
The 1-Page Phishing Response Plan Every Employee Can Follow

Most phishing incidents get worse because someone panicked, deleted the email, or tried to handle it quietly. Here is a plain-language response plan any employee can follow in the first five minutes.

Elevate Solutions
June 26, 2026 · 5 min read

Someone on your team gets a suspicious email. They are not sure if it is real. They click the link "just to check." Within seconds, they have handed their Microsoft 365 login to a criminal. That scenario plays out in small offices every week, and the outcome almost always depends on what happened in the first five minutes after the click.

When an employee spots or clicks a suspicious email, the right response in the first five minutes — stop, don't delete, disconnect if you clicked, and call your IT provider — limits the damage. Forwarding the email, deleting it, or staying quiet are the mistakes that turn a close call into a reportable breach. A one-page written plan eliminates guesswork when people are already rattled.

Two situations, two checklists

Most people either catch the email before clicking or realize something went wrong after. The steps are different depending on where you are.

You spotted it — you have not clicked anything

  1. Do not click any link, button, or image inside the email — including the "Unsubscribe" link at the bottom.
  2. Do not reply to the sender, even to say you know it is a scam.
  3. Do not forward it to coworkers to warn them. Alert people verbally or by a separate message that does not include the email.
  4. Use the Report button in Outlook if you see it. Microsoft 365 Business Premium includes Defender for Office 365 Plan 1 — the same email threat protection used by large enterprises — which adds a Report phishing option directly in the Outlook ribbon and in Outlook on the web. It sends the email to Microsoft for analysis and removes it from your inbox without additional steps on your part.
  5. If the Report button is not visible, leave the email in your inbox untouched and contact your IT provider before doing anything else.

You clicked a link or opened an attachment

  1. Stop immediately. Close the browser tab or the document that opened.
  2. Do not enter any credentials on a page that opened — no username, no password, no personal information.
  3. If you already entered credentials, do not change your password on the same device. Use a different device. The machine you are on may already be compromised.
  4. Disconnect from Wi-Fi or unplug your ethernet cable if you can do so without disrupting other people or systems.
  5. Call your IT provider right now. Not email — call. Every minute between the click and the call matters.

What do you say when you call your IT provider?

You do not need technical language. A dedicated team that knows your environment will take it from there. Just be ready to say:

  • "I think I clicked a phishing email."
  • "It happened around [time] on my [laptop / desktop / phone]."
  • "Here is what I clicked and, if anything, what I typed."

That is enough to start a proper response. Do not try to diagnose the situation yourself before calling.

What should you not do?

These are the four mistakes that consistently make phishing incidents worse:

  • Do not delete the email. It is evidence. Your IT provider needs the headers, sender information, and embedded links to assess the scope of the threat.
  • Do not run a quick antivirus scan and assume you are clear. A clean result does not mean nothing happened, and some scans can overwrite data needed for a proper investigation.
  • Do not stay quiet because you feel embarrassed. Everyone clicks something eventually. A five-minute call now prevents a much longer conversation with clients or a regulator later.
  • Do not assume it was harmless because nothing obvious happened. Some attacks are designed to wait days before activating.

How do you prepare your team before it happens?

Print this checklist and post it somewhere your team will actually see it — near the shared printer, pinned in your team chat, or saved to your shared drive labeled "What to do — phishing." Then ask your IT provider to confirm that the Report phishing button is active in your Microsoft 365 tenant. It is included in Business Premium at no additional license cost, and a dedicated team can enable it in a short configuration step. Removing that one decision point from a stressful moment is worth the call.
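The tenant check mentioned above is something your IT provider would run, not something an employee needs to do. The following is an added example, not a script from the original post or from Elevate Solutions, showing one way an Exchange administrator can confirm that messages reported through the Outlook Report button actually go somewhere. It assumes the ExchangeOnlineManagement PowerShell module and an account with Exchange administrator rights, and it assumes the property names it reads from the report submission policy and rule (EnableReportToMicrosoft, ReportPhishToCustomizedAddress, ReportPhishAddresses, State) match the module version in your tenant.

```powershell
# Added example (not from the original post): administrator-side check of the
# Microsoft 365 user-reporting settings that sit behind the Outlook "Report" button.
# Requires the ExchangeOnlineManagement module and an Exchange administrator account.
# Assumption: the cmdlet and property names below match the module version in use.

function Test-ReportPhishingSetup {
    param(
        # Report submission policy object (from Get-ReportSubmissionPolicy). Passed in
        # as a parameter so the decision logic can be exercised without a live session.
        [Parameter(Mandatory)] $Policy,
        # Optional report submission rule object (from Get-ReportSubmissionRule).
        $Rule
    )
    $findings = @()

    # Reports should reach Microsoft for analysis; if this is off, the button still
    # appears in Outlook but the message is never submitted for review.
    if (-not $Policy.EnableReportToMicrosoft) {
        $findings += 'Reporting to Microsoft is disabled; reported messages will not be analyzed.'
    }

    # If phish reports are routed to a custom mailbox, make sure one is actually set,
    # otherwise reports silently go nowhere.
    if ($Policy.ReportPhishToCustomizedAddress -and -not $Policy.ReportPhishAddresses) {
        $findings += 'Phish reports are routed to a custom mailbox, but no address is configured.'
    }

    # A disabled submission rule stops reported messages from being delivered at all.
    if ($null -ne $Rule -and $Rule.State -ne 'Enabled') {
        $findings += "Report submission rule '$($Rule.Identity)' is not enabled."
    }

    [pscustomobject]@{
        ReportToMicrosoft  = [bool]$Policy.EnableReportToMicrosoft
        CustomPhishMailbox = ($Policy.ReportPhishAddresses -join ', ')
        Findings           = $findings
        Ready              = ($findings.Count -eq 0)
    }
}

# Live run against the tenant. Connect-ExchangeOnline prompts for sign-in.
Connect-ExchangeOnline
$policy = Get-ReportSubmissionPolicy
$rule   = Get-ReportSubmissionRule -ErrorAction SilentlyContinue

$result = Test-ReportPhishingSetup -Policy $policy -Rule $rule
$result | Format-List

if (-not $result.Ready) {
    Write-Warning 'The Report button is present, but reports may not reach anyone. Review the findings above.'
}

Disconnect-ExchangeOnline -Confirm:$false
```

If the check shows reporting to Microsoft turned off, the matching Set-ReportSubmissionPolicy cmdlet re-enables it; the point of wrapping the decision in a function is that the policy object can be captured once and re-checked after any change, so the "is the button actually wired up" question is answered with evidence rather than by looking at the Outlook ribbon.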

Frequently asked questions

Should I delete a phishing email right away?

No. Delete it only after your IT provider confirms it is safe to do so. The email is evidence, and deleting it can slow the investigation or make it impossible to identify other people at your office who were targeted.

What if I already clicked a link in a phishing email?

Stop, do not enter any credentials on the page that opened, disconnect from Wi-Fi if possible, and call your IT provider immediately. Do not use the same device to change your password. Speed matters more than anything else at this point.

Can I forward the suspicious email to a coworker to warn them?

No. Forwarding a phishing email exposes your coworker to the same malicious links and can help the attacker reach more inboxes. Alert people verbally or by a separate message that does not include the email itself.

Does Microsoft 365 Business Premium include a built-in way to report phishing?

Yes. Business Premium includes Defender for Office 365 Plan 1, which adds a Report button to Outlook and Outlook on the web. Using it sends the message to Microsoft for analysis and removes it from your inbox. Your IT provider can confirm it is enabled in your tenant.

Do we need a written phishing plan if we only have a few employees?

Yes. Small teams are targeted as often as larger ones, and without a written plan, people improvise — which usually means deleting the email or staying quiet. A one-page reference eliminates that guesswork when people are already stressed.

Elevate Solutions' security and IT advisory team delivers managed cybersecurity (MDR/MXDR), managed IT, and compliance guidance (HIPAA, SOC 2, PCI DSS) for regulated mid-market firms across Los Angeles.

Reviewed by David Faramarzi · Founder, Elevate Solutions