What to Do After a Phishing Attack: Complete Incident Response Guide
Complete step-by-step procedure if an employee clicked on a phishing email. Technical containment, GDPR/CNIL legal obligations, ANSSI reporting, internal communication.
It's 2:32 PM. Your accountant just entered her Microsoft 365 credentials on a fake login page. She realizes something is wrong when she sees a strange error after submitting. She calls you, panicking.
You have between 5 and 15 minutes to limit the damage. Every minute that passes gives the attacker time to log into the compromised account, read emails, set up automatic forwarding rules, and launch an internal phishing attack targeting all of your accountant's contacts.
This guide gives you the exact procedure, minute by minute, for managing a phishing incident in a French SME. It covers immediate technical containment, legal obligations (GDPR, CNIL, LOPMI), authority reporting, internal communication, insurance claims, and post-incident analysis. Every step is actionable for a company of 10 to 250 people - with or without a dedicated IT team.
Print this page. Post it in the IT manager's office. When an incident happens, you won't have time to search for what to do.
The first 15 minutes: immediate containment
The first reflex is containment. The goal: prevent the attacker from exploiting the stolen credentials, and preserve evidence for the investigation.
1. Disconnect the machine from the network
Turn off Wi-Fi on the affected workstation. If the machine is connected via Ethernet, unplug the cable. Don't just disable the network in settings - use the physical Wi-Fi switch (if one exists) or remove the cable.
Do not turn off the computer. A powered-down machine loses volatile data in memory (running processes, active network connections, temporary encryption keys) that may be useful for forensic analysis. Leave the machine powered on but disconnected from the network.
2. Change compromised passwords: from a different device
Use another computer or a personal phone to immediately change the password for the compromised account. If the employee entered Microsoft 365 credentials, change the Microsoft 365 password. If they entered their business email credentials, change the email password.
From a different device: never from the compromised workstation, which may be infected with a keylogger or malware.
If the same password is used on other services (which is common despite policies), change it everywhere. A company password manager simplifies this task.
3. Revoke active sessions
The attacker may have already used the stolen credentials to log in. Changing the password is not enough - you must revoke all current sessions.
On Microsoft 365 (Entra ID, formerly Azure AD):
- Log in to the Microsoft 365 admin center (admin.microsoft.com)
- Go to Users > Active Users > select the compromised user
- Click "Reset password" AND "Sign out of all sessions"
- In Entra ID (entra.microsoft.com), go to Identity > Users > select the user > "Revoke sessions"
On Google Workspace:
- Admin console (admin.google.com) > Directory > Users
- Select the user > Security > "Reset sign-in cookies"
- This forces sign-out from all active sessions on all devices
4. Check email forwarding rules
Attackers often set up automatic forwarding rules within minutes of a compromise. These rules silently send a copy of all incoming emails to an external address controlled by the attacker. If you don't remove these rules, the attacker continues receiving emails even after the password change.
On Microsoft 365:
- Outlook > Settings > Mail > Forwarding: verify no external address is configured
- Outlook > Settings > Mail > Rules: examine each rule and delete any the user doesn't recognize
- Exchange admin center > Mail flow > Rules: check transport rules at the organizational level
On Google Workspace:
- Gmail > Settings > Forwarding and POP/IMAP: check the forwarding address
- Gmail > Settings > Filters and blocked addresses: examine each filter
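Once the rules are exported, the check in step 4 can be scripted. The Python below is an added example, not tooling from the guide: it triages a list of inbox rules shaped like the Microsoft Graph messageRule resource and flags the patterns an attacker leaves behind (external forwarding, delete or hide actions, keyword filters on security or payment mail, blank rule names). The sample rules, COMPANY_DOMAINS and the use of folder names in moveToFolder are constructed assumptions.

```python
"""Triage exported inbox rules for attacker persistence (added example).

Not code from the guide. Input records are shaped like the Microsoft Graph
messageRule resource (GET /users/{id}/mailFolders/inbox/messageRules); the
rules below are constructed. Assumptions: COMPANY_DOMAINS lists the SME's own
mail domains, and moveToFolder holds a folder name (Graph returns a folder id;
resolve it to a name before calling this script).
"""
import json

COMPANY_DOMAINS = {"example-sme.fr"}

# Folders attackers use to park messages the victim rarely reads.
HIDDEN_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                  "junk email", "deleted items", "archive"}

# Subjects an attacker typically hides from the victim: alerts, MFA prompts, money.
SENSITIVE_KEYWORDS = {"password", "invoice", "payment", "wire", "bank",
                      "security alert", "hacked", "phishing", "mfa"}

# Constructed sample export: one exfiltration rule, one benign rule, one stealth rule.
SAMPLE_RULES = [
    {"id": "rule-1", "displayName": ".", "isEnabled": True,
     "conditions": {"subjectContains": ["invoice", "Password"]},
     "actions": {"forwardTo": [{"emailAddress": {"address": "Exfil-Placeholder@gmail.example"}}],
                 "delete": True, "markAsRead": True, "stopProcessingRules": True}},
    {"id": "rule-2", "displayName": "Newsletters", "isEnabled": True,
     "conditions": {"fromAddresses": [{"emailAddress": {"address": "news@vendor.example"}}]},
     "actions": {"moveToFolder": "Newsletters", "markAsRead": False}},
    {"id": "rule-3", "displayName": "  ", "isEnabled": True,
     "conditions": {"subjectContains": ["Security alert", "MFA"]},
     "actions": {"moveToFolder": "RSS Feeds", "markAsRead": True}},
]


def _addresses(entries):
    """Bare lowercase addresses from a list of Graph recipient objects."""
    return [e.get("emailAddress", {}).get("address", "").lower() for e in entries or []]


def is_external(address):
    """True when the address domain is not one of the company's own domains."""
    return address.rsplit("@", 1)[-1] not in COMPANY_DOMAINS


def triage_rule(rule):
    """Return human-readable findings for one rule; an empty list means it looks benign."""
    findings = []
    actions = rule.get("actions", {})
    conditions = rule.get("conditions", {})

    # Any forward/redirect action pointing outside the company is the classic exfiltration rule.
    for key in ("forwardTo", "forwardAsAttachmentTo", "redirectTo"):
        for addr in _addresses(actions.get(key)):
            if is_external(addr):
                findings.append(f"{key} to external address {addr}")

    folder = (actions.get("moveToFolder") or "").lower()
    if actions.get("delete"):
        findings.append("deletes matching messages")
    if folder in HIDDEN_FOLDERS:
        findings.append(f"moves messages to rarely-read folder '{folder}'")
    if actions.get("markAsRead") and (folder or actions.get("delete")):
        findings.append("marks as read, so the victim never notices the message")

    # Keyword conditions only matter when the rule also hides or diverts mail.
    keywords = [k.lower() for k in conditions.get("subjectContains", []) + conditions.get("bodyContains", [])]
    hits = sorted(w for w in SENSITIVE_KEYWORDS if any(w in k for k in keywords))
    if hits and findings:
        findings.append(f"filters on sensitive keywords: {', '.join(hits)}")

    # Blank or one-character names are a common sign of a rule meant to go unnoticed.
    if len(rule.get("displayName", "").strip()) <= 1:
        findings.append(f"near-empty rule name {rule.get('displayName')!r}")
    return findings


def triage_rules(rules):
    """Map rule id -> findings for every rule with at least one finding."""
    out = {}
    for rule in rules:
        findings = triage_rule(rule)
        if findings:
            out[rule["id"]] = findings
    return out


if __name__ == "__main__":
    print(json.dumps(triage_rules(SAMPLE_RULES), indent=2))
```

Run it against the real export as well as the user's own review of the rules: a rule that looks harmless to the user (a blank name moving mail to "RSS Feeds") is exactly what this check is meant to surface.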
5. Alert the IT team or IT service provider
If your company has an IT manager, notify them immediately. If there's no in-house IT team (common in SMEs under 50 people), call your IT service provider. Don't send them an email - call by phone. An email may arrive in an already-compromised inbox.
Provide the following information:
- Who clicked (name, position, department)
- What they clicked on (link in an email, attachment, SMS)
- When (exact time, as precise as possible)
- What the person entered (credentials, banking information, personal data)
- Actions already taken (password changed, sessions revoked, machine disconnected)
6. Preserve evidence
Before making any further changes, capture evidence:
- Screenshots of the phishing email (sender, subject, content, headers if possible)
- The URL the employee clicked (visible in browser history or in the email)
- The exact timestamp of the incident
- The email headers (in Outlook: open the message > File > Properties > Internet Headers; in Gmail: open the message > three-dot menu > "Show original")
Save these elements in a dedicated shared folder for security incidents, accessible only to the crisis management team. This evidence will be needed for the police report, the CNIL notification, and the insurance claim.
The first hour: impact assessment
Containment is in place. The attacker no longer has account access (in principle). Now move to assessment: what exactly happened, and how extensive is the damage?
What type of phishing?
Not all phishing has the same impact. Identify the type of attack to tailor your response.
Credential harvesting: The employee entered their login and password on a fake login page. The attacker has the credentials but has not necessarily installed malware on the workstation. The main risk: access to email, cloud storage, and business applications accessible with those credentials. This is the most common scenario.
Malware download: The employee opened an attachment or downloaded a file from a malicious link. The workstation is potentially infected. The risk: keylogger (keystroke recording), ransomware, remote access for the attacker (RAT), local data exfiltration.
CEO fraud (BEC - Business Email Compromise): The email impersonates a senior executive or vendor and requests a wire transfer or bank detail change. The risk is direct financial loss.
Multi-stage phishing: The first email is just an entry point. The attacker uses the compromised account to send internal phishing to colleagues, clients, and vendors. The risk: propagation across the entire organization and its partners.
What data was exposed?
Quickly inventory the data accessible from the compromised account:
- Emails: how many months of history? Do they contain client personal data, banking details, contracts, HR information?
- Cloud files (OneDrive, SharePoint, Google Drive): which folders are accessible? Do they contain confidential documents?
- Business applications: does the compromised account grant access to a CRM, ERP, accounting software, or client database?
- Contacts: is the company directory accessible from this account? Can the attacker identify other internal targets?
Has the attacker already exploited the access?
Check the sign-in logs for the compromised account.
On Microsoft 365:
- Entra ID > Sign-in logs > filter on the compromised user
- Look for sign-ins from unusual IP addresses, countries where the company has no presence, or abnormal times (3 AM)
- Look for sign-ins via unusual applications (API, PowerShell, IMAP)
On Google Workspace:
- Admin console > Reports > Audit > Login
- Look for the same anomalies: IP, geolocation, client type
Also check the sent items in the email account: did the attacker send emails from the compromised account? If so, to whom? With what content? This is a sign of active compromise, and the response must be escalated.
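The sign-in review above can be automated over an exported log. As an added example (not the guide's own code), this Python script walks constructed sign-in records in time order and flags the three anomalies the guide names (unexpected country, off-hours access, unusual client such as IMAP or PowerShell) plus a country change shortly after a previous successful sign-in. The record fields, expected countries, business hours and client list are assumptions to adapt to the company.

```python
"""Triage sign-in log records for a compromised account (added example).

Not the guide's code. Records are constructed and use a simplified subset of
the fields in an Entra ID sign-in export (timestamp, IP, country, client app,
status). Expected countries, business hours and the legacy-client list are
assumptions to adapt to the company.
"""
from datetime import datetime, timedelta

EXPECTED_COUNTRIES = {"FR"}          # assumption: the SME has staff only in France
BUSINESS_HOURS = range(7, 21)        # assumption: 07:00-20:59, timestamps kept in UTC
TRAVEL_WINDOW = timedelta(hours=2)   # two countries within this window is implausible
# Clients that bypass the browser session and are typical of scripted mailbox access.
LEGACY_OR_SCRIPT_CLIENTS = {"IMAP4", "POP3", "Authenticated SMTP", "Exchange Web Services",
                            "Exchange ActiveSync", "PowerShell", "Other clients"}

# Constructed sample: a normal morning sign-in, then foreign browser and IMAP access,
# a failed night-time PowerShell attempt, and the user's own sign-in the next day.
SAMPLE_SIGNINS = [
    {"time": "2025-03-10T09:02:11Z", "ip": "203.0.113.10", "country": "FR", "client": "Browser", "status": "Success"},
    {"time": "2025-03-10T09:40:00Z", "ip": "198.51.100.77", "country": "US", "client": "Browser", "status": "Success"},
    {"time": "2025-03-10T09:43:19Z", "ip": "198.51.100.77", "country": "US", "client": "IMAP4", "status": "Success"},
    {"time": "2025-03-11T03:12:45Z", "ip": "198.51.100.77", "country": "US", "client": "PowerShell", "status": "Failure"},
    {"time": "2025-03-11T08:55:00Z", "ip": "203.0.113.10", "country": "FR", "client": "Browser", "status": "Success"},
]


def parse_time(value):
    """Entra exports timestamps as ISO 8601 in UTC with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def triage_signins(records):
    """Return the records that need a closer look, each with its list of reasons.

    Records are processed in time order so that a country change shortly after the
    previous successful sign-in can be spotted (an 'impossible travel' pattern).
    """
    flagged = []
    last_success = None
    for rec in sorted(records, key=lambda r: parse_time(r["time"])):
        when = parse_time(rec["time"])
        reasons = []
        if rec["country"] not in EXPECTED_COUNTRIES:
            reasons.append(f"country {rec['country']} where the company has no presence")
        if when.hour not in BUSINESS_HOURS:
            reasons.append(f"outside business hours ({when:%H:%M} UTC)")
        if rec["client"] in LEGACY_OR_SCRIPT_CLIENTS:
            reasons.append(f"legacy or scripted client: {rec['client']}")
        if rec["status"] == "Success":
            if last_success and last_success["country"] != rec["country"]:
                gap = when - parse_time(last_success["time"])
                if gap <= TRAVEL_WINDOW:
                    minutes = int(gap.total_seconds() // 60)
                    reasons.append(f"country changed {last_success['country']}->{rec['country']} "
                                   f"{minutes} min after the previous successful sign-in")
            last_success = rec
        if reasons:
            flagged.append({"time": rec["time"], "ip": rec["ip"], "client": rec["client"],
                            "status": rec["status"], "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for hit in triage_signins(SAMPLE_SIGNINS):
        print(hit["time"], hit["ip"], hit["client"], hit["status"])
        for reason in hit["reasons"]:
            print("   -", reason)
```

Any flagged successful sign-in is a level 3 indicator in the classification below; a flagged failure alone shows the password change held but still belongs in the timeline.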
Classify the incident
At this stage, classify the incident into three levels:
Level 1: Click without data entry. The employee clicked the link but did not enter anything and closed the page. Limited risk (possible silent malware download). Action: antivirus scan of the workstation, enhanced monitoring for 72 hours.
Level 2: Credentials compromised, no exploitation detected. The employee entered credentials, but logs show no suspicious sign-in. The password change and session revocation likely blocked the attacker in time. Action: maintain monitoring, check email rules, audit access for 48 hours.
Level 3: Active exploitation confirmed. Logs show suspicious sign-ins, emails sent from the compromised account, files accessed, or forwarding rules added. The attacker had access to the account. Action: immediate escalation, likely CNIL notification, police report, communication to affected individuals.
Document the timeline now
Start a timeline document from the first hour. Note every action, every discovery, every decision, with the exact time and the name of the person who made it. This document will be your single source of truth for the police report, the CNIL notification, the insurance claim, and the post-mortem.
Recommended format:
| Time | Action | Who | Result |
|---|---|---|---|
| 2:32 PM | Employee enters credentials on phishing page | Marie D. (accounting) | Credentials compromised |
| 2:35 PM | Marie contacts IT manager | Marie D. | Alert given |
| 2:38 PM | Workstation disconnected from network | Jean L. (IT) | Machine isolated |
| 2:40 PM | Microsoft 365 password changed from another workstation | Jean L. (IT) | Old password invalidated |
| 2:42 PM | Sessions revoked in Entra ID | Jean L. (IT) | All sessions closed |
| 2:45 PM | Forwarding rules checked: 1 suspicious rule found and removed | Jean L. (IT) | Forward to xxx@gmail.com removed |
This timeline will be appended to the police report and insurance claim. The more precise it is, the faster the investigation and compensation will proceed.
The first 24 hours: legal obligations
The technical response is underway. In parallel, activate the legal track. France imposes several legal obligations in case of a cyber incident, with strict deadlines. If your company is subject to the NIS2 directive, additional obligations apply - see our NIS2 guide for SMEs.
GDPR Article 33: CNIL notification within 72 hours
If the incident involves a personal data breach - unauthorized access, disclosure, loss, or destruction of personal data - you must notify CNIL (France's data protection authority) within 72 hours of discovering the incident.
The deadline starts from the moment you became aware of the breach, not from the moment it occurred. If the phishing happened on Monday at 2 PM and you discovered it Tuesday at 9 AM, the 72-hour deadline starts Tuesday at 9 AM.
When to notify? Three response levels based on severity:
- No risk to individuals (no personal data in the compromised scope): document the incident in your internal breach register. No CNIL notification.
- Risk to rights and freedoms (personal data was exposed but not yet exploited): notify CNIL within 72 hours. No obligation to inform the affected individuals.
- High risk (sensitive data compromised - banking data, health data - or confirmed exploitation): notify CNIL within 72 hours AND inform the affected individuals promptly (GDPR Article 34).
How to notify? Go to the CNIL online notification service. Complete the initial notification with the information available. You can supplement the notification later - CNIL prefers a quick, partial notification over a late, complete one.
Required information in the notification:
- Nature of the breach (unauthorized access, disclosure, etc.)
- Categories of personal data concerned (credentials, contact details, banking data)
- Approximate number of individuals affected
- Likely consequences of the breach
- Measures taken or planned to remedy the breach
LOPMI law: police report within 72 hours
Since April 24, 2023, the LOPMI law (a French interior ministry law) imposes an additional condition: to be compensated by your cyber insurance, you must file a police report within 72 hours of discovering the attack.
This deadline is independent of the CNIL deadline. Both run in parallel, but they serve different purposes: the CNIL notification protects the individuals whose data was compromised; the police report enables the criminal investigation and is a condition for insurance compensation.
Where to file a report?
- At a police station or gendarmerie: go in person with the evidence you've collected (screenshots, email headers, sign-in logs, timeline of events). Explicitly request that the report reference the applicable articles of the French Penal Code.
- Online via THESEE: the THESEE platform allows online reports for internet fraud. Note: THESEE is currently limited to individuals. Companies must go in person or write to the public prosecutor.
- By letter to the public prosecutor: send a written complaint to the judicial court in your company's headquarters jurisdiction. Attach all evidence.
Applicable French Penal Code articles:
- Article 323-1: fraudulent access to an automated data processing system (3 years imprisonment, EUR 100,000 fine; 5 years and EUR 150,000 if data is modified or deleted)
- Article 313-1: fraud (5 years and EUR 375,000; aggravated to 7 years and EUR 750,000 via electronic communication)
- Article 226-4-1: identity theft (1 year and EUR 15,000)
Additional reporting
In addition to the police report and CNIL notification, complete the following reports as applicable:
Cybermalveillance.gouv.fr (France's national cybercrime assistance platform): Go to cybermalveillance.gouv.fr/signalement. The platform offers an online diagnostic workflow that identifies the attack type and guides you through the right steps. It can also connect you with approved technical assistance providers.
17Cyber: The 17Cyber portal is France's one-stop government resource for cybercrime victims. It provides immediate diagnosis and, if needed, a live chat with a specialized officer.
Signal Spam: If the attack came by email, report the message on signal-spam.fr. Signal Spam is a partnership between CNIL and anti-spam stakeholders. Your report feeds blocking databases.
Phishing Initiative: Report the phishing site URL on phishing-initiative.eu. The platform verifies the URL and, if confirmed fraudulent, has it blocked by web browsers (Chrome, Firefox, Edge).
PHAROS: To report illicit online content (fake sites, phishing pages), use the internet-signalement.gouv.fr platform.
INFO ESCROQUERIES (France's fraud helpline): For guidance on your steps, call 0 805 805 817 (free call, Monday to Friday 9 AM to 6:30 PM). Advisors from France's interior ministry will direct you to the right contacts.
CERT-FR (ANSSI): If the incident is major (sensitive data compromise, targeted attack, business continuity impact), contact CERT-FR at 3218 or by email at cert-fr@ssi.gouv.fr. ANSSI primarily supports critical infrastructure operators and regulated entities, but receives and processes all reports. Since 2025, ANSSI's free MesServicesCyber service is accessible to all public and private entities.
The next 48 hours: technical remediation
Containment is in place, legal obligations are triggered. Move to in-depth technical remediation.
Antivirus and EDR scan
Run a full antivirus scan on the compromised workstation, and on every workstation that received the phishing email - even if the user says they didn't click. Use an endpoint detection and response (EDR) tool if your company has one. A traditional antivirus may miss recent malware; an EDR analyzes suspicious behavior in real time.
If the employee downloaded an attachment or file, submit it to a sandbox analysis service (such as VirusTotal or Any.Run) to understand what the file does.
Audit of compromised accounts
Review the compromised account's activity for the 48 hours before and after the incident:
- Emails sent: did the attacker send messages from the account? To whom? With what attachments?
- Files viewed or downloaded: on OneDrive, SharePoint, or Google Drive, did the attacker access documents?
- Permission changes: did the attacker share files or folders with external addresses?
- Application consents: in Entra ID or Google, did the attacker authorize third-party apps to access the account? These consents persist after the password change - revoke them.
- App passwords: some services allow creating app-specific passwords that bypass multi-factor authentication. Check for and delete any unknown app passwords.
Check for password reuse
If the employee reused the compromised password on other services (personal accounts, other business platforms), consider those accounts compromised. Change passwords on all these services. This is the time to mandate a company-wide password manager if you haven't already.
Enable multi-factor authentication (MFA)
If the compromised account did not have MFA enabled, enable it immediately. If MFA was already active, verify that the attacker didn't add a new authentication factor (phone number, authenticator app) for their benefit. Remove any factor not recognized by the user.
Prefer phishing-resistant MFA methods: hardware security keys (FIDO2/WebAuthn) or passkeys. SMS codes are vulnerable to SIM swapping; authenticator app codes are vulnerable to adversary-in-the-middle (AiTM) attacks that intercept tokens in real time.
Verify backups
Before any cleanup operations, check the status of your backups. If the compromised workstation hosts critical data not backed up elsewhere, make a backup copy (on an isolated medium) before starting cleanup. Remediation operations - malware removal, file restoration - can cause data loss.
Also verify that recent backups don't contain malicious files. If the attacker placed malware on a cloud-synced folder (OneDrive, Google Drive), the malware may have been automatically backed up. Restoring a contaminated backup means reinfecting the system.
Block the phishing domain and URL
At the firewall or proxy level, block the domain and URL used by the attacker. If your company uses a DNS filter (OpenDNS, Cloudflare Gateway, or similar), add the domain to the block list. This prevents any other employee from visiting the phishing site - even if the email is still in their inbox.
Also add the sender's email address (and sending domain) to your anti-spam filter's block list. Configure a transport rule in Exchange or Google Workspace to automatically delete future emails from that domain.
Analyze the phishing email headers
The email headers contain technical information about the message's path: the sending IP address, the mail server used, and authentication results (SPF, DKIM, DMARC). This information is useful for the police report and for strengthening anti-phishing filters.
Check in particular:
- The From field (displayed sender) vs the Return-Path field (actual sender): if they differ, the sender identity is spoofed
- The SPF and DKIM results: if the email fails these checks, your spam filter should have blocked it - investigate why it didn't
- The originating IP address: this can be shared with law enforcement for the investigation
- The Received headers: they trace the email's path from server to server and can reveal the sending service used by the attacker (compromised server, hijacked legitimate email service, dedicated infrastructure)
Save the complete original email (with headers) as a .eml file. This file constitutes digital evidence. Don't modify it, don't forward it (forwarding alters headers) - export it directly from the email client.
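The checks in this section can be run directly on the saved .eml file. The Python below is an added example, not the guide's own tooling: it parses the message with the standard library, compares the From, Return-Path and Reply-To domains, reads the SPF/DKIM/DMARC verdicts from Authentication-Results, and extracts the originating IP from the Received hop written by your own mail server rather than from the bottom-most hop, which the sender controls and can forge. The sample .eml and OUR_MAIL_DOMAIN are constructed assumptions.

```python
"""Triage a saved phishing .eml by its headers (added example, not the guide's code).

Checks: From vs Return-Path (and Reply-To), SPF/DKIM/DMARC verdicts from
Authentication-Results, and the originating IP taken from the Received hop that
our own mail server wrote. The .eml below is constructed; OUR_MAIL_DOMAIN is an
assumption for the receiving company's mail domain.
"""
import email
import re
from email import policy

OUR_MAIL_DOMAIN = "example-sme.fr"
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed sample: a "Microsoft 365" lure relayed through an unrelated bulk sender.
SAMPLE_EML = """\
Received: from mx1.example-sme.fr (localhost [127.0.0.1]) by mailstore.example-sme.fr with LMTP id A1; Mon, 10 Mar 2025 14:30:02 +0100
Received: from mail.bulk-sender.example (mail.bulk-sender.example [198.51.100.23]) by mx1.example-sme.fr with ESMTPS id B2; Mon, 10 Mar 2025 14:30:01 +0100
Received: from [10.0.0.5] (unknown [10.0.0.5]) by mail.bulk-sender.example with ESMTPA id C3; Mon, 10 Mar 2025 13:29:58 +0000
Authentication-Results: mx1.example-sme.fr; spf=fail smtp.mailfrom=bulk-sender.example; dkim=none; dmarc=fail header.from=microsoft.com
Return-Path: <bounce@bulk-sender.example>
From: "Microsoft 365 Team" <no-reply@microsoft.com>
Reply-To: accounts-verify@bulk-sender.example
To: marie@example-sme.fr
Subject: Action required: your mailbox will be suspended
Date: Mon, 10 Mar 2025 13:29:58 +0000
Message-ID: <constructed-0001@bulk-sender.example>
Content-Type: text/plain; charset=utf-8

Constructed sample body. The original lure linked to a fake login page (link removed).
"""


def domain_of(header_value):
    """'Name <user@host>' or 'user@host' -> 'host' in lowercase, '' if absent."""
    m = re.search(r"@([A-Za-z0-9.-]+)", str(header_value or ""))
    return m.group(1).lower() if m else ""


def auth_results(msg):
    """Collapse Authentication-Results headers into {'spf': 'fail', 'dkim': ..., 'dmarc': ...}."""
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for mech, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(hdr), re.I):
            results.setdefault(mech.lower(), verdict.lower())   # first (outermost) verdict wins
    return results


def originating_ip(msg):
    """IP of the host that handed the message to our own mail server.

    Each hop prepends its Received line, so the list reads newest-first. Lines
    below the one our MTA wrote came from the sender and can be forged, so only
    the hop whose 'by' host is ours (and whose 'from' host is not) is trusted.
    """
    for hdr in msg.get_all("Received", []):
        text = str(hdr)
        frm = re.search(r"\bfrom\s+(\S+)", text)
        by = re.search(r"\bby\s+(\S+)", text)
        if not by or not by.group(1).lower().endswith(OUR_MAIL_DOMAIN):
            continue
        if frm and frm.group(1).lower().endswith(OUR_MAIL_DOMAIN):
            continue  # internal relay between our own servers
        ip = IP_RE.search(text)
        if ip:
            return ip.group(1)
    return None


def analyze_eml(raw):
    """Return the header facts for the police report plus a list of findings."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_dom = domain_of(msg.get("From"))
    rp_dom = domain_of(msg.get("Return-Path"))
    reply_dom = domain_of(msg.get("Reply-To"))
    auth = auth_results(msg)
    findings = []
    if rp_dom and rp_dom != from_dom:
        findings.append(f"Return-Path domain {rp_dom} differs from From domain {from_dom}: displayed sender is spoofed")
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}: replies go elsewhere")
    for mech in ("spf", "dkim", "dmarc"):
        verdict = auth.get(mech, "missing")
        if verdict != "pass":
            findings.append(f"{mech.upper()} did not pass ({verdict}): investigate why the filter let it through")
    return {"from_domain": from_dom, "return_path_domain": rp_dom, "reply_to_domain": reply_dom,
            "auth": auth, "originating_ip": originating_ip(msg),
            "received_hops": len(msg.get_all("Received", [])), "findings": findings}


if __name__ == "__main__":
    for key, value in analyze_eml(SAMPLE_EML).items():
        print(f"{key}: {value}")
```

Feed it the exported .eml, never a forwarded copy, so the Received chain and Authentication-Results are the ones your own server wrote.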
Immediate filter strengthening
Use the incident as an opportunity to strengthen anti-phishing filters:
- DMARC: if your domain doesn't have a DMARC policy, create one. Start in "none" mode (observation), then move to "quarantine" after two weeks of analysis, then to "reject". A DMARC policy at "reject" prevents spoofing of your domain - which protects your clients and partners as much as yourself.
- External sender warning banner: configure a banner on emails from outside the organization ("This message is from an external sender - verify the sender's identity before clicking"). Microsoft 365 and Google Workspace offer this feature. It doesn't block anything, but it creates a visual cue that triggers the verification reflex.
- Block Office macros: if your company doesn't need macros in Office documents, block them by default via group policy. Macros remain one of the most common malware vectors in phishing attachments.
Internal communication
A phishing incident concerns the entire company, not just the person who clicked. Communication must be quick, factual, and supportive.
Communication to the team
Send a message to all staff within the hour following confirmation of the incident. The tone should be informative, not alarming. The goal: prevent other employees from clicking on the same email, and reassure them about the actions underway.
Internal communication template:
Subject: Security alert - phishing email detected
A fraudulent email was identified in our inboxes today. The email appears to be [briefly describe: a Microsoft message / a vendor invoice / an email from management] and contains a link to a fake login page.
If you received this email: do not click the link. Delete it immediately. If you already forwarded it to someone, let them know.
If you clicked the link or entered information: contact [name/department] at [phone/email] immediately. No disciplinary action will be taken - reporting quickly limits the damage.
The incident is being managed by [IT team / service provider]. We will keep you informed if additional actions are needed from you.
Never name the person who clicked. Anonymity of the victim is essential to maintaining a reporting culture. If employees know their mistake will be made public, they'll stop reporting - and the company will discover the next incident too late.
Executive briefing
Inform the CEO and board members through a separate channel (phone call or in-person meeting, not email if the email system is potentially compromised). Communicate:
- The facts: type of attack, number of people affected, data potentially exposed
- Actions taken: containment, password changes, reporting
- Legal obligations in progress: CNIL notification (if applicable), police report (LOPMI)
- Financial risk assessment: remediation costs, insurance impact, CNIL sanction risk
- Decisions needed: external communication (clients, partners), cyber insurance activation
Notification to affected individuals (GDPR Article 34)
If the incident presents a high risk to the rights and freedoms of individuals whose data was compromised, you must inform them directly, promptly, in clear language.
Template for notification to affected individuals:
Subject: Information regarding a security incident affecting your data
We are writing to inform you that a security incident on [date] may have affected some of your personal data: [specify data categories: name, email, phone number, etc.].
The incident was detected on [date] and immediate measures were taken: [summarize actions]. A notification has been sent to CNIL in accordance with GDPR.
We recommend that you [recommended actions: change your passwords, monitor your accounts, etc.].
For any questions, contact our DPO (Data Protection Officer): [contact details].
Communication to clients and partners
If the attacker used the compromised account to send emails to external contacts (clients, vendors, partners), you must warn them promptly and through a different channel than email.
By phone (priority for contacts who received a fraudulent email):
- Explain the situation: "A fraudulent email was sent from our address. Do not click any links and do not reply to this message."
- Ask them to delete the email and confirm they haven't clicked
By email (sent from a clean account, not the compromised one):
- Send a factual message to all contacts who may have received the fraudulent email
- Specify the subject and approximate time of the fraudulent email
- Indicate the actions to take (delete, don't click)
- Provide a phone contact for questions
Speed of this communication protects your reputation. A client warned by you will forgive the incident. A client who discovers the fraud on their own - or worse, after clicking - will lose trust.
Internal breach register
Regardless of the CNIL notification, GDPR (Article 33, paragraph 5) requires every data controller to maintain an internal breach register. This register must document each breach, its effects, and the remediation measures. CNIL can request it during an audit.
For each incident, the register must contain:
- Date and time of the breach
- Date and time of discovery
- Nature of the breach (unauthorized access, disclosure, etc.)
- Categories and approximate number of individuals affected
- Categories of data concerned
- Likely consequences
- Measures taken to remedy the breach
- Decision to notify (or not notify) CNIL, with justification
- Decision to inform (or not inform) affected individuals, with justification
Even if the incident doesn't reach the CNIL notification threshold (no risk to individuals), it must appear in this register. It's your compliance evidence in case of an audit.
Cyber insurance: filing the claim
If your company has cyber insurance, report the claim within the contractual deadlines - typically 5 business days maximum after discovering the incident. Some policies require a shorter deadline (48 hours). Check your policy.
Prerequisite: the police report
Since the LOPMI law (April 24, 2023), insurance compensation is conditioned on filing a police report within 72 hours. No report, no compensation - regardless of your policy's coverage.
Documents to prepare for the insurer
- Copy of the police report (receipt)
- Detailed incident timeline (detection time, actions taken, people involved)
- Screenshots of the phishing email and fraudulent site
- Sign-in logs showing suspicious activity
- List of potentially compromised data
- Copy of the CNIL notification (if applicable)
- Cost estimate: technical remediation costs, lost revenue, legal fees, notification costs
What cyber insurance covers (and doesn't)
Generally covered:
- Technical remediation costs (expert intervention, system restoration)
- Notification costs to affected individuals
- Legal fees (counsel, representation)
- Lost revenue (if the incident interrupts business)
- Crisis management costs (crisis communication, public relations)
Coverage varies by policy:
- Social engineering fraud (fraudulent wire transfer after phishing): some policies exclude this or apply sub-limits
- Ransom (ransomware): coverage is controversial and increasingly restricted
- Regulatory fines and penalties (CNIL): generally excluded as considered uninsurable
Watch for exclusions: Check whether your policy requires pre-existing security measures (up-to-date antivirus, regular backups, MFA enabled, employee training). If these conditions aren't met at the time of the incident, the insurer can deny the claim. Cybersecurity training is increasingly required by insurers - see our article on cyber insurance and training evidence.
Post-incident: learning the lessons
The incident is under control. The temptation is to move on and forget. That's a mistake. Post-incident analysis is what prevents the same scenario from happening again.
Post-mortem analysis
Organize a post-mortem meeting within 5 to 10 days of closing the incident. Bring together the people involved: the person who clicked (if willing), the IT manager, the external provider, management.
Post-mortem structure (inspired by the NIST SP 800-61 Rev. 3 framework, aligned with Cybersecurity Framework 2.0):
Timeline of events:
- What time was the email sent?
- What time did the employee click?
- What time was the incident reported internally?
- How much time elapsed between the click and the password change?
- Did the attacker have time to exploit the access?
Root cause analysis:
- Why didn't the spam filter block the email?
- Did the email show detectable signs (suspicious domain, missing DKIM, spelling errors)?
- Did the compromised account have MFA enabled?
- Had the employee received recent phishing training?
- Did the employee know how to report a suspicious email?
Response evaluation:
- Was the response procedure followed?
- Were containment timelines acceptable?
- Were legal obligations met within deadlines?
- What tools or procedures were missing?
Corrective actions:
- Technical improvements (MFA, spam filter, training)
- Organizational improvements (reporting procedure, crisis communication)
- Human improvements (enhanced training, phishing simulation)
Document the results
Write a post-mortem report. This document serves as a reference for future incidents, proof of diligence for insurance and CNIL, and a basis for improvements.
The report should include:
- An executive summary (one page maximum, intended for management)
- The complete timeline (with precise timestamps)
- The technical analysis (attack vector, compromise scope, exposed data)
- The response evaluation (what worked, what failed, timelines)
- The corrective actions decided, with a responsible person and deadline for each
- The direct and indirect costs of the incident
Store this report in a secure location, accessible only to authorized personnel. It contains sensitive information about the company's vulnerabilities.
Update procedures
After the post-mortem, update your incident response procedure. Every incident reveals gaps - the procedure must evolve accordingly. Document the changes and share them with the relevant people.
The most common improvements after a first phishing incident:
- Creating a "Report suspicious email" button in the email client (reduces reporting time from hours to seconds)
- Enabling MFA on all accounts (the measure that would have prevented 90% of credential compromises)
- Implementing a DMARC policy at "reject" on the company domain
- Subscribing to a phishing simulation service to train reflexes
- Writing an internal guide "what to do if I get a suspicious email" - posted in offices and sent to every new hire
Training the affected person
The person who clicked probably feels guilty, stressed, even humiliated. The company's response at this moment is decisive for security culture.
What to do:
- Reassure: "Phishing exploits how the brain normally works. Anyone can click - including IT managers (65% of them already have, according to Arctic Wolf 2025)."
- Offer a short individual training session (15 minutes) targeted at the type of phishing that worked
- Include the person in the phishing simulation program if they're not already
What not to do:
- Name the person in front of the team
- Apply disciplinary action (except for intentional misconduct or documented repeat offense after training)
- Use the incident as an "example" during a team meeting
To understand why even experts click, see our article on the psychology of phishing and cognitive biases.
Prevent the next incident. nophi.sh runs monthly phishing simulations with automated training after every click. Your staff learn to spot fraudulent emails before a real incident happens. Create a free account - first campaign in 15 minutes.
Follow-up phishing simulation
Within 2 to 4 weeks of the incident, launch a targeted phishing simulation. The goal isn't to "test" the victim - it's to verify that reporting reflexes work across the organization, and that the incident has strengthened collective vigilance.
Data shows that organizations that launch a simulation within a month of a real incident see their reporting rate increase by 40% on average (SANS Security Awareness 2025). The real incident creates an emotional anchor that reinforces learning - provided the simulation is accompanied by supportive remediation.
To set up a simulation program, see our complete guide to phishing simulation in the workplace.
Phishing incident response checklist
Print this checklist. Post it in the IT manager's office and the executive's office. On the day, check each box in order. The first actions are the most urgent - they limit the attacker's access. Subsequent actions activate the legal and organizational track.
Phase 0: Preparation (before any incident)
- Identify who is responsible for incident response in the company
- Have administrator access to Microsoft 365 / Google Workspace, ideally through a dedicated admin account whose credentials are stored outside the tenant's mailboxes and protected by MFA (you cannot revoke sessions or remove forwarding rules without it)
- Have the IT provider's phone number accessible without going through email
- Know the DPO (or GDPR lead) contact details
- Have a copy of the cyber insurance policy accessible offline
- Train at least two people on the first 6 containment actions
Phase 1: The first 15 minutes
- Disconnect the workstation from the network (Wi-Fi OFF, cable unplugged)
- DO NOT turn off the computer
- Change the compromised password (from a different device)
- Revoke all active sessions (Entra ID / Google Workspace)
- Check for and remove suspicious email forwarding rules
- Alert the IT team / provider by phone
- Take screenshots of the email, URL, and headers
Phase 2: The first hour
- Identify the type of phishing (credential theft, malware, BEC)
- Inventory data accessible from the compromised account
- Check sign-in logs for exploitation
- Classify the incident (level 1, 2, or 3)
- Send a security alert to all staff
Phase 3: The first 24 hours
- Evaluate the CNIL notification obligation (personal data compromised?)
- If applicable: notify CNIL via the online service
- File a police report (police station, gendarmerie, or public prosecutor)
- Report on Cybermalveillance.gouv.fr and/or 17Cyber
- Report the email on Signal Spam and the URL on Phishing Initiative
- Brief management (by phone, not email)
Phase 4: The next 48 hours
- Scan the compromised workstation (antivirus/EDR)
- Audit the account's activity over the past 48 hours
- Check application consents and app passwords
- Enable or verify MFA
- Block the phishing domain/URL at the firewall level
- Change the password on all services where it was reused
- If personal data exposed: inform affected individuals (GDPR Art. 34)
Phase 5: The first week
- File the cyber insurance claim (within 5 business days)
- Prepare the insurer file (report, timeline, evidence, cost estimate)
- Organize the post-mortem meeting
- Document corrective actions
- Update the incident response procedure
- Plan a follow-up phishing simulation (in 2 to 4 weeks)
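The Phase 1 and Phase 4 checklist items for a Microsoft 365 tenant (change the password, revoke sessions, find and remove forwarding rules, check application consents, audit sign-ins) can be run as one script from a clean admin workstation. The following is an added example, not part of the original guide or of any vendor documentation. It assumes the Microsoft.Graph and ExchangeOnlineManagement modules are installed, that the operator holds a role allowed to reset passwords and revoke sessions, that sign-in log access is licensed (Entra ID P1/P2), and that the account name and evidence folder are placeholders to replace.

```powershell
# Added example: first-hour containment of one compromised Microsoft 365 account.
# Assumptions: Microsoft.Graph + ExchangeOnlineManagement modules installed; the
# operator has a password-reset-capable admin role; $Upn and $Evidence are placeholders.
$Upn      = 'compta@example.com'
$Evidence = "C:\IR\$(Get-Date -Format yyyyMMdd-HHmm)-$($Upn -replace '@','_')"
New-Item -ItemType Directory -Path $Evidence -Force | Out-Null

Connect-MgGraph -Scopes 'User.ReadWrite.All','AuditLog.Read.All','Directory.Read.All','DelegatedPermissionGrant.ReadWrite.All'
Connect-ExchangeOnline -ShowBanner:$false

# 1. Reset the password and force a change at next sign-in. Generate it locally;
#    never send the new password by email from the compromised tenant.
$NewPassword = -join ((33..126) | Get-Random -Count 24 | ForEach-Object { [char]$_ })
Update-MgUser -UserId $Upn -PasswordProfile @{
    Password                      = $NewPassword
    ForceChangePasswordNextSignIn = $true
}

# 2. Revoke refresh tokens and session cookies: a password change alone does not
#    kill sessions the attacker already holds.
Revoke-MgUserSignInSession -UserId $Upn | Out-Null
# If the account can be taken offline entirely, also run:
# Update-MgUser -UserId $Upn -AccountEnabled:$false

# 3. Inbox rules and mailbox-level forwarding: export first (evidence), then neutralise.
$Rules = Get-InboxRule -Mailbox $Upn -IncludeHidden
$Rules | Select-Object Name,Enabled,ForwardTo,ForwardAsAttachmentTo,RedirectTo,
        DeleteMessage,MoveToFolder,SubjectContainsWords,Description |
    Export-Csv -Path "$Evidence\inbox-rules.csv" -NoTypeInformation

$Suspect = $Rules | Where-Object {
    $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or $_.DeleteMessage -or
    $_.Name -match '^[\s.,;]*$'   # empty or punctuation-only rule names are a classic attacker tell
}
foreach ($r in $Suspect) {
    Write-Host "Disabling rule '$($r.Name)' ($($r.Identity))"
    Disable-InboxRule -Mailbox $Upn -Identity $r.Identity -Confirm:$false   # disable, not delete: keeps the artefact
}
Get-Mailbox -Identity $Upn |
    Select-Object ForwardingAddress,ForwardingSmtpAddress,DeliverToMailboxAndForward |
    Export-Csv -Path "$Evidence\mailbox-forwarding.csv" -NoTypeInformation
Set-Mailbox -Identity $Upn -ForwardingAddress $null -ForwardingSmtpAddress $null -DeliverToMailboxAndForward $false

# 4. OAuth consents granted by this user: an "illicit consent" app is persistence
#    that survives both the password reset and the session revocation.
$UserId = (Get-MgUser -UserId $Upn).Id
$Grants = Get-MgOauth2PermissionGrant -Filter "principalId eq '$UserId'" -All
$Grants | Select-Object Id,ClientId,ResourceId,Scope,ConsentType |
    Export-Csv -Path "$Evidence\oauth-grants.csv" -NoTypeInformation
# After review, revoke an unknown grant with:
# Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId <Id>

# 5. Sign-ins over the last 48 h: was the stolen credential actually used, from where,
#    with which client (legacy protocols and unknown countries are the signals to look for)?
$Since   = (Get-Date).AddHours(-48).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
$SignIns = Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$Upn' and createdDateTime ge $Since" -All |
    Select-Object CreatedDateTime,IpAddress,
        @{n='Country';e={ $_.Location.CountryOrRegion }},
        AppDisplayName,ClientAppUsed,
        @{n='ErrorCode';e={ $_.Status.ErrorCode }} |   # 0 = successful sign-in
    Sort-Object CreatedDateTime
$SignIns | Export-Csv -Path "$Evidence\signins-48h.csv" -NoTypeInformation
$SignIns | Format-Table -AutoSize
```

Run it from a machine that is not the affected workstation, and keep the exported CSVs with the screenshots from Phase 1: the rules and grants are disabled or listed rather than silently deleted precisely so that they remain available for the forensic analysis and the police report.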
Special cases
The employee downloaded a malicious attachment
If the employee opened an attachment (Word file with macros, booby-trapped PDF, disguised executable), the workstation is potentially infected with malware. In addition to the standard containment actions:
- Isolate the workstation from the network immediately: the malware may attempt to spread laterally to other machines on the network
- Do not restart the workstation: fileless malware that lives only in memory disappears on reboot, together with the evidence of what it did, and persistent malware may use the reboot to finish installing or to clean up its traces on disk
- Have the workstation analyzed by a professional: an antivirus scan is not enough. A forensics expert can identify the malware type, its objective (exfiltration, persistence, ransomware), and determine whether it communicated with a command and control (C2) server
- Check other workstations on the network: if the malware is a worm or spreads via network shares, other machines may be infected
- Preserve the malicious file: do not delete it. Quarantine it and record its SHA-256 hash. It will be needed for forensic analysis and the police report, and the hash lets you search other workstations and threat-intelligence sources for the same sample
The employee made a fraudulent wire transfer (BEC)
Wire transfer fraud (Business Email Compromise) is the most costly scenario. If a transfer was sent to a fraudulent account:
- Contact your bank immediately: within minutes of discovery. The bank can attempt a funds recall if the transfer has not yet been credited. Recovery chances drop drastically after 24 hours and become virtually nil after 72 hours for international transfers.
- Request a freeze on the beneficiary account: the bank can contact the destination bank to freeze the account
- File a police report immediately: the LOPMI 72-hour deadline is a maximum, not a target. For wire fraud, every hour counts
- Preserve the entire email chain: the transfer request emails, internal approvals, banking confirmations
- Check whether other fraudulent transfers were made: attackers don't always stop at one
The average cost of CEO fraud in France is EUR 150,000 (Vade data, 2024). The most serious cases exceed one million euros.
If the transfer was sent to a foreign account (a common scenario), the funds recall involves international banking cooperation. The French bank contacts the foreign bank via the SWIFT network. The timeline and outcome depend on the destination country and the local bank's responsiveness. Western European countries generally cooperate well; transfers to Southeast Asia, Eastern Europe, or West Africa are much harder to recover.
In parallel with the banking process, the police report allows investigators to issue international mutual legal assistance requests via Interpol or Europol. These procedures are slow (several months) but can result in foreign asset freezes.
Multiple employees clicked (mass campaign)
If the phishing email hit multiple employees, the incident changes scale. Switch to crisis management mode:
- Identify all employees who received the email: search for the subject and sender in email logs
- Delete the email from all inboxes: on Microsoft 365, use Content search in the Microsoft Purview compliance portal, or New-ComplianceSearch followed by New-ComplianceSearchAction -Purge -PurgeType SoftDelete in Security & Compliance PowerShell (the older Search-Mailbox cmdlet is retired). Prefer a soft delete: it keeps the items recoverable as evidence. On Google Workspace, use the investigation tool in the admin console to locate and delete the message.
- Contact each person who clicked individually: don't rely on a collective email to identify victims. Call them one by one.
- Apply the containment procedure to each compromised account: password change, session revocation, forwarding rule verification
- Evaluate whether the attacker used a compromised account to launch an internal attack: a phishing email sent from a legitimate company account is far more dangerous than an external email
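The three technical steps above (identify recipients, purge the message from every mailbox, neutralise the sender) map onto a short Security & Compliance PowerShell session. The following is an added example, not code from the original guide or from Microsoft. It assumes the ExchangeOnlineManagement module is installed, that the operator holds the "Search And Purge" role in Microsoft Purview (not granted to Global Administrators by default), and that the sender, subject and domain are placeholders for the values taken from the screenshots and headers collected in Phase 1.

```powershell
# Added example: scoping and purging a mass phishing campaign in Microsoft 365.
# Assumptions: ExchangeOnlineManagement module installed; operator has the
# "Search And Purge" role; $Sender, $Subject and $Domain are placeholders.
$Sender   = 'facturation@example-invoice.test'
$Subject  = 'Facture en attente de validation'
$Domain   = 'example-invoice.test'
$Lookback = (Get-Date).AddDays(-2)

Connect-ExchangeOnline -ShowBanner:$false
Connect-IPPSSession            # Security & Compliance endpoint, needed for the search/purge cmdlets

# 1. Who received it? Message trace gives delivery status per recipient.
#    (Microsoft is replacing Get-MessageTrace with Get-MessageTraceV2; same core parameters.)
$Trace      = Get-MessageTrace -SenderAddress $Sender -StartDate $Lookback -EndDate (Get-Date) -PageSize 5000
$Recipients = $Trace | Where-Object Status -eq 'Delivered' |
    Select-Object -ExpandProperty RecipientAddress -Unique
Write-Host "$($Recipients.Count) mailbox(es) received the message:"
$Recipients
# This list is the call sheet for "contact each person individually":
# the trace proves delivery, not whether anyone clicked.

# 2. Block the sender domain tenant-wide so follow-up waves are rejected
#    (Defender for Office 365 tenant allow/block list).
New-TenantAllowBlockListItems -ListType Sender -Entries $Domain -Block -NoExpiration | Out-Null

# 3. Locate the message in every mailbox with a compliance search (KQL query).
$SearchName = "IR-phish-$(Get-Date -Format yyyyMMdd-HHmm)"
$Query      = "from:$Sender AND subject:`"$Subject`""
New-ComplianceSearch -Name $SearchName -ExchangeLocation All -ContentMatchQuery $Query | Out-Null
Start-ComplianceSearch -Identity $SearchName
do {
    Start-Sleep -Seconds 15
    $Search = Get-ComplianceSearch -Identity $SearchName
} while ($Search.Status -ne 'Completed')
Write-Host "Search found $($Search.Items) item(s); check per-mailbox hits before purging:"
$Search.SuccessResults          # sanity check that the query is not over-broad

# 4. Soft-delete the hits. SoftDelete leaves the items recoverable (evidence is kept);
#    HardDelete is irreversible. A purge removes at most 10 items per mailbox per action,
#    so rerun it if a mailbox received several copies.
New-ComplianceSearchAction -SearchName $SearchName -Purge -PurgeType SoftDelete -Confirm:$false
do {
    Start-Sleep -Seconds 15
    $Action = Get-ComplianceSearchAction -Identity "${SearchName}_Purge"
} while ($Action.Status -ne 'Completed')
$Action | Select-Object Name,Status,Results
```

Keep the message trace export and the search results with the incident file: they document which mailboxes were exposed, which is exactly what the CNIL notification assessment in Phase 3 needs.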
The executive was compromised
Compromise of an executive's account is the most serious scenario, for three reasons:
- Broad access: the executive's account often has access to sensitive data (strategy, finance, HR, legal)
- Maximum credibility: an email sent from the CEO's account gets near-total response rates from staff
- Reputational impact: if fraudulent emails are sent to clients or partners from the executive's account, the company's image is directly affected
Specific actions:
- Immediately change passwords for all services the executive accesses (email, ERP, CRM, online banking, electronic signature)
- Check emails sent from the account in the hours following the compromise: if wire transfer requests or fraudulent emails were sent, immediately contact the recipients
- Warn clients and partners if fraudulent emails were sent from the executive's account, through a separate communication channel (phone, mail)
- Commission a full security audit: compromise of an executive account justifies in-depth forensic analysis to verify no persistence mechanisms were installed (mailbox delegations, inbox rules, OAuth application consents, added MFA methods or devices, new admin accounts)
- Evaluate the legal impact: if the executive is the company's legal representative, their electronic signature may have been used to validate documents. Check recent signatures and approvals made from their account.
The incident occurs on a Friday evening or during holidays
Attackers deliberately target low-vigilance periods: Friday afternoons, holiday eves, vacation periods. If the incident occurs when the IT team is absent or reduced:
- Apply the first 6 containment reflexes: they don't require advanced technical expertise. Any trained employee can disconnect a workstation, change a password, and revoke sessions.
- Contact your IT service provider by phone: maintenance contracts often include an on-call or emergency number
- Don't push it to Monday: an attacker who gains control of an account on Friday evening has the entire weekend to exploit the access, send fraudulent emails, and install persistence mechanisms
- The LOPMI 72-hour deadline doesn't pause during the weekend: if you discover the incident Friday at 5 PM, you have until Monday at 5 PM to file the police report
Frequently asked questions
Should you pay if it's ransomware?
The official position of ANSSI and the French government is to never pay the ransom. Paying does not guarantee data recovery (40% of companies that pay don't recover all their files, according to Sophos 2024), funds criminal organizations, and makes your company a priority target for future attacks. The LOPMI law does not prohibit payment, but it makes insurance coverage of the loss (including any ransom paid) conditional on filing a police report within 72 hours of becoming aware of the attack. Focus your resources on restoring from backups and rebuilding compromised systems.
Can you fire an employee who clicked on a phishing email?
French labor law does not provide for automatic sanctions for this type of error. Clicking on a phishing email does not constitute professional misconduct except in exceptional circumstances: repeat offense after documented training, deliberate violation of a written and signed security procedure, or malicious intent. French case law protects employees who fall victim to social engineering: courts consider that the employer has an obligation to provide training and implement technical protective measures. Firing an employee for clicking creates a precedent that destroys reporting culture: no one will report their mistakes, and incidents will be discovered too late.
Does the company risk a CNIL fine if it reports an incident?
Reporting an incident to CNIL does not automatically trigger a penalty. CNIL penalizes failures in security obligations (absence of adequate protective measures), not the incident itself. However, failing to report an incident that should have been reported exposes the company to a penalty for non-compliance with GDPR Article 33 - on top of the penalty for the underlying security failure. Notification demonstrates the company's good faith and commitment to compliance.
How much does a phishing incident cost an SME?
According to Groupama data (2025), the average cost of a cyber incident for a French SME is EUR 466,000, including technical remediation, lost revenue, legal and notification costs, and commercial impact. For a phishing incident with credential compromise without massive data exfiltration, costs are generally more modest: between EUR 5,000 and EUR 50,000 for technical remediation and administrative costs (police report, CNIL notification, insurance claim). The real hidden cost is lost time: each person involved in the response (executive, IT, legal, DPO) spends between 20 and 60 hours on the incident. For an SME, that's the equivalent of one to three weeks of lost productivity.
What if the employee entered their bank details?
If the employee entered bank details (card number, account number, IBAN) on a phishing site:
- Block the card or account immediately through the bank (by phone, not email)
- Monitor account activity for the following weeks
- Report the fraud to your bank in writing to dispute unauthorized transactions - the French Monetary and Financial Code (Articles L133-18 and L133-19) provides for reimbursement of unauthorized transactions except in cases of gross negligence by the account holder
- File a police report: the report is necessary for bank reimbursement in fraud cases
Should you communicate publicly about the incident?
There is no legal obligation for SMEs to communicate publicly (unlike listed companies that may have market transparency obligations). Public communication is a strategic decision, not a requirement. Generally, only communicate publicly if: clients or partners were directly affected (fraudulent emails sent from your account), the incident was publicized by another source, or transparency strengthens your credibility with stakeholders.
How do you prevent the next incident?
Prevention combines technical, human, and organizational measures:
Technical: MFA on all accounts (top priority; prefer phishing-resistant methods such as FIDO2 security keys or passkeys, because adversary-in-the-middle phishing kits can relay SMS and app codes in real time), anti-phishing filter on email (Microsoft Defender for Office 365, Google Workspace Security, or third-party solution), DMARC policy at "reject" on your domain (prevents attackers from spoofing your exact domain, though not lookalike domains), DNS filter to block known malicious domains.
Human: regular phishing simulation program (one to two simulations per month), contextual training (immediate remediation after each click on a simulation), report button in the email client (simplifies the reporting reflex).
Organizational: phone verification procedure for sensitive requests (wire transfers, bank detail changes), password policy with company-wide password manager, documented and tested incident response procedure, annual crisis simulation exercise.
For insights into the psychological mechanisms that phishing exploits and how to design effective training, see our article on phishing statistics in the workplace, our cybersecurity training guide for SMEs, and our guide to recognizing fraudulent emails.
Conclusion
Managing a phishing incident takes method, speed, and composure. The first 15 minutes are the most important: disconnect, change passwords, revoke sessions, preserve evidence. The next 72 hours activate the legal track: CNIL notification if personal data is compromised, police report to secure insurance compensation.
But the real lesson from a phishing incident isn't technical. It's organizational. Every incident reveals gaps: missing MFA, misconfigured spam filter, no reporting procedure, insufficient training. Post-incident analysis is what prevents the next incident.
The best response to an incident is not having to trigger one. A regular phishing simulation program, basic technical measures (MFA, DMARC, DNS filter), and a company culture that values reporting over punishing mistakes - this combination reduces click rates on phishing emails by 75% in 12 months (SANS Security Awareness 2025).
The cost of a prevention program is a few euros per employee per month. The cost of an unprepared incident runs into tens or hundreds of thousands of euros - not counting the stress, the sleepless nights, and the impact on client and partner trust.
According to the Cybermalveillance.gouv.fr 2024 annual report, assistance requests grew by 49.9% year-on-year, reaching over 420,000 requests. Phishing remains the top threat, for individuals and businesses alike. Your company will be targeted. The only unknown is when.
This guide is your battle plan. Print it, share it, test it. And if you want your employees to develop reporting reflexes before a real incident, launch a simulation program.
Launch your first phishing simulation | Discover our features