Phishing Email First Response

With many companies working from home, security is top-of-mind for owners and managers. Without domain securities in place and employees using home networks and computers, more vulnerabilities may be present and exploited by hackers and phishers. If a user at your company is compromised, and a spam email is sent from their account, here are some of the first steps you can take to mitigate the damage.

Contact Your IT Provider

The first step is naturally to contact your IT company or tech provider and notify them that there’s been a breach. There are often steps that need to be taken from the administrative side, and the sooner you can begin those the better. Once you notice the spam email come through, give them a call immediately. Once you have done this, move on to the next steps.

Force Sign-Outs

The first step is for an administrator for the domain to force sign-outs on the entire account. Both Office 365 and Google Suite allow for this option. While forcing the sign-out, block the user from new sign-in instances as well. Wait for at least 15 minutes for all sign-ins to be removed, then reset the password for the account as well. Reset the password to something completely new and complicated, never to a generic password you’ve used before!

Login & Check Rules

One of the most common tactics used in phishing is creating rules in your inbox to remove traces of the email. Locate your inbox rules and remove anything that you have not specifically setup. Look for rules that include the title of the email that was sent, or any rules that automatically delete emails, sent them to archive, or have auto-responses. If you see any strange rules, take a screenshot, then delete them. Often-times these rules are named “…” or something similarly minimal.

Track Original Recipients

Once you have removed the rules, your inbox should be populating again with the missed emails. Go into both your archive and your deleted folder to check for emails related to the spam as well, as they may have already been removed. Once you’ve checked those folders, check your sent folder, and move all of the emails related to the spam email to a new folder, so you can track them all easily.

If you can, try to find the original email. This original email will include the recipient list, and provides useful information for your IT provider, such as sending IP and original send time. If you find the original email, flag it so that you can return to it later.

Send Out Notification Email

If you can find the original recipient list, send out a follow-up email to them notifying them that a spam email was sent (including the subject of the email so they can identify it easily), and not to click it. Provide a number for recipients to call if they have concerns, and let them know you are working quickly to resolve the issue.

Once you have completed these steps, the remainder will be up to your IT team. If it hasn’t been setup, using multi-factor authentication for your email accounts is a powerful preventative measure. Talk to your IT provider about setting up Multi-factor authentication for all accounts that you can.


For more tips, check out this article at

1 thought on “Phishing Email First Response”

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: