Tapping a phishing link on a phone is rarely enough, on its own, to infect it. Both iOS and Android run the browser and every app in a sandbox, so opening a scam page does not silently install software the way an old desktop drive-by could. What actually causes harm on a phone is the step after the page loads: typing your password or card number into a fake login screen, adding a "configuration profile" the page asks for, or installing an app it pushes you toward. If all you did was open the link and close it, you are almost certainly fine.
Can visiting a page infect your phone?
Usually not by itself. A modern, up-to-date iPhone or Android will not run software from a web page without you granting a permission or installing something. Automatic, no-tap infection of a fully patched phone does exist, but it is rare and expensive, aimed at specific high-value targets rather than the mass scam texts most people receive. For an ordinary phishing text, the risk is what the page tricks you into doing, not the page loading.
So two questions decide how worried to be: did you enter any details, and did you install or approve anything? If the answer to both is no, close the tab and move on. If either is yes, work through the platform steps below, then read what to do now (full recovery steps) for the account-by-account cleanup.
On iPhone
- Close the Safari tab showing the page. Do not tap any buttons on it first.
- If you typed a password, card number, or verification code, change that password now on the real site or app, and turn on two-factor authentication. Details entered into a fake page are the real exposure, so treat this as the priority.
- Clear the page from Safari. Open Settings, tap Apps, tap Safari, then tap Clear History and Website Data.
- Check for an unknown configuration profile. Go to Settings, then General, then VPN & Device Management. A personal iPhone you have not enrolled with a school or employer usually shows nothing here. If you see a profile you do not recognise, tap it and choose Remove Profile.
- Update iOS from Settings, General, Software Update, so any browser and system fixes are in place.
Apple's own guidance is that Safari warns you before a known phishing site loads, and that you should never enter personal details on a page you reached from a suspicious message. iOS will not let a web page install an app on its own, which is exactly why the profile check matters: a malicious configuration profile is one of the few things a page can talk you into adding, and it can reroute your traffic or add a hostile VPN once installed.
On Android
- Close the browser tab. If the page started a download or told you to install an app, do not open or install that file, especially an APK.
- If you entered any details, change that password now and turn on two-factor authentication for the account.
- Run Google Play Protect. Open the Play Store, tap your profile icon, tap Play Protect, then Scan. Play Protect checks your installed apps for harmful behaviour and can warn you about, disable, or remove a bad one.
- Review recently installed apps and their permissions in Settings, Apps. Remove anything you do not remember installing, and revoke permissions that look wrong for what the app does.
- Update Android and Chrome so Google Safe Browsing and system fixes stay current.
Android blocks a web page from installing an app unless you have granted that browser permission to install unknown apps, so a single tap cannot sideload an APK by itself. The trap is following the page's instructions to allow that install. If you never approved an install and entered nothing, a Play Protect scan and a quick app review are usually all you need. Chrome also shows a red "Dangerous site" warning, powered by Safe Browsing, before many phishing pages ever load.
Watch for follow-up scam texts
Tapping a link or replying can tell the sender your number is live, so expect more smishing, which is phishing sent by SMS. Do not reply or tap further links. On iPhone, report the message as junk and delete it. On Android, report spam in the Messages app and delete it. In the US you can also forward scam texts to 7726 (SPAM). For a few days, be extra wary of texts and calls that claim to be your bank, a courier, or Apple or Google support, since a fresh "your account is locked" message is a common second stage.
If you want the mechanics behind all of this, see what happens if you click a phishing link and the pillar guide, what is a phishing link. Next time a link looks off, paste it into our phishing URL checker to see where it really leads before you tap.