clt_email_legitimacy_checklist

clt_email_legitimacy_checklist [2025/10/16 21:58] thesaintclt_email_legitimacy_checklist [2025/10/16 22:32] (current) – [5) Optional: Template to report to IT (see wanip.io for info below)] thesaint
Line 8: Line 8:
 **Audience:** End users and admins.\\ **Audience:** End users and admins.\\
 **Purpose:** Help you decide if an email is legitimate in under 60 seconds.\\ **Purpose:** Help you decide if an email is legitimate in under 60 seconds.\\
-**Updated:** @@2025@@\\+**Updated:** 2025\\
  
 ---- ----
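Review bot: the `**Updated:**` line now carries only a bare year ("2025"); for a checklist whose steps point at specific product menus (Defender Offline scan, Play Protect, the Google and Microsoft account pages), a full date such as `YYYY-MM-DD` would let readers judge how stale the instructions are. Dropping the `@@2025@@` wrapper is correct, since that syntax does not render as intended in DokuWiki.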
Line 248: Line 248:
  
 ---- ----
 +
 +====== WHAT TO DO If You Clicked — And If You Entered Info ======
 +**Audience:** End users (with quick admin notes).\
 +**Goal:** Fast, idiot-proof actions that limit damage.\
 +**Use when:** You clicked a suspicious link OR you entered details on a fake site.
 +
 +----
 +
 +===== 0) TL;DR =====
 +  * If you only **clicked**: **Disconnect** → **Close browser** → **Clear data** → **Scan device** → **Change passwords** (if prompted/logged in). **Report it**.
 +  * If you **entered any info**: **Change that password NOW (from a different device)** → **Enable/confirm MFA** → **Sign out of all sessions** → **Remove risky mail rules / app tokens** → **Notify bank/IT** → **Report it**.
 +
 +----
 +
 +===== 1) Scenario A — Clicked the link, did NOT enter anything =====
 +**Within 10 minutes**
 +  - Disconnect from the internet (Wi-Fi off / Airplane mode) if anything started to download.
 +  - Close the tab/app. If it won’t close, reboot.
 +  - **Clear only the phishing site’s data**:
 +    * Chrome/Edge: Menu → Settings → Privacy → Cookies & Site Data → **See all site data** → search the domain → Remove.\\
 +    * Safari (iOS/macOS): Settings/Preferences → Safari → Advanced → Website Data → search → Remove.
 +  - Delete any **downloaded** file (especially `.zip .exe .js .scr .bat .ps1 .html .iso .img`) without opening.
 +
 +**Within 1 hour**
 +  - Run a security scan:\\
 +    * **Windows:** *Windows Security* → Virus & threat protection → **Scan options → Microsoft Defender Offline scan**.\\
 +    * **macOS:** Update macOS, then run a full scan if you have reputable AV.\\
 +    * **Android:** Play Store → Play Protect → **Scan**.\\
 +    * **iOS/iPadOS:** Update iOS; Settings → General → **VPN & Device Management** → remove unknown profiles.
 +  - If that browser was already **logged in** to email/banking, change those passwords as a precaution.
 +
 +**Report**
 +  - Use **Report phishing** in your mail app and send the message to IT/security.\\
 +  - Optional public reporting: **[[https://www.scamwatch.gov.au/|ACCC Scamwatch]]**, **[[https://www.cyber.gov.au/report-and-recover/report|ReportCyber (ACSC)]]**, **reportphishing@apwg.org**.
 +
 +----
 +
 +===== 2) Scenario B — You entered info on the phishing site =====
 +Do **all** applicable items below, in this order.
 +
 +**A) If you entered your work or personal account password**
 +  - From a **different, clean device**, go change the password **immediately**.
 +  - Turn **MFA on** (or re-enrol a fresh MFA method).
 +  - **Sign out everywhere**:\\
 +    * Google: myaccount.google.com → Security → **Manage all devices** → Sign out of unrecognised devices; **Third-party access** → Remove unknown apps.\\
 +    * Microsoft 365: myaccount.microsoft.com → Security info → **Sign out everywhere**; **Apps & services** → Remove unknown OAuth grants.
 +  - Check **mail rules** and **forwarding**:
 +    * Look for auto-forward to unknown addresses, reply-to changes, or auto-delete rules. Remove anything suspicious.
 +
 +**B) If you entered card or banking info**
 +  - Call your bank immediately (use the number on the card/official app) → **block the card** and **dispute** any charges.
 +  - Turn on transaction alerts. Consider a **temporary credit ban/freeze** with AU credit bureaus (Equifax, illion, Experian).
 +
 +**C) If you entered ID documents (driver’s licence, passport, Medicare)**
 +  - Contact the issuing authority to **flag** or **replace** the document number (as per their policy).
 +  - Get identity assistance: **[[https://www.idcare.org/|IDCARE]]** (AU/NZ identity support).
 +
 +**D) If you installed anything or accepted an extension**
 +  - Uninstall the app/extension. Reboot.
 +  - Run the scans listed in *Scenario A* (Defender Offline etc.).
 +  - For managed work devices: **isolate** the device and notify IT to run full EDR scans.
 +
 +**E) Tell IT/Security (work accounts)**
 +  - Send the original email (as attachment if possible) and include: your username, time clicked, data typed, files downloaded, current device state.
 +  - Expect IT to: force password resets, revoke sessions/tokens, check mail rules, scan hosts, and monitor sign-ins.
 +
 +----
 +
 +===== 3) What NOT to do =====
 +  - Don’t keep browsing the phishing site “to look around.”
 +  - Don’t reply to the attacker or use links/phone numbers provided in the email.
 +  - Don’t reuse the compromised password anywhere else.
 +
 +----
 +
 +===== 4) Aftercare (next 24–72 hours) =====
 +  - Watch your inbox for password-reset emails you didn’t initiate.
 +  - Review recent account activity/sign-ins; enable **login alerts**.
 +  - For banking: monitor transactions; keep your case reference from support.
 +  - Consider a **security check-up** (Google/Microsoft account security pages).
 +
 +----
 +
 +===== 5) Optional: Template to report to IT =====
 +(see [[https://wanip.io|wanip.io]] for info below)
 +
 +> **Subject:** Possible phishing — clicked/entered info  
 +> **When:** YYYY-MM-DD HH:MM (local time)  
 +> **From address of email:** (copy/paste)  
 +> **Link hovered/visited:** (full URL)  
 +> **What I did:** Clicked only / Entered password / Entered card# / Downloaded file (specify)  
 +> **Device & OS:** (e.g., Windows 11 laptop)  
 +> **Browser:** (e.g., Chrome)  
 +> **Actions taken so far:** Disconnected, cleared site data, Defender Offline scan, changed password, enabled MFA, notified bank, etc.  
 +> **Attachments:** Original email (.eml/.msg) and any screenshots.
 +
 +----
 +
 +===== 6) Quick Reference (one-minute flow) =====
 +  - Clicked? **Disconnect → Close → Clear site data → Scan → Report.**\
 +  - Entered info? **Change password (other device) → Enable MFA → Sign out everywhere → Remove mail rules/OAuth apps → Notify bank/IT → Report.**
 +
  
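Review bot: in Scenario B step A, after "Sign out everywhere" the checklist should also have the user review the account's recovery email/phone and the list of registered MFA methods; changing the password and removing unknown OAuth grants does not undo a recovery contact or authenticator an attacker may have added, and the existing "Third-party access" / "Apps & services" bullets are the natural place for that check. Separately, three lines end in a single `\` (the Audience and Goal lines under the new heading, and the "Clicked?" line in the Quick Reference); DokuWiki renders that as a literal backslash, so they should use `\\` as the Chrome/Edge and Windows scan lines in this same hunk already do.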
clt_email_legitimacy_checklist.1760651891.txt.gz · Last modified: by thesaint