Our last series of blogs closely examined the details of a Spear Phishing Attack.

But whoever or whatever the target is, once the damage is done, steps must be taken to mitigate that damage and to find ways to prevent these types of attacks from happening again. In this series of blogs, we examine the steps that a business or a corporation needs to take in such situations.

The Steps

  1. Identification: This is the first step in responding to a Phishing attack. At this stage, an alert is “sounded” about a suspected Phishing attack, and it must be investigated further. It is important to collect as much information and data about the Phishing E-Mail as possible, and the following items should be captured:
    • The E-Mail address of the sender;
    • The intended recipient of the E-Mail;
    • The Subject Line of the particular E-Mail;
    • Carefully examine the E-Mail message. If there is an attachment, use the appropriate protocols to download it safely, store it in a separate folder (or even a zip file), and password-protect it so that only the appropriate IT personnel can access it.
    • If there is also a suspicious link that takes the recipient to a potentially spoofed website, it too will have to be investigated. Use a dedicated computer solely for this purpose; do not use any other server, workstation, or wireless device, as the potentially spoofed website could contain malware which downloads itself very quickly.
  2. Triage: If the above investigation finds that an actual Phishing attack is underway, then the following procedure must be carried out:
    • Determine the specific kind of Phishing E-Mail it is. For example, is it a:
      • BEC (Business Email Compromise)
      • Spear Phishing (where one particular individual or individuals are targeted);
      • Clone Phishing (where an original E-Mail message has been transformed into a malicious one);
      • Whaling (this is similar to BEC, but primarily C-Level Executives are specifically targeted);
      • Link Manipulation (this is where a spoofed website is involved);
      • Website Forgery (this is where JavaScript code is used to maliciously alter the URL bar);
      • Covert Redirect (this is when a website address looks genuine and authentic, but the victim is taken to a spoofed website);
      • Social Engineering (this typically occurs in a business environment where lower-ranking employees [such as administrative assistants] are targeted and conned into giving out corporate secrets);
      • SMS (in these instances, wireless devices, primarily Smartphones, are targeted, and malicious text messages are sent instead).

    Once the above has been determined, the priority level of the response must be established. From this point, notify the IT staff, primarily those responsible for the Security aspects of the organization.

  3. Investigation: At this phase, the actual E-Mail message and its contents need to be examined carefully, and the degree of damage needs to be ascertained. In terms of the former, the following must be looked into:
      • Analysis of the E-Mail Header:
        • The From Field: This will contain the name of the sender;
        • X-Authenticated User: This will contain the E-Mail address of the sender (such as;
        • The Mail Server IP Address: This will contain the actual IP address of the E-Mail server from which the Phishing E-Mail was sent. It is important to keep in mind that the physical location of the E-Mail server does not necessarily imply that the Cyber attacker is located in that geographic area as well. Many times, they will be in a separate location from that of the E-Mail server.
      • Analysis of the E-Mail message:
        • At this phase, the actual contents of the E-Mail message need to be examined carefully, as there are many telltale signs which can be difficult to spot at first glance.
      • Analysis of the Domain Link:
        • If the Phishing E-Mail contains a suspicious link, as stated before, carefully examine the spoofed website and determine where the data entered on the website is actually posted (for example, by determining the IP address of the Web server that hosts the spoofed website).
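The following script, added here as an illustration and not part of the original post, captures the items the Identification step lists (sender, recipient, subject line, attachments, suspicious links) and then performs the header analysis described in the Investigation step (From field, X-Authenticated-User, mail server IP addresses from the Received chain). It uses only the Python standard library. The raw message, every address, domain and IP in it, and the attachment bytes are constructed placeholders; the header name `X-Authenticated-User` is assumed to be the hyphenated form of the header the post refers to. Attachments are hashed rather than opened, so they can be quarantined for the appropriate IT personnel.

```python
"""Added example (not from the original post): identification and header analysis
of a suspicious e-mail. RAW_MESSAGE is a constructed sample with placeholder
addresses, domains, IPs and attachment bytes."""
import hashlib
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Constructed sample message; all values are placeholders, not real indicators.
RAW_MESSAGE = b"""\
Received: from mail.example-relay.test (mail.example-relay.test [203.0.113.10])
\tby mx.victim-corp.test with ESMTP id abc123
\tfor <finance@victim-corp.test>; Mon, 01 Jan 2024 09:00:00 +0000
Received: from [192.0.2.55] by mail.example-relay.test with ESMTPSA id xyz789
From: "CEO Office" <ceo@victim-corp.test.attacker.test>
To: finance@victim-corp.test
Subject: Urgent wire transfer
X-Authenticated-User: attacker@example-relay.test
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<p>Please review the invoice at <a href="http://login-victim-corp.test/auth">our portal</a>.</p>
--b1
Content-Type: application/octet-stream; name="invoice.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="invoice.exe"

TVqQAAMAAAAEAAAA
--b1--
"""

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def parse_message(raw: bytes) -> EmailMessage:
    """Parse raw bytes with the modern policy so headers are unfolded and typed."""
    return message_from_bytes(raw, policy=policy.default)


def domain_of(address: str) -> str:
    return address.rpartition("@")[2].lower()


def identification_fields(msg: EmailMessage) -> dict:
    """The items the Identification step says to capture, plus X-Authenticated-User."""
    display_name, address = parseaddr(str(msg.get("From", "")))
    return {
        "sender_display": display_name,
        "sender_address": address,
        "recipient": str(msg.get("To", "")),
        "subject": str(msg.get("Subject", "")),
        "x_authenticated_user": str(msg.get("X-Authenticated-User", "")),
    }


def mail_server_ips(msg: EmailMessage) -> list:
    """First IP in each Received header, ordered from our own MX (top) back towards
    the origin (bottom). The bottom-most hop is the sending server, not necessarily
    where the attacker sits."""
    ips = []
    for received in msg.get_all("Received", []):
        match = IP_RE.search(str(received))
        if match:
            ips.append(match.group(1))
    return ips


def header_mismatches(msg: EmailMessage) -> list:
    """Telltale sign: the From domain does not match the account that authenticated
    to the relay (X-Authenticated-User)."""
    fields = identification_fields(msg)
    from_domain = domain_of(fields["sender_address"])
    auth_domain = domain_of(fields["x_authenticated_user"])
    notes = []
    if auth_domain and from_domain != auth_domain:
        notes.append(
            f"From domain '{from_domain}' differs from "
            f"X-Authenticated-User domain '{auth_domain}'"
        )
    return notes


def suspicious_links(msg: EmailMessage) -> list:
    """URLs found in text bodies; these are recorded for examination on an
    isolated machine, never followed from the analyst's own workstation."""
    urls = set()
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            urls.update(URL_RE.findall(part.get_content()))
    return sorted(urls)


def attachments(msg: EmailMessage) -> list:
    """Record name, size and SHA-256 of each attachment without executing it."""
    found = []
    for part in msg.iter_attachments():
        data = part.get_content()
        if isinstance(data, str):
            data = data.encode()
        found.append({
            "filename": part.get_filename(),
            "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest(),
        })
    return found


def report(raw: bytes) -> dict:
    msg = parse_message(raw)
    return {
        "identification": identification_fields(msg),
        "mail_server_ips": mail_server_ips(msg),
        "header_mismatches": header_mismatches(msg),
        "links": suspicious_links(msg),
        "attachments": attachments(msg),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(report(RAW_MESSAGE), indent=2))
```

The Received headers are read top-down because each relay prepends its own line; the last one is the earliest hop the message passed through that is visible to us. As the post notes, that server's location says little about where the attacker actually is.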

    With regard to the latter point, the level and/or severity of the damage needs to be ascertained and ultimately determined. Examples of this include the following:

    • The total number of impacted employees;
    • What actions the employees took with regard to the Phishing E-Mail, for instance:
      • Did they download an attachment;
      • Or did they go to a spoofed website and unknowingly submit their personal information, or even sensitive business login information.
    • What was impacted:
      • Servers;
      • Workstations;
      • Wireless Devices;
      • The Network Infrastructure;
      • Other aspects of the IT Infrastructure.
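Scoping the damage in practice means joining several log sources: who received the E-Mail, who followed its link or posted data to the spoofed site, and who ran the attachment and on which class of device. The script below is an added example, not part of the original post, and the three log excerpts, their key=value format, the usernames, hostnames, device names and the attachment hash are all constructed placeholders. It answers the questions in the list above: the number of impacted employees, what each of them did, and which assets were touched.

```python
"""Added example (not from the original post): scope the damage from a phishing
e-mail by correlating constructed mail-gateway, web-proxy and endpoint logs.
All log lines, names, hosts and hashes below are placeholders."""
import shlex
from collections import defaultdict

PHISH_SUBJECT = "Urgent wire transfer"
SPOOFED_HOST = "login-victim-corp.test"
ATTACHMENT_SHA256 = "PLACEHOLDER-SHA256-OF-ATTACHMENT"  # from the quarantined file

# Constructed mail gateway log: who the phishing E-Mail was delivered to.
MAIL_LOG = """\
2024-01-01T09:00:01 deliver to=alice@victim-corp.test subject="Urgent wire transfer"
2024-01-01T09:00:02 deliver to=bob@victim-corp.test subject="Urgent wire transfer"
2024-01-01T09:00:03 deliver to=carol@victim-corp.test subject="Weekly report"
2024-01-01T09:00:04 deliver to=dave@victim-corp.test subject="Urgent wire transfer"
"""

# Constructed web proxy log: a POST to the spoofed host is treated as a likely
# credential submission, a GET as a visit only.
PROXY_LOG = """\
2024-01-01T09:05:10 user=alice host=login-victim-corp.test method=GET path=/auth
2024-01-01T09:05:40 user=alice host=login-victim-corp.test method=POST path=/auth
2024-01-01T09:07:00 user=bob host=intranet.victim-corp.test method=GET path=/
2024-01-01T09:09:00 user=dave host=login-victim-corp.test method=GET path=/auth
"""

# Constructed endpoint log: file executions with the hash of what ran.
ENDPOINT_LOG = """\
2024-01-01T09:06:00 user=bob device=WS-BOB-01 type=workstation event=file_exec sha256=PLACEHOLDER-SHA256-OF-ATTACHMENT
2024-01-01T09:12:00 user=dave device=MOB-DAVE-01 type=mobile event=file_open sha256=OTHER-HASH
"""


def parse_kv_line(line: str) -> dict:
    """Parse 'timestamp [verb] key=value key="quoted value" ...' into a dict."""
    tokens = shlex.split(line)
    fields = {"ts": tokens[0]}
    for token in tokens[1:]:
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    return fields


def parse_log(text: str) -> list:
    return [parse_kv_line(line) for line in text.splitlines() if line.strip()]


def assess_damage(mail_log: str, proxy_log: str, endpoint_log: str,
                  subject: str, spoofed_host: str, attachment_sha256: str) -> dict:
    actions = defaultdict(set)   # username -> set of actions taken
    assets = defaultdict(set)    # asset type -> set of device names

    # 1. Who received the phishing E-Mail? Matched on the captured subject line;
    #    the mailbox local part is used as the username in the other logs.
    recipients = {
        entry["to"].split("@")[0]
        for entry in parse_log(mail_log)
        if entry.get("subject") == subject
    }

    # 2. Who went to the spoofed website, and who submitted data to it?
    for entry in parse_log(proxy_log):
        if entry.get("host") == spoofed_host and entry.get("user") in recipients:
            actions[entry["user"]].add("visited_spoofed_site")
            if entry.get("method") == "POST":
                actions[entry["user"]].add("submitted_credentials")

    # 3. Who executed the attachment, and on what class of device?
    for entry in parse_log(endpoint_log):
        if (entry.get("event") == "file_exec"
                and entry.get("sha256") == attachment_sha256
                and entry.get("user") in recipients):
            actions[entry["user"]].add("executed_attachment")
            assets[entry["type"]].add(entry["device"])

    return {
        "recipients": recipients,
        "actions": {user: sorted(done) for user, done in actions.items()},
        "impacted_assets": {kind: sorted(devs) for kind, devs in assets.items()},
        "total_impacted": len(actions),
    }


if __name__ == "__main__":
    result = assess_damage(MAIL_LOG, PROXY_LOG, ENDPOINT_LOG,
                           PHISH_SUBJECT, SPOOFED_HOST, ATTACHMENT_SHA256)
    print(f"recipients: {sorted(result['recipients'])}")
    print(f"impacted employees: {result['total_impacted']}")
    for user, done in sorted(result["actions"].items()):
        print(f"  {user}: {', '.join(done)}")
    print(f"impacted assets: {result['impacted_assets']}")
```

Recipients who took no action (here, none of the three) still count as exposed and should be told about the E-Mail, but the priority goes to the users who submitted credentials or executed the attachment, and to the devices in `impacted_assets`.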


Our next blog will continue with the steps that you, the business owner, or even the CIO or CISO, need to take to recover from a Phishing attack.
Ravi Das