What should you do if you suspect you have been phished?

If you think you have fallen for a phishing attack, act immediately. Stop interacting with the message, secure your accounts from a different device, and report the incident so it can be contained and investigated.

Phishing remains one of the most common ways attackers gain unauthorised access to systems, accounts and data. A calm, methodical response in the first few minutes can significantly reduce the impact.


Fast checklist for individuals

If you have clicked a link, opened a file or entered your details:

  • Stop using the device for sensitive activity. If possible, disconnect it from the internet.
  • From a different device, change the passwords for any accounts that might be affected.
  • Turn on multifactor authentication where you can.
  • Check your email rules and forwarding for anything unfamiliar.
  • Run a full antivirus or anti-malware scan on the affected device.
  • Report the phishing attempt and keep notes of what happened.

The sections below walk through these steps in more detail.

For individuals

Step 1 Stop and assess

If you have clicked a suspicious link, opened an unexpected attachment or downloaded something that could be malicious:

  • Disconnect from the internet if you can, to reduce ongoing malicious activity.
  • Make a note of what happened, including the device used, who the message appeared to come from, and any links or files you interacted with.
  • Run trusted antivirus or anti-malware tools.

If you still have doubts about whether the device is safe after scanning, you may need to reset or rebuild the operating system.

If you entered your username and password into a site that may be fake:

  • Note the details as above, including the address of the site if you can remember it.
  • Move quickly to secure the account.

Step 2 Secure your accounts

On a different, trusted device:

  • Go directly to the affected service (for example Microsoft, Google, Apple or your bank) by typing the address manually or using a trusted bookmark.
  • Change your password immediately using a strong, unique password you have not used elsewhere.
  • If you have reused that password on other services, change those passwords as well.
  • Enable multifactor authentication if it is not already active. This gives extra protection even if a password has been exposed.

Carefully review your multifactor authentication settings:

  • Remove any devices, phone numbers or authentication apps that you do not recognise.
  • Check for other linked accounts that sign in with the same identity and review them for unusual activity.

Step 3 Inspect your email settings

Attackers often try to keep access to a compromised mailbox by:

  • Adding mail forwarding rules to copy messages to an external address.
  • Creating filter or deletion rules to hide password reset or security alerts.

Check your email settings for any rules, delegates or forwarding instructions you did not set up yourself and remove them.

Step 4 Check your device and browser

On the affected device:

  • Run a full antivirus or anti-malware scan.
  • Ensure your operating system, browser and security tools are fully up to date.
  • Clear your browser cache and saved passwords. Some phishing pages use scripts that store credentials locally.
  • Review your browser’s saved passwords and remove anything unfamiliar or recently added.

Step 5 Wider protection and monitoring

To reduce risk in future and watch for signs of misuse:

  • Consider using a password manager to generate and store unique passwords for each service.
  • Use a trusted site such as haveibeenpwned.com to see whether your email address appears in known data breaches.
  • Monitor your online accounts and financial statements closely for unusual activity.
  • If you believe financial details were exposed, contact your bank or card provider immediately.

Step 6 Report the phishing attempt

Reporting helps providers and authorities block similar attacks:

  • Use your email provider’s phishing report function if it has one.
  • In the UK, you can forward suspicious emails to report@phishing.gov.uk (the National Cyber Security Centre reporting service).
  • Delete the message and any attachments. Do not reply or click any further links.
  • Keep relevant details or screenshots in case your organisation’s IT team or the authorities request them.

Step 7 Should you warn your contacts?

If you think your email or social media account has been accessed by someone else, you should warn your important contacts, but only after you have secured your account.

Do this:

  • First regain control of your account by changing the password, checking forwarding rules, and reviewing multifactor authentication settings.
  • Then send a short message to recent or key contacts explaining that your account was briefly compromised and that they should ignore or delete any unusual messages.

Example wording:

My account was briefly compromised earlier today. If you have received any unexpected emails or messages from me, please delete them and do not click any links or attachments.

Avoid:

  • Sending an alert before the account is secure, as an attacker might still be able to send messages from it.
  • Posting publicly unless necessary. Direct communication is usually better and avoids unnecessary attention.

This helps prevent further spread of phishing links and limits reputational damage, especially if the attacker used your account to contact friends, colleagues or clients.

For organisations

The same basic principles apply for organisations, but there are extra steps around incident response, investigation and compliance.

Step 1 Report and contain

As soon as an employee suspects they have interacted with a phishing message:

  • They should report it immediately to IT or security, ideally through a designated reporting button or phishing inbox.
  • The affected account should be disabled temporarily and the device isolated from the corporate network until it can be checked.

Early reporting is essential. Delays can turn a contained incident into a wider compromise.

Step 2 Reset and review

The IT or security team should:

  • Force a password reset for the affected user.
  • Review multifactor authentication settings and remove any unfamiliar devices or apps.
  • Check for suspicious mail rules, forwarding addresses or delegated access.
  • Examine sign-in logs and audit trails for unusual activity, such as sign-ins from unexpected locations, devices or times.
  • If the same password could have been reused elsewhere, enforce resets on related systems.

Where possible, temporarily block external mail forwarding at the server level until accounts are confirmed as clean.
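The mailbox rule checks described in Step 3 for individuals and in Step 2 above (external forwarding, rules that hide security notices) can be automated over an exported rule list. This is an added illustration, not Toro's own tooling; the rule field names and the sample rules are constructed, and the internal domain list is an assumption.

```python
"""Audit exported mailbox rules for attacker persistence patterns.

Assumed export format (constructed, not any vendor's real schema):
each rule has a name, a conditions dict and an actions dict.
"""

INTERNAL_DOMAINS = {"example.co.uk"}  # assumed organisation domains

# Subjects an attacker hides so the victim never sees the warning
SECURITY_KEYWORDS = ("password", "reset", "security alert", "sign-in", "verification code")

# Folders commonly used to bury messages out of sight
HIDING_FOLDERS = ("deleted items", "junk", "rss feeds", "archive")

# Constructed sample export: four rules, two of them malicious
SAMPLE_RULES = [
    {"name": "Newsletter filing", "conditions": {"subject_contains": ["newsletter"]},
     "actions": {"move_to": "Reading"}},
    {"name": ".", "conditions": {},
     "actions": {"forward_to": ["attacker@mail-example.net"]}},
    {"name": "Cleanup", "conditions": {"subject_contains": ["password reset", "unusual sign-in"]},
     "actions": {"delete": True, "mark_read": True}},
    {"name": "Team forward", "conditions": {"from_contains": ["finance"]},
     "actions": {"forward_to": ["manager@example.co.uk"]}},
]


def audit_rules(rules, internal_domains=INTERNAL_DOMAINS):
    """Return (rule name, reason) findings for rules that look like persistence:
    forwarding outside the organisation, hiding security notices, or a
    deliberately inconspicuous name."""
    findings = []
    for rule in rules:
        name = rule.get("name", "")
        actions = rule.get("actions", {})
        conds = rule.get("conditions", {})
        # 1. Forwarding to any domain not in the organisation's own list
        for addr in actions.get("forward_to", []):
            if addr.rsplit("@", 1)[-1].lower() not in internal_domains:
                findings.append((name, f"forwards to external address {addr}"))
        # 2. Deleting or burying messages whose subject matches security notices
        hides = bool(actions.get("delete")) or actions.get("move_to", "").lower() in HIDING_FOLDERS
        subjects = " ".join(conds.get("subject_contains", [])).lower()
        if hides and any(k in subjects for k in SECURITY_KEYWORDS):
            findings.append((name, "hides security or password reset notices"))
        # 3. Names made of punctuation only are a common sign of a planted rule
        if not name.strip(" .,-_"):
            findings.append((name, "rule has an empty or punctuation-only name"))
    return findings
```

Run `audit_rules(SAMPLE_RULES)` against a real export once the fields are mapped; every hit should be removed and the account treated as compromised until reviewed.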

Step 3 Investigate the incident

Carry out a structured investigation:

  • Identify whether other users received or interacted with the same phishing message.
  • Review whether any internal systems or external platforms were accessed after the suspected compromise.
  • Preserve evidence including logs, message headers and attachments for forensic analysis or regulatory reporting.

Escalate in line with your incident response process and involve senior management, the Data Protection Officer or external specialists where required.

Step 4 Communicate and educate

Once the immediate threat is contained:

  • Notify staff about the phishing attempt, without sharing the malicious content, so they can recognise similar messages.
  • Remind employees how to report suspicious emails.
  • Reinforce cyber awareness training, including checking sender details, verifying URLs and being cautious with unexpected attachments and links.

Step 5 Strengthen organisational controls

After a phishing incident, review and tighten controls:

  • Enforce multifactor authentication on all business-critical systems.
  • Apply conditional access policies to reduce sign-ins from untrusted devices or locations.
  • Review and maintain SPF, DKIM and DMARC settings to reduce domain spoofing.
  • Confirm endpoint protection, intrusion detection and email filtering tools are up to date.
  • Run regular phishing simulations and awareness campaigns.
  • Test your incident response procedures so teams are ready for future events.
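The SPF and DMARC review in the list above comes down to a few record settings that either stop spoofed mail or merely report it. The checker below, an added example rather than anything from the page or from Toro, parses record strings offline (no DNS query) and reports weak settings; the sample records and domain names are constructed.

```python
"""Flag weak SPF and DMARC settings in DNS TXT record strings."""

# Constructed records: a weak pair and a hardened pair for a placeholder domain
WEAK_SPF = "v=spf1 include:_spf.mail-example.net ~all"
WEAK_DMARC = "v=DMARC1; p=none"
STRONG_SPF = "v=spf1 include:_spf.mail-example.net -all"
STRONG_DMARC = "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example.co.uk; pct=100"

# Mechanisms that each cost a DNS lookup (RFC 7208 caps the total at 10)
LOOKUP_MECHANISMS = ("include", "a", "mx", "exists", "ptr")


def check_spf(record: str) -> list:
    """Return a list of weaknesses in an SPF record (empty list means hardened)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    last = terms[-1].lower()
    issues = []
    if last in ("+all", "all", "?all"):
        issues.append(f"'{last}' lets any host send as the domain")
    elif last == "~all":
        issues.append("softfail '~all': spoofed mail is only marked, not rejected")
    elif last != "-all":
        issues.append("no terminal 'all' mechanism; unlisted senders are treated as neutral")
    lookups = sum(1 for t in terms[1:]
                  if t.lower().lstrip("+-~?").split(":")[0].split("/")[0] in LOOKUP_MECHANISMS
                  or t.lower().startswith("redirect="))
    if lookups > 10:
        issues.append(f"{lookups} DNS lookups exceeds the limit of 10, so SPF evaluation fails")
    return issues


def check_dmarc(record: str) -> list:
    """Return a list of weaknesses in a DMARC record (empty list means hardened)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    policy = tags.get("p", "").lower()
    issues = []
    if policy == "none":
        issues.append("p=none: spoofed mail is still delivered, only reported")
    elif policy not in ("quarantine", "reject"):
        issues.append("missing or invalid p= tag")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        issues.append(f"pct={pct}: policy applied to only part of the mail")
    if "rua" not in tags:
        issues.append("no rua= address: no aggregate reports to reveal spoofing attempts")
    if policy != "none" and tags.get("sp", policy).lower() == "none":
        issues.append("sp=none: subdomains can still be spoofed")
    return issues
```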

Step 6 Legal and compliance considerations

Under UK GDPR and the Data Protection Act 2018, any confirmed compromise involving personal data must be assessed to decide whether it is a notifiable breach.

  • If it meets the threshold, the Information Commissioner’s Office (ICO) must be notified within 72 hours of discovery.
  • Keep records of suspected phishing incidents to support audit and accountability requirements.

Step 7 Seek further assistance if needed

If there are signs that the attacker gained broader access, installed malware or reached multiple systems, bring in qualified cyber security specialists for deeper forensic analysis and containment support.

Toro can assist with:

  • Evidence collection and investigation
  • Recovery and hardening activities
  • Training and exercises to improve future readiness

Final thoughts

Mistakes can happen, even to experienced users. What matters most is the speed, confidence and thoroughness of the response.

Swift reporting, isolation and review can turn a potential breach into a contained event. Clear procedures and regular awareness training ensure that when phishing happens, as it inevitably will, the impact is kept to a minimum.

Need support with phishing readiness or incident response?

Talk to Toro about phishing simulations, incident response exercises and converged security support across your cyber, physical and human defences.