A phishing attack, which typically arrives in the form of an email, is where an adversary poses as a trusted entity in order to trick an unsuspecting victim into clicking on a link to a malicious website or downloading a malicious attachment.
The goal of a phishing campaign is usually to obtain sensitive information, such as payment card details or user account credentials. Phishing attacks have become increasingly more targeted and sophisticated in recent years, and so it’s not worth beating yourself up if you fall for one. However, if you have been the victim of a phishing attack, you must act quickly in order to recover from the phishing attack and minimize the damage it can cause.
Below are some of the key steps that you will need to take to recover from a phishing attack, safeguard your data and prevent any further disruption to your business.
Step 1. Disconnect Your Device from the Internet
In order to reduce the risk of malware propagating throughout your network, the first step to take is to disconnect your device from the network. Either locate your Wi-Fi settings and disconnect from the network or simply unplug the internet cable from your device.
Step 2. Change Your Passwords
If you were redirected to a spoof website and asked to enter your credentials, the first thing you should do is go to the real website and change your passwords. Although not recommended, many people still use the same credentials for multiple accounts. If this is the case, you should change the passwords on all accounts that use the same credentials. It might also be worth changing your password hints and security questions. To be extra careful, you should carry out a company-wide password reset.
Step 3. Scan Your Network for Malware
While your anti-virus software will do its best to inform you if you have been infected, these solutions are not fool-proof. You should conduct a full scan of your network for malware, including all devices, files, applications, servers, etc.
Step 4. Check for Signs of Identify Theft
If you believe that you have been the victim of a phishing scam, you should review all relevant accounts for signs of identity theft. For example, you will need to look at your bank statements for suspicious transactions. In most cases, your bank will alert you of any suspicious account activity. You should also notify the relevant credit reporting agencies. In the United States, the three major credit reporting agencies are TransUnion, Equifax, and Experian.
Step 5. Speak to Employees About What Happened
You will need to ask all relevant personnel about what they saw and when. Did they see anything suspicious? Did they click on a link or download an attachment?
Step 6. Conduct a Forensic Analysis to Determine the Cause of the Incident
This is the point where you scrutinize all relevant logs for signs of compromise, and you must also ensure that your logs are retained for a sufficient period of time. You will need to check your firewall logs for any suspicious network traffic – taking note of any unrecognized URLs and IP addresses. You will also need to review your mail server logs to see who received the phishing email, as well as your DNS logs to determine which users did a lookup on any malicious domains. It’s also a good idea to take a copy of the phishing email, and review the headers and attachments for clues about the nature and purpose of the attack. Finally, if you are using a real-time auditing solution, check the logs for any suspicious activity associated with sensitive data and privileged user accounts.
Step 7: Adjust Spam Filters to Block Similar Emails
Once you have an idea about what happened, you can review your email security settings to ensure that similar messages are blocked.
Step 8: Carry Out a Web Search for More Information About the Attack
Now that you have collected a sufficient amount of information about the nature and purpose of the attack, you should perform a web search to gather more information about what to expect, including any further steps that should be taken to recover from the incident and prevent future attacks.
Step 9: Ensure that All Employees are Made Aware of the Incident
In order to mitigate future attacks, you should ensure that all relevant personnel (including managers) have been informed about the attack and know what to look out for.
Step 10. Contact the Organization that was Spoofed
If the phishing email was pretending to be from a legitimate organization, you should contact the organization and inform them of the incident. That way, the organization in question can send an email to their customers, advising them to be on guard. It’s also a good idea to let the organization know that you have changed your password.
11. Report the Incident to the Federal Trade Commission (FTC)
Residents of the United States should contact the FTC following a phishing attack. They will help you determine what information (if any) was stolen and give you advice about what to do next.
12. Take a Backup and Update Your Software
It’s a good idea to take a backup of your data following a cyber-attack in case any of your data gets erased during the remediation process. You will also need to ensure that all software is patched in a timely manner as many forms of malware will try to exploit software vulnerabilities in order to spread to other parts of the network.