I clicked a phishing link — what now?

What you did in the seconds after the click decides everything. Clicked only: usually survivable. Typed credentials or codes: move now — the attacker is racing you.

  1. Triage: what exactly happened?Clicked and closed = low risk, browsers sandbox most drive-bys. Entered a password, card number, or a code from an SMS/app = act on the matching step below IMMEDIATELY. Installed something or granted an app permissions = treat the device as compromised.
  2. Typed a password? Change it now — everywhereFrom another device if possible: change that password on the real site, then on every account reusing it, and end all active sessions. Turn on real 2FA as you go. The attacker scripts this — minutes matter.
  3. Typed card or bank details? Call the bankBlock the card via app or hotline, flag the transaction risk, watch for “verification” follow-up calls — the phisher’s partner often phones pretending to be the bank’s fraud desk. Banks never ask you to move money to a “safe account”. Ever.
  4. Gave a code or approved a push? Assume account takeoverThat code WAS the takeover. Run the recovery flow of the account it belonged to right now — the hacked-account guide has the eviction sequence (sessions, forwarding rules, tokens).
  5. Installed something? Isolate the deviceDisconnect from Wi-Fi/data, run a reputable malware scan, and change passwords only from a CLEAN device — typing new credentials into an infected machine hands those over too. When in doubt: back up files, factory reset.
  6. Report and inoculateForward the phish to your national reporting address and mark it as phishing in your mail app (this trains everyone’s filters), warn colleagues if it hit a work address, and report money lost to the police — bank recovery often requires the report. Next time a link smells off: check it with our scam checker BEFORE clicking.

De-shame this: phishing works on IT professionals, which is why the industry measures click rates in the double digits. The kits are pixel-perfect clones and the pretexts (parcel, refund, boss, bank) are engineered against your busiest moment. What separates a near-miss from a disaster is never cleverness — it is speed on steps 2–4 and refusing the follow-up call. And the data trail matters afterwards: if the phish impersonated a real company whose breach leaked your email, that leak has an owner — the breach flow covers your rights against them.

Verified against the sources above on 18 July 2026. Information, not legal advice.

← What now?✍️ Generate this letter — free📞 Your data protection authority