Incident Response Plan for Cyber Attacks, Phishing, and Fraud

,
incident_response

If you become aware that a cyber-attack has been taken against your company, it is imperative action be taken immediately to mitigate the risk of loss to data, money, and other company assets. Time is of the essence. Take the following actions immediately:

  1. If applicable (funds were transferred/compromised), contact your bank. In the case of a wire fraud, you can initiate a “SWIFT recall” on the wire transfer. Contact all banks that may have received your funds. Ask to speak to their fraud department.
  2. Notify your internal IT department or Managed Services Provider (MSP). Provide as much detail as possible. If a computer is involved in the incident, we will provide direction whether action is required to turn off or disconnect the device from the network.
  3. Report the incident to the Internet Crime Complaint Center (IC3) at http://www.ic3.gov.
  4. Report the incident to additional Federal Government agencies as described in “Cyber Incident Reporting – A Unified Message for Reporting to the Federal Government” for specific reporting requirements: https://www.dhs.gov/sites/default/files/publications/Cyber%20Incident%20Reporting%20United%20Message.pdf
  5. Notify local law enforcement of the incident
  6. Notify your cyber liability insurance provider. They can assist you with arranging public relations advisors to support proper customer notifications and legal counsel.

Expect notifications to take time as each involved party gathers the information they need. If possible, assign multiple people to initiate notifications in parallel.

Consider using a conferencing service like Microsoft Teams or Zoom that can be used by all parties throughout the notification process. Many conferencing services allow for “rooms” to be created to allow groups to break away for specific discussions and then rejoin the main group. This may also provide you the ability to record the conversations (notify participants) for later review. Practice this process before an actual incident so you are comfortable with the technology.

Keep and record the following information for possible investigation:

  • Canceled checks, Wire receipts, Credit card receipts, Money order receipts
  • Facsimiles, Certified or other mail receipts, envelopes (if you received items via FedEx, UPS or U.S. Mail), Pamphlets or brochures
  • Emails, text messages, chatroom or newsgroup text, social media messages, web pages (screen shots), phone records
  • Computer log files, if available, with date, time, and time zone