Quick answer
Clicking a phishing link usually does one thing: your browser loads the page at the other end. That page cannot empty your bank account on its own, and it cannot install software just because it appeared on screen. The damage, when there is any, comes from the step after the click. So the honest answer to "what happens" is that it depends on what you do next, and the possible outcomes fall into a short list.
If you have already clicked, the recovery steps live on their own page: what to do now. This guide explains the outcomes, so you can tell which of those steps you actually need.
The most common outcome: a fake login page
Most phishing links lead to a counterfeit sign-in screen. It copies the look and the web-address style of a real service (a bank sign-in, a Microsoft 365 login) and waits for you to type your username and password. The moment you submit the form, those credentials go straight to the attacker instead of the real service. Google's definition of these pages is blunt: content that "tricks visitors into doing something dangerous, such as revealing confidential information."
Notice what did the damage. Loading the page stole nothing. The theft happened when you filled in the form. That is why the single most useful habit is to stop and read the real domain before you type anything, which is the whole subject of how to tell if a link is safe.
A file that wants to download or open
Some links point at malware rather than a login form, and this splits into two cases. In a prompted download, the page pushes a file at you (an "invoice," a fake browser update) and counts on you to open it. Nothing runs until you do. In a drive-by download, the page tries to pull code onto your device automatically by abusing a flaw in the browser or a plugin.
The drive-by is the frightening-sounding case, and it is also the one that current, updated software mostly shuts down. The UK's NCSC published a revealing figure from a real intrusion: of 14 people who clicked, 13 malware attempts failed to launch because the devices were up to date. One succeeded. Keeping software patched is what turns "I clicked" into a non-event for this whole category.
The click that marks you as a live target
There is a quieter outcome with no malware in it at all. Simply opening the link, or loading a tracking pixel inside the message, can tell the sender that your address or number is real and that a person is reading. The US FTC puts it plainly: opening a link in an unexpected message "can expose you to scammers, even if you don't enter any sensitive info." The practical result is more phishing, aimed at a list you have now been promoted onto. That is a nuisance rather than a breach, but it is worth knowing.
The rarer case: an exploit against unpatched software
Now and then a malicious page carries an exploit built for a specific, unpatched weakness in your browser or operating system. If it connects, code can run without a second click from you. This is genuine, yet it is the exception rather than the rule, and it leans entirely on your software being behind on updates. A current browser with automatic updates closes most of the window.
So how worried should you be?
Risk tracks what you did after the click, not the click by itself. A rough ladder:
- You clicked, saw a suspicious page, and closed the tab without typing or downloading anything: low risk. Update your software and run a scan to be sure.
- You entered a password or card details: treat those credentials as compromised and move quickly.
- You downloaded and opened a file: assume malware until a scan clears it.
The what is a phishing link overview covers how these links are built and disguised in the first place. If you are looking at a link right now and cannot tell whether it is safe, run it through the phishing URL checker before you open it. When in doubt, leave it alone and reach the company through a channel you already trust.
What clicking does not do
The myths are worth naming too. A single click does not instantly drain every account you own, and it does not brand your device with a virus you can never remove. Clicking is not automatically harmless either, so "I only clicked" is a reason to check rather than to shrug it off. The truthful position sits between those two extremes, which is exactly where the security agencies place it.