# Phishing Incident Response > Defi Focused Incident Response Playbooks **Published by:** [Defendefi](https://paragraph.com/@defendefi/) **Published on:** 2023-12-02 **URL:** https://paragraph.com/@defendefi/phishing-incident-response ## Content This article kicks off a wider series on DeFi-focused incident response plans and playbooks. Surprisingly, only 2% of surveyed DeFi protocols possess an incident response plan. These IRPs are designed to guide smaller protocols lacking such plans, especially in the event of an incident. Each plan in this series is intentionally generic, accommodating the distinctly unique characteristics of various incidents. The original playbooks can be found on Github.ScopeThis playbook is specifically designed to address response to a phishing link being clicked and assets subsequently drained.1. PreparationCompile a detailed inventory ofall blockchain assets and domains controlled by the organization.Crucial for avoiding errors with internal digital resources.personnel authorized to manage blockchain transactions and smart contracts.Formulate communication templatesto quickly alert employees of ongoing phishing attacks targeting the company.for collaboration with hosting and blockchain service providers against malicious entities.to inform external stakeholders about potential security threats.Create a new hot-walletwrite down seed phrasequickly send any remaining funds from compromized wallet/s2. IdentificationIdentify the transaction hash that resulted from the phishing incident:Filter though unusual smart contract interactions.Requests from unknown wallet addresses.Unexpected transaction signing requests.Identify the front end and domain that incited the phishing incident:Using recent browser history.Inspect recent emails that may have transported the link.Triage domains though Virus Total and other providers.3. ResponseImmediate steps upon a phishing attack detection:Secure and isolate affected assets and wallets.Alert internal security teams and start emergency protocols.Issue organization-wide notifications to cease all blockchain-related operations temporarily.Pause any active contracts (if possible).Begin sending any remaining assets to new hot-walletLiaise with blockchain networks or service providers for:Assistance in tracking and halting malicious activities.Support in recovering compromised assets, if possible.Advice on fortifying security measures post-incident.Report the phishing link, contract and or wallet address:Upload URL to virus total and other providers.Create a pull request to MM phishing detect and add the URL.4. RecoveryAnalyze the incident to determine:The point of entry and methods used in the phishing attack.The full extent of damages, including asset loss and data compromise (if any).Necessary improvements in security protocols and staff training for prevention.Develop a recovery strategy encompassing:Steps for safe resumption of all operations.Stock-take of new and old wallets following incident.Preventative measures against future incidents.Communication plans to restore trust with affected parties.Additional ResourcesMetaMask Eth Phishing DetectWallet GuardMetaSleuth ## Publication Information - [Defendefi](https://paragraph.com/@defendefi/): Publication homepage - [All Posts](https://paragraph.com/@defendefi/): More posts from this publication - [RSS Feed](https://api.paragraph.com/blogs/rss/@defendefi): Subscribe to updates ## Optional - [Collect as NFT](https://paragraph.com/@defendefi/phishing-incident-response): Support the author by collecting this post - [View Collectors](https://paragraph.com/@defendefi/phishing-incident-response/collectors): See who has collected this post