# Phishing Response Checklist

Steps for reporting, triage, containment, communications, and follow-up after a suspicious email.

## Immediate Actions
- Do not click additional links, open attachments, or reply to the message.
- Report the message through the approved channel or forward it to the security contact.
- Capture the sender, subject, time received, and whether any interaction occurred.

## Triage Questions
- Was a password entered, file opened, payment requested, or MFA prompt approved?
- Did other users receive the same message?
- Is the sender known, spoofed, compromised, or external?
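
One way to capture the sender, subject, and time received from a reported message and to get a first answer to the sender question. This is an added example, not part of the original checklist; the sample message, the `example.com` internal domain, and the names `triage_record` and `domain` are assumptions.

```python
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime
import re

# Constructed sample of a reported message (not a real email).
SAMPLE = """\
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=mailer.example.net; dkim=none; dmarc=fail header.from=example.com
Received: from mailer.example.net (mailer.example.net [203.0.113.7]) by mx.example.org; Tue, 04 Mar 2025 09:15:02 +0000
From: "IT Helpdesk" <helpdesk@example.com>
Reply-To: support@example.net
Return-Path: <bounce@mailer.example.net>
Subject: Action required: password expires today
Date: Tue, 04 Mar 2025 09:14:58 +0000
Message-ID: <constructed-0001@mailer.example.net>

Please sign in to keep your account active.
"""

def domain(addr):
    """Lower-cased domain part of an address header value."""
    return parseaddr(addr or "")[1].rpartition("@")[2].lower()

def triage_record(raw, internal_domains=("example.com",)):
    msg = message_from_string(raw)
    # Assumption: Authentication-Results was stamped by your own mail gateway;
    # a copy of this header supplied by the sending side must not be trusted.
    auth = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)",
                           msg.get("Authentication-Results", "")))
    from_dom = domain(msg["From"])
    # The topmost Received header is the hop closest to the recipient.
    stamp = (msg.get_all("Received") or [""])[0].rpartition(";")[2].strip()
    flags = [f"{h} domain differs from From"
             for h in ("Reply-To", "Return-Path")
             if msg[h] and domain(msg[h]) != from_dom]
    if from_dom not in internal_domains:
        sender_class = "external"
    elif auth.get("dmarc") == "pass":
        # Headers cannot rule out a compromised internal account.
        sender_class = "internal-authenticated"
    else:
        sender_class = "possible-spoof"
    return {
        "sender": parseaddr(msg["From"])[1],
        "subject": msg["Subject"],
        "time_received": parsedate_to_datetime(stamp).isoformat() if stamp else None,
        "auth": auth,
        "sender_class": sender_class,
        "flags": flags,
    }
```

Whether any interaction occurred still has to come from the reporting user; the headers only cover the sender, subject, and delivery time.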

## Follow-Up
- Reset impacted credentials and revoke active sessions when account exposure is possible.
- Block malicious sender, URL, domain, or attachment indicators when confirmed.
- Record the decision, owner, and user communication for after-action review.

