Purpose: This drill is designed for small organisations without a dedicated cyber team.
Immediate actions
- Stop the payment process.
- Do not use contact details in the suspicious message.
- Verify using a known trusted supplier contact.
- Record who verified the request and how.
- If payment has been made, contact the bank immediately.
- Preserve emails, invoices and payment evidence.
Do not
- Do not delete evidence before it is captured.
- Do not ignore it because nothing appears to have happened.
- Do not reuse passwords.
- Do not delay reporting because it feels embarrassing.
Escalate if
- Money, customer data, staff data or business-critical services may be affected.
- You suspect criminal fraud or unauthorised access.
- You are unsure what has been exposed.
After-action review
- Was reporting simple?
- Was MFA enabled?
- Were roles clear?
- What control would reduce the chance of this happening again?
Note: Practical guidance only. Seek specialist support where personal data, money loss or criminal activity may be involved.