How to respond to phishing reports

Prepare your IT and Security teams to triage and respond to phishing reports from your team members.

Below are some tips to get your teams thinking about how they will respond to a phishing attempt. If you don't have a process for your team members to report suspicious emails yet, see Setting up reporting for suspicious emails.

  1. Plan in advance. CERTNZ has useful resources on Phishing and Spear Phishing, as well as on creating an incident response plan. The more prepared you are, the easier it will be to respond quickly and positively to a potential security incident.
  2. Look after the team member who reported the issue. People are the most important part of your company. Remember that there is no shame in having fallen for a phishing attempt. You're there to help, and together you will have a much better response to an incident.
  3. Determine whether the reported email is actually a phishing attempt. Look at the email headers from the original message (you may need team members to send these to you). Is the email sent from a domain you trust? Can you verify with the sender of the email by phone (not using a number in the email)?
  4. Respond to the incident. Stay calm and use your incident response plan. For example, you may need to change the team member's passwords, remove malware or re-image their computer. Investigate any interactions with the malicious third party. In the case of financial fraud you may need to contact your bank, so keep those details handy and in your incident response plan.
  5. Ask for help. We are always here to help you — reach us at But did you know CERTNZ is also able to help individuals and businesses respond to cyber security threats? See their guide on what to do after you've identified a cyber security incident.
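Step 3 asks responders to look at the original message's headers. The script below is an added example (not from the original page) of a first-pass header triage: it parses a raw message and flags the mismatches a responder checks first, namely a Return-Path or Reply-To domain that differs from the From domain, and SPF/DKIM/DMARC results that are not "pass". The sample message and the trusted domain `example.org` are constructed for illustration.

```python
# Added example, not from the original page: first-pass triage of a
# reported email's headers. A From domain you trust is not enough on its
# own; a spoofed From will still fail SPF/DMARC and point elsewhere.
from email import message_from_string
from email.utils import parseaddr
import re

# Constructed sample: a spoofed "internal" invoice email.
SAMPLE_RAW = """\
Return-Path: <bounce@mail-delivery.example.net>
Received: from mx.example.net (mx.example.net [192.0.2.10]) by inbound.example.org
Authentication-Results: inbound.example.org; spf=fail smtp.mailfrom=mail-delivery.example.net; dkim=none; dmarc=fail header.from=example.org
From: "Finance Team" <finance@example.org>
Reply-To: invoices@example.net
To: staff@example.org
Subject: Urgent: overdue invoice

Please pay the attached invoice today.
"""

def _domain(addr_header):
    """Return the lowercased domain of an address header, or '' if absent."""
    _, addr = parseaddr(addr_header or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def triage_headers(raw, trusted_domains):
    """Return a list of findings; an empty list means nothing looked suspicious."""
    msg = message_from_string(raw)
    findings = []
    from_dom = _domain(msg.get("From"))
    rp_dom = _domain(msg.get("Return-Path"))
    reply_dom = _domain(msg.get("Reply-To"))
    if from_dom and from_dom not in trusted_domains:
        findings.append(f"From domain {from_dom} is not in the trusted list")
    if rp_dom and rp_dom != from_dom:
        findings.append(f"Return-Path domain {rp_dom} differs from From domain {from_dom}")
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    # Authentication-Results is added by your own receiving mail server.
    auth = msg.get("Authentication-Results", "")
    for check in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{check}=(\w+)", auth)
        result = m.group(1).lower() if m else "missing"
        if result != "pass":
            findings.append(f"{check.upper()} result is {result}")
    return findings

if __name__ == "__main__":
    for line in triage_headers(SAMPLE_RAW, {"example.org"}):
        print("-", line)
```

Findings are a prompt for the responder, not a verdict: confirm with the apparent sender by phone, as step 3 advises.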