
I Accidentally Clicked a Phishing Link. What Now?

Brian Silverstein, CEO at Haven
June 1, 2026

It happens fast. You're scrolling through your inbox, tapping through messages, and then - you click something you instantly regret. Maybe the email looked like it was from your bank. Maybe it was a text that seemed to be from a delivery service. Maybe you just weren't paying attention. First things first: don't panic. Clicking a phishing link doesn't automatically mean your accounts are compromised or your device is infected. What matters most is what you do in the next few minutes.

This guide walks you through exactly what to do, in order, to limit the damage.


What Actually Happens When You Click a Phishing Link?

Before the steps, it helps to understand what you're dealing with. Not all phishing links do the same thing - the risk depends on what kind of link it was and what happened after you clicked.

You got redirected to a fake login page. This is the most common scenario. The link takes you to a convincing imitation of a real website - your bank, PayPal, Google, Microsoft - and asks you to enter your credentials. If you typed anything in, that information went straight to an attacker.

A drive-by download was triggered. Some phishing links are designed to silently install malware the moment the page loads - no clicking "download", no confirmation prompt. These are particularly dangerous because you may have no idea it happened. The malware can include keyloggers (which record everything you type), spyware, ransomware, or Remote Access Trojans that let an attacker control your device remotely.

Your device information was captured. Even if nothing visible happened, clicking the link may have transmitted your IP address, device type, browser, and location to the attacker. This confirms to them that your contact information is live and that you're a real person - making you a target for follow-up attacks.

Nothing happened. Sometimes you get lucky. The link was broken, or it led to a generic page with nothing malicious. But you can't count on this being the case without investigating.


What to Do Immediately After Clicking a Suspicious Link

Step 1: Don't interact with anything on the page

If a page loaded, do not click anything, do not fill in any forms, and do not download anything that appears. Close the tab immediately. If a file downloaded without you initiating it, do not open, rename, or delete it - leave it for your antivirus to find.

Step 2: Disconnect from the internet

If you suspect malware may have been installed - especially if something downloaded, if your device started behaving strangely, or if you're on a work computer - disconnect from Wi-Fi or unplug your ethernet cable immediately.

This cuts off any malware's ability to communicate with the attacker's servers, and prevents it from spreading to other devices on your network. You can reconnect once you've run a scan.

Step 3: Run a malware scan

Use reputable antivirus software to run a full scan of your device. Make sure the software is up to date so it can detect the latest threats. If you don't have antivirus installed, this is the moment to get it.

If a phishing link infects your device with malware, an attacker may be able to steal personal, professional, or financial files that expose you to identity theft, financial fraud, and account takeovers. On a work device, contact your IT or security team right away rather than trying to handle it yourself. They need to know so they can investigate whether anything spread across your organisation's network.

Step 4: Change your passwords - but on a different device

If there's any chance your device has been compromised, change your passwords from a different device. This is a precaution against keyloggers, which record what you type and could capture your new password as you set it.

Start with the highest-risk accounts first:

  • Your email (attackers who access your email can use it to reset every other account you own)

  • Your bank and financial accounts

  • Social media

  • Any account where the same password was reused

Use strong, unique passwords for each account. If you're not already using a password manager, now is a good time to start.

Step 5: Enable two-factor authentication

If you haven't already enabled two-factor authentication (2FA) on your important accounts, do it now. Even if an attacker obtained your password, 2FA means they still can't get in without access to your phone or authentication app. This is one of the most effective protections available and takes about two minutes to set up on most platforms.

Step 6: Check your accounts for unusual activity

Log into your email, bank, and social media accounts and look for anything suspicious: logins from unfamiliar locations, password change notifications you didn't request, emails you didn't send, or transactions you don't recognise. Many platforms show a login history - check it.

If you see anything unusual, contact the platform immediately and follow their account recovery process.

Step 7: If you entered financial information, contact your bank

If you typed in any payment card details, bank account information, or your Social Security number, call your bank directly using the number on the back of your card. They can monitor your account for fraudulent activity, block your card if needed, or issue a replacement.

You may also want to place a fraud alert or credit freeze with the major credit bureaus (Equifax, Experian, TransUnion) to prevent anyone from opening new credit accounts in your name.

Step 8: Report the phishing attempt

Reporting phishing links helps protect other people from the same attack. You can:

  • Forward phishing emails to reportphishing@apwg.org (the Anti-Phishing Working Group)

  • Report phishing to the FTC at reportfraud.ftc.gov

  • If the link came via email or social media, report it as spam or phishing within the platform itself and block the sender


How to Tell If Your Device Has Been Infected

After clicking a suspicious link, keep an eye out for these warning signs over the following days:

  • Your device is noticeably slower than usual

  • Programs crash unexpectedly or behave strangely

  • You notice unfamiliar applications or browser extensions you didn't install

  • Your browser homepage or default search engine has changed

  • You're seeing unusual pop-ups or redirects when browsing

  • Your email contacts report receiving messages you didn't send

  • You see login attempts or password reset emails you didn't request

Any of these could indicate that something was installed without your knowledge. Run another malware scan and consider getting professional help if symptoms persist.


What If You Clicked the Link But Didn't Enter Anything?

If the page loaded but you didn't type anything in and nothing visibly downloaded, you're likely in better shape. However, some malware can install itself simply from a page loading (known as a drive-by download), so you should still:

  • Run a malware scan

  • Monitor your accounts for unusual activity over the next few weeks

  • Check your browser extensions for anything unfamiliar

The absence of obvious symptoms doesn't guarantee you're in the clear.


What If You Clicked on Your Phone?

Mobile devices aren't immune. While iOS and Android have strong built-in security, phishing links on mobile can still capture your credentials via fake login pages, trigger downloads of malicious apps, or harvest your device information.

The steps are the same: don't interact further with the page, run a security scan if your mobile security app supports it, change passwords from another device, and monitor your accounts. On iPhone, go to Settings and check for any unfamiliar apps. On Android, go to Settings > Apps and look for anything you don't recognise.


How to Avoid Getting Caught Again

Once you've dealt with the immediate situation, it's worth understanding how phishing links reach you so convincingly in the first place.

Modern phishing attacks use AI-generated content to produce convincing messages at scale. In early 2025, research found that nearly 83% of phishing emails now use AI-generated content, making them significantly harder to spot than the poorly-written scams of the past.

The most reliable habit is simply to pause before clicking any link you weren't expecting - even if it appears to come from someone you know. Before you click, ask yourself:

  • Was I expecting this message?

  • Does the sender's email address exactly match the real domain (not just look similar)?

  • Is there urgency being created to pressure me into clicking quickly?

  • Does the link destination match where it claims to go?

If anything feels off, check the link before you click it. Haven's free link checker lets you paste any URL and verify it's safe before your browser ever loads it - so you can catch phishing links before they can do any damage.
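
The sender-domain and link-destination questions above can also be checked mechanically. The Python below is an added example, not Haven's link checker or code from this post; the function names, the bank.example domain and the sample message are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message on reserved test domains (not a real phishing email).
SAMPLE_SENDER = "Support <alerts@bank.example.account-verify.test>"
SAMPLE_BODY = ('<p>Reset your password at <a href="https://bank.example.login.test/reset">'
               'https://bank.example/reset</a></p>')

def host_of(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    if "://" not in url:
        url = "//" + url          # let urlsplit treat bare 'bank.example/x' as a host
    return (urlsplit(url).hostname or "").rstrip(".").lower()

def same_site(host, trusted):
    """True only for the trusted domain itself or a real subdomain of it."""
    return host == trusted or host.endswith("." + trusted)

class LinkCollector(HTMLParser):  # gathers (href, visible text) for every <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def review(sender, body_html, trusted):
    """Return findings for the sender address and each link in the message."""
    findings = []
    sender_domain = sender.rsplit("@", 1)[-1].strip("> ").lower()
    if not same_site(sender_domain, trusted):
        findings.append(f"sender domain {sender_domain} is not {trusted}")
    collector = LinkCollector()
    collector.feed(body_html)
    for href, text in collector.links:
        dest = host_of(href)
        if not same_site(dest, trusted):
            findings.append(f"link goes to {dest}, not {trusted}")
        # Only compare when the visible text itself looks like a URL or hostname.
        shown = host_of(text) if "." in text and " " not in text else ""
        if shown and shown != dest:
            findings.append(f"link text shows {shown} but goes to {dest}")
    return findings
```

The leading dot in the suffix comparison is what separates a real subdomain such as mail.bank.example from a lookalike such as bank.example.login.test, where the trusted name only appears at the front.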


The Bottom Line

Accidentally clicking a phishing link is more common than most people realise, and it doesn't have to become a disaster if you act quickly. The key steps:

  1. Don't interact with anything on the page - close it immediately

  2. Disconnect from the internet if you suspect malware

  3. Run a full malware scan

  4. Change your passwords from a different device

  5. Enable two-factor authentication on important accounts

  6. Check your accounts for suspicious activity

  7. Contact your bank if you entered any financial information

  8. Report the phishing attempt

Speed matters. The faster you act, the better your chances of limiting any damage. And going forward, a link checker is the simplest way to make sure you're never in this position again.

