DADavisDesign
Cyber-Defenders Cyber-Defenders
Cybersecurity Support Hub

Phishing Response Guide

Immediate response, analyst workflow, and visual examples to prevent credential theft and financial loss.

Immediate Action

What to do right now

  • 📴 If you clicked a link or downloaded a file, disconnect from the network immediately to prevent malware spread.
  • 🚫 Do not reply to the sender or try to “test” the suspicious link yourself.
  • 📎 Forward the email as an attachment to your security or IT team following your local escalation process.
  • 🕵️ Analyze the email using the SLAM method (Sender, Links, Attachments, Message) to identify potential threats.
📊
Context

Why this matters

90 seconds
Typical time to click a phishing link after opening
+$4M
Average cost of a successful business email compromise
1 click
All it takes to expose credentials or deploy malware
Your actions in the first few minutes are critical.

Quick reporting, preserving evidence, and avoiding interaction with suspicious content significantly reduces impact.

🧭
SLAM Method

How to inspect a suspicious email

SLAM Method: Quickly review the Sender, Links, Attachments, and Message. It’s a fast way to spot impersonation, credential traps, and risky files.

Sender

  • 👤Does the display name look like an executive, vendor, or internal team?
  • 📧Does the address/domain match the real sender and the topic (no misspellings or odd domains)?

Links

  • 🔗Hover first—confirm it goes to the legitimate site, not a look-alike domain.
  • 🔑Never enter passwords, MFA codes, or recovery info from an email link.

Attachments

  • 📎Unexpected attachments from new or external senders are high risk.
  • 🧩Avoid executable or macro files—verify before opening.

Message

  • ⏱️Urgency or secrecy pressure (“act now”, “don’t tell anyone”) is a red flag.
  • 💰Money requests or odd tone—validate out-of-band.

📘 Tier 1 Analyst: Detailed Runbooks

Click a runbook to open step‑by‑step guidance. Access requires a non‑Guest authenticated account.

🚨
Escalation

When to escalate immediately

If in doubt, escalate.

Do not delete the email before security has reviewed it. Include full headers and any observed behavior in your ticket.

🧪
Examples

Common phishing scenarios

Use these realistic examples to spot common lures and pressure tactics.

👁️ Example 1: The "CEO" Request (Urgency)

From: CEO Name <[ceo.name@gmail.com]>
Subject: URGENT: Wire Transfer Needed
To: You

Hi,

I am in a meeting and can't talk right now. I need you to process a wire transfer immediately for a new vendor.

It needs to go out in the next 30 minutes or we lose the deal. Do not mention this to anyone yet, I will explain later.

Sent from my iPad

👁️ Example 2: The "Password Expiry" (Credential Harvesting)

From: CEO Name <ceo.name@yourcompany.com>
Subject: Action Required: Password Expires in 24 Hours

Dear User,

Your password is set to expire today. You must retain your access by validating your credentials below.

Failure to do so will result in permanent account lockout.

Regards,
System Administrator

👁️ Example 3: The Fake Subscription Renewal

From: Geek Squad Billing <[billing8675309@geeksquad-support.com]>
Subject: INVOICE #9982: PAYMENT OF $499.99 SUCCESSFUL

Hello Customer,

Thank you for your order. We have successfully charged your account $499.99 for your annual antivirus protection plan.

If you did not authorize this charge, you must call our fraud department immediately to cancel.

Call Now: +1 (888) 555-0192

👁️ Example 4: The "Shared Document"

From: Human Resources <hr-updates@company-benefits-update.com>
Subject: Important: Review Updated Q3 Policy

Team,

HR has shared a new file with you: "Q3_Bonus_Structure_Updates.pdf"

Click here to Open Document

Please review and sign by end of day Friday.

Welcome Back

Sign in to your account

or
Don't have an account? Sign Up

🔒 Sign In Required

Access to detailed runbook content requires authentication. Sign in or create a Cyber Defenders account to unlock full access.

With an account you get:

  • Step-by-step phishing runbooks
  • Responder-ready checklists & evidence tips
  • Consistent workflows across the Support Hub

Create your account at Cyber Defenders

Create Account

Create your Cyber Defenders account

or
Already have an account? Sign In