What to do after a phishing attack? (step-by-step guide for SMBs)
It happens more often than you'd think. An employee opens an email that looks perfectly legitimate — from the bank, a supplier, or Microsoft — and clicks a link. Only afterwards does it turn out to be a phishing attack. So what now? What do you do as a small business in Belgium when the damage is already done?
In practice, we see that many small businesses freeze at that point. They don't know what the first step is, who to call, or how serious it actually is. That's understandable — you're a business owner, not an IT specialist. But the faster you react, the smaller the damage.
This step-by-step guide helps you respond in a structured way when things go wrong.
Step 1: Don't panic, but act quickly
The most important thing: stay calm, but don't wait. A phishing attack at a small business can escalate within minutes. Think about access to your mailbox, bank details, or customer data.
What you should do immediately:
- Disconnect the affected device from the internet (turn off Wi-Fi, unplug the network cable). This limits any potential spread.
- Stop using the device until it's been checked.
- Write down exactly what happened: which link was clicked, what information was entered, and at what time.
That information is incredibly valuable afterwards — both for your IT partner and for any required reporting.
Step 2: Change passwords immediately
Did the employee enter login credentials on a fake page? Then you have to assume those credentials are compromised.
Do this immediately:
- The password of the affected account (Microsoft 365, email, CRM…)
- Passwords of any other accounts where the same password was used (yes, unfortunately that's still very common)
- Enable multi-factor authentication (MFA) if it's not already active — this is the single best way to prevent further damage
In practice, we see that MFA still isn't enabled by default at many Belgian businesses. That's a risk you can fix today.
Step 3: Check for suspicious activity
Log into your Microsoft 365 admin centre (or have your IT partner do this) and check:
- Sign-in activity: are there logins from unknown locations or devices?
- Mail rules: hackers often set up automatic forwarding rules so they can keep reading your emails unnoticed
- Sent items: have emails been sent from your employee's account to customers or suppliers?
That last one is particularly unpleasant. Imagine your customers receiving a phishing email from your business. That's not just a security problem — it's a reputation problem.
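The three checks above can be done in the admin centre, but an IT partner will usually run them from PowerShell so nothing is missed. The script below is an added example, not part of the original guide; it assumes the ExchangeOnlineManagement module is installed, an Exchange admin account, unified audit logging enabled in the tenant, and a placeholder mailbox address that you replace with the affected employee's.

```powershell
# Added example (not part of the original guide). Assumes the ExchangeOnlineManagement
# module is installed and the account running it has Exchange admin rights.
$Mailbox = "affected.user@example.com"   # placeholder: the affected employee's mailbox
$Since   = (Get-Date).AddDays(-7)        # look back one week; widen if the click was earlier

Connect-ExchangeOnline

# 1. Mail rules: inbox rules that forward, redirect or silently delete mail are the
#    classic sign that someone is still reading the mailbox after a password reset.
Write-Host "== Suspicious inbox rules =="
Get-InboxRule -Mailbox $Mailbox |
    Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or $_.DeleteMessage } |
    Select-Object Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo, DeleteMessage, MoveToFolder

# Forwarding can also be set on the mailbox itself, outside any inbox rule.
Write-Host "== Mailbox-level forwarding =="
Get-Mailbox -Identity $Mailbox |
    Select-Object DisplayName, ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward

# 2. Sent items: who received mail from this account in the period, and when.
#    Unexpected recipients (customers, suppliers) mean Step 4 applies to them.
Write-Host "== Messages sent from the account =="
Get-MessageTrace -SenderAddress $Mailbox -StartDate $Since -EndDate (Get-Date) |
    Sort-Object Received |
    Select-Object Received, RecipientAddress, Subject, Status

# 3. Sign-in activity and rule changes from the unified audit log. The details
#    (IP address, operation) live in the AuditData JSON, so expand it per record.
Write-Host "== Logins and rule changes (audit log) =="
Search-UnifiedAuditLog -StartDate $Since -EndDate (Get-Date) -UserIds $Mailbox `
    -Operations UserLoggedIn, New-InboxRule, Set-InboxRule -ResultSize 500 |
    ForEach-Object {
        $d = $_.AuditData | ConvertFrom-Json
        [pscustomobject]@{ Time = $d.CreationTime; Operation = $d.Operation; ClientIP = $d.ClientIP }
    } |
    Sort-Object Time

# Once a malicious rule is confirmed, remove it by name (uncomment after review):
# Remove-InboxRule -Mailbox $Mailbox -Identity "<rule name>"
```

Logins from an IP address or country the employee never works from, or a rule created minutes after the phishing click, are the findings to write down for Step 5.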
Step 4: Inform your team and contacts
Honesty is always the best policy. Let your colleagues know there's been a phishing incident so they can be extra alert. And if emails were sent from the affected account, contact the recipients as well.
A short message is enough: "We've had a security incident. Have you received a suspicious email from us? Please don't open it and delete it."
Transparent communication shows professionalism — not weakness.
Step 5: Report to the right authorities
In Belgium, you may be legally required to report a data breach to the Data Protection Authority (GBA). This applies when personal data may have been leaked — think names, email addresses, or financial details of customers.
You can also report the incident to the Centre for Cybersecurity Belgium (CCB) through their reporting portal. They offer useful resources for small businesses as well.
Not sure whether you're required to report? Ask your IT partner. Better to report once too many than once too few.
Step 6: Have the device checked
Before the affected device is used again, have it thoroughly checked. In some cases, malware was installed without anyone noticing — for example, a keylogger that records passwords.
A quick virus scan usually isn't sufficient. Leave this to someone with experience. In the worst case, the device may need to be completely reset.
Step 7: Prevent it from happening again
Responding to an incident is one thing. Making sure it doesn't happen again is just as important.
Some practical measures we often recommend to small businesses in Limburg and the surrounding area:
- Enable MFA on all accounts — not just for the owner, but for everyone
- Give awareness training to your team. Not a dry presentation, but concrete examples: "This is what a phishing email looks like, and here's what to watch out for"
- Set up email filtering in Microsoft 365 to automatically block suspicious messages
- Regularly review your security settings — at least once per quarter
It doesn't have to be expensive or complex. Often it's small changes that make a big difference.
How common is phishing among small businesses in Belgium?
More common than you'd expect. Small businesses are actually a popular target, precisely because they're often less protected than large organisations. The attacks are also becoming increasingly sophisticated — with emails that are almost indistinguishable from the real thing.
This isn't something that only happens to others. If you have a business with five employees and use Microsoft 365, you're a potential target.
Conclusion
A phishing attack is unpleasant, but it doesn't have to be a disaster — provided you react quickly and correctly. With this step-by-step guide, you know exactly what to do when things go wrong.
But even better: make sure you're prepared before it happens. A few simple measures can already make your business significantly more resilient.
Not sure if your business is well protected against phishing? I help small businesses in Limburg with practical and personal IT support — from security to day-to-day IT management.