TL;DR: When a security incident is happening, people panic and forget what to do. This quick reference card gives your staff a clear, simple set of actions for the most common security scenarios — phishing, suspicious links, lost devices, and compromised accounts. Print it, laminate it, and put it somewhere visible.
How to Use This Resource
This quick reference card is designed to be printed and distributed to all staff. It should live somewhere visible — attached to a monitor, in a drawer, or on a noticeboard — so that when something suspicious happens, staff know exactly what to do without having to think under pressure.
The key principle across all scenarios: Act quickly. Do not try to handle it alone. Call IT.
Quick Reference Card: Print Version
IF YOU RECEIVE A SUSPICIOUS EMAIL
Signs of a suspicious email:
- Unexpected email from someone you know that requests an unusual action
- Urgency (“Act now”, “Within 24 hours”)
- Request to click a link, open an attachment, or make a payment
- Sender email address does not match who they claim to be
- Generic greeting (“Dear Customer”)
- Mismatched URLs (hover over links — the actual destination differs from the display text)
What to do:
- Do not click any links. Do not open any attachments.
- Do not reply to the email.
- Report it: Click “Report Phishing” in Outlook, or forward to: [IT security email — fill in]
- If you are unsure whether it is real: contact the sender by phone (not by replying to the email) to verify.
IF YOU CLICKED A SUSPICIOUS LINK OR OPENED A SUSPICIOUS ATTACHMENT
Do not wait to see what happens. Call IT immediately.
- Stay on the page (do not close the browser — IT may need to see it)
- Do not enter any credentials if a login page appeared
- Call IT helpdesk now: [Phone number — fill in]
- If it is after hours: [After-hours IT number — fill in]
- Do not shut down your computer unless IT tells you to
What to tell IT:
- What you clicked / opened
- When it happened
- What happened after (a login page appeared, a file was downloaded, nothing visible happened)
IF YOU ENTERED YOUR PASSWORD ON A SUSPICIOUS SITE
- Change your Microsoft 365 password immediately at account.microsoft.com
- Call IT to report the incident
- IT will revoke your active sessions and check for any suspicious activity
- Do not reuse the same password on any other account
IF YOUR DEVICE IS LOST OR STOLEN
Call IT immediately — time matters. A remote wipe can be performed quickly.
- Call IT helpdesk: [Phone number — fill in]
- Provide: Device type, model, last known location, when you last had it
- IT will initiate a remote wipe via Microsoft Intune
- File a police report if stolen (required for insurance claims)
- Change your Microsoft 365 password from another device
If your device contained sensitive client data: Tell IT so the appropriate notifications can be considered.
IF YOU SUSPECT YOUR EMAIL ACCOUNT HAS BEEN HACKED
Signs: Emails you did not send, colleagues receiving strange emails from you, unexpected password reset emails, login alerts from unfamiliar locations.
- Call IT immediately: [Phone number — fill in]
- IT will: revoke all active sessions, change your password, check for forwarding rules, review sign-in history
- Do not try to fix it yourself — you may inadvertently destroy evidence
- If you received a genuine MFA notification for a login you did not initiate: Deny the request and immediately call IT
IF YOU RECEIVE A SUSPICIOUS PHONE CALL
Signs: Caller claims to be from Microsoft, your IT provider, the ATO, or a bank. Requests remote access to your computer or asks for your password or MFA code.
- Do not provide any codes, passwords, or remote access
- Hang up
- If you are unsure if the call was genuine: hang up and call the organisation back on their published number (not any number given in the call)
- Report suspicious calls to IT
Important: Your IT provider will never call you and ask for your password or MFA code. Neither will Microsoft. Neither will the ATO.
IF YOU SUSPECT RANSOMWARE
Signs: Files have strange extensions, a ransom note has appeared, your computer is running very slowly, multiple colleagues report the same problem.
- Disconnect from the network immediately — unplug the ethernet cable, turn off Wi-Fi
- Do NOT shut down the computer
- Call IT immediately: [Phone number — fill in]
- Alert your manager and IT immediately
IF YOU RECEIVE AN UNUSUAL PAYMENT REQUEST BY EMAIL
Signs: Email requests a payment, asks you to change bank account details, or asks you to process a transfer urgently.
- Do not process any payment based on email instruction alone
- Call the apparent sender on a known phone number (not any number in the email) to verify
- This applies even if the email appears to come from the CEO, your manager, or a trusted supplier
Important Contact Numbers
Fill in these numbers before printing and distributing.
| Contact | Details |
|---|---|
| IT Helpdesk (business hours) | |
| IT Emergency (after hours) | |
| IT Manager direct | |
| Cyber Insurance Claims (24hr) | |
| Company Director / CEO | |
The Golden Rules (Memorise These)
- If something seems wrong — call IT. Do not try to fix it yourself.
- Never provide your password or MFA code to anyone, ever.
- Verify payment requests by phone. Always.
- Call your bank immediately if a fraudulent payment was made.
- Speed matters — every minute of delay in an incident makes it worse.
For IT: Deploying This Card
Distribution: Email as a PDF to all staff. Print and laminate a copy for every workstation.
New staff: Include in IT onboarding as a physical handout, reviewed during the onboarding walkthrough.
Update frequency: Review annually or when IT contact details change. Outdated contact numbers are the most common reason staff cannot reach IT during an incident.
Training reinforcement: Use the scenarios on this card as discussion topics in team meetings or security awareness sessions. Walk through “what would you do if…” for each scenario.
For more detailed guidance on phishing identification, see Phishing Email Examples Swipe File.
For the complete incident response procedure for IT and management, see Cyber Breach Response Playbook.
If you want help running security awareness training for your team, book a Right Fit Call with CX IT Services.