CompTIA CySA+ (CS0-003) — Question 100
A payroll department employee was the target of a phishing attack in which an attacker impersonated a department director and requested that direct deposit information be updated to a new account. Afterward, a deposit was made into the unauthorized account. Which of the following is one of the first actions the incident response team should take when they receive notification of the attack?
Answer options
- A. Scan the employee's computer with virus and malware tools
- B. Review the actions taken by the employee and the email related to the event
- C. Contact human resources and recommend the termination of the employee
- D. Assign security awareness training to the employee involved in the incident
Correct answer: B
Explanation
The correct action is to review the employee's actions and the relevant email, because doing so helps the team understand the specifics of the incident and gather evidence. Scanning the computer may not be immediately useful without context. Contacting HR for termination is premature, and assigning training does not address the immediate security concern.