Incident Response Guide

I Clicked a Phishing Link

Don't panic. What actually happened depends on what you did next — here's how to find out, and exactly what to do.

Updated 7 May 2026

A phishing link is a fake link designed to trick you into doing something harmful: entering your password on a fake website, downloading malware, or handing over personal information. Phishing links arrive most commonly in emails, text messages, and social media messages, and they’re built to look legitimate: your bank, a delivery company, Netflix, or even a message that appears to come from a friend.

The word “phishing” comes from “fishing” — the attacker casts a wide net and waits for someone to bite.


Don’t Panic — But Act Fast

Clicking a phishing link doesn’t automatically mean your device is infected or your accounts are compromised. What matters most is what happened after you clicked.

Take a breath, then work through this guide.


Step 1: What Did You Do After Clicking?

Your situation depends on which of these matches you:


Scenario A — You clicked, a page opened, but you closed it immediately and didn’t do anything

Your risk is low.

The page may have tried to load something harmful, but simply visiting a page without interacting with it rarely causes serious damage — especially on phones (iPhones in particular are well-protected against this).

You should still:

  • Run a malware scan on your device (see Step 2)
  • Keep an eye on your accounts for the next few days

Scenario B — You entered your username, password, or any personal information on the page

Act immediately. Every minute counts.

Phishing pages are designed to look exactly like real websites — your bank, Google, Facebook, your workplace login. If you typed anything in and pressed submit, the attacker now has that information.

Go straight to Step 2, then Step 3.


Scenario C — You downloaded a file or installed something

This is the most serious situation.

If you opened a file that was downloaded, or clicked “Allow”, “Install”, or “Continue” on something that appeared unexpectedly — your device may have been compromised.

Go straight to Step 2 and follow it fully.


Step 2: Immediate Actions (Do This Right Now)

1. Close the page and stop interacting with it

If the page is still open, close it now. Don’t click anything on the page itself, not even an “X” or “Cancel” button it displays. Press Ctrl+W on Windows or Command+W on Mac to close the tab, or just close your browser entirely.

2. Disconnect from the internet

This sounds drastic, but it’s one of the most effective things you can do. Some malicious software needs an internet connection to fully install itself or to send your data to the attacker. Cutting the connection early can stop it.

  • On a phone: Turn on Airplane Mode
  • On a computer: Turn off Wi-Fi, or unplug the network cable

You can reconnect after you’ve run a scan (next step).

3. Run a malware scan

Use your device’s built-in security tool or antivirus software to run a full scan:

  • Windows: Open Windows Security → Virus & threat protection → Quick scan (or Full scan)
  • Mac: Use Malwarebytes (free) or your installed antivirus
  • iPhone: iPhones are very well-protected — if you only clicked a link and didn’t install anything, a scan isn’t necessary, but change your passwords if you entered any credentials
  • Android: Use Google Play Protect (Settings → Security → Google Play Protect → Scan) or a trusted antivirus app

If the scan finds anything, remove it and restart your device before continuing.


Step 3: If You Entered Any Information

If you typed in a password:

Change that password immediately — from a different, trusted device if possible.

Use our password generator to create a strong new password. It runs entirely in your browser and nothing is sent anywhere.

Then change the password on every other account where you use the same password. Attackers try stolen passwords on dozens of sites automatically.

Enable two-factor authentication (2FA) on the account if you haven’t already. This means even if someone has your password, they still can’t get in without a second confirmation — usually a code from an app on your phone.

If you entered your credit or debit card number:

Call your bank now. Don’t wait for a suspicious charge to appear. Ask them to:

  • Block the card immediately
  • Issue a replacement card
  • Check for any recent transactions you didn’t make

Your bank’s phone number is on the back of your card or on your bank’s official website.

If you entered your full name, address, ID number, or date of birth:

This information can be used for identity theft — opening loans, accounts, or contracts in your name. Monitor your credit and financial accounts closely for the next few weeks.


Step 4: Check Your Accounts for Signs of Access

Even if you didn’t enter anything, it’s worth a quick check:

  • Email: Look for sent emails you didn’t write, or login alerts from unfamiliar locations
  • Social media: Check for posts, messages, or friend requests you didn’t make
  • Banking: Check your transactions for anything unfamiliar
  • Other accounts: Look for password reset emails you didn’t request

If you find signs of unauthorised access, treat it as a hacked account — see the relevant guide for that service.


Step 5: Report It

Reporting a phishing link takes two minutes and helps protect others from the same attack.

Report the link to your browser:

  • Chrome: Click the padlock icon → “Report dangerous site”
  • Firefox: Help menu → “Report Deceptive Site”

Report to the company being impersonated: If the fake page pretended to be your bank, PayPal, or another service — forward the original phishing email to that company. Most have a dedicated address (e.g. phishing@paypal.com). Check their official website for the correct address.

Report to your national cybercrime centre: Most countries have an online reporting form. Search for “report phishing” plus your country name to find the correct page.


What NOT to Do

  • Don’t ignore it — even if nothing seems wrong right now
  • Don’t click “Unsubscribe” in the phishing email — that link may also be malicious
  • Don’t reply to the email — it confirms your address is active
  • Don’t keep using the same password on other sites
  • Don’t assume your phone is immune — phones can display convincing fake pages and steal credentials just as easily as computers

When to Contact Authorities

Contact your bank and the police immediately if:

  • Money has been taken from your account
  • Your card was charged for something you didn’t buy
  • You gave out your full banking credentials (card number, PIN, online banking password)

Contact the police if:

  • You’re being blackmailed or threatened following the incident
  • Someone is impersonating you using information you entered on the phishing page
  • Accounts or loans have been opened in your name

Don’t wait. File a report — it creates an official record needed for bank disputes, insurance claims, and account recovery.


Prevention Checklist

To avoid this happening again:

  • Check the sender address carefully before clicking any link in an email, and hover over the link first to see its real destination
  • When in doubt, go directly to the website by typing the address yourself — don’t use the link in the email
  • Use different passwords on every account (use a password generator and a password manager)
  • Enable two-factor authentication on your email, banking, and social media accounts
  • Keep your browser and operating system updated — updates fix security vulnerabilities
  • Trust your instincts — if an email creates urgency (“your account will be closed!”, “act within 24 hours!”), slow down and verify first