Once an attack is suspected, your help desk team should spring into action. Look for common signs of a phishing attack and communicate with the reporting end user. You’ll need to know if they interacted with the message and what occurred. The response of the reporting user as well as the response of the help desk team can make a huge impact on the outcome of a potential breach.
1. Stay calm, and take a deep breath. This is not the time to lecture the victim or panic about a potential breach. Consider your team’s plan for responding to incidents and begin to act.
2. Document the incident. Open a ticket to document the incident, per your team’s procedure. You may want to create a template of the questions listed below in the note-taking section.
3. Ask the user to document the incident. Ask the reporting or victimized user to take pictures of their screen with a separate device showing the things they noticed in the phishing message. It may be helpful to provide questions, such as:
- What did you notice?
- Why did you think it was a problem?
- What were you doing at the time you detected it?
- When did it first occur, and how often since?
- What networks are involved? (office/home/shop, wired/wireless, with/without VPN, etc.)
- What systems are involved? (operating system, hostname, etc.)
- What data is involved? (paths, file types, file shares, databases, software, etc.)
- What users and accounts are involved? (Active Directory, SaaS, SSO, service accounts, etc.)
- What data do the involved users typically access?
- Who else have you contacted about this incident, and what did you tell them?
4. Take your own notes on the incident. Do this using pen and paper or your smartphone to avoid losing notes if your device is compromised.
5. Ask follow-up questions as necessary. As the incident responder you’re responsible for gathering as much information as possible. Ask the end user(s) questions to fully understand the situation, what happened and why.
6. Get contact information. Ensure the contact information you have for the user is accurate. If their email account is breached, you’ll need a secondary email address, phone number or other out-of-band contact method.
7. Add details to your ticket. Record all of the information you’ve learned and generated yourself in the ticket you created. Include details from your hand-written and voice notes as well as the information from the affected user.
8. Quarantine affected users and systems. Your team’s incident response plan may define a process for quarantining affected users and systems. Follow those procedures.
9. Contact your security team. Stand by to participate in the response as directed: investigation, remediation, communication, and recovery.
When your help desk team is familiar with the procedures and incident response plan in place for detected phishing threats, they will be better able to react appropriately. Share this action plan for end users reporting a phishing attack to your wider team to ensure everyone knows how to best react and report incidents.
Building a comprehensive Phishing Incident Response plan with your clients can save both you and your client valuable time. Download the Phishing Incident Response workbook to create a unique phishing incident response plan for each of your clients.
We’ll guide you through the four stages of phishing incident response: investigation, recovery, communication and remediation, and provide helpful resources that give you and your clients the information you need to respond to a phishing incident.
Learn more about HacWare: MSP partners can decrease the likelihood their end users will click on a phishing email by 60%. Let us help you empower your client's end users with automated, AI-driven phishing simulations and under three-minute micro-trainings to build them into your client's first line of defense against cyber attacks.
Learn more about our partner program and how we can support your MSP's growth!