
A Business Guide: Surviving a Cyberattack


In today's digital world, a cyberattack isn't a matter of "if," but "when." For businesses of all sizes, having a clear and actionable incident response plan is the key to minimizing financial damage, protecting your data, and ensuring swift asset recovery. While the threat may seem overwhelming, a structured approach can help you navigate the chaos with confidence. Here are some helpful tips: 

Phase 1: Immediate Lockdown & Damage Control 

The moments after a breach are critical. Your top priority is to contain the threat and prevent further damage.

1. Isolate the Threat and Prevent Overflow:

  • Disconnect. Immediately take all affected computers, servers, and devices offline. This is a crucial first step to stop the spread of malware and prevent attackers from exfiltrating more data. Unplug network cables and/or disable Wi-Fi connections.
  • Freeze Accounts. Contact your bank, credit card companies, and any payment processors to report the fraudulent activity. Ask them to freeze or reverse any suspicious transactions and place a hold on all business accounts that may have been compromised.
  • Change All Passwords. This is non-negotiable. Change passwords for all accounts—email, social media, banking, and cloud services. Utilize a strong, unique password for each account and consider using a password manager to securely store them.
  • Review Access Privileges. Check for any unauthorized user accounts or changes to existing user permissions. A common tactic for attackers is to create a new user account to maintain access.
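
One way to carry out the access review described above on a Linux server, as an added example that is not part of the original guide: it compares a saved known-good copy of the account and group files with the current ones and lists new accounts, re-enabled logins, extra UID 0 accounts and new members of administrative groups. The sample data, the function names and the list of privileged groups are assumptions made for the illustration.

```python
# Added example: compare a known-good account snapshot with the current state.
# Inputs use the Linux passwd(5)/group(5) text formats; all sample data below is constructed.
PRIV_GROUPS = {"sudo", "wheel", "adm"}          # assumption: groups that grant admin rights
NO_LOGIN = ("/usr/sbin/nologin", "/sbin/nologin", "/bin/false")

def parse_passwd(text):
    """Return {name: (uid, shell)} from passwd-format text."""
    users = {}
    for line in text.strip().splitlines():
        f = line.split(":")
        if len(f) == 7 and not line.startswith("#"):
            users[f[0]] = (int(f[2]), f[6])
    return users

def parse_group(text):
    """Return {group: set(members)} from group-format text."""
    groups = {}
    for line in text.strip().splitlines():
        f = line.split(":")
        if len(f) == 4 and not line.startswith("#"):
            groups[f[0]] = {m for m in f[3].split(",") if m}
    return groups

def audit(base_pw, cur_pw, base_gr, cur_gr):
    """List account and privilege changes that need a human decision."""
    old, new = parse_passwd(base_pw), parse_passwd(cur_pw)
    old_g, new_g = parse_group(base_gr), parse_group(cur_gr)
    findings = []
    for name, (uid, shell) in sorted(new.items()):
        if name not in old:
            findings.append(f"NEW ACCOUNT: {name} (uid {uid}, shell {shell})")
        elif old[name][1] in NO_LOGIN and shell not in NO_LOGIN:
            findings.append(f"LOGIN ENABLED: {name} now has shell {shell}")
        if uid == 0 and name != "root":
            findings.append(f"UID 0 ALIAS: {name} has root's uid")
    for grp in sorted(PRIV_GROUPS & new_g.keys()):
        for member in sorted(new_g[grp] - old_g.get(grp, set())):
            findings.append(f"PRIVILEGE ADDED: {member} joined {grp}")
    return findings

# Constructed snapshots: "backup" gains a login shell and sudo, "support" is new with uid 0.
BASE_PW = "root:x:0:0:root:/root:/bin/bash\nalice:x:1000:1000::/home/alice:/bin/bash\nbackup:x:34:34::/var/backups:/usr/sbin/nologin"
CUR_PW = BASE_PW.replace("/var/backups:/usr/sbin/nologin", "/var/backups:/bin/bash") + "\nsupport:x:0:0::/home/support:/bin/bash"
BASE_GR = "sudo:x:27:alice\nusers:x:100:"
CUR_GR = "sudo:x:27:alice,backup\nusers:x:100:"

if __name__ == "__main__":
    for finding in audit(BASE_PW, CUR_PW, BASE_GR, CUR_GR):
        print(finding)
```

Take the baseline from a backup made before the incident, not from the affected machine, since an attacker with access could have altered files stored there.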

2. Document Everything (No Detail is Too Small):

  • Gather all digital evidence. Take screenshots of fraudulent emails, messages, and transaction confirmations. Save a copy of the scammer’s contact info, including email addresses, phone numbers, and any URLs. The Federal Trade Commission (FTC) provides a detailed guide for businesses on how to prepare for and respond to a data breach.
  • Log the timeline. Create a detailed, chronological record of every event: when you were first contacted, when the transaction occurred, and when you discovered the fraud. This will be invaluable for law enforcement and your bank's fraud department.

Phase 2: Reporting the Crime & Seeking Expertise

Once the immediate threat is contained, it's time to officially report the incident. Timely and accurate reporting is essential for both law enforcement investigation and your company's recovery.

  • Federal Agencies & Law Enforcement:
    • FBI Internet Crime Complaint Center (IC3): This is the primary federal agency for reporting cybercrime. File a detailed report at ic3.gov. The information you provide helps the FBI identify and prosecute cyber criminals.
    • CISA (Cybersecurity and Infrastructure Security Agency): If you are a critical infrastructure business, consider reporting the incident to CISA. They offer valuable resources and threat information. You can find more information in their Incident Response Plan (IRP) Basics guide.
    • Federal Trade Commission (FTC): Report the fraud to the FTC at ReportFraud.ftc.gov. The FTC uses these reports to track scam trends, alert the public, and take legal action against fraudsters.
    • Local Police Department: File a police report in your jurisdiction. While they may have limited resources for a digital crime, a police report is often required by banks and insurance companies for their investigations.
  • Industry-Specific Regulators: Depending on your industry, you may have specific reporting requirements. For example, if you handle protected health information (PHI), you must report the breach to the Department of Health and Human Services (HHS).
  • Cybersecurity Professionals:
    • Legal Counsel: Contact an attorney specializing in cybersecurity and data privacy. They can advise you on your legal obligations, including notifying customers or regulatory bodies, and help you navigate potential lawsuits.
    • IT & Cybersecurity Experts: Unless you have a dedicated in-house team, it is highly recommended to engage a third-party cybersecurity firm to conduct a forensic investigation. They can help you identify the attack vector, determine the scope of the breach, and ensure the threat is completely eradicated.

Phase 3: Preventing Future Attacks & Identity Protection

This phase is about fortifying your defenses and protecting your business's future.

1. Review and Re-Secure:

  • Enable Multi-Factor Authentication (MFA). This is the single most effective security measure recommended by federal agencies. For instance, the FTC's Safeguards Rule outlines this as a key requirement for financial institutions.
  • Scan Your Systems. After all compromised systems have been isolated, run a full antivirus and anti-malware scan to ensure no lingering threats remain.
  • Audit Your Accounts. Scrutinize all business accounts—bank, credit, and credit card statements—for any unusual or small transactions that might indicate further compromise.

2. Protect Your Business's Credit:

  • Place a fraud alert. Contact the major business credit bureaus (e.g., Dun & Bradstreet, Experian Business) to place a fraud alert on your company's credit file. This can prevent scammers from opening new lines of credit in your name.

3. Educate & Empower Your Team:

  • Hold a Debriefing. Once the incident is under control, hold a debriefing with your team. Share what happened, how it was handled, and what you've learned. This transparency builds trust and helps everyone understand the importance of their role in preventing future attacks.
  • Encourage a Culture of Cybersecurity. A strong cybersecurity defense starts with your team. Create a culture where security is everyone’s responsibility, not just the IT department's. This begins with leadership communicating the importance of security and continues with consistent, engaging training that makes secure practices a core value of your business. The National Institute of Standards and Technology (NIST) provides extensive resources on building a security-focused culture and a comprehensive Incident Response Framework.

There’s More! Beware of Recovery Scams

After reporting the fraud, you may be contacted by "recovery specialists" who promise to get your money back for a fee. These are almost always a second wave of scammers. Legitimate recovery will only ever come from your bank or law enforcement. 

Visit our Security Center for additional resources and tips.
