
A Simple Phishing Incident Response Plan for Small Teams

The short answer

A phishing incident response plan tells your team exactly what to do when someone clicks a bad link or replies to a scam. The core steps are to disconnect and contain, change passwords, check for fraudulent activity, and report it, all without blaming the person who clicked.

A phishing incident response plan is a short, written set of steps your team follows the moment someone suspects they clicked a malicious link or got tricked. The goal is simple. Move fast, contain the damage, and avoid blame so people report problems early instead of hiding them.

Why small teams need a plan in advance

When something goes wrong, panic and guesswork waste the minutes that matter most. A plan removes the guesswork.

You do not need an IT department to have one. You need a one-page document everyone can find, a few clear roles, and the confidence that reporting a mistake is the right move. Small teams are targeted often because attackers assume there is no plan at all.

Step one — contain it immediately

The first job is to stop the spread before you investigate anything.

  1. Disconnect the affected device from Wi-Fi or unplug the network cable. This keeps any malware from spreading to other machines or calling home to the attacker. Isolate it rather than powering it off, so that whoever helps you investigate can still see what is running on it.
  2. Do not delete the email. You will need it as evidence and to warn others.
  3. Tell one designated person right away. Everyone should know who that is before an incident ever happens.

Speed beats perfection here. It is fine to contain first and understand the details later.

Step two — change credentials and lock accounts

If the person entered a password on a fake page, assume that password is now in the wrong hands.

  • Reset the password for any account that may have been exposed, and do it from a different, clean device, not the one that may be infected.
  • Sign out all active sessions in the account settings so any session the attacker already holds is cut off. Changing the password does not always do this on its own.
  • Turn on multi-factor authentication if it was not already enabled. This is the single best protection against a stolen password. While you are there, check that no phone number, authenticator app or recovery email you do not recognise has been added.
  • Reuse warning. If that password was used anywhere else, change it there too.

Step three — check for damage

Once accounts are secured, look for what the attacker may have already done.

  • Inbox rules, filters and forwarding. Attackers often create hidden rules that forward, delete or mark as read incoming mail, so the victim never sees replies to the scam or the security alerts it triggers. Check the account's filter and forwarding settings (in Gmail, the Filters and Blocked Addresses and Forwarding and POP/IMAP tabs; in Outlook, Rules and Forwarding) and remove anything the user did not create. Also review connected third-party apps and app passwords, since either can be used to get back in after a password reset.
  • Sent items. Look for messages the attacker sent in the user's name, especially payment requests or changes to bank details. Check the deleted items folder too, because attackers usually delete what they sent.
  • Financial activity. If any payment or banking detail was touched, contact your bank immediately. Our guide on verifying payment requests explains how these scams turn into wire fraud.
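The first two checks above can be made repeatable. The script below is an added example, not part of this guide or of CIVRA's product: it assumes an admin has exported the mailbox's rules, its forwarding setting and recent sent items into plain Python dicts, and flags the patterns that point to an attacker (rules that forward outside the organisation, rules that hide payment or security-alert mail, rules with blank or punctuation-only names, anything created after the suspected compromise, and payment-themed messages sent afterwards). The field names, domains, addresses and sample records are constructed for the example and are not any mail provider's real API format.

```python
"""Triage a compromised mailbox for attacker persistence and damage.

Added example, not part of this guide or of CIVRA. Every field name, domain,
address and record below is constructed for illustration and is not any mail
provider's real export or API format.
"""
from datetime import datetime, timezone

# Assumption: the team's own mail domain(s). Anything else counts as external.
ORG_DOMAINS = {"example.com"}

# Phrases typical of payment lures, and of the alerts an attacker wants hidden.
FINANCE_TERMS = ("invoice", "payment", "wire", "bank", "remit", "transfer")
ALERT_TERMS = ("password", "security alert", "new sign-in", "verification", "suspicious")


def is_external(address):
    """True when the address's domain is not one of the organisation's own."""
    domain = address.rsplit("@", 1)[-1].lower()
    return domain not in ORG_DOMAINS


def triage_rules(rules, compromise_time):
    """Return (rule name, [reasons]) for every rule that looks attacker-made."""
    findings = []
    for rule in rules:
        reasons = []
        name = rule.get("name", "")
        criteria = " ".join(rule.get("criteria", {}).values()).lower()
        hides = rule.get("delete") or rule.get("archive") or rule.get("mark_read")

        for target in rule.get("forward_to", []):
            if is_external(target):
                reasons.append(f"forwards matching mail to external address {target}")
        if hides and any(term in criteria for term in FINANCE_TERMS + ALERT_TERMS):
            reasons.append("hides mail about payments or security alerts")
        if hides and any(domain in criteria for domain in ORG_DOMAINS):
            reasons.append("hides mail from the organisation's own domain")
        if not any(ch.isalnum() for ch in name):
            reasons.append("rule name is blank or punctuation only")
        created = rule.get("created")
        if created is not None and created >= compromise_time:
            reasons.append("created after the suspected compromise")

        if reasons:
            findings.append((name or "<unnamed>", reasons))
    return findings


def triage_forwarding(setting):
    """Mailbox-wide forwarding to an outside address is a classic persistence step."""
    address = setting.get("address")
    if address and is_external(address):
        return [f"mailbox forwards all mail to external address {address}"]
    return []


def triage_sent(sent_items, compromise_time):
    """Return (recipient, subject) for payment-themed mail sent after the compromise."""
    findings = []
    for msg in sent_items:
        if msg["sent"] < compromise_time:
            continue
        text = (msg["subject"] + " " + msg["body"]).lower()
        if any(term in text for term in FINANCE_TERMS):
            findings.append((msg["to"], msg["subject"]))
    return findings


def triage_mailbox(rules, forwarding, sent_items, compromise_time):
    """Run all three checks and return their findings together."""
    return {
        "rules": triage_rules(rules, compromise_time),
        "forwarding": triage_forwarding(forwarding),
        "sent": triage_sent(sent_items, compromise_time),
    }


# Constructed sample data: the moment the user typed their password into the
# fake page, two rules added minutes later, a forwarding address, and sent mail.
COMPROMISE_TIME = datetime(2024, 5, 6, 9, 30, tzinfo=timezone.utc)
SAMPLE_RULES = [
    {"name": "Newsletters", "criteria": {"from": "news@vendor.example"},
     "archive": True, "created": datetime(2023, 1, 10, tzinfo=timezone.utc)},
    {"name": ".", "criteria": {"subject": "invoice payment wire"}, "delete": True,
     "forward_to": ["fin.archive@webmail.example"],
     "created": datetime(2024, 5, 6, 9, 41, tzinfo=timezone.utc)},
    {"name": "Alerts", "criteria": {"subject": "security alert new sign-in"},
     "mark_read": True, "created": datetime(2024, 5, 6, 9, 42, tzinfo=timezone.utc)},
]
SAMPLE_FORWARDING = {"address": "fin.archive@webmail.example"}
SAMPLE_SENT = [
    {"to": "cfo@example.com", "subject": "Lunch?", "body": "Friday works for me.",
     "sent": datetime(2024, 5, 5, 12, 0, tzinfo=timezone.utc)},
    {"to": "ap@customer.example", "subject": "Updated bank details for invoice 4471",
     "body": "Please remit payment to the new account below.",
     "sent": datetime(2024, 5, 6, 10, 5, tzinfo=timezone.utc)},
]

if __name__ == "__main__":
    result = triage_mailbox(SAMPLE_RULES, SAMPLE_FORWARDING, SAMPLE_SENT, COMPROMISE_TIME)
    for section, items in result.items():
        print(section.upper())
        for item in items:
            print("  ", item)
```

Feed it whatever your provider lets you export (Gmail's Filters tab has an export option; Exchange Online PowerShell exposes rules through Get-InboxRule), mapped into the field names above. Delete flagged rules rather than just disabling them, and run the check again after the password reset and session sign-out, since an attacker with a still-valid session can simply add them back.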

Step four — warn the people who might be next

A phishing email rarely hits one person. The same lure is often sent across your team and to your contacts.

  • Alert your whole team about the specific email so nobody else clicks.
  • If the attacker emailed your contacts from a compromised account, tell those contacts, by phone or another channel they already trust, not to act on anything it sent, especially requests to pay or to change bank details.
  • Keep the warning calm and factual. The aim is awareness, not alarm.

Step five — report and record

Reporting protects you and helps others.

  1. Report to your email provider using its built-in phishing report button so similar messages get filtered.
  2. Report financial fraud to your bank and, where relevant, to local authorities or a national fraud reporting service.
  3. Write down what happened. A few notes on the timeline (when the email arrived, when it was clicked, when the device was isolated, when the password was reset), who did what, and what you found will help you respond faster next time and will answer the questions your bank or the authorities ask.

Step six — learn without blaming

The person who clicked is not the problem. Attackers are skilled, and anyone can be caught on a bad day.

After things settle, review what made the email convincing and what would catch it next time. Reinforce how to spot a phishing email, and ask whether a verification step or an extra security layer would have helped.

CIVRA fits here as prevention. It analyzes sender identity, look-alike domains, attachments, and the intent of a message, so the targeted emails that get past spam filters are caught before anyone has to make a split-second decision.

FAQ

What is the first thing to do after clicking a phishing link?

Disconnect the device from the network to contain any spread, then tell your designated contact. Do not delete the email, because you will need it as evidence and to warn your team.

Should I delete the phishing email right away?

No. Keep it so you can report it and warn others. Deleting it removes the evidence and the details that help everyone else avoid the same trap.

How do I know if an attacker is still in an account?

Check for unfamiliar inbox forwarding rules or filters, review the sent and deleted folders for messages you did not write, and look for recovery addresses, phone numbers or authenticator apps you did not add. Then reset the password, sign out all active sessions, and enable multi-factor authentication.

Who should handle incident response in a small business with no IT team?

Name one person in advance as the point of contact and write a one-page plan everyone can follow. The plan matters more than technical expertise, because the early steps are simple and time-sensitive.

Want to stop most phishing before it ever needs a response plan? Compare CIVRA plans or get started in the app.

Stop the email that gets through.

CIVRA catches the targeted phishing and business email compromise your filter misses — built for small teams without a security department.

