
I Clicked a Phishing Link — What to Do Next (Immediately)

IsThisAScam Research Team · March 19, 2026 · 8 min read

Contents
  • First 10 Minutes: Stop the Bleeding
    • 1. Disconnect from the internet
    • 2. Don't enter anything else
    • 3. Take screenshots
    • 4. Close the phishing page
  • Scenario A: You Clicked But Didn't Enter Any Information
  • Scenario B: You Entered Your Password
  • Scenario C: You Entered Financial Information
  • Scenario D: You Downloaded or Installed Something
  • The Week After: Follow-Up Actions
  • Special Situations
    • You Clicked on Your Work Computer
    • You Clicked on Your Phone
    • You Scanned a QR Code That Turned Out to Be Malicious
  • How to Prevent This from Happening Again
  • Going Forward

You clicked the link. Maybe you realized it the moment the page loaded. Maybe you entered your password before the design looked "off." Either way, don't panic — but act fast. What you do in the next few minutes matters much more than what you did wrong. Here's the exact playbook, organized by urgency.

First 10 Minutes: Stop the Bleeding

1. Disconnect from the internet

If you suspect malware was downloaded (you saw a file download, a pop-up about installing something, or your browser behaved strangely), disconnect your device from Wi-Fi or unplug the ethernet cable. This prevents malware from communicating with the attacker's server or spreading to other devices on your network.

On a phone: turn on airplane mode.

2. Don't enter anything else

If the phishing page is still open, don't interact with it further. Don't try to "test" it by entering fake credentials — some phishing pages install malware through your browser regardless of what you type.

3. Take screenshots

Before closing anything, screenshot the phishing page, the URL in the address bar, and the email or message that led you there. You'll need these for reporting and for your own records. Save them somewhere outside the potentially compromised device if possible (e.g., take a photo with your phone if you're on your computer).

4. Close the phishing page

Close the browser tab. If the page won't close normally, force-quit your browser:

  • Windows: Ctrl + Alt + Delete → Task Manager → select browser → End Task
  • Mac: Cmd + Option + Escape → select browser → Force Quit
  • iPhone: Swipe up from bottom, swipe the browser app away
  • Android: Tap the square button, swipe the browser away

Scenario A: You Clicked But Didn't Enter Any Information

If you clicked the link but closed the page without entering credentials, downloading files, or granting permissions, your risk is lower — but not zero. Modern phishing pages can sometimes exploit browser vulnerabilities just by loading.

  1. Clear your browser cache and cookies. Go to browser settings → Privacy → Clear browsing data. Select "Cookies" and "Cached images and files."
  2. Run an antivirus scan. Use your existing antivirus software or download a reputable free scanner (Malwarebytes has a free version). Run a full system scan, not a quick scan.
  3. Check your downloads folder. Look for any files that were downloaded without your consent. Delete anything you didn't intentionally download.
  4. Update your browser. Ensure you're running the latest version to patch any known vulnerabilities.

If the scan comes back clean and you didn't notice anything unusual, you're likely fine. Stay alert for unusual account activity over the next few days.

Scenario B: You Entered Your Password

This is the most common situation. You typed your credentials into what looked like a login page before realizing it was fake. Act immediately:

  1. Change the compromised password right now. Go directly to the real website (type the URL yourself — don't click any links) and change your password. If the attacker has already changed it, use the "Forgot password" flow to regain access through your email.
  2. Change that password everywhere else you use it. If you reuse passwords (most people do), change it on every site where you've used the same or similar password. This is the #1 reason to use a password manager — you only need to change one password per breach instead of twenty.
  3. Enable two-factor authentication (2FA). If the compromised account offers 2FA and you haven't set it up yet, do it now. Use an authenticator app (Google Authenticator, Authy) rather than SMS when possible.
  4. Check for unauthorized activity. Log into the compromised account and review:
    • Recent login history (location, device, time)
    • Connected apps or authorized third-party services
    • Recovery email and phone number (make sure the attacker didn't change these)
    • Any forwarding rules set up in email accounts
    • Recent sent messages (attackers sometimes use compromised accounts to phish your contacts)
  5. Revoke active sessions. Most services have an option to "Sign out of all devices" in security settings. Use it.

Scenario C: You Entered Financial Information

If you entered credit card numbers, bank account details, or Social Security numbers:

  1. Call your bank or credit card company immediately. Tell them your card details were compromised in a phishing attack. They'll freeze your card and issue a new one. Most banks have 24/7 fraud hotlines — the number is on the back of your card.
  2. Place a fraud alert on your credit. Contact one of the three credit bureaus (Equifax, Experian, or TransUnion) and request a fraud alert. They're required to notify the other two. This makes it harder for scammers to open new accounts in your name.
  3. Consider a credit freeze. A freeze is stronger than a fraud alert — it prevents anyone (including you) from opening new credit accounts until you lift it. You'll need to contact each bureau individually to freeze and unfreeze.
  4. Monitor your accounts daily for the next month. Set up transaction alerts on your bank accounts if you haven't already.
  5. File an FTC report at identitytheft.gov if personal identification information (SSN, driver's license) was compromised.

Scenario D: You Downloaded or Installed Something

If a file was downloaded — or worse, if you ran an executable, enabled macros in a document, or installed an application from the phishing link:

  1. Disconnect from the internet immediately. This limits the malware's ability to exfiltrate data or download additional payloads.
  2. Don't log into any accounts on the compromised device. Keyloggers capture everything you type.
  3. Run a full antivirus scan. Boot into Safe Mode if possible (this prevents most malware from running during the scan). On Windows: hold Shift while clicking Restart → Troubleshoot → Advanced → Startup Settings → Safe Mode with Networking.
  4. Change passwords from a different device. Use your phone or another computer to change passwords for important accounts — email, banking, social media.
  5. Check for unfamiliar programs. Look in your installed programs list (Windows: Settings → Apps; Mac: Applications folder) for anything you don't recognize.
  6. If in doubt, consult a professional. If the malware persists after scanning, or if you're unsure whether your device is clean, consider a professional cleanup or a full system reset.
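The downloads-folder check from Scenario A (step 3) and the file download that opens Scenario D can be done without opening anything. The script below is an added example, not part of the original guide: it lists files that arrived after the click, flags types that can run code, and records a SHA-256 you can hand to IT or an antivirus vendor. The function names, the extension list and the two-hour window are assumptions.

```python
import hashlib
import time
from pathlib import Path

# Assumption: file types treated as able to run code; extend for your platform.
RISKY = {".exe", ".msi", ".scr", ".bat", ".cmd", ".ps1", ".vbs", ".js", ".jar",
         ".lnk", ".iso", ".dmg", ".pkg", ".apk", ".docm", ".xlsm", ".pptm"}

def sha256_of(path: Path) -> str:
    """Hash the file in chunks; reading bytes does not execute the file."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def recent_downloads(folder, since_epoch):
    """Files directly in `folder` that appeared at or after `since_epoch`,
    newest first. Some download tools keep the server's timestamp as the
    modification time, so the later of mtime and ctime is used."""
    rows = []
    for p in Path(folder).iterdir():
        if not p.is_file():
            continue
        st = p.stat()
        seen = max(st.st_mtime, st.st_ctime)
        if seen >= since_epoch:
            rows.append({"name": p.name, "seen": seen,
                         "risky": p.suffix.lower() in RISKY,
                         "sha256": sha256_of(p)})
    return sorted(rows, key=lambda r: r["seen"], reverse=True)

if __name__ == "__main__":
    # Assumption: the click happened within the last two hours.
    cutoff = time.time() - 2 * 3600
    for r in recent_downloads(Path.home() / "Downloads", cutoff):
        flag = "RISKY" if r["risky"] else "     "
        print(flag, time.ctime(r["seen"]), r["sha256"], r["name"])
```

Anything flagged that you did not intentionally download should be left unopened and removed or handed to whoever is cleaning the device.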

The Week After: Follow-Up Actions

Regardless of which scenario applies to you:

  1. Report the phishing attempt. Forward the email to the company being impersonated and to your email provider's phishing report. File reports with the FTC and IC3 if financial loss occurred. See our complete reporting guide for details.
  2. Warn your contacts. If your account was compromised, the attacker may use it to phish your contacts. Send a brief message through a verified channel letting people know to ignore any unusual messages from your account.
  3. Set up credit monitoring. Many banks offer free monitoring after a fraud event. You can also use annualcreditreport.com to check your reports.
  4. Audit your password hygiene. Use a password manager to generate unique passwords for every account. Enable 2FA everywhere it's available.
  5. Learn from the experience. Review what made this phishing attempt convincing. Was it the timing? The urgency? The accurate branding? Understanding what tripped you up makes you more resistant to future attempts.

Special Situations

You Clicked on Your Work Computer

If this happened on a company device or while connected to your work network, notify your IT department immediately — even if you're embarrassed. Corporate phishing can lead to company-wide breaches, ransomware deployment, and data exfiltration. The sooner IT knows, the sooner they can contain the damage. Most security teams will appreciate the quick reporting far more than they'll judge you for clicking.

Your IT team may want to:

  • Isolate your device from the network
  • Check for lateral movement (the attacker spreading to other systems)
  • Reset your enterprise credentials
  • Scan your device and any shared resources you accessed
  • Review email and network logs for suspicious activity

You Clicked on Your Phone

Mobile phishing carries slightly different risks. Phones are generally more resistant to drive-by malware than computers, especially iPhones with their sandboxed app architecture. However:

  • If you entered credentials into a phishing page on your phone, the credentials are just as compromised as if you'd done it on a computer
  • If the phishing page prompted you to install a profile (iOS) or download an APK (Android), that's more dangerous than a simple page load. On iOS, go to Settings → General → VPN & Device Management and remove any profiles you don't recognize. On Android, check your installed apps for anything unfamiliar.
  • If the page requested notification permissions, go to your notification settings and revoke access — scammers use browser notifications to send ongoing phishing messages

You Scanned a QR Code That Turned Out to Be Malicious

QR code phishing (quishing) is functionally the same as clicking a link — the QR code just delivered the URL differently. Follow the same steps above based on what happened after the page loaded. The additional concern with QR codes is that you can't hover over them to preview the URL, so you may not have noticed the domain was wrong until after the page loaded.

How to Prevent This from Happening Again

  1. Use a password manager. A password manager only auto-fills credentials on the correct domain. If you land on paypa1.com instead of paypal.com, the password manager won't offer to fill in your PayPal credentials — a built-in phishing detector.
  2. Enable phishing-resistant MFA. Hardware security keys (like YubiKey) verify the actual website domain during authentication, so they can't be phished. Authenticator apps are the next best option. SMS-based MFA is better than nothing but can be intercepted.
  3. Keep your browser and OS updated. Many phishing pages try to exploit browser vulnerabilities. Updates patch these vulnerabilities, often within days of discovery.
  4. Use DNS-level protection. Services like Cloudflare's 1.1.1.1 for Families or Quad9 (9.9.9.9) block known malicious domains at the DNS level, preventing your device from even connecting to the phishing server.
  5. Develop the "hover" habit. Before clicking any link in an email, hover to check the URL. On mobile, long-press. This single habit prevents the majority of phishing clicks.
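The domain check behind items 1 and 5, as an added example that is not code from any password manager or from the original guide: it extracts the host a link really points to and applies a simplified "saved domain or a subdomain of it" rule. The function names and every sample URL except paypa1.com are constructed for illustration, and real password managers apply their own matching rules.

```python
from urllib.parse import urlsplit

def real_host(url: str) -> str:
    """Host the browser will actually contact: lowercased, ASCII (punycode),
    with any 'user@' prefix and port stripped. Empty string if unparsable."""
    try:
        host = urlsplit(url.strip()).hostname or ""
        host = host.encode("idna").decode("ascii")
    except (ValueError, UnicodeError):
        return ""
    return host.rstrip(".")

def autofill_allowed(saved_domain: str, url: str) -> bool:
    """Simplified model of the check: offer the saved login only when the
    page's host is the saved domain itself or a subdomain of it."""
    host = real_host(url)
    saved = saved_domain.lower().rstrip(".")
    return bool(host) and (host == saved or host.endswith("." + saved))

# Constructed sample links; only paypa1.com comes from the article.
SAMPLES = [
    "https://www.paypal.com/signin",              # genuine subdomain
    "https://paypa1.com/signin",                  # digit 1 in place of letter l
    "https://paypal.com.account-check.example/",  # brand used as a subdomain label
    "https://paypal.com@login.example/reset",     # brand placed before the '@'
    "https://p\u0430ypal.com/",                   # Cyrillic 'a' look-alike
    "https://notpaypal.com/",                     # brand as the tail of another name
]

def triage(saved_domain: str, urls):
    """Return (real host, would autofill?) for each URL."""
    return [(real_host(u), autofill_allowed(saved_domain, u)) for u in urls]

if __name__ == "__main__":
    for host, ok in triage("paypal.com", SAMPLES):
        print(f"{'fill' if ok else 'BLOCK':5}  {host}")
```

The printed host is what to read when hovering or long-pressing a link: the text before an `@` and any brand name used as a left-hand subdomain label do not decide where the link goes.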

Going Forward

Everyone clicks a bad link eventually. Phishing is designed by professionals who study human psychology — falling for it doesn't mean you're careless. What matters is how quickly you respond.

For future suspicious messages, paste them into IsThisAScam before clicking any links. The tool analyzes the content for scam patterns and tells you whether it's safe — in seconds, before you're at risk.
