Skip to main content
Relaymetry

Clicked a phishing link on your phone? iPhone and Android steps

Tapping a phishing link on a phone is usually not enough to infect it. On an up-to-date iPhone or Android, simply loading the page rarely installs anything, because the browser and apps run in a sandbox. The damage comes from what you do after the page loads: typing your password or card details, adding a configuration profile, or installing an app the page pushes. Close the tab, do not install anything it offers, and if you entered any details, change that password now.

Tapping a phishing link on a phone is rarely enough, on its own, to infect it. Both iOS and Android run the browser and every app in a sandbox, so opening a scam page does not silently install software the way an old desktop drive-by could. What actually causes harm on a phone is the step after the page loads: typing your password or card number into a fake login screen, adding a "configuration profile" the page asks for, or installing an app it pushes you toward. If all you did was open the link and close it, you are almost certainly fine.

Can visiting a page infect your phone?

Usually not by itself. A modern, up-to-date iPhone or Android will not run software from a web page without you granting a permission or installing something. Automatic, no-tap infection of a fully patched phone does exist, but it is rare and expensive, aimed at specific high-value targets rather than the mass scam texts most people receive. For an ordinary phishing text, the risk is what the page tricks you into doing, not the page loading.

So two questions decide how worried to be: did you enter any details, and did you install or approve anything? If the answer to both is no, close the tab and move on. If either is yes, work through the platform steps below, then read what to do now (full recovery steps) for the account-by-account cleanup.

On iPhone

  1. Close the Safari tab showing the page. Do not tap any buttons on it first.
  2. If you typed a password, card number, or verification code, change that password now on the real site or app, and turn on two-factor authentication. Details entered into a fake page are the real exposure, so treat this as the priority.
  3. Clear the page from Safari. Open Settings, tap Apps, tap Safari, then tap Clear History and Website Data.
  4. Check for an unknown configuration profile. Go to Settings, then General, then VPN & Device Management. A personal iPhone you have not enrolled with a school or employer usually shows nothing here. If you see a profile you do not recognise, tap it and choose Remove Profile.
  5. Update iOS from Settings, General, Software Update, so any browser and system fixes are in place.

Apple's own guidance is that Safari warns you before a known phishing site loads, and that you should never enter personal details on a page you reached from a suspicious message. iOS will not let a web page install an app on its own, which is exactly why the profile check matters: a malicious configuration profile is one of the few things a page can talk you into adding, and it can reroute your traffic or add a hostile VPN once installed.

On Android

  1. Close the browser tab. If the page started a download or told you to install an app, do not open or install that file, especially an APK.
  2. If you entered any details, change that password now and turn on two-factor authentication for the account.
  3. Run Google Play Protect. Open the Play Store, tap your profile icon, tap Play Protect, then Scan. Play Protect checks your installed apps for harmful behaviour and can warn you about, disable, or remove a bad one.
  4. Review recently installed apps and their permissions in Settings, Apps. Remove anything you do not remember installing, and revoke permissions that look wrong for what the app does.
  5. Update Android and Chrome so Google Safe Browsing and system fixes stay current.

Android blocks a web page from installing an app unless you have granted that browser permission to install unknown apps, so a single tap cannot sideload an APK by itself. The trap is following the page's instructions to allow that install. If you never approved an install and entered nothing, a Play Protect scan and a quick app review are usually all you need. Chrome also shows a red "Dangerous site" warning, powered by Safe Browsing, before many phishing pages ever load.

Watch for follow-up scam texts

Tapping a link or replying can tell the sender your number is live, so expect more smishing, which is phishing sent by SMS. Do not reply or tap further links. On iPhone, report the message as junk and delete it. On Android, report spam in the Messages app and delete it. In the US you can also forward scam texts to 7726 (SPAM). For a few days, be extra wary of texts and calls that claim to be your bank, a courier, or Apple or Google support, since a fresh "your account is locked" message is a common second stage.

If you want the mechanics behind all of this, see what happens if you click a phishing link and the pillar guide, what is a phishing link. Next time a link looks off, paste it into our phishing URL checker to see where it really leads before you tap.

Frequently asked questions

Can just visiting a phishing page infect my iPhone or Android?

Usually no. On an up-to-date phone, opening the page rarely installs anything on its own, because iOS and Android run the browser and apps in a sandbox. The real risk is what you do next: typing a password or card number into a fake login page, adding a configuration profile, or installing an app the page pushes. Automatic infection of a fully patched phone is rare and mostly limited to targeted attacks.

I clicked a phishing link on my iPhone but did not enter anything. Am I safe?

Most likely yes. If you only opened the page and closed it without typing details or installing a profile or app, there is usually nothing to clean up. To be tidy, close the tab and clear Safari history and website data (Settings, Apps, Safari, Clear History and Website Data), keep iOS updated, and ignore any follow-up messages.

How do I check my iPhone for a malicious configuration profile?

Go to Settings, General, VPN & Device Management. A personal iPhone that you have not enrolled with a school or company usually shows nothing there. If you see a profile you do not recognise, tap it and choose Remove Profile. Keep only profiles you or your employer knowingly installed.

What should I do on Android after tapping a phishing link?

Close the browser tab and do not install anything the page offers, especially an APK file. Open the Play Store, tap your profile icon, tap Play Protect, then run a scan. Review recently installed apps and their permissions, remove anything you did not install, and change the password for any account whose details you entered.

Will a phishing link send me more scam texts?

It can. Tapping a link or replying tells the sender your number is active, so expect more smishing (phishing by SMS). Do not reply or tap further links. On iPhone report the message as junk and delete it; on Android report spam in the Messages app and delete it. In the US you can forward scam texts to 7726 (SPAM).

Other phishing & link-safety guides

References

Browse all guides →