top of page

Phishing Incident Response Plan: Recovery stage

In the recovery stage your MSP should work with the client to remediate the situation and move forward with a plan to avoid similar incidents in the future.

1. Launch business continuity/disaster recovery plan(s). If the compromise involved business outages: consider migration to alternate operating locations, fail-over sites, and backup systems.

2. Reinforce training programs. Ensure your client’s security awareness training program is running effectively and consider increasing or targeting specific departments with increased training.

  • Share common signs of phishing emails with the team. Ensure that key suspicious indicators are understood by your client’s end users:

    • Misspellings in the message or subject

    • Phony-seeming sender names, including mismatches between display name and email address

    • Personal email addresses for official business (e.g., Microsoft, Gmail emails from business colleagues)

    • Subject lines marked "[EXTERNAL]" on emails that appear to be internal

    • Malicious or suspicious links

    • Receiving an email or attachment they were not expecting but from someone, they know (contact the sender before opening it)

    • reporting suspicious activity to IT or security

  • Update education. Ensure that your client’s IT and security staff are up to date on modern phishing techniques.

3. Review your response. Determine if any controls failed leading to an end user falling victim to an attack and rectify them.

Following the recovery stage, it’s a good idea to review your client’s overarching phishing incident response plan and general phishing response plan to ensure you’ve covered everything necessary. This is an opportunity to make updates to their process based on your experience and ensure that the plan is able to be implemented fully for future incidents.

Building a comprehensive Phishing Incident Response plan with your clients can save both you and your client valuable time. Download the Phishing Incident Response workbook, to create each of your client’s unique phishing incident response plan.

We’ll guide you through the four stages of phishing incident response: investigation, recovery, communication and remediation and provide helpful resources that give you the information you and your clients need to respond to a phishing incident.


Learn more about HacWare: MSP partners can decrease the likelihood their end users will click on a phishing email by 60%. Let us help you empower your client's end users with automated, AI-driven phishing simulations and under three-minute micro-trainings to build them into your client's first line of defense against cyber attacks.

Learn more about our partner program and how we can support your MSP's growth!

bottom of page