If you clicked a phishing link, do not panic. Take these steps in order, and skip any that clearly do not apply to you. Clicking the link is rarely the moment the damage is done. The real risk is what came next: a page that asked for your password, or a file the link tried to download. If neither happened, you are probably fine and only need to stay watchful.
Do these now, in order
-
Disconnect if a file downloaded. If clicking the link started a download, or a page told you to install an app or "update" something, disconnect that device from the internet. Turn off Wi-Fi and mobile data so whatever landed cannot reach out or spread. If you only saw a web page and nothing downloaded, skip this one.
-
Run a full malware scan. On the device you used, update your security software and run a full scan, then let it remove anything it flags. This is the step US and UK authorities point to first when a link may have installed something. If the scan comes back clean and nothing downloaded, your device is very likely untouched.
-
Change your passwords and turn on two-factor authentication. If you typed a password into the page, treat that account as compromised. From a device you trust, change its password, then change it on every other account that used the same one. Reused passwords are how a single phished login turns into five compromised accounts. After that, turn on two-factor authentication wherever the account offers it, so a stolen password on its own is no longer enough to get in.
-
Call your bank if money or card details were involved. If you entered card or banking details, contact your bank or card issuer straight away. You can usually cancel or freeze the card in the banking app, and the bank can watch for or reverse fraudulent charges. Keep checking your statements for anything you do not recognize.
-
Report the phishing. If the link reached a work account or device, tell your IT team or employer first, so they can protect everyone else. Then report the message itself: forward a phishing email to the Anti-Phishing Working Group at reportphishing@apwg.org and a phishing text to 7726, and report it to the FTC at ReportFraud.ftc.gov. In the UK, forward suspicious emails to report@phishing.gov.uk. Reporting is not busywork; it helps providers take the fake site down faster.
-
Watch for follow-on fraud. Keep an eye on your accounts and statements for the next few weeks. Phishing often leads to a second attempt built on what the attacker just learned about you. If personal information was exposed, IdentityTheft.gov gives US residents a step-by-step recovery plan tailored to exactly what was lost.
How worried should you be?
It depends on what you did after the click, not on the click itself. Opening a phishing page rarely infects a modern, updated device on its own. If you clicked, glanced at a fake login screen, and closed the tab without typing anything, you are almost certainly fine. The outcomes that actually cause harm all need a second action from you: a password you entered, a payment you authorized, or a file you were talked into opening. For a fuller breakdown of each possible outcome and how likely it is, see what happens if you click a phishing link.
Change passwords from a device you trust
One detail trips people up here. If there is any chance the link installed something, do not change your passwords on that same device until it has been scanned and cleared. Malware could quietly capture the new password as you type it, which would undo the whole point of changing it. Use a different phone or computer you trust, change the passwords there, and return to the affected device only once its scan comes back clean.
If you clicked on your phone
The recovery steps above are the same on a phone, but the mechanics differ. Where to find a downloaded file, how to review the permissions an app was granted, and how to run a scan are not the same on iPhone and Android. If you tapped the link on a mobile device, follow the platform-specific steps in clicked a phishing link on your phone.
Check the next link before you click it
The habit that prevents a repeat is reading a link before you open it, rather than after. Learn the signs on the pillar guide, what is a phishing link, and when a message looks off, check a suspicious link before you tap it. A clean result is not a guarantee of safety, but a flagged one spares you the entire recovery process above.