What to Do in the First Hour After a Phishing Attack
Essential steps to take immediately after a phishing attack hits your business. Practical guidance for London creative agencies and professional services.

The Clock Is Ticking: Your First Hour Response Plan
Your heart sinks as you realise what's happened. Someone in your team has clicked that malicious link or downloaded that seemingly innocent attachment. A phishing attack has just hit your business, and the next hour could determine whether you're looking at a minor incident or a major data breach.
For London's creative agencies and professional services firms, where client data and intellectual property are your lifeblood, acting fast isn't just important. It's critical. Here's exactly what you need to do in that crucial first hour.
Minute 1 to 5: Immediate Containment
Isolate the affected device immediately. Don't shut it down yet, but disconnect it from your network. Unplug the Ethernet cable or turn off Wi-Fi. This stops any malware from spreading to other systems or sending data to attackers.
If the phishing attack came through email, tell the affected employee to leave their email open on screen. You'll need to see exactly what they clicked and when. This information becomes crucial for understanding the scope of the attack.
Alert your IT support team or managed IT provider straight away. Every minute counts, and you need technical expertise on your side immediately. If you don't have dedicated IT support, designate your most technically capable team member to lead the response.
Minute 5 to 15: Assess the Damage
Document everything you can see. Take photos of any suspicious pop-ups, error messages, or unusual behaviour on the affected device. Note the time the incident occurred and get a clear account from the employee about what they clicked and what happened next.
Check for immediate signs of compromise. Look for files being encrypted (a sign of ransomware), unusual network activity, or new programs running that shouldn't be there. Your task manager can show you what processes are currently running.
Identify what data might be at risk. What client files, financial information, or sensitive business data could the attacker access from this device? Make a quick list. This helps you understand your potential exposure and what you might need to report to clients or authorities later.
Minute 15 to 30: Secure Your Accounts
Change passwords immediately. Start with the email account that received the phishing message, then move to any business-critical accounts the affected employee has access to. This includes cloud storage, financial systems, and client portals.
If you're using Microsoft 365 or Google Workspace, check the account's sign-in activity. Look for logins from unusual locations or at odd times. You can find this in the security settings of most business email platforms.
Enable two-factor authentication on all critical accounts if you haven't already. Yes, even in the middle of an incident. This adds an extra layer of protection that can stop attackers who might have stolen passwords.
Revoke access tokens and sessions. In your email admin panel, you can force the user to sign out of all devices and sessions. This kicks out any attackers who might have gained access to the account.
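If your provider lets you export the sign-in history, the review described above can be scripted. The following is an added example, not part of the original article or any vendor's tooling; the CSV column names, the sample rows, and the click time are constructed assumptions.

```python
import csv
import io
from datetime import datetime, time

# Constructed sample of an exported sign-in log (times assumed UTC). The column
# names are assumptions; map them to whatever your provider's export uses.
SAMPLE_EXPORT = """timestamp,user,ip,country,result
2024-05-13T09:02:11,j.smith@example.com,198.51.100.7,GB,success
2024-05-14T08:55:40,j.smith@example.com,198.51.100.7,GB,success
2024-05-14T10:20:03,j.smith@example.com,198.51.100.7,GB,success
2024-05-14T10:31:47,j.smith@example.com,203.0.113.45,NL,success
2024-05-14T11:00:00,a.jones@example.com,192.0.2.9,US,success
2024-05-15T02:14:09,j.smith@example.com,203.0.113.45,NL,success
"""
CLICKED_AT = datetime(2024, 5, 14, 10, 15)  # constructed: when the link was clicked


def review_signins(export_text, user, clicked_at,
                   home_countries=("GB",), work_hours=(time(7), time(20))):
    """Return [(row, reasons)] for the user's sign-ins after the click that
    come from an unusual country, an odd hour, or an IP never seen before it."""
    rows = sorted(csv.DictReader(io.StringIO(export_text)),
                  key=lambda r: r["timestamp"])
    known_ips, flagged = set(), []
    for row in rows:
        if row["user"] != user:
            continue
        ts = datetime.fromisoformat(row["timestamp"])
        if ts < clicked_at:
            # Successful sign-ins before the click form the trusted baseline.
            if row["result"] == "success":
                known_ips.add(row["ip"])
            continue
        reasons = []
        if row["country"] not in home_countries:
            reasons.append("unusual country")
        if not (work_hours[0] <= ts.time() <= work_hours[1]):
            reasons.append("odd hour")
        if row["ip"] not in known_ips:
            reasons.append("new IP")
        if reasons:
            flagged.append((row, reasons))
    return flagged


if __name__ == "__main__":
    for row, reasons in review_signins(SAMPLE_EXPORT, "j.smith@example.com", CLICKED_AT):
        print(row["timestamp"], row["ip"], row["country"], row["result"], reasons)
```

Flagged rows are leads to check with the employee before you revoke sessions, since travel or a new home router will also show up as a new IP.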
Minute 30 to 45: Protect the Rest of Your Business
Scan all devices on your network. Run antivirus scans on every computer that shares your network. Many modern threats try to spread laterally through businesses, moving from one device to another.
Check your email security logs. Look for other similar phishing emails that might have reached your team. Attackers often send the same malicious emails to multiple people in an organisation. Your email provider's security console should show you recent threats.
Warn your team immediately. Send out an urgent message describing the phishing email and telling everyone not to click similar messages. Include specific details about the sender, subject line, and content so people know what to look for.
Monitor your network traffic. If you have the capability, watch for unusual outbound connections. Malware often tries to communicate with command-and-control servers, and blocking these connections can limit the damage.
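To work out who else received the same phishing email, and therefore who to warn first, you can match an exported message trace against the reported message. This is an added example, not from the original article; the column names, addresses, and domains are constructed assumptions.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed message-trace export; column names are assumptions.
SAMPLE_TRACE = """received,sender,recipient,subject,link_host,status
2024-05-14T10:02:00,accounts@invoices-example.test,j.smith@example.com,Overdue invoice 4471,pay.invoices-example.test,delivered
2024-05-14T10:02:05,accounts@invoices-example.test,a.jones@example.com,Overdue invoice 4472,pay.invoices-example.test,delivered
2024-05-14T10:03:10,billing@other-example.test,m.khan@example.com,RE: Overdue  Invoice 4480,pay.invoices-example.test,quarantined
2024-05-14T10:05:00,newsletter@vendor-example.test,a.jones@example.com,May newsletter,www.vendor-example.test,delivered
2024-05-14T10:06:30,accounts@invoices-example.test,p.lee@example.com,Payment reminder,,delivered
"""
# Constructed: details of the message the employee reported.
REPORTED = {"sender": "accounts@invoices-example.test",
            "subject": "Overdue invoice 4471",
            "link_host": "pay.invoices-example.test"}


def normalise_subject(subject):
    """Strip Re:/Fwd: prefixes, mask numbers, collapse spaces, lowercase."""
    s = re.sub(r"^\s*((re|fwd?)\s*:\s*)+", "", subject, flags=re.I)
    s = re.sub(r"\d+", "#", s)
    return re.sub(r"\s+", " ", s).strip().lower()


def find_related(trace_text, reported):
    """Map recipient -> [(status, matched_fields)] for look-alike messages."""
    want_domain = reported["sender"].rsplit("@", 1)[-1].lower()
    want_subject = normalise_subject(reported["subject"])
    want_host = reported["link_host"].lower()
    related = defaultdict(list)
    for row in csv.DictReader(io.StringIO(trace_text)):
        matched = []
        if row["sender"].rsplit("@", 1)[-1].lower() == want_domain:
            matched.append("sender domain")
        if normalise_subject(row["subject"]) == want_subject:
            matched.append("subject")
        if want_host and row["link_host"].lower() == want_host:
            matched.append("link host")
        if matched:
            related[row["recipient"]].append((row["status"], matched))
    return dict(related)


def recipients_to_warn(related):
    """Recipients with at least one copy that reached the inbox."""
    return sorted(r for r, hits in related.items()
                  if any(status == "delivered" for status, _ in hits))
```

Matching on any one of the three fields is deliberately broad, so a copy sent from a different address or with a changed invoice number still shows up.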
Minute 45 to 60: Plan Your Next Steps
Contact relevant authorities if needed. Depending on your industry and the type of data involved, you might need to report the incident to the Information Commissioner's Office (ICO) or other regulators. In the UK, GDPR requires reporting certain data breaches within 72 hours.
Prepare client communications. If client data might be affected, start drafting communications. You don't need to send them yet, but having clear, honest messages ready saves precious time later. Clients appreciate transparency and quick communication about potential issues.
Document your response. Keep detailed records of everything you did and when. This helps with any regulatory requirements and makes it easier to improve your response procedures for next time.
Plan your recovery. Once you've contained the immediate threat, you'll need to rebuild any compromised systems, restore data from backups if needed, and strengthen your defences to prevent similar attacks.
Building Better Defences
Once you've dealt with the immediate crisis, it's time to prevent the next one. Regular employee training on spotting phishing emails makes a huge difference. People are often your strongest defence when they know what to look for.
Invest in email security tools that can catch phishing attempts before they reach your team. Modern email security solutions use artificial intelligence to spot suspicious messages and can quarantine them automatically.
Regular backups become your safety net. If ransomware does encrypt your files, having recent, clean backups means you can restore your data without paying criminals.
Consider cyber insurance tailored to businesses like yours. Creative agencies and professional services firms face unique risks, and the right insurance can provide financial protection and expert incident response support.
Don't Wait for the Next Attack
Phishing attacks are getting more sophisticated every year, and small to medium businesses are increasingly in the crosshairs. The good news is that with the right preparation and response plan, you can minimise the damage and get back to serving your clients quickly.
Take action today by reviewing your current IT security setup. How quickly could you respond to an incident right now? Do you have the right tools and procedures in place?
If you're not confident in your current security posture, WaveIT Solutions offers a free IT security health check that can identify vulnerabilities in your systems before attackers do. You can access this tool at waveitsolutions.co.uk/tools/health-check and get personalised recommendations for strengthening your defences.