A client has received an email with or without an attachment from a known or unknown source

Client Receives a Suspicious/Phishing Email

How to respond to phishing or to a suspicious email


The email may contain malware or a link to a malicious site that tricks the client into disclosing personal information.

The longer a malicious website stays online, the more victims it will claim. Reporting the website is one of the most important steps the Helpline can take.


  1. Reply to the client using the template in Article #57: Phishing - First Email, to respond to their concerns and ask for any additional information that may be missing.

    Be sure to state clearly that the email should not be opened and that no linked site should be visited.

    NOTE: If the client has already visited a site or opened an attachment, we should increase the urgency and impact of the case.

  2. After receiving the headers and full email source from the client in Step 1, analyze the following:

  3. Once you have gathered all the information you need on the phishing message, search for the detected indicators of compromise on MISP, following the instructions in Article #354: Search in CiviCERT’s MISP Instance.

  4. Communicate the conclusions of your investigation to the client and, if necessary, report the website.

  5. Add the event to MISP following the instructions in Article #355: How to Add an Event to CiviCERT’s MISP Instance.
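
An added example, not part of the Helpline's own articles or tooling: one way to pull searchable indicators out of the full email source gathered in Step 2 before the MISP search in Step 3, parsing the message as data so that nothing is opened or visited. The sample message, its domains and IP address, and the choice of indicators are assumptions constructed for illustration.

```python
import email, hashlib, re
from email import policy
from email.utils import parseaddr

# Constructed sample (not a real message): reserved example domains, TEST-NET IP.
SAMPLE = b"""\
Return-Path: <bounce@mailer.example.net>
Received: from mail.example.net (mail.example.net [203.0.113.45])
 by mx.example.org; Mon, 01 Jan 2024 10:00:00 +0000
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=mailer.example.net; dkim=none
From: "Support Team" <support@example.com>
Reply-To: helpdesk@example.net
Subject: Verify your account
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Please log in at http://login.example.net/verify?id=1 today.
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="invoice.pdf"
Content-Transfer-Encoding: base64

SGVsbG8=
--b1--
"""

def domain(value):  # lowercased domain of an address header, '' if absent
    return parseaddr(str(value or ""))[1].rpartition("@")[2].lower()

def extract_indicators(raw):
    msg = email.message_from_bytes(raw, policy=policy.default)
    auth = " ".join(map(str, msg.get_all("Authentication-Results", []))).lower()
    ind = {
        "from_domain": domain(msg["From"]),
        "mismatched": [h for h in ("Reply-To", "Return-Path")  # differ from From: review
                       if msg[h] and domain(msg[h]) != domain(msg["From"])],
        "auth": dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth)),
        "relay_ips": re.findall(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]",
                                " ".join(map(str, msg.get_all("Received", [])))),
        "urls": [], "attachments": []}
    for part in msg.walk():
        if part.get_filename():  # hash the decoded bytes; never open the file
            data = part.get_payload(decode=True) or b""
            ind["attachments"].append((part.get_filename(), hashlib.sha256(data).hexdigest()))
        elif not part.is_multipart() and part.get_content_maintype() == "text":
            ind["urls"] += re.findall(r"https?://[^\s\"'<>]+", part.get_content())
    return ind
```

A differing Return-Path is also common in legitimate bulk mail, so treat the mismatch list as a prompt for closer inspection rather than a verdict.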