Phishing Response Guide

If you suspect you've received a phishing email, follow these steps in order. Acting quickly limits potential damage.

1. Do Not Click, Reply, or Download
  • Do not click any links in the email
  • Do not open any attachments
  • Do not reply to the sender
  • If you already clicked a link, disconnect the device from the network immediately (unplug Ethernet or turn off Wi-Fi) and proceed to Step 2
  • If you entered any information (passwords, credentials, personal data) on a website reached from the phishing email, use a different device to change that password immediately, on every account where the same password was used. Type each site's address yourself or use a saved bookmark rather than following any link, and check the address bar carefully before entering credentials. If the account offers multi-factor authentication, turn it on.

2. Run a Security Scan

Run a full antivirus/antimalware scan on your computer.

  • Windows Defender: Settings > Privacy & security > Windows Security > Virus & threat protection > Scan options > Full scan
  • Endpoint protection tools: If your organization uses CrowdStrike, SentinelOne, or a similar endpoint agent, run a scan through that as well, or ask your security team to trigger one

3. Report to Your Email Provider

Use your email provider's built-in reporting tool:

Gmail

Open the email, click the three dots (more) menu, select "Report phishing".

Outlook / Microsoft 365

Select the email, click "Report" in the toolbar, then "Report phishing". If using Outlook desktop, use the Report Message add-in.

Yahoo Mail

Select the email, click the three dots (more) menu, select "Report phishing".

4. Save the Raw Email Headers

Raw headers contain critical investigation data. Here's how to get them:

Gmail

Open the email > Click the three dots (more) > "Show original" > Copy the full headers or download the .eml file.

Outlook (Web)

Open the email > Click the three dots (more) > "View message source" or "View message details" > Copy the headers.

Outlook (Desktop)

Double-click the email to open it > File > Properties > Copy the text from "Internet headers".

Save this information as a file (the downloaded .eml or the copied header text). It contains the Received chain (the IP addresses of the servers that relayed the message), the Authentication-Results (SPF, DKIM, and DMARC verdicts), the Return-Path, and the Message-ID that analysts need to investigate the phishing campaign. A normal forward creates a new message and drops the original headers, so when you pass the email on, attach the saved .eml file or use your mail client's "forward as attachment" option.
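The following script is an added example for this guide, not tooling from the page or its authors. It reads an .eml saved as described in Step 4 and pulls out what an analyst looks at first: the Received chain (oldest hop first), the SPF/DKIM/DMARC verdicts, whether the From domain matches the Return-Path domain, and, for Step 1, links whose visible URL points at a different host than the real target, printed in defanged form so they can be pasted into a report safely. It assumes only the Python 3.8+ standard library; the embedded sample message is constructed for the example, with reserved example/test domains and RFC 5737 documentation IPs standing in for real values. Note the caveat in hop_ips: Received headers are prepended by each relay, so only the hops stamped by your own or trusted mail servers can be relied on; anything before them can be forged by the sender.

```python
# Added example for this guide (not the page's own tooling); Python 3.8+ stdlib only.
import email, json, re, sys
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)

# Constructed sample (not a real phishing email): reserved example/test domains, RFC 5737 IPs.
SAMPLE_EML = b"""\
Return-Path: <bounce@mailer-example.test>
Received: from mx.corp.example (mx.corp.example [203.0.113.5])
    by inbox.corp.example with ESMTPS id abc123; Mon, 3 Feb 2025 09:14:02 +0000
Received: from mailer-example.test (unknown [198.51.100.77])
    by mx.corp.example with ESMTP id def456; Mon, 3 Feb 2025 09:14:00 +0000
Authentication-Results: mx.corp.example;
    spf=fail smtp.mailfrom=mailer-example.test; dkim=none; dmarc=fail header.from=bank.example
From: "Bank Support" <alerts@bank.example>
Content-Type: text/html; charset="utf-8"

<p>Please <a href="http://login-bank.example.test/verify">https://www.bank.example/secure</a> now.</p>
"""

def parse_eml(raw):
    return email.message_from_bytes(raw, policy=policy.default)  # policy.default unfolds headers

def hop_ips(msg):
    """IPs per Received header, oldest hop first (relays prepend, so the last one in the
    file is earliest).  Trust only hops your own servers stamped; earlier ones can be forged."""
    return [m.group(1) if (m := IP_RE.search(h)) else None
            for h in reversed(msg.get_all("Received", []))]

def auth_results(msg):
    """spf/dkim/dmarc verdicts from Authentication-Results (first seen wins)."""
    out = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for mech, verdict in AUTH_RE.findall(hdr):
            out.setdefault(mech.lower(), verdict.lower())
    return out

def sender_domains(msg):
    """[From domain, Return-Path domain]; a mismatch is a common spoofing sign."""
    def domain(name):
        return parseaddr(str(msg.get(name, "")))[1].rpartition("@")[2].lower()
    return [domain("From"), domain("Return-Path")]

class _Links(HTMLParser):  # collects (href, visible text) for every <a> in an HTML body
    def __init__(self):
        super().__init__()
        self.links, self._cur = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._cur = [dict(attrs).get("href") or "", ""]
    def handle_data(self, data):
        if self._cur is not None:
            self._cur[1] += data
    def handle_endtag(self, tag):
        if tag == "a" and self._cur is not None:
            self.links.append((self._cur[0], self._cur[1].strip()))
            self._cur = None

def suspicious_links(msg):
    """Links whose visible URL names a different host than the real target."""
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return []
    p = _Links()
    p.feed(body.get_content())
    flagged = []
    for href, text in p.links:
        shown = urlparse(text).hostname if "://" in text else None
        if shown and shown != urlparse(href).hostname:
            flagged.append((href, text))
    return flagged

def defang(url):
    """Make a URL safe to paste into a report: hxxp:// and [.]"""
    return url.replace("http", "hxxp", 1).replace(".", "[.]")

def triage(raw):
    msg = parse_eml(raw)
    hops, auth = hop_ips(msg), auth_results(msg)
    from_dom, rp_dom = sender_domains(msg)
    findings = []
    if from_dom != rp_dom:
        findings.append(f"From domain {from_dom} != Return-Path domain {rp_dom}")
    findings += [f"{m}={auth.get(m, 'missing')}" for m in ("spf", "dkim", "dmarc")
                 if auth.get(m) != "pass"]
    findings += [f"link shows {defang(t)} but goes to {defang(h)}"
                 for h, t in suspicious_links(msg)]
    return {"origin_ip": hops[0] if hops else None, "hops": hops, "auth": auth,
            "sender_domains": [from_dom, rp_dom], "findings": findings}

if __name__ == "__main__":
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_EML
    print(json.dumps(triage(raw), indent=2))
```

Run it as `python triage_eml.py suspicious.eml` (the filename is yours to choose; with no argument it analyzes the built-in sample). Parsing a saved .eml this way never renders the HTML or follows links, but still do not open the file in a mail client. On the sample, the output shows the first hop at 198.51.100.77, all three authentication checks failing or absent, a From domain that does not match the Return-Path, and a link whose visible text claims www.bank.example while the href goes to login-bank.example.test.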

5. Report to Your Security Team

If you are a Department of War (DoW) employee or contractor:

  • Report the phishing email to your unit Intelligence or Security contact immediately
  • Forward the email to your organization's cybersecurity team as an attachment (or attach the saved .eml file) so the original headers are preserved
  • For government networks, report to your local Information System Security Officer (ISSO)

6. Report to Federal Authorities

Report the phishing email to the Federal Trade Commission:

Report Fraud — FTC.gov

For more information about phishing emails and how to protect yourself, visit the FBI's official guidance:

FBI — Spoofing and Phishing Guidance