Human Firewall Leaders Community Icon

Best Practices for Handling Phishing Incidents in Your Organization | Human Firewall Leaders Community

03_best-practices

Best Practices for Handling Phishing Incidents in Your Organization

·

·

Hi Community, I hope everyone is doing fine. I think I could use the community's help and wanted to ask for your advice/best practices. We had a successful phishing attempt last week, one of our employees clicked on a link to open a document and entered his Microsoft credentials. Lucky enough, the attackers did not cause any major damage, but ‘only’ sent further phishing emails from his email account. Since the whole thing happened on a public holiday in most parts of Germany, and Microsoft quickly detected suspicious activity, blocked the employee's account and deactivated the link in the email, we seem to have got off lightly. However, we realised that we need to work on our emergency plan for such incidents here and there. Among other things, we had the problem that the affected employee did not know how to contact IT to report the incident, as his Microsoft account was blocked and he could no longer access anything. Additionally, we realised that some internal colleagues also received the phishing email from our colleague, but very few reported it and no one recognised the urgency of the situation and tried to contact IT directly (by phone). Are there any ideas or best practices in the community on how to deal with this? How do you ensure that employees know how to contact IT in such situations? We will of course follow up on the incident internally and will ask everyone to save the IT emergency number in their phones, but is that enough or can we do more? And how do you ensure that employees know when it is sufficient to report the email (e.g. via the phishing button) and when they need to contact IT immediately, even if it's a holiday or the weekend? Of course, our IT is worried everyone will call all the time if we stress too much that they should do so in an emergency. How can we strike the right balance here? I would really appreciate your thoughts on this 🙂

Bas v.
·
·
Hi Lea, Thanks for sharing - glad to hear the damage was limited! I work as a cyber behaviour consultant in a cyber security firm, partner of SoSafe. And we have have seen similar challenges in supporting our clients, especially when it comes to striking the right balance - it's often better to have employees be a bit too cautious than not cautious enough. Here are some approaches that have worked well at our clients:
Emergency contact on screensaver paired with a short decision tree on when to call outside of office hours.
Short communication campaign with examples to let employees know what qualifies as a "wake-up" incident.
Depending on the size of your organisation. A meeting of 30 min with IT and high profile employees (those with higher rights or access to more sensitive data). You want at least these employees to be sure that they know when to call!
Happy to share more if helpful!
👍1
🙏1
💛1
Bas v.
·
·
I’m also assuming you don’t have a 24/7 SOC/SIEM/MDR/MXDR solution in place? That could be worth exploring — these setups can detect and respond to threats without relying on employees taking action, especially during off-hours.
💡2
Melissa G.
·
·
Hi Lea K. & Bas v., Thanks so much for sharing your insights - and glad to hear the impact was limited Lea! 🙏 This really highlights a key challenge: making sure employees not only know when and how to escalate, but also feel the urgency to act when it's critical. Saving the IT emergency number is a great step, Lea K. — love that! 🚀 Bas v. the idea of a screensaver paired with a decision tree sounds super creative! Would you be open to sharing a visual or example of how that looks in practice here in the Community? Focusing on high-risk profiles (e.g. senior roles) — ensuring at least they know what to do also feels like a solid move. 👌 Lea K. before the incident happened, did you already have an emergency guide or playbook in place? Thanks again — lots of great insights here! 👏 Constantin Z. Julia K. Gordon S. Markus P. also curious to see what some other members are thinking - do you have something like an "emergency plan" for those situations? How do you deal with the problems/ difficulties Lea shared? 👀
Gordon S.
·
·
Yes I do … I’ll run 😂
😆1
Melissa G.
·
·
Gordon S. 😆 I rephrased my question to make sure we're all talking about the same "emergency plan" haha 😄
😂1
Gordon S.
·
·
I’m sitting in a train right now, So sorry if it doesn’t look as professional as it normally would 😉 My recommendations – straight from real-life experience: 📞 1. Set up an easy-to-remember IT emergency number Choose something simple like 123 123 or 4444 – easy to remember in stressful moments. This should be the go-to number for reporting urgent IT or cybersecurity issues. ⸻ 🧭 2. Integrate this number into key processes • Include it in your onboarding process so every new hire knows it from day one • Place small posters or stickers in central office areas: meeting rooms, printers, coffee stations, elevators, restrooms, smoking areas etc. • Add it to the email signatures of the IT team • Show it on desktop backgrounds or lock screens, ideally with device info (hostname, IP address) and simple guidance for emergencies ⸻ 📱 3. Make sure contacts are available on company phones – even in emergencies • Sync key contacts (IT emergency, support) locally to the phone’s address book so they remain available even if the user’s AD account is locked • Use MDM tools (e.g. Intune) to push those contacts separately if needed ⸻ ✅ 4. Give employees clear instructions for what to do Most people don’t know when something is a real emergency. A simple guide like this helps: What to do in case of a suspicious email or incident: • Suspicious email, but no click: Use the phishing button or report it to abuse@[yourdomain] • Clicked a link, but entered nothing: Use the phishing button and send a quick note to IT • Entered credentials, opened a file, or account got locked: 👉 Call IT immediately! • Suspected malware or strange device behavior: 👉 Call IT immediately and stop using the device Bonus tip: Create a simple “I clicked – now what?” checklist available on paper, the intranet, or in handout format. ⸻ 🎯 5. Raise awareness with creative ideas • Run a phishing escape room or live simulation to make it stick • Organize Cybersecurity Weeks once or twice a year with real cases and interactive sessions • Use practical giveaways like mugs, pens, or stickers with the emergency number or fun slogans like “Don’t feed the phish”
Gordon S.
·
·
Quick correction regarding the lock screen tip: While it can be helpful to show emergency contact information on the lock screen, we don’t recommend displaying sensitive details like the hostname or IP address there. This could unintentionally expose internal information to unauthorized individuals, especially if the device is lost or accessed by someone outside the company. Instead: • ✅ On the desktop background, it’s perfectly fine to include the device name, IP address, and other helpful technical info – as long as the user is already logged in. • 🚫 On the lock screen, it’s best to limit the message to IT emergency numbers or basic guidance only (e.g. “In case of IT emergency, call [number]”). Better safe than sorry when it comes to potential information leaks 😉
Lea K.
·
·
Thank you very much Bas v. and Gordon S. for all your very helpful tips and ideas! A lot of things that we will definitely consider, especially as some of them will be easy to implement in the short term. And for the longer term, we might also look into a 24/7 SOC/SIEM/MDR/MXDR solution. Melissa G. We only had a emergency guide/playbook for our IT Team, but not for our employees. Of course the topic of how to react in an emergency has been brought to the employees in the past, but this incident showed us that we definitely need to make improvements in our communication and to emphasise the importance with other methods. That's why the ideas and tips were so super helpful 🙂
Melissa G.
·
·
Hi everyone ☀️ Gordon S. thanks so much for your insights! Choosing an easy-to-remember number is great - that alone can go a long way in helping employees remember and act quickly when needed. 📞 Super valuable that you addressed the importance of ongoing awareness initiatives as well – that kind of continuous engagement really makes a difference in how likely people are to report incidents. I'm happy that you also referred to the Phishing Reporting Button (PRB) 🔥 Lea K. feel free to check out this webinar recording (in German) – it also includes some practical tips around the PRB. 💡 I'm really glad we were able to spark such a valuable exchange, and I’m looking forward to hearing more insights from the community!