# Phishing Incident Response

*DeFi-Focused Incident Response Playbooks*

By [Defendefi](https://paragraph.com/@defendefi) · 2023-12-02

---

This article kicks off a wider series on DeFi-focused incident response plans and playbooks. Surprisingly, only 2% of surveyed DeFi protocols possess an incident response plan. These IRPs are designed to guide smaller protocols lacking such plans, especially in the event of an incident. Each plan in this series is intentionally generic, accommodating the distinctly unique characteristics of various incidents. The original playbooks can be found on [GitHub](https://github.com/0xKoda/DIRP/tree/main).

Scope
-----

This playbook is specifically designed to address response to a phishing link being clicked and assets subsequently drained.

1\. Preparation
---------------

*   Compile a detailed inventory of:
    *   all blockchain assets and domains controlled by the organization;
        *   crucial for avoiding errors with internal digital resources.
    *   personnel authorized to manage blockchain transactions and smart contracts.
*   Formulate communication templates:
    *   to quickly alert employees of ongoing phishing attacks targeting the company;
    *   for collaboration with hosting and blockchain service providers against malicious entities;
    *   to inform external stakeholders about potential security threats.
*   Create a new hot wallet:
    *   write down the seed phrase;
    *   quickly send any remaining funds from the compromised wallet(s).
        

2\. Identification
------------------

*   Identify the transaction hash that resulted from the phishing incident by filtering for:
    *   unusual smart contract interactions;
    *   requests from unknown wallet addresses;
    *   unexpected transaction signing requests.
*   Identify the front end and domain that incited the phishing incident:
    *   using recent browser history;
    *   inspecting recent emails that may have carried the link;
    *   triaging domains through VirusTotal and other providers.
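The following script is an added example and is not part of the original playbook. It shows one way to do the first identification step offline: take a wallet's recent transactions (here a constructed sample, not real chain data) and check each call against the address inventory compiled in Preparation, flagging the calls that phishing drains typically rely on, namely ERC-20 approvals and NFT operator approvals granted to unknown addresses, and transfers to unknown addresses. The inventory addresses, the "drainer" address and the transaction hashes are all placeholders; the four function selectors are the standard ERC-20/ERC-721 ones.

```python
"""Triage a wallet's recent transactions against the Preparation inventory,
flagging the calls that phishing drains typically rely on. Constructed sample
data; no RPC connection is needed."""
from dataclasses import dataclass
from typing import Dict, List

# Addresses the organization controls or routinely uses (constructed; in
# practice this is the inventory compiled in the Preparation step). Lowercase.
KNOWN_ADDRESSES: Dict[str, str] = {
    "0x1111111111111111111111111111111111111111": "treasury multisig",
    "0x2222222222222222222222222222222222222222": "ops hot wallet",
    "0x3333333333333333333333333333333333333333": "DEX router (vetted)",
}

# 4-byte selectors (first 4 bytes of keccak256 of the signature) for the
# ERC-20 / ERC-721 calls a drainer abuses most.
SELECTORS = {
    "095ea7b3": "approve(address,uint256)",
    "a22cb465": "setApprovalForAll(address,bool)",
    "a9059cbb": "transfer(address,uint256)",
    "23b872dd": "transferFrom(address,address,uint256)",
}
UINT256_MAX = 2**256 - 1


@dataclass
class Tx:
    tx_hash: str   # transaction hash (placeholder values in the sample below)
    to: str        # contract the wallet called
    calldata: str  # hex-encoded input data


def _body(calldata: str) -> str:
    """Lowercase hex calldata without the 0x prefix."""
    d = calldata.lower()
    return d[2:] if d.startswith("0x") else d


def _word(body: str, i: int) -> str:
    """i-th 32-byte ABI argument word following the 4-byte selector."""
    start = 8 + 64 * i
    return body[start:start + 64]


def _addr(word: str) -> str:
    """Address argument: the low 20 bytes of a 32-byte word."""
    return "0x" + word[-40:]


def _known(addr: str) -> bool:
    return addr.lower() in KNOWN_ADDRESSES


def triage(tx: Tx) -> List[str]:
    """Findings for one transaction; an empty list means nothing suspicious."""
    findings: List[str] = []
    body = _body(tx.calldata)
    fn = SELECTORS.get(body[:8])
    if fn is None:
        # Unknown function: only the destination contract can be judged.
        if not _known(tx.to):
            findings.append(f"call to unknown contract {tx.to}")
    elif fn.startswith("approve("):
        spender, amount = _addr(_word(body, 0)), int(_word(body, 1), 16)
        if not _known(spender):
            kind = "unlimited" if amount == UINT256_MAX else "limited"
            findings.append(f"{kind} ERC-20 approval to unknown spender {spender}")
    elif fn.startswith("setApprovalForAll("):
        operator, approved = _addr(_word(body, 0)), int(_word(body, 1), 16) != 0
        if approved and not _known(operator):
            findings.append(f"NFT operator approval to unknown address {operator}")
    elif fn.startswith("transfer("):
        to = _addr(_word(body, 0))
        if not _known(to):
            findings.append(f"token transfer to unknown address {to}")
    elif fn.startswith("transferFrom("):
        to = _addr(_word(body, 1))
        if not _known(to):
            findings.append(f"transferFrom sending tokens to unknown address {to}")
    return findings


def triage_all(txs: List[Tx]) -> Dict[str, List[str]]:
    """Map of tx hash -> findings, keeping only transactions with findings."""
    return {tx.tx_hash: f for tx in txs if (f := triage(tx))}


def _enc(selector: str, *args) -> str:
    """Constructed-sample helper: ABI-encode address/int arguments as 32-byte words."""
    out = selector
    for a in args:
        out += a[2:].lower().rjust(64, "0") if isinstance(a, str) else format(int(a), "064x")
    return "0x" + out


# Constructed sample: a legitimate transfer, a call with a selector we do not
# decode on a vetted router, and the two approvals that usually appear right
# after a phishing link is clicked. DRAINER is a placeholder, not a real IoC.
DRAINER = "0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef"
TOKEN = "0x4444444444444444444444444444444444444444"
NFT = "0x5555555555555555555555555555555555555555"
SAMPLE_TXS = [
    Tx("0xtx1", TOKEN, _enc("a9059cbb", "0x1111111111111111111111111111111111111111", 10**6)),
    Tx("0xtx2", "0x3333333333333333333333333333333333333333", "0x12345678" + "00" * 32),
    Tx("0xtx3", TOKEN, _enc("095ea7b3", DRAINER, UINT256_MAX)),
    Tx("0xtx4", NFT, _enc("a22cb465", DRAINER, 1)),
]

if __name__ == "__main__":
    for h, findings in triage_all(SAMPLE_TXS).items():
        print(h, "->", "; ".join(findings))
```

Run it on a real export (for example the transaction list from a block explorer) by building `Tx` objects from the `hash`, `to` and `input` fields; the flagged hashes are the ones to carry into the Response and Recovery steps. An unlimited approval to an address outside the inventory is the single strongest signal of a drainer, and it is also what must be revoked once remaining assets have been moved.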
        

3\. Response
------------

*   Immediate steps upon detection of a phishing attack:
    *   Secure and isolate affected assets and wallets.
    *   Alert internal security teams and start emergency protocols.
    *   Issue organization-wide notifications to cease all blockchain-related operations temporarily.
    *   Pause any active contracts (if possible).
    *   Begin sending any remaining assets to the new hot wallet.
*   Liaise with blockchain networks or service providers for:
    *   assistance in tracking and halting malicious activities;
    *   support in recovering compromised assets, if possible;
    *   advice on fortifying security measures post-incident.
*   Report the phishing link, contract and/or wallet address:
    *   Upload the URL to VirusTotal and other providers.
    *   Create a pull request to [MM phishing detect](https://github.com/MetaMask/eth-phishing-detect/commits/main/src/config.json) and add the URL.
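Before opening that pull request it is worth checking whether the domain is already covered. The script below is an added example, not code from the playbook or from the eth-phishing-detect project: it takes a constructed config with the same top-level keys as the linked `config.json` (`version`, `tolerance`, `fuzzylist`, `whitelist`, `blacklist`; the values are made up), normalizes each reported URL to its hostname, and classifies it with a deliberately simplified stand-in for the project's own matching (exact or subdomain match on the whitelist and blacklist, then an edit-distance check against the fuzzylist). Whatever is still unlisted is what the PR should add.

```python
"""Pre-report check of suspect URLs against an eth-phishing-detect style
config, and the blacklist entries left to propose. The matching logic is a
simplified stand-in, not the project's detector. Constructed sample config."""
import json
from typing import Dict, List

# Constructed sample mirroring the key names of the linked config.json.
SAMPLE_CONFIG: Dict = {
    "version": 2,
    "tolerance": 2,
    "fuzzylist": ["metamask.io", "example-defi.org"],
    "whitelist": ["metamask.io", "example-defi.org"],
    "blacklist": ["claim-airdrop-example.xyz"],
}


def normalize(url_or_domain: str) -> str:
    """Reduce a pasted URL to its lowercase hostname."""
    d = url_or_domain.strip().lower()
    if "://" in d:
        d = d.split("://", 1)[1]
    d = d.split("/", 1)[0].split("?", 1)[0]     # drop path and query
    d = d.rsplit("@", 1)[-1].split(":", 1)[0]   # drop userinfo and port
    return d.rstrip(".")


def _levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _on_list(domain: str, entries: List[str]) -> bool:
    """Exact match, or a subdomain of a listed domain."""
    return any(domain == e or domain.endswith("." + e) for e in entries)


def _squash(domain: str) -> str:
    """Strip separators so lookalikes differing only by punctuation compare equal."""
    return domain.replace("-", "").replace(".", "")


def classify(url_or_domain: str, config: Dict = SAMPLE_CONFIG) -> Dict[str, str]:
    """Verdict for one URL: whitelisted, blacklisted, lookalike, or unlisted."""
    d = normalize(url_or_domain)
    if _on_list(d, config["whitelist"]):
        return {"domain": d, "verdict": "whitelisted"}
    if _on_list(d, config["blacklist"]):
        return {"domain": d, "verdict": "blacklisted"}
    for legit in config["fuzzylist"]:
        dist = _levenshtein(_squash(d), _squash(legit))
        if dist <= config["tolerance"]:
            return {"domain": d, "verdict": "lookalike", "near": legit}
    return {"domain": d, "verdict": "unlisted"}


def propose_blacklist(urls: List[str], config: Dict = SAMPLE_CONFIG) -> List[str]:
    """Hostnames not yet covered by any list, sorted, ready for config['blacklist']."""
    verdicts = (classify(u, config) for u in urls)
    return sorted({v["domain"] for v in verdicts if v["verdict"] == "unlisted"})


def updated_config_json(urls: List[str], config: Dict = SAMPLE_CONFIG) -> str:
    """The config with the new entries merged into the blacklist, as JSON text."""
    cfg = dict(config)
    cfg["blacklist"] = sorted(set(config["blacklist"]) | set(propose_blacklist(urls, config)))
    return json.dumps(cfg, indent=2)


# Constructed sample reports: one legitimate subdomain, one already blacklisted,
# one typo-squat of a fuzzylist entry, and one brand-new domain. None are real IoCs.
SAMPLE_REPORTS = [
    "https://app.metamask.io/",
    "https://claim-airdrop-example.xyz/connect",
    "http://metamsk.io/",
    "https://wallet-sync-drainer.example/verify?x=1",
]

if __name__ == "__main__":
    for u in SAMPLE_REPORTS:
        print(u, "->", classify(u))
    print("to add:", propose_blacklist(SAMPLE_REPORTS))
```

A domain that comes back `lookalike` is already caught by the fuzzy matching and does not need a new entry; `unlisted` ones do. The real detector applies more normalization than this (the project's code is the reference for that), so treat this as a quick local filter before reading the repository's contribution guidelines.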
        

4\. Recovery
------------

*   Analyze the incident to determine:
    *   the point of entry and methods used in the phishing attack;
    *   the full extent of damages, including asset loss and data compromise (if any);
    *   necessary improvements in security protocols and staff training for prevention.
*   Develop a recovery strategy encompassing:
    *   steps for safe resumption of all operations;
    *   a stock-take of new and old wallets following the incident;
    *   preventative measures against future incidents;
    *   communication plans to restore trust with affected parties.
        

![](https://storage.googleapis.com/papyrus_images/d102cc9f8f8623943ab5aa13965f674a.png)

### Additional Resources

*   [MetaMask Eth Phishing Detect](https://github.com/MetaMask/eth-phishing-detect/tree/main)
    
*   [Wallet Guard](https://www.walletguard.app/)
    
*   [MetaSleuth](https://metasleuth.io/)

---

*Originally published on [Defendefi](https://paragraph.com/@defendefi/phishing-incident-response)*
