By Carolyn Rohaly, President, CPRS Vancouver Chapter
CPRS Vancouver recently experienced a phishing attempt: an impersonation email was sent to several board members, claiming to be from me, requesting an urgent e-transfer to cover "administrative expenses" for a fake event. The message mimicked familiar leadership language and tried to create a false sense of urgency.
Thankfully, no one took the bait. But the incident is a timely reminder that phishing scams can—and do—target everyone, even communications professionals.
To help you when you face a similar situation, this blog post will cover:
- How to respond quickly to phishing using crisis communication best practices
- How to build a proactive communications plan for phishing and cybersecurity threats
1. Initial Response to Phishing Using SCCT: A Professional Guide
Dr. Timothy Coombs’s Situational Crisis Communication Theory (SCCT) emphasizes tailoring your response based on the type of crisis, the perceived responsibility, and interest-holder expectations. Phishing attempts fall under the category of “victim crises”—meaning the organization is a target, not a perpetrator.
According to SCCT, in a victim crisis, the priority should be informing, correcting misinformation, and reassuring interest-holders. Here’s how CPRS members can apply these principles:
✅ Step 1: Recognize and Validate
Immediately acknowledge the phishing attempt—internally and, if necessary, externally. Transparency protects your credibility.
Example: “An unauthorized party sent an email impersonating a board member. No funds were transferred, and we are taking this seriously.”
✅ Step 2: Instructive Communication
Let interest-holders know what they should do next (e.g., delete the message, don’t click, don’t reply). SCCT highlights the importance of clear, action-oriented guidance in reducing harm.
✅ Step 3: Express Concern and Reassure
Even if you’re not at fault, empathetic messaging helps maintain trust:
“We understand this kind of scam can be concerning and we’re grateful to our members for staying vigilant.”
✅ Step 4: Corrective Action
Detail the steps you’re taking to reduce future risks (e.g., enhanced email verification, educating your team). This reinforces accountability and shows you're strengthening protections.
2. How to Build a Phishing Communications Plan Using Crisis Preparedness Principles
Even if phishing doesn’t cause harm, your response shows how seriously you take security. A plan helps ensure your messaging is timely, consistent, and professional.
🔹 A. Crisis Typology and Response Strategy
Use SCCT to pre-categorize phishing as a victim-type crisis, and prepare messages based on that classification:
- Instructive (what action to take)
- Adjustive (what’s being done to fix/prevent)
- Reassuring (empathy, transparency, confidence)
🔹 B. Pre-Approved Messaging Templates
Create templates for:
🔹 C. Spokesperson Protocol
Identify your default spokesperson—usually someone from leadership or communications—and ensure they understand tone, timing, and transparency principles.
🔹 D. Monitoring and Escalation Flow
Set up a process to:
- Report suspicious messages
- Escalate serious attempts to IT or cyber authorities
- Monitor for ongoing impersonation or brand misuse
🔹 E. Regular Training and Simulations
Incorporate phishing recognition and reporting into your staff onboarding, volunteer orientation, and annual training calendar.
Final Thoughts
When responding to a crisis, remember that a well-managed response can actually enhance an organization’s reputation—especially if interest-holders view the organization as a victim that handled the situation appropriately.
CPRS Vancouver’s experience is a reminder that credibility is built not just by avoiding crises, but by responding to them ethically, transparently, and thoughtfully. By applying the principles of SCCT and preparing in advance, communications professionals can lead with clarity even during moments of uncertainty.
Resources
Coombs, W. Timothy (2014). Ongoing Crisis Communication: Planning, Managing, and Responding (4th ed.). SAGE Publications.
Reply All Podcast (2017). What Kind of Idiot Gets Phished?