Someone clicked a link they shouldn’t have. Or an email came through that looked like your bank, your IT vendor, or the CEO — and someone replied. Now you’re not sure what happened or how bad it is.
Here’s what to do, in order. The first hour matters most.
Step 1: Don’t panic, but don’t wait either
Phishing attacks range from “someone entered their email password on a fake login page” to “ransomware is encrypting your file server.” You don’t know which one you have until you look. The worst thing you can do is either catastrophize or ignore it.
Get the person who received the email to walk you through exactly what happened: What did the email say? Did they click a link? Did they enter any credentials? Did they download anything? Did they open an attachment?
Write down the answers. You’ll need them.
Step 2: If credentials were entered, change passwords immediately
This is the most common phishing outcome for small businesses: someone typed their Microsoft 365, Google, or banking password into a fake login page.
Do this first:
- Change the password for the account they entered credentials for — right now, before reading the rest of this
- If it’s a Microsoft 365 or Google Workspace account, sign out all active sessions (Microsoft: admin.microsoft.com → Users → select user → Sign out of all sessions; Google: Admin Console → Users → select user → Reset sign-in cookies)
- Enable multi-factor authentication on that account if it isn’t already on
If the same password was used anywhere else — and it probably was — change it on every site that uses it. This is also a good time to talk to your team about a business password manager.
Step 3: Check for mail rules and forwarding
Attackers who successfully access an email account often set up a forwarding rule immediately so they keep receiving mail even after the password is changed. This is easy to miss and expensive to ignore.
In Microsoft 365: Go to admin.microsoft.com → Exchange admin center → Recipients → Mailboxes → select the affected user. On the Mailbox tab (the same tab that holds Manage email apps), open Mail flow settings → Email forwarding and check what is configured. Also look in the user’s own Outlook settings under Settings → Mail → Forwarding.
In Gmail/Google Workspace: Settings → See all settings → Forwarding and POP/IMAP. Check forwarding addresses. Also check Filters and Blocked Addresses for any rules that redirect or delete messages from specific senders (attackers sometimes delete security alerts to hide activity).
Delete anything that shouldn’t be there.
Step 4: Check what the account accessed
If you have Microsoft 365 Business Premium or an equivalent plan with audit logging, you can see what the account did after the credentials were compromised.
Microsoft 365: compliance.microsoft.com → Audit → New search → filter by the affected user and the relevant date range. Look for unusual sign-ins, large email exports, SharePoint access, or file downloads.
If you’re on a basic Microsoft 365 plan without audit logging enabled, you won’t have this history — which is a gap worth addressing before the next incident.
For unusual sign-in locations or times: Microsoft 365 admin center → Users → the affected user → Sign-in activity.
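The forwarding-rule check in Step 3 and the audit review in Step 4 can be done in one pass over an audit log export rather than by clicking through the portal. The following Python script is an added example, not part of this guide: it assumes records in the JSON shape of the audit search export’s AuditData column (Operation, UserId, CreationTime, ClientIP, Parameters), flags rules that forward or delete mail, sign-ins from addresses you don’t recognise, and bulk downloads, and runs against a constructed sample export.

```python
import json
from collections import Counter

# Field and operation names are assumed from the AuditData JSON format.
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                  "ForwardingSmtpAddress", "ForwardingAddress"}
RULE_OPS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}
DOWNLOAD_OPS = {"FileDownloaded", "FileSyncDownloadedFull"}

def from_audit_data(rows):
    """Each exported row carries one JSON document in its AuditData column."""
    return [json.loads(s) for s in rows]

def params(record):
    """Exchange admin operations log cmdlet arguments as Name/Value pairs."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}

def triage(records, known_ips, download_threshold=20):
    """Return (kind, when, detail) findings: forwarding or deleting mail rules,
    sign-ins from IPs outside known_ips, and bulk file downloads per user."""
    findings, downloads = [], Counter()
    for r in records:
        op = r.get("Operation")
        if op in RULE_OPS:
            p = params(r)
            hits = {k: v for k, v in p.items() if k in FORWARD_PARAMS}
            if hits or p.get("DeleteMessage") == "True":
                findings.append(("mail-rule", r["CreationTime"], hits or {"DeleteMessage": "True"}))
        elif op == "UserLoggedIn" and r.get("ClientIP") not in known_ips:
            findings.append(("new-ip-signin", r["CreationTime"], r.get("ClientIP")))
        elif op in DOWNLOAD_OPS:
            downloads[r["UserId"]] += 1
    for user, n in downloads.items():
        if n >= download_threshold:
            findings.append(("mass-download", user, n))
    return findings

# Constructed sample export for one affected user (not real log data).
_user = "jane@example.com"
SAMPLE_ROWS = [json.dumps(r) for r in [
    {"CreationTime": "2024-03-04T08:55:00", "Operation": "UserLoggedIn", "UserId": _user, "ClientIP": "198.51.100.10"},
    {"CreationTime": "2024-03-04T09:02:11", "Operation": "UserLoggedIn", "UserId": _user, "ClientIP": "203.0.113.7"},
    {"CreationTime": "2024-03-04T09:05:40", "Operation": "New-InboxRule", "UserId": _user, "ClientIP": "203.0.113.7",
     "Parameters": [{"Name": "Name", "Value": "."}, {"Name": "ForwardTo", "Value": "drop@example.net"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"CreationTime": "2024-03-04T09:06:02", "Operation": "Set-Mailbox", "UserId": _user,
     "Parameters": [{"Name": "ForwardingSmtpAddress", "Value": "smtp:drop@example.net"}]},
] + [{"CreationTime": f"2024-03-04T09:{10 + i:02d}:00", "Operation": "FileDownloaded", "UserId": _user} for i in range(25)]]

if __name__ == "__main__":
    for finding in triage(from_audit_data(SAMPLE_ROWS), known_ips={"198.51.100.10"}):
        print(*finding)
```

Feed it the AuditData column of a real export and the office’s usual egress addresses as known_ips; every "mail-rule" finding is something to delete in Step 3.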
Step 5: If a file was downloaded or an attachment was opened
This is a different situation from a credential phish. If someone opened an attachment or ran a downloaded file, you may be dealing with malware rather than (or in addition to) a stolen password.
Isolate the machine. Disconnect it from your network — unplug the network cable, turn off Wi-Fi — before doing anything else. If ransomware is running, keeping the machine on the network lets it spread to your file server and other computers.
Do not turn off the machine. Shutting down a running OS destroys volatile evidence (memory contents, running processes) and can interrupt encryption processes mid-run, both of which complicate recovery. Leave it on but disconnected until you decide your next step.
Call your IT person or a managed security provider. Malware incidents on a business network are outside the scope of DIY recovery for most small offices. The cost of a professional forensic review is almost always less than the cost of missing a persistent threat.
Step 6: Notify anyone who may have been targeted next
Phishing attackers who successfully access an email account often use it to send phishing emails to your contacts — because mail from a known address gets past spam filters and gets clicked.
Check Sent Items for the date of the incident and several days after. If you see emails you didn’t send, notify the recipients that those messages were fraudulent and should be deleted without clicking any links.
Step 7: Document and debrief
Write down what happened, what you found, and what you changed. You’ll want this if you have cyber insurance (most policies require prompt reporting), if a client asks what happened, or if the same attack pattern comes back.
The debrief is also where you decide what to change going forward. The most common gaps that make phishing attempts successful:
- No MFA on email accounts. A stolen password alone isn’t enough to access an account if MFA is on. This is the single highest-value control for small businesses.
- Shared passwords across accounts. One compromised credential becomes many.
- No spam/phishing filter. Microsoft Defender for Business (included in Microsoft 365 Business Premium) and Google Workspace’s built-in filtering both catch a significant percentage of phishing attempts before they reach inboxes.
None of these require enterprise budgets. MFA is free on every major email platform. A business password manager costs less than one hour of recovery time.
What this doesn’t cover
If you’re dealing with ransomware, a business email compromise fraud (someone impersonated your CEO and your accounts payable wired money), or a breach that may affect customer data, you need professional help and possibly legal counsel. This guide covers the most common small-business phishing scenario: credential theft via a fake login page.
Frequently Asked Questions
Should we call our IT person right away?
If a file was opened or an attachment was run, yes — immediately. For a credential phish with no file execution, you can work through the steps above while looping them in.
Do we need to notify customers?
Only if their data was accessible through the compromised account. Review what the account had access to before deciding — don’t notify preemptively if the scope is unclear.
How long do we have before the damage is done?
Attackers who compromise an email account typically set up forwarding rules and export contacts within minutes. The first 30 minutes matter most — prioritize password change and session revocation above everything else.
