Phishing Incident Response: Get Started in 3 Steps



So, you want to improve your response to phishing threats? Smart idea. PhishMe®’s recent report on phishing response trends shows that phishing is the #1 security concern, but almost half of organizations say they’re not ready for an attack.

Here’s how to get your phish together, in three basic steps.

  1. Disabuse the “abuse box.”

The abuse box is the inbox where companies forward suspicious emails. Sometimes it’s managed by the helpdesk, sometimes by specialized security teams.

Nearly always it’s cluttered, stuffed with everything from social media invites to legitimately dangerous malware.

That’s why the abuse box usually sucks. Whoever has the unlucky task of combing through all those emails wastes a lot of precious time. They manually deal with helpdesk tickets, change requests and site blocks. If they have other things to do (imagine), they might even ignore the abuse box.

Also, to find real threats, abuse box managers might manually test links and malware, which requires specialized skills they may or may not have. Done wrong, this can have disastrous effects.

In other words, the traditional abuse box isn’t working. It’s time to replace it with a better approach.

  2. Get organized to find real threats.

First, if you haven’t already, consolidate all those emails. It’s not unusual for organizations to send sketchy emails to more than one place. You need a central repository, one place where everyone knows to look. This simple tip can add up big in saved time.

Real-life example: PhishMe Simulator™ Enterprise and PhishMe Triage™ customers can send emails to a dedicated inbox with one click of a button. All emails that hoist red flags go to the same place.

Next, you’ll need to identify types of phishing attacks. For instance, business email compromise (BEC) attacks contain no links or attachments, just urgent pleas for money from a “trusted” source.

Other emails come with malicious links. You can hover over the links to see where they go. Whatever you do, never, ever click on an email link. Use a site like VirusTotal to test for malicious behavior. But remember, just because an external site like VirusTotal doesn’t recognize a link doesn’t mean it’s okay.

Again, just don’t click.

As for attachments, submit them to an external site that uses anti-virus to detect foul play. This tip comes with the same caveat as above—none of these sites are foolproof, so proceed with caution. Also, consider setting up a Cuckoo sandbox to detonate and observe malware characteristics safely.
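The sorting described in this step can be done without opening anything. The following is an added example, not part of the original post or of any PhishMe product: it reads a reported message as raw bytes, lists its links and where they really point, hashes attachments for lookup, and flags link-free, attachment-free messages that use payment language. The function names, category labels and the `BEC_TERMS` keyword list are assumptions.

```python
import email, hashlib, re
from email import policy
from html.parser import HTMLParser

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
BEC_TERMS = ("wire transfer", "urgent", "gift card", "payment")  # assumed keyword list

class Anchors(HTMLParser):  # collects (href, visible text): the static form of hovering
    def __init__(self):
        super().__init__()
        self.pairs, self.href, self.text = [], None, ""
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.href, self.text = dict(attrs).get("href") or "", ""
    def handle_data(self, data):
        if self.href is not None:
            self.text += data
    def handle_endtag(self, tag):
        if tag == "a" and self.href is not None:
            self.pairs.append((self.href, self.text.strip()))
            self.href = None

def host(url):
    m = re.match(r"\s*https?://([^/:\s]+)", url, re.I)
    return m.group(1).lower() if m else None

def triage(raw):
    """Classify one reported message from its bytes; no link is fetched, no file opened."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    urls, mismatched, hashes, text = set(), [], [], ""
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            blob = part.get_payload(decode=True) or b""
            hashes.append((part.get_filename(), hashlib.sha256(blob).hexdigest()))
        elif part.get_content_maintype() == "text":
            body = part.get_content()
            text += body.lower()
            urls.update(URL_RE.findall(body))  # also catches URLs inside href attributes
            if part.get_content_subtype() == "html":
                a = Anchors(); a.feed(body)
                mismatched += [(t, h) for h, t in a.pairs if host(t) and host(t) != host(h)]
    kind = ("attachment" if hashes else "link" if urls else
            "possible-bec" if any(t in text for t in BEC_TERMS) else "other")
    return {"kind": kind, "urls": sorted(urls), "mismatched": mismatched, "attachments": hashes}

# Constructed sample report (example.test and example.invalid are reserved names).
SAMPLE = (b"From: it@example.test\r\nSubject: Reset\r\nMIME-Version: 1.0\r\n"
          b"Content-Type: text/html; charset=utf-8\r\n\r\n"
          b'<a href="http://login.example.invalid/x">https://portal.example.test</a>\r\n')
```

`triage(SAMPLE)` reports the message as a link email whose displayed address and real destination disagree. The SHA-256 values in `attachments` can be searched on a reputation site before any file is uploaded or detonated.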

  3. Turn your employees into human sensors.

Despite your security defenses, most if not all of them technological, phishing attacks still get through. If that weren’t true, you wouldn’t be reading this blog.

It’s critical to get your employees trained and involved in the fight against phishing. They are, after all, the targets of attackers. With the right conditioning and education, they can also become your last line of defense.

PhishMe’s approach is simple: change risky behavior through practice, practice, practice. Let employees learn by reacting to simulated phishes, real-world scenarios based on the latest phishing threats.

The right response (report, don’t click) gets a pat on the back. The wrong response gets a quick tutorial on phishing do’s and don’ts. Soon enough, your human sensors are prepared to detect and report all types of phishing. That helps your incident responders do their job.

These 3 steps can launch your program. For more background on phishing response, read PhishMe’s new report, “Phishing Response Trends: It’s a Cluster.”



