
Phishing Incident Response Plan: Communication stage

Communicating about the incident is a key step in the response process. As you modify this plan for your clients, consider adding the names or titles of who should be contacted at each stage. Wide communication of the attack and potential repercussions is often necessary and may be legally required depending on the situation.

1. Escalate the incident. If your MSP is aware of a phishing incident, communicate what you’ve learned to the client’s leadership or designated security response team. This stage should also include details on how an end user should escalate the incident internally.

2. Document and report the incident. Work with your client’s response team per the incident response procedures you have in place. Report the incident through CISA’s reporting site (US users), and other sites as required by each organization’s compliance requirements, industry, etc.

3. Talk to legal. Communicate with both your MSP’s internal and external legal counsel per procedures in place in your incident response plan and your client’s. Include a discussion of the implications and follow-up requirements that may come up from compliance, risk exposure, liability, law enforcement contact, etc.

4. Communicate with internal users

  • Following the advice from your and your client’s legal teams, communicate any incident response plan updates or other procedure changes that will be put into place following the attack.

  • Communicate about the impact of the incident and the incident response actions taking place. This could mean explaining to your client’s end users why file sharing is down, or why they can’t access a particular site.

  • Reiterate your existing requirements and process for reporting incidents to the client. This may include a discussion of your security awareness training process, how to use the Phish Reporter button and how end users should report an attack they’ve interacted with.

5. Communicate with customers

  • If customer data was impacted, work with your client’s legal team to focus communications on those whose data was affected.

  • Generate required notifications based on applicable regulations, particularly those that may consider phishing a data breach or where notification is required. You may need to expand these requirements and procedures for your clients’ applicable regulations or compliance requirements.

6. Contact insurance provider(s)

  • Discuss what resources your or your client’s insurance company can make available, including tools and vendors they may support or pay for.

  • Ensure that you and your client are complying with each insurance provider’s reporting and claims requirements to protect eligibility.

  • Update this phishing incident response plan and your and your client’s general incident response plan to include the most up-to-date contact information for insurance providers and other necessary contacts, to save time in the future.

7. Consider notifying and involving law enforcement. Work with your or your client’s legal team to determine where to report attacks. Include links for where to report attacks to local, state, regional, federal or national law enforcement in the phishing incident response plan. Following this incident, take time to update the incident response plan(s) to include the contact information for these groups, to save time on future incidents.

8. Talk to your customer about their need to notify your MSP of incidents

  • If your customer did not inform their contact at your MSP immediately, discuss the procedures in place for notification.

  • If you or your client has incident response consultants, ensure that they are notified and collaborate with them per procedure.

  • Consider creating a general template for how these emails should be communicated for future incidents.

Communicating the incident to appropriate teams is an important part of the phishing response. While communication is key across each stage of the plan, this stage should ensure that your team is covering all of their bases of communication. Next is the recovery stage.

Building a comprehensive Phishing Incident Response plan with your clients can save both you and your client valuable time. Download the Phishing Incident Response template to create a unique phishing incident response plan for each of your clients.

We’ll guide you through the four stages of phishing incident response: investigation, recovery, communication and remediation, and provide helpful resources that give you the information you and your clients need to respond to a phishing incident.


Learn more about HacWare: MSP partners can decrease the likelihood their end users will click on a phishing email by 60%. Let us help you empower your client's end users with automated, AI-driven phishing simulations and under three-minute micro-trainings to build them into your client's first line of defense against cyber attacks.

Learn more about our partner program and how we can support your MSP's growth!
