing email, and it must be investigated further. Collect as much information as possible about the message; at a minimum, capture:

  • The email address of the sender (both the From: header and the envelope sender, which often differ in a phish)
  • The intended recipient(s) of the email
  • The subject line of the email
  • Carefully examine the message. If it carries an attachment, download it using your safe-handling procedure, store it in a separate folder or archive (such as a zip file), and password-protect it so that only the appropriate IT security personnel can open it and no one opens it by accident.
  • If the message also contains a suspicious link, which may lead to a spoofed website, that link has to be investigated too. Use an isolated machine (a dedicated analysis workstation or a disposable virtual machine) for this and for nothing else. Do not use a production server, workstation or mobile device, since the spoofed site may serve malware that installs as soon as the page loads.


If the investigation confirms that a phishing attack is actually underway, the following must be established:

  • The specific kind of phishing email involved. For example, is it:
    • BEC (Business Email Compromise)
    • Spearphishing (one particular individual or a small group is targeted)
    • Clone phishing (a legitimate email that was previously delivered is copied and its attachment or link replaced with a malicious one)
    • Whaling (similar to BEC, but C-level executives are the targets)
    • Link manipulation (the link text or URL is crafted to look like a trusted destination but leads to a spoofed website)
    • Website forgery (JavaScript is used to alter the browser's address bar so that the spoofed site appears genuine)
    • Covert redirect (the website address looks genuine and authentic, but the victim is redirected to a spoofed website)
    • Social engineering (typically in a business environment, where lower-ranking employees such as administrative assistants are targeted and conned into giving out corporate secrets)
    • SMS phishing, or smishing (mobile devices, primarily smartphones, are targeted with malicious text messages instead of email)
  • Once the type has been determined, assign a priority level on a scale you have defined in advance, for instance low, medium and high, with high reserved for severe incidents. Then notify the IT staff, primarily those responsible for security, that an attack is underway if they are not already aware of it.


At this phase, the actual email message and its contents need to be examined carefully, and the degree of damage needs to be ascertained. Regarding the former, the following must be looked into:

  • Analysis of the email header:
    • The From: field: This contains the display name and address the sender claims to have. Both are trivially forged, so they must not be taken at face value.
    • X-authenticated user: This will contain the email address of the sender (such as
    • The mail server IP address: This is the IP address of the mail server from which the phishing email reached you, taken from the Received: headers added by your own mail gateway (headers added before that point can be forged). Keep in mind that the physical location of that server does not imply that the attacker is in the same geographic location; they are usually somewhere else entirely.
  • Analysis of the email message:
    • The actual contents of the message need to be examined carefully, as there are many telltale signs (false urgency, unusual requests, subtle misspellings, mismatched branding) that can be hard to spot at first glance.
  • Analysis of the domain link:
    • If the phishing email contains a suspicious link, carefully examine the spoofed website (from an isolated machine, as stated before) and determine where the data entered on it actually goes, for instance the IP address of the web server hosting the spoofed site and the address its login form posts to.
  • Regarding the latter point, the level and severity of the damage needs to be ascertained. This includes:
    • The total number of impacted employees
    • What actions the employees took with the phishing email, for instance: Did they open an attachment, or did they visit a spoofed website and unknowingly submit their personal information (or even business login credentials)?
    • What was impacted: servers, workstations, mobile devices, the network infrastructure, or other parts of the IT infrastructure.
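As an added example (not code from the original article), the following Python script performs the header and link checks described above on a constructed sample message. It extracts the sender, recipient and subject that the detection step asks for, reads the originating server IP from the Received: chain, compares the envelope sender (Return-Path) and X-Authenticated-User against the From: address, reads the SPF/DKIM verdicts from the gateway's Authentication-Results header, and flags links whose visible text names a different host than the real destination, which is the same mismatch the hover check in the awareness training looks for. Every address, host name, IP and header value in the sample is made up.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a phishing message as saved from a mailbox (.eml).
# All addresses, hosts and IPs are invented; .test/.invalid are reserved names.
SAMPLE_EML = b"""Return-Path: <bounce@mail-example-corp.test>
Received: from mx.victim.test (mx.victim.test [192.0.2.10])
\tby inbox.victim.test with ESMTP id abc123
\tfor <jane.doe@victim.test>; Mon, 6 Aug 2018 09:12:01 +0000
Received: from smtp.mail-example-corp.test (unknown [203.0.113.45])
\tby mx.victim.test with ESMTP id xyz789; Mon, 6 Aug 2018 09:11:58 +0000
Authentication-Results: mx.victim.test; spf=fail smtp.mailfrom=mail-example-corp.test; dkim=none
X-Authenticated-User: attacker@mail-example-corp.test
From: "Example Corp Payroll" <payroll@example-corp.test>
To: jane.doe@victim.test
Subject: Action required: confirm your direct deposit
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please confirm your details at
<a href="http://example-corp.test.login-update.invalid/verify">https://portal.example-corp.test/payroll</a></p>
<p>Questions? See <a href="https://example-corp.test/help">https://example-corp.test/help</a></p>
</body></html>
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")      # [a.b.c.d] in Received:
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")         # verdicts in Authentication-Results


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def mismatched_links(html):
    """Links whose visible text is a URL on a different host than the real href."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        actual = urlparse(href).hostname
        shown = urlparse(text).hostname if text.startswith(("http://", "https://")) else None
        if actual and shown and actual != shown:
            findings.append({"shown": shown, "actual": actual, "href": href})
    return findings


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage(raw):
    """Pull the header and link indicators the playbook asks for out of one .eml."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    _, sender = parseaddr(str(msg.get("From", "")))
    _, recipient = parseaddr(str(msg.get("To", "")))
    _, return_path = parseaddr(str(msg.get("Return-Path", "")))
    _, auth_user = parseaddr(str(msg.get("X-Authenticated-User", "")))

    # Each hop prepends its own Received: header, so the last one is the earliest
    # hop we can trust: the server that handed the mail to our own gateway.
    hops = [ip for h in (msg.get_all("Received") or []) for ip in IP_RE.findall(str(h))]
    auth = dict(AUTH_RE.findall(str(msg.get("Authentication-Results", ""))))

    body = msg.get_body(preferencelist=("html", "plain"))
    links = mismatched_links(body.get_content() if body is not None else "")

    indicators = []
    if return_path and domain_of(return_path) != domain_of(sender):
        indicators.append("envelope sender domain differs from From: domain")
    if auth_user and auth_user.lower() != sender.lower():
        indicators.append("X-Authenticated-User differs from From: address")
    if auth.get("spf") not in (None, "pass"):
        indicators.append("SPF result: " + auth["spf"])
    for f in links:
        indicators.append(f"link shows {f['shown']} but points to {f['actual']}")

    return {"sender": sender, "recipient": recipient, "subject": str(msg.get("Subject", "")),
            "return_path": return_path, "originating_ip": hops[-1] if hops else None,
            "auth": auth, "link_mismatches": links, "indicators": indicators}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EML).items():
        print(f"{key}: {value}")
```

Run it as-is to see the four indicators the sample trips (envelope/From: domain mismatch, X-Authenticated-User mismatch, SPF failure, and a link whose displayed URL is on a different host than its target). On a real message, only the Received: headers added by your own gateway and the Authentication-Results header it wrote are trustworthy; everything above them in the chain was under the sender's control.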


This is one of the most critical phases, since this is where the damage from the phishing attack is contained. It involves the following:

  • After determining who the impacted employees are, immediately reset their passwords. Also revoke their active sessions and any application or API tokens, because a password reset alone does not log out an attacker who already holds a valid session.
  • After determining the impacted points in the IT infrastructure, also immediately reset the login credentials of everyone who has access to those particular resources.
  • If the impacted points include smartphones, immediately issue a remote wipe to the affected devices so that any sensitive information on them is deleted and cannot be accessed. Have the employees return the affected devices and issue new ones with fresh credentials.
  • Continue to monitor all systems in your IT infrastructure and all user accounts for misuse or unusual activity. If anything suspicious turns up, consider isolating those systems from the network (or, if necessary, shutting them down) to conduct a more detailed investigation. Plan this carefully, as it can cause downtime in normal business operations.
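As an added example of the monitoring step (not code from the original article), this Python script runs a "new source IP for a compromised account" check over a constructed authentication log. Successful logins by the impacted users before the incident build a baseline of known IPs; after the incident, any login attempt by those users from an IP outside that baseline is flagged, with successes ranked higher than failures. The log format, user names, IPs and timestamps are all invented for the example.

```python
import re
from datetime import datetime, timezone

# Constructed sample authentication log, one login event per line.
# 192.0.2.0/24 plays the corporate network; the other addresses are outsiders.
SAMPLE_AUTH_LOG = """\
2018-08-03T08:01:12Z sso login user=jane.doe ip=192.0.2.50 result=success
2018-08-03T08:05:40Z sso login user=bob.lee ip=192.0.2.51 result=success
2018-08-04T08:02:03Z sso login user=jane.doe ip=192.0.2.50 result=success
2018-08-06T09:12:01Z sso login user=jane.doe ip=192.0.2.50 result=success
2018-08-06T11:47:19Z sso login user=jane.doe ip=198.51.100.7 result=failure
2018-08-06T11:47:31Z sso login user=jane.doe ip=198.51.100.7 result=failure
2018-08-06T11:47:55Z sso login user=jane.doe ip=198.51.100.7 result=success
2018-08-06T12:10:00Z sso login user=jane.doe ip=192.0.2.50 result=success
2018-08-06T13:02:44Z sso login user=bob.lee ip=203.0.113.9 result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sso login user=(?P<user>\S+) ip=(?P<ip>\S+) result=(?P<result>\w+)$"
)


def parse_ts(text):
    """Timestamps in the sample log are UTC in ISO 8601 form with a trailing Z."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None  # not a login event (or a line in another format); ignore it
    return {"ts": parse_ts(m["ts"]), "user": m["user"], "ip": m["ip"], "result": m["result"]}


def flag_post_phish_logins(log_text, impacted_users, incident_start):
    """Return alerts for impacted users logging in from IPs unseen before the incident.

    incident_start is the time the phish was delivered, in the same format as the log.
    Events before it build each user's baseline of known IPs; events at or after it
    are compared against that baseline. Non-impacted users are out of scope here.
    """
    start = parse_ts(incident_start)
    baseline = {user: set() for user in impacted_users}
    alerts = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None or ev["user"] not in baseline:
            continue
        if ev["ts"] < start:
            if ev["result"] == "success":
                baseline[ev["user"]].add(ev["ip"])
            continue
        if ev["ip"] in baseline[ev["user"]]:
            continue  # a known-good location for this user
        success = ev["result"] == "success"
        alerts.append({
            "ts": ev["ts"].isoformat(), "user": ev["user"], "ip": ev["ip"],
            "severity": "high" if success else "medium",
            "reason": ("successful login from an IP never used before the incident" if success
                       else "failed login from a new IP (possible credential testing)"),
        })
    return alerts


if __name__ == "__main__":
    for alert in flag_post_phish_logins(SAMPLE_AUTH_LOG, {"jane.doe"}, "2018-08-06T09:12:01Z"):
        print(alert)
```

The check is deliberately scoped to the users identified in the analysis phase so that it produces a short, actionable list; a login from a brand-new IP by a user who was not phished is a different (and noisier) question. A high-severity hit after the credential reset means the reset did not take, or the attacker still holds a session or token.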

Risk avoidance

Once the damage has been contained and all impacted points within the business or corporation have been remediated, the final stage is to determine how to prevent this kind of cyberattack (or, for that matter, any other kind) from happening again. Some areas to consider:

  • Consider hiring an outside cybersecurity firm to assist with a deep analysis of what really transpired. They can offer solutions specific to your situation and conduct penetration testing to determine whether there are other unknown security vulnerabilities in your organization.
  • Keep to a regular schedule for deploying software updates and patches on all servers, workstations and mobile devices. This includes keeping the web browsers on all of them up to date and using current antispyware, antiphishing and antimalware packages.
  • In a phishing attack it is always individuals who are impacted first, and the IT infrastructure second, once their login credentials have been hijacked by the attacker. The greatest emphasis must therefore be placed on employee awareness. Consider the following:
    • Conduct training at regular intervals (at a minimum once a quarter). Teach employees:
    • What the signs of a phishing email look like, paying careful attention to phony-looking sender names, sender domains, and in particular any misspellings in the subject line or the body of the message.
    • How to check whether a link is suspicious: hover over it to see whether the domain of the actual destination matches the one displayed. If they do not match, treat the link as suspicious and report it rather than clicking it.
    • If they receive an unexpected email or attachment that appears to come from someone they know, to contact that person through a separate channel (not by replying to the email) to confirm they really sent it. If not, they should forward the message to the IT security staff and then delete it from their inbox.
    • To trust their instincts: if anything looks suspicious, report it and delete the message.
    • How to verify the authenticity of a website they are using. The "HTTPS" padlock only means the connection is encrypted; phishing sites use HTTPS too, so they must also check that the domain in the address bar is the genuine one.
    • Never to click on pop-up messages they receive on work devices.
    • At random intervals, have the IT staff send simulated phishing emails to see whether employees are applying what they have been taught. Anyone who clicks the link or opens the attachment should be notified immediately that they fell for a simulated phish and be given further training.
  • Have your IT staff, especially your network administrator, stay on top of the latest phishing techniques.
  • Install anti-phishing toolbars or browser extensions on all workstations and mobile devices (and on any server where staff browse the web). These packages check the websites your employees visit against databases of known phishing sites.
  • Make sure your network infrastructure is up to date as well, by routinely testing your firewalls, network intrusion detection devices and routers. Once again, a cybersecurity firm can help you establish the appropriate procedures for these tasks.
  • Determine which controls failed and take the necessary steps to either fix them or implement new ones.
  • Set up a dedicated hotline through which employees can reach the appropriate IT staff directly if they see anything suspicious that might be associated with a phishing attack (and, of course, any other security issue).


Overall, this playbook has reviewed the steps you need to take if your business or corporation is impacted by a phishing attack. The biggest takeaway is that avoiding such threats in the future takes a combination of keeping your security technology up to date and teaching your employees to keep their guard up for any suspicious activity and to report it immediately.



Ravi Das

Ravi is a Business Development Specialist for BiometricNews.Net, Inc., a technical communications and content marketing firm based out of Chicago, IL. The business was started in 2009, and has clients all over the world. Ravi’s primary area of expertise is Biometrics. In this regard, he has written and published two books through CRC Press. He is also a regular columnist for the Journal of Documents and Identity, a leading security publication based out of Amsterdam.
