How to Respond to a Phishing Email at Work: A Step-by-Step Guide

Most Employees Don’t Know What to Do After They Spot a Phishing Email

Security awareness training teaches employees to recognize phishing emails. Far less training covers what to do after you identify one — or, more critically, what to do after you clicked on one before you realized it was a phishing attempt. The response to a phishing email matters as much as the recognition. A properly reported phishing email helps protect your entire organization. An improperly handled click can turn a contained incident into a full breach.

This guide provides a clear, step-by-step procedure for both scenarios: what to do when you spot a phishing email before clicking, and what to do if you have already clicked.

Scenario 1: You Received a Phishing Email But Did Not Click

Step 1: Do Not Click Anything in the Email

Do not click links, do not open attachments, do not reply, and do not forward the email to colleagues to show them what a phishing email looks like. Even previewing an attachment in some email clients can trigger malicious macros. If you have not clicked anything, keep it that way.

Step 2: Report It Through Your Organization’s Reporting Mechanism

Every organization should have a defined phishing reporting procedure. Common options:

  • Microsoft 365: The Report Message button in Outlook submits the email to Microsoft’s anti-phishing intelligence and can be configured to send a copy to your IT team simultaneously
  • Google Workspace: The Report Phishing option in Gmail submits the email to Google and can be configured to alert your administrator
  • Security awareness training platforms: KnowBe4, Proofpoint, and similar platforms provide a Phish Alert Button that employees use to report suspicious emails directly to the security team
  • Email or ticket to IT: If none of the above are available, forward the email as an attachment (not inline, which strips the original message headers the security team needs to trace the sender) to your IT contact or designated security email address
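
To show why the last option insists on "as an attachment", here is an added example that is not from the original post and not any vendor's reporting tool: it builds a report email both ways with Python's standard email library, using a constructed sample of a suspicious message, and checks which triage headers survive. All addresses, header values and function names are made up for the example.

```python
"""Added example (not from the original post): why a phishing report should
carry the suspicious email as an attachment rather than forwarded inline.

Inline forwarding pastes the body into a fresh message and drops the original
headers. Attaching the original as message/rfc822 keeps those headers, which
is what the security team needs to trace where the email actually came from.
Only Python's standard library is used.
"""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Constructed sample of a suspicious email as an exported .eml file.
# Every address, host and header value here is made up for the example.
SUSPICIOUS_EML = b"""\
Return-Path: <billing@example.invalid>
Received: from mail.example.invalid (203.0.113.10) by mx.example.com
Authentication-Results: mx.example.com; spf=fail; dkim=none; dmarc=fail
From: "Accounts Payable" <billing@example.invalid>
To: employee@example.com
Subject: Urgent: invoice overdue
Message-ID: <constructed-0001@example.invalid>
Content-Type: text/plain; charset="utf-8"

Please review the attached invoice and log in to confirm payment.
"""

# Headers an analyst reads first; inline forwarding discards all of them.
TRIAGE_HEADERS = ("Return-Path", "Received", "Authentication-Results", "Message-ID")


def _parse(raw_eml: bytes) -> EmailMessage:
    return BytesParser(policy=policy.default).parsebytes(raw_eml)


def forward_as_attachment(raw_eml: bytes, reporter: str, report_to: str) -> EmailMessage:
    """Build a report email with the original attached unmodified (message/rfc822)."""
    original = _parse(raw_eml)
    report = EmailMessage(policy=policy.default)
    report["From"] = reporter
    report["To"] = report_to
    report["Subject"] = "Phishing report: " + str(original["Subject"])
    report.set_content("Reporting a suspicious email; the original is attached unmodified.")
    # Passing a Message object to add_attachment yields a message/rfc822 part.
    report.add_attachment(original)
    return report


def forward_inline(raw_eml: bytes, reporter: str, report_to: str) -> EmailMessage:
    """What a plain 'Forward' does: copy the body text, lose the original headers."""
    original = _parse(raw_eml)
    report = EmailMessage(policy=policy.default)
    report["From"] = reporter
    report["To"] = report_to
    report["Subject"] = "FW: " + str(original["Subject"])
    report.set_content("Is this legitimate?\n\n" + original.get_content())
    return report


def attached_original(report: EmailMessage):
    """Return the message/rfc822 attachment as a message, or None if there is none."""
    for part in report.iter_attachments():
        if part.get_content_type() == "message/rfc822":
            return part.get_content()
    return None


def preserved_triage_headers(report: EmailMessage) -> list:
    """Which triage headers can the security team still read from this report?"""
    original = attached_original(report)
    if original is None:
        return []
    return [name for name in TRIAGE_HEADERS if name in original]


if __name__ == "__main__":
    for build in (forward_as_attachment, forward_inline):
        report = build(SUSPICIOUS_EML, "employee@example.com", "security@example.com")
        print(f"{build.__name__:22} {report.get_content_type():16} "
              f"headers kept: {preserved_triage_headers(report)}")
```

Run it and the attachment version reports all four triage headers intact (including the failed SPF/DMARC result), while the inline version keeps none of them; most mail clients expose the same choice as "Forward as attachment".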

Step 3: Delete the Email

After reporting, delete the email from your inbox and empty the deleted items folder. The email has been captured through the reporting mechanism — keeping it in your inbox creates ongoing risk from accidental future interaction.

Step 4: Alert Colleagues If the Email Targeted the Organization

If the phishing email appeared to be targeting your organization specifically — impersonating your CEO, referencing a current company project, or using your company’s branding — notify your IT or security team immediately so they can send a warning to other employees before anyone else clicks. Organization-targeted phishing campaigns often hit multiple recipients simultaneously.

Scenario 2: You Clicked a Phishing Link or Opened an Attachment

Clicking a phishing link or opening a malicious attachment does not automatically mean your device is compromised or your credentials are stolen — but it creates a risk that requires immediate action. The first few minutes after a click are critical.

Step 1: Disconnect From the Network Immediately

If you clicked a link or opened an attachment and suspect it may be malicious, disconnect your device from the network immediately — unplug the ethernet cable and turn off Wi-Fi. This limits the ability of any potential malware to communicate with attacker-controlled servers, spread to other network devices, or exfiltrate data. Do not shut down the computer — running memory may contain forensic evidence of what executed.

Step 2: Do Not Try to Fix It Yourself

Do not attempt to run a scan, delete suspicious files, or otherwise remediate the device yourself. Improper cleanup can destroy forensic evidence and may not fully remove malware. Contact your IT support or security team and tell them exactly what happened — what you clicked, when, and what occurred after the click (did the page load? did anything download? did you enter any credentials?).

Step 3: Change Passwords for Any Credentials You Entered

If you entered a username and password on any page after clicking the link — even a page that appeared to be your company login portal — change that password immediately from a different, uncompromised device. Also change the password on any other account where you use the same password. This is the most time-critical action after a credential-harvesting phishing click.

Step 4: Report Immediately and Completely

Contact IT or your security team immediately and tell them everything — what the email said, what link you clicked, what page appeared, whether you entered any information, and what happened afterward. Do not be embarrassed or minimize what occurred. Security teams deal with phishing clicks regularly and need complete information to assess the risk and respond appropriately. Delayed or incomplete reporting makes the incident worse.

Step 5: Monitor for Suspicious Account Activity

In the days following a phishing click, monitor your business accounts for unusual activity — emails sent that you did not send, calendar invites you did not create, or any account settings changes. Attackers who successfully harvest credentials sometimes wait days before using them to avoid immediate detection.
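
As an added example of the monitoring a security team can run on the reporting employee's behalf (not from the original post), the following Python script triages a constructed audit log in a hypothetical JSON-lines format: it baselines the user's usual client addresses from activity before the click, then flags later sends, calendar invites, logins and settings changes that do not fit. The log schema, operation names, addresses and times are all made up for the example.

```python
"""Added example (not from the original post): triage one user's account
activity after a reported phishing click.

The log format below is a hypothetical JSON-lines schema constructed for the
example, not any vendor's real audit log; operation names, addresses and
times are made up. The logic is the reusable part: baseline the user's usual
client IPs from activity before the click, then flag later settings changes
and any sends, calendar invites or logins from an IP outside that baseline.
"""
import json
from datetime import datetime, timezone

# Constructed: when the employee reported clicking the link (UTC).
CLICK_TIME = datetime(2024, 3, 4, 9, 15, tzinfo=timezone.utc)

# Constructed sample events for one mailbox; 198.51.100.7 is the user's usual
# office address, 203.0.113.55 is where the harvested credential is used from.
AUDIT_LOG = """\
{"time": "2024-03-01T08:05:00Z", "user": "jdoe@example.com", "op": "MailSent", "ip": "198.51.100.7", "detail": "to=team@example.com"}
{"time": "2024-03-02T10:40:00Z", "user": "jdoe@example.com", "op": "MailSent", "ip": "198.51.100.7", "detail": "to=vendor@example.net"}
{"time": "2024-03-04T09:14:00Z", "user": "jdoe@example.com", "op": "Login", "ip": "198.51.100.7", "detail": "ok"}
{"time": "2024-03-04T09:31:00Z", "user": "jdoe@example.com", "op": "Login", "ip": "203.0.113.55", "detail": "ok"}
{"time": "2024-03-04T09:33:00Z", "user": "jdoe@example.com", "op": "SettingsChanged", "ip": "203.0.113.55", "detail": "forwarding=attacker@example.invalid"}
{"time": "2024-03-04T09:34:00Z", "user": "jdoe@example.com", "op": "MailSent", "ip": "203.0.113.55", "detail": "to=finance@example.com"}
{"time": "2024-03-04T11:00:00Z", "user": "jdoe@example.com", "op": "MailSent", "ip": "198.51.100.7", "detail": "to=team@example.com"}
{"time": "2024-03-06T14:00:00Z", "user": "jdoe@example.com", "op": "CalendarInviteCreated", "ip": "203.0.113.55", "detail": "subject=Payment review"}
"""

# Hypothetical operation names mapped to the finding they produce when seen
# from an unfamiliar IP after the click.
UNFAMILIAR_IP_OPS = {
    "Login": "unfamiliar-login",
    "MailSent": "unfamiliar-send",
    "CalendarInviteCreated": "unfamiliar-calendar",
}
# Settings changes after the click are flagged regardless of IP.
SETTINGS_OPS = {"SettingsChanged"}


def parse_events(raw: str) -> list:
    """Parse JSON lines into event dicts with an aware datetime in 'time', sorted by time."""
    events = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["time"] = datetime.fromisoformat(event["time"].replace("Z", "+00:00"))
        events.append(event)
    return sorted(events, key=lambda e: e["time"])


def baseline_ips(events: list, user: str, before: datetime) -> set:
    """IPs the user was seen from before the click: the 'normal' set."""
    return {e["ip"] for e in events if e["user"] == user and e["time"] < before}


def triage(events: list, user: str, click_time: datetime) -> list:
    """Return findings (dicts) for post-click activity that needs a human look."""
    known = baseline_ips(events, user, click_time)
    findings = []
    for e in events:
        if e["user"] != user or e["time"] < click_time:
            continue
        if e["op"] in SETTINGS_OPS:
            findings.append({"time": e["time"], "kind": "settings-change", "detail": e["detail"]})
        elif e["op"] in UNFAMILIAR_IP_OPS and e["ip"] not in known:
            findings.append({"time": e["time"], "kind": UNFAMILIAR_IP_OPS[e["op"]],
                             "detail": f"{e['ip']} {e['detail']}"})
    return findings


if __name__ == "__main__":
    for f in triage(parse_events(AUDIT_LOG), "jdoe@example.com", CLICK_TIME):
        print(f"{f['time']:%Y-%m-%d %H:%M}  {f['kind']:20}  {f['detail']}")
```

The sample deliberately includes a legitimate send from the user's usual address after the click, which is not flagged, and a calendar invite created two days later from the attacker's address, which is: that delayed event is why the monitoring window has to cover days, not hours.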

Creating a Culture Where Employees Report Phishing

Phishing reporting only works if employees actually report. Common barriers to reporting include embarrassment, fear of punishment, and uncertainty about whether something is actually phishing. Address these barriers explicitly:

  • Make clear that reporting is always the right action — there is no penalty for reporting something that turns out to be legitimate
  • Never punish employees who report phishing clicks honestly — punishment discourages future reporting and keeps incidents hidden
  • Acknowledge and appreciate phishing reports — a brief “thanks for the heads up” to an employee who reported a phishing attempt reinforces the behavior
  • Share aggregate phishing statistics with the team — when employees see that the organization receives and successfully blocks dozens of phishing attempts monthly, they understand the reporting system works

Bottom Line

Phishing email response procedures are as important as phishing recognition training — employees who know what to do in the first minutes after a suspicious click contain incidents before they become breaches. Document your reporting procedure, make it simple (one button or one email address), and communicate it to every employee. The organizations that respond well to phishing are the ones whose employees report immediately and honestly rather than hoping no one notices.
