How to Recover from a Phishing Attack on Your Company: Step-by-Step Guidance

  • Writer: Neil Hare-Brown
  • Apr 18
  • 3 min read

If your company has experienced a phishing attack - whether someone clicked a link, entered credentials, or opened a malicious file - the priority now is containing the threat and recovering safely. This guide walks you through what to do next, helping you take control of the situation and reduce the risk of further damage.

At STORM Guidance, we support businesses through every stage of cyber incident response - including phishing recovery - and the steps below are based on real-world experience handling cases just like yours.



Step 1: Identify What Happened


Begin by gathering the facts:

  • Who received and interacted with the phishing email?

  • What actions were taken (clicked links, entered passwords, downloaded files)?

  • Are any accounts behaving suspiciously or showing unauthorised access?


Work with your IT or security team to understand how the attack unfolded and what systems or data may be affected.



Step 2: Contain the Threat


If credentials were compromised or malware may have been installed:

  • Change affected passwords immediately, especially for email, finance, or admin systems

  • Revoke sessions or access tokens where possible

  • Isolate infected devices from the network (do not wipe them - preserve evidence)

  • Disable suspicious forwarding rules in email accounts

Early containment reduces the risk of further internal spread or external misuse.



Step 3: Assess the Impact


Check for:

  • Unauthorised email activity (especially messages sent from internal accounts)

  • Access to sensitive data (e.g. HR, finance, or client records)

  • Signs of business email compromise, payment fraud, or unauthorised logins


Determine if any personal or customer data was affected - this may trigger reporting obligations under applicable data protection laws.
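The checks in Steps 1 to 3 (who interacted with the email, which of those accounts show logins from new locations, external forwarding rules, or unusual sending) can be turned into a repeatable triage pass that also tells you which Step 2 containment actions each account needs. The following is an added example, not code from this post or from STORM Guidance; the event shape, field names, sample users and timestamps are constructed assumptions, so real mail audit and sign-in logs would need to be normalised to that shape first.

```python
from datetime import datetime, timedelta
# Constructed inputs: when the link was clicked and the users identified in Step 1.
CLICK_TIME = datetime(2024, 4, 18, 9, 15)
VICTIMS = {"alice@example.com", "bob@example.com"}
INTERNAL_DOMAIN = "example.com"

# Constructed audit events in one flat shape (type, user, ISO time, type-specific fields).
EVENTS = [
    {"type": "login", "user": "alice@example.com", "time": "2024-04-18T08:50", "country": "GB"},
    {"type": "login", "user": "alice@example.com", "time": "2024-04-18T09:31", "country": "NG"},
    {"type": "inbox_rule", "user": "alice@example.com", "time": "2024-04-18T09:34",
     "name": "RSS Feeds", "forward_to": "drop@mailbox.example.net", "delete": True},
    {"type": "mail_sent", "user": "alice@example.com", "time": "2024-04-18T09:40", "recipients": 180},
    {"type": "login", "user": "bob@example.com", "time": "2024-04-18T08:30", "country": "GB"},
    {"type": "inbox_rule", "user": "bob@example.com", "time": "2024-04-17T12:00",
     "name": "Newsletters", "forward_to": "bob@example.com", "delete": False},
]

def triage(events, victims, click_time, internal_domain, window=timedelta(hours=72), mass_mail=100):
    """Return {user: [(kind, detail), ...]} in time order, for the victim accounts only."""
    findings = {u: [] for u in victims}
    baseline = {}  # countries each user logged in from before the click
    for e in sorted(events, key=lambda ev: ev["time"]):
        user, t = e["user"], datetime.fromisoformat(e["time"])
        if user not in victims:
            continue
        in_window = click_time <= t <= click_time + window
        if e["type"] == "login" and t < click_time:
            baseline.setdefault(user, set()).add(e["country"])
        elif e["type"] == "login" and in_window and e["country"] not in baseline.get(user, set()):
            findings[user].append(("new_country_login", f"{e['country']} at {t:%H:%M}"))
        elif e["type"] == "inbox_rule" and in_window:
            fwd = e.get("forward_to", "")
            if fwd and not fwd.lower().endswith("@" + internal_domain):  # external destination
                detail = f"rule '{e['name']}' forwards to {fwd}" + (" and deletes the original" if e.get("delete") else "")
                findings[user].append(("external_forwarding_rule", detail))
        elif e["type"] == "mail_sent" and in_window and e["recipients"] >= mass_mail:
            findings[user].append(("mass_mail", f"{e['recipients']} recipients at {t:%H:%M}"))
    return findings

def containment_actions(findings):
    """Map findings to Step 2: any finding means reset + revoke; forwarding rules also get disabled."""
    actions = {}
    for user, items in findings.items():
        if items:
            actions[user] = ["reset password", "revoke sessions and tokens"]
            if any(kind == "external_forwarding_rule" for kind, _ in items):
                actions[user].append("disable forwarding rules")
    return actions
```

Rules created before the click, and rules that only forward internally, produce no finding, so an account like the constructed "bob" comes out clean while "alice" gets all three containment actions.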




Step 4: Report the Incident


Depending on the outcome:

  • Notify your regulator (e.g. the ICO in the UK) within 72 hours if personal data was compromised

  • Alert any impacted customers, partners, or third parties

  • Inform your cyber insurance provider, if applicable

  • Record your findings and actions for internal review


STORM Guidance can support with regulatory reporting, legal coordination, and drafting clear customer communications if needed.




Step 5: Restore Systems Securely


Once you’ve confirmed the threat has been removed:

  • Run full antivirus and EDR scans on affected devices

  • Rebuild systems from clean backups if needed

  • Monitor for any signs of persistence or unauthorised access

  • Tighten access controls where appropriate (e.g. MFA enforcement)


If the Attack Leads to Ransomware or Threats:

If the phishing incident results in ransomware, data theft, or extortion demands, avoid direct communication with the attacker.

STORM Guidance can manage threat actor engagement on your behalf - including assessing credibility, managing negotiations, and supporting secure recovery, if necessary.




Step 6: Prevent Future Attacks


Turn recovery into resilience:

  • Run refresher phishing awareness training for staff

  • Improve email filtering and threat detection tools

  • Review user privileges and access levels

  • Test your incident response plan through a phishing scenario

Education, layered defences, and a tested response plan are your best safeguards.


How STORM Guidance Can Support Your Recovery


✔ Immediate response and incident containment

✔ Forensic investigation and threat identification

✔ Credential and data exposure risk assessment

✔ Legal, regulatory, and client communication support

✔ Training, simulation, and strategy to prevent recurrence




Phishing Recovery Is About More Than Cleanup


A phishing attack doesn’t have to become a business crisis - but the way you handle it matters.

With the right response, you can contain the damage, meet your obligations, and protect your business moving forward.

STORM Guidance is here to support your business - from phishing response and recovery to threat actor engagement if the incident escalates, and long-term resilience planning.


