Friday, January 27, 2017

What do you do if you suspect a phishing attack? What is your response plan? Does it include requesting that the suspicious email be forwarded as an attachment? Analyzing the URL links, headers, sender address, and business need or applicability? Were there any attachments? If yes, filter them through VirusTotal or some other reliable online tool, looking for reported vulnerabilities.

If the attachment or URL is malicious, check the logs for user activity and be sure to interview the user or users. Interviewing the user is important to ascertain whether they intentionally or inadvertently clicked on a link to a possibly malicious site. But review the logs as well, as users often either don't recall or will not admit their behavior.

Clearly, some technical knowledge and skills are necessary to address this possible security incident. But there is also a project planning aspect to managing it. Having a good incident response (IR) process has always been important, but with the proliferation of phishing attacks on all businesses and organizations, never more so than today. This must be one of your highest priorities.

Mock drills are an essential part of this process. Just like testing backups, testing your IR plan is crucial. You have to know if you have been breached.
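The first triage steps above (the message forwarded as an attachment, then its headers, sender address, links and attachments) can be scripted. The sketch below is an added example, not part of the original post; the sample report, its addresses and the field names are constructed for illustration.

```python
import hashlib
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

def build_sample_report() -> bytes:
    """Constructed sample: a user's report with the suspicious mail attached."""
    inner = EmailMessage()
    inner["From"] = '"IT Help Desk" <helpdesk@example-support.test>'
    inner["Reply-To"] = "collector@mailbox.example"
    inner["Subject"] = "Password expires today"
    inner.set_content("Sign in at http://login.example-support.test/reset to keep access.")
    inner.add_attachment(b"constructed sample bytes", maintype="application",
                         subtype="octet-stream", filename="invoice.doc")
    outer = EmailMessage()
    outer["From"] = "user@corp.example"
    outer["Subject"] = "FW: suspicious email"
    outer.set_content("Please check the attached message.")
    outer.add_attachment(inner)  # becomes a message/rfc822 part, original headers intact
    return outer.as_bytes()

def triage(report: bytes) -> dict:
    """Extract sender headers, links and attachment hashes for the analyst."""
    outer = message_from_bytes(report, policy=policy.default)
    wrapped = next((p for p in outer.iter_attachments()
                    if p.get_content_type() == "message/rfc822"), None)
    # Inline forwards lose the original headers; fall back to the report itself.
    msg = wrapped.get_content() if wrapped is not None else outer
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1].lower()
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    attachments = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        attachments.append((part.get_filename(), hashlib.sha256(data).hexdigest()))
    return {
        "from": sender,
        "reply_to": reply_to,
        "reply_to_domain_differs": bool(reply_to)
            and reply_to.rpartition("@")[2] != sender.rpartition("@")[2],
        "urls": sorted(set(URL_RE.findall(text))),
        "attachments": attachments,  # (filename, SHA-256)
    }

if __name__ == "__main__":
    print(triage(build_sample_report()))
```

The SHA-256 values can be searched in VirusTotal or a similar tool without uploading the file, and the extracted URLs are the strings to look for in proxy and DNS logs when checking user activity.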
