I clicked a phishing link — what now?
What you did in the seconds after the click decides everything. Clicked only: usually survivable. Typed credentials or codes: move now — the attacker is racing you.
- Triage: what exactly happened?Clicked and closed = low risk, browsers sandbox most drive-bys. Entered a password, card number, or a code from an SMS/app = act on the matching step below IMMEDIATELY. Installed something or granted an app permissions = treat the device as compromised.
- Typed a password? Change it now — everywhereFrom another device if possible: change that password on the real site, then on every account reusing it, and end all active sessions. Turn on real 2FA as you go. The attacker scripts this — minutes matter.
- Typed card or bank details? Call the bankBlock the card via app or hotline, flag the transaction risk, watch for “verification” follow-up calls — the phisher’s partner often phones pretending to be the bank’s fraud desk. Banks never ask you to move money to a “safe account”. Ever.
- Gave a code or approved a push? Assume account takeoverThat code WAS the takeover. Run the recovery flow of the account it belonged to right now — the hacked-account guide has the eviction sequence (sessions, forwarding rules, tokens).
- Installed something? Isolate the deviceDisconnect from Wi-Fi/data, run a reputable malware scan, and change passwords only from a CLEAN device — typing new credentials into an infected machine hands those over too. When in doubt: back up files, factory reset.
- Report and inoculateForward the phish to your national reporting address and mark it as phishing in your mail app (this trains everyone’s filters), warn colleagues if it hit a work address, and report money lost to the police — bank recovery often requires the report. Next time a link smells off: check it with our scam checker BEFORE clicking.
De-shame this: phishing works on IT professionals, which is why the industry measures click rates in the double digits. The kits are pixel-perfect clones and the pretexts (parcel, refund, boss, bank) are engineered against your busiest moment. What separates a near-miss from a disaster is never cleverness — it is speed on steps 2–4 and refusing the follow-up call. And the data trail matters afterwards: if the phish impersonated a real company whose breach leaked your email, that leak has an owner — the breach flow covers your rights against them.
Verified against the sources above on 18 July 2026. Information, not legal advice.