Incident Response Guide

Help — I've been phished

Stay calm. You're in the right place. Follow the steps below — the faster you act, the better your outcome.

Do these first

Before anything else — regardless of what you clicked, entered, or downloaded.

1. Don't delete the email

You may need it as evidence for Action Fraud, your IT team, or your bank, and the original message with its headers intact is what investigators work from. Leave it in your inbox for now, and don't open its links or attachments again.

2. Change your email password immediately

Your email is the master key to everything else, because password resets for your other accounts are sent there. Change it now, even if you didn't type it anywhere. Go to your provider's website by typing the address yourself, never through a link in the suspicious email. Use a different device if possible, and pick a strong password you don't use on any other service.

3. Turn on two-factor authentication (2FA)

If 2FA isn't already on your email, enable it now. It means a stolen password on its own is not enough to sign in. An authenticator app or a passkey is stronger than a code sent by text message. One caveat: some phishing sites ask for the 2FA code as well and pass it straight to the real site, so if you typed a code into the suspicious page, treat the account as already compromised and follow the "I entered a username or password" steps below.

4. Tell your IT team or manager if this was a work device or email

Don't wait. If your work account or device was involved, your IT team needs to know now. They can check who else received the same email, look for sign-ins to your account from unfamiliar places, and stop the attack from spreading to shared systems.

5. Forward the email to the NCSC

Send it to report@phishing.gov.uk. This is the UK government's Suspicious Email Reporting Service (SERS). It takes 30 seconds and helps protect others.

Based on what happened

Open the scenario that matches what you did and follow those additional steps.

🔗 I clicked a link but didn't enter anything
Lower risk, but still worth checking

1. Check your browser for unexpected extensions. Open your browser's extensions page (chrome://extensions or edge://extensions, or about:addons in Firefox) and look for anything you don't recognise or didn't install yourself. Remove it.
2. Run a virus scan. Use your antivirus or Microsoft Defender (formerly Windows Defender, built into Windows 10/11) to run a full scan, not just a quick one. If the link downloaded a file, or prompted you to "update" or install something and you agreed, follow the "I downloaded or opened a file or attachment" steps below as well.
3. Monitor your accounts for the next 48 hours. Watch for unusual login alerts, password reset emails you didn't request, or any other unexpected activity.
🔒 I entered a username or password
Act now: your account may already be compromised

1. Change the password immediately, on the real website, not via any link in the email. Use a strong, unique password.
2. Change it everywhere you reused that password. Attackers try stolen credentials on other services automatically.
3. Check for active sessions. Most accounts let you see where you're logged in. Go to account settings and sign out of any sessions you don't recognise. Do this even after changing the password, because on some services an existing session stays valid until it is signed out.
4. Enable 2FA on the account if it isn't already on. If you also typed a 2FA code into the suspicious site, assume the attacker got in: the sign-out in step 3 is what actually removes them.
5. Check the account for anything unexpected: password reset confirmations, security alerts, or emails you didn't send. For an email account, also look in the settings for forwarding or filtering rules you didn't create and for connected apps you don't recognise. Attackers often add these so they keep receiving your mail after you change the password.
💰 I entered payment or financial details
Call your bank right now: time is critical

1. Call your bank's fraud team immediately. The number is on the back of your card. Ask them to block the card and monitor for suspicious transactions. If you entered online banking login details, tell them that too, and change that password from a device you trust.
2. Check your account for transactions you don't recognise. UK banks are required to refund unauthorised payments in most cases, but you need to report them, and the sooner the better.
3. Report to Action Fraud. Call 0300 123 2040 or go to actionfraud.police.uk (in Scotland, report to Police Scotland on 101). Get a crime reference number; your bank may ask for this.
4. If you paid via bank transfer, call your bank immediately and ask them to raise a Faster Payments recall. Speed matters: the receiving bank can sometimes freeze the money if it is contacted before the funds are moved on. If you were tricked into making the transfer yourself, ask your bank about reimbursement as well. Since October 2024 UK banks must reimburse most victims of this kind of "authorised push payment" fraud for Faster Payments transfers, subject to limits.
📄 I downloaded or opened a file or attachment
Possible malware: act before connecting to other systems

1. Disconnect from your work network or VPN immediately, and turn off Wi-Fi or unplug the network cable. If malware was installed, you don't want it reaching other systems, shared drives, or cloud folders that sync from this device.
2. Run a full antivirus scan. Use your existing antivirus or Microsoft Defender (formerly Windows Defender). Do this before reconnecting to any network.
3. If you can't run a scan, or aren't sure it's clean, stop using the device. Contact your IT team (for work devices) or a trusted IT professional before using it again. Don't wipe or reinstall a work device yourself first: IT may need what is on it to work out what the malware did.
4. Change passwords from a different, clean device, starting with your email. If malware was installed, anything typed on the infected device may be visible to the attacker, including new passwords. Don't move files off the infected device on a USB stick and plug it into another machine.
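For readers comfortable with a command prompt, the checks in the "I clicked a link" and "I downloaded or opened a file" scenarios can be done from PowerShell on a Windows 10/11 home machine. The script below is an added example and is not part of this guide or of any NCSC or Microsoft material. It assumes Microsoft Defender Antivirus is the installed antivirus, that Chrome and Edge use their default profile folders, and that you run it from a PowerShell window opened as administrator. Work devices belong to your IT team; give them the machine rather than running this yourself.

```powershell
# Added example (not from the original guide): first-response checks on a Windows 10/11
# home machine after a suspicious link or attachment. Assumptions: Microsoft Defender
# Antivirus is in use, Chrome/Edge use their default profile paths, and this runs in an
# elevated PowerShell prompt (Start, type "PowerShell", choose "Run as administrator").

# 1. Cut the machine off from other systems first. Disabling every active adapter
#    (Wi-Fi and Ethernet) also drops any VPN that runs over them. Re-enable later with
#    Enable-NetAdapter -Name "<adapter name>" once the machine is known to be clean.
Get-NetAdapter | Where-Object Status -eq 'Up' | ForEach-Object {
    Write-Host "Disabling network adapter: $($_.Name)"
    Disable-NetAdapter -Name $_.Name -Confirm:$false
}

# 2. List installed browser extensions by reading each extension's manifest.json.
#    Anything you did not knowingly install belongs on the "remove" list.
$extensionRoots = @(
    "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Extensions",
    "$env:LOCALAPPDATA\Microsoft\Edge\User Data\Default\Extensions"
)
foreach ($root in $extensionRoots) {
    if (-not (Test-Path $root)) { continue }
    Write-Host "`nExtensions under $root"
    Get-ChildItem -Path $root -Directory | ForEach-Object {
        $id = $_.Name   # the folder name is the extension ID shown on chrome://extensions
        $manifest = Get-ChildItem -Path $_.FullName -Recurse -Filter manifest.json |
            Select-Object -First 1
        if ($null -eq $manifest) { return }   # "return" skips to the next extension
        $info = Get-Content -Path $manifest.FullName -Raw | ConvertFrom-Json
        # A name like __MSG_appName__ is a localisation key, not a real name; in that
        # case show the ID so it can be looked up in the browser's extensions page.
        $name = if ($info.name -like '__MSG_*') { "(localised name)" } else { $info.name }
        Write-Host ("  {0,-40} version {1,-12} id={2}" -f $name, $info.version, $id)
    }
}

# 3. Confirm Defender is running, note how old its signatures are, then run a FULL scan.
#    Updating signatures needs the network, which we just disabled; if the signature
#    age is large, reconnect briefly, run Update-MpSignature, and disconnect again.
$status = Get-MpComputerStatus
Write-Host "`nReal-time protection on: $($status.RealTimeProtectionEnabled)"
Write-Host "Signature age (days):    $($status.AntivirusSignatureAge)"
Start-MpScan -ScanType FullScan   # blocks until the scan finishes; expect a long wait

# 4. Show what Defender has found, most severe first. IsActive = still present.
Get-MpThreat |
    Sort-Object SeverityID -Descending |
    Select-Object ThreatName, SeverityID, IsActive, DidThreatExecute, Resources |
    Format-Table -AutoSize
```

If step 4 shows anything with DidThreatExecute set to True, or the scan cannot complete, treat the device as compromised and go to step 3 of the scenario above: stop using it and change your passwords from a different, clean machine.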
👤 I gave personal information (name, address, DOB, NI number)
Risk of identity fraud: protect yourself now and in the weeks ahead

1. Register with CIFAS for Protective Registration. This adds a flag to your credit file so lenders carry out extra checks before offering credit in your name. Around £25 for 2 years at cifas.org.uk.
2. Check your credit file. Use Experian, Equifax, or TransUnion (Credit Karma) to look for any new credit applications or accounts you didn't open. The three agencies hold separate files, so check all three if you can.
3. Be alert to follow-up contact. Attackers often follow up by phone, claiming to be your bank, HMRC, or the police, and they will use the details you gave them to sound convincing. If someone calls and asks you to "verify your details", move money, or read out a code, hang up and call back on the official number.
4. Report to Action Fraud. Call 0300 123 2040 or visit actionfraud.police.uk (in Scotland, report to Police Scotland on 101). Identity fraud is a serious crime and should be reported even if nothing has happened yet.

Report it

Reporting takes minutes and is genuinely useful — it helps authorities identify and take down active campaigns.

Everyone should do this
NCSC — Suspicious Email Reporting
Forward the phishing email to report@phishing.gov.uk. The NCSC uses these reports to investigate and take down malicious sites.
If money was involved or identity fraud
Action Fraud
Call 0300 123 2040 or report online at actionfraud.police.uk. You'll get a crime reference number.
If financial details were entered
Your bank's fraud team
Call the number on the back of your card or on your bank's official website. Don't use any number from the phishing email.
If it happened on a work account
Your IT team, and possibly the ICO
If personal data about customers or staff may have been exposed, your organisation may have a legal obligation under UK GDPR to report the breach to the ICO within 72 hours of becoming aware of it. That assessment is your organisation's to make, so tell IT promptly and let them decide.

In the days ahead

The immediate danger has passed — but stay alert over the next few weeks.

⚠️ Watch for follow-up attacks

Attackers know you engaged. You may receive calls, texts, or emails from someone claiming to be your bank, HMRC, or a "fraud team." Always hang up and call back on the official number — never trust inbound contact.

📄 Check your bank statements regularly

Look for small test transactions (often £1 or less) as well as larger ones. Fraudsters sometimes test a card with a micro-charge before using it for something bigger.

🔒 Review account security across the board

Use this as a prompt to check 2FA is enabled on your email, banking, and any other important accounts. A password manager can help you use strong, unique passwords for each service.

📊 Check your credit file in 2–4 weeks

If any personal information was shared, check your credit report after a few weeks to catch any fraudulent credit applications early. Experian, Equifax, and TransUnion all offer free access.

Not sure what was compromised?

If you're unsure what happened, what data may have been accessed, or what you need to do next — we're happy to help. No jargon, no judgement, no obligation.