What to Do If You Click a Phishing Link: Recovery Steps

It happens fast. You glance at an email, tap a link, and suddenly you’re staring at a page that looks… off. Maybe the URL is strange. Maybe the site asked for your password. Maybe nothing happened at all — but a file downloaded on its own. If you’re wondering what to do if you click a phishing link, you’re already taking the right first step by looking for answers.

You’re not alone. Phishing attacks are the most common type of cybercrime, with the FBI’s Internet Crime Complaint Center receiving over 300,000 phishing complaints in a single year. The good news? Acting quickly can dramatically reduce the damage.

This guide walks you through exactly what to do, minute by minute, after clicking a suspicious link.

Step 1: Disconnect From the Internet Immediately

The moment you realize something is wrong, cut your connection. This stops any malware from sending your data to an attacker’s server and prevents further communication between your device and the malicious site.

What you should do:

  1. Turn off Wi-Fi — Disable your wireless connection right away. On Windows, click the Wi-Fi icon in the taskbar and turn it off. On Mac, click the Wi-Fi icon and select “Turn Wi-Fi Off.”
  2. Unplug your Ethernet cable — If you’re using a wired connection, physically disconnect the cable.
  3. Put your phone in airplane mode — Swipe down from the top of your screen and tap the airplane icon.
  4. Stay disconnected until you’ve completed the next few steps.

Don’t worry about losing work. The few minutes you spend offline are nothing compared to the hours or days it takes to recover a compromised identity.

Step 2: Assess What Actually Happened

Not every phishing link causes the same kind of damage. Understanding what occurred helps you respond appropriately instead of panicking.

Ask yourself these questions:

  • Did you enter any information? If you typed a username, password, credit card number, or Social Security number, treat this as a serious breach.
  • Did a file download automatically? This could be malware. Do NOT open it.
  • Did the page just load and you closed it? You may be fine, but you should still take precautions.
  • Did you install anything? Some phishing pages trick you into downloading apps or browser extensions.

What you should do:

  • Write down exactly what happened while it’s fresh in your mind. Note the sender’s email, the link URL, and any information you entered.
  • Take screenshots of the suspicious email or text message for evidence.
  • Check your browser’s download folder for any unexpected files.

Step 3: Scan Your Device for Malware

Phishing links often deliver malware — software designed to steal data, spy on your activity, or lock your files. Even if nothing visible happened, a silent infection could already be running.

What you should do:

  1. Run a full system scan using your existing antivirus software. If you don’t have one installed, use a reputable free option like Microsoft Defender (built into Windows) or Malwarebytes.
  2. Quarantine or delete any threats the scan finds.
  3. Run a second-opinion scan with a different tool. No single antivirus catches everything. Malwarebytes Free is a great second scanner that works alongside your main protection.
  4. Check your browser extensions — Remove anything you don’t recognize or didn’t install yourself. Go to your browser’s extension settings and delete unfamiliar add-ons.

If the scan finds serious malware that you can’t remove, consider taking your device to a professional or performing a factory reset.

Step 4: Change Your Passwords — Starting With the Most Important Ones

If you entered a password on the phishing site, the attacker now has it. Even if you didn’t enter anything, some phishing pages can steal saved passwords from your browser automatically.

Change passwords in this order:

  1. Email account — This is the most critical. If an attacker controls your email, they can reset passwords for every other account you own.
  2. Banking and financial accounts — Log in from a different, trusted device if possible.
  3. Social media accounts — Compromised social accounts are used to scam your contacts.
  4. Any other account where you used the same password.

What you should do:

  • Use a different, trusted device to change passwords if you suspect your current one might be compromised.
  • Create unique, strong passwords for each account. Not sure how? Read our guide on how to create strong passwords.
  • Start using a password manager so you never have to reuse passwords. Learn whether password managers are safe and why they’re worth it.

Step 5: Enable Two-Factor Authentication Everywhere

Changing your password is essential, but adding a second layer of protection makes it far harder for attackers to get back in — even if they have your password.

Two-factor authentication (2FA) requires a second verification step when you log in, usually a code sent to your phone or generated by an authenticator app.

What you should do:

  1. Enable 2FA on your email first — This is your most valuable account.
  2. Enable 2FA on banking, social media, and cloud storage accounts.
  3. Use an authenticator app (like Google Authenticator or Authy) instead of SMS codes when possible. SMS codes can be intercepted through SIM-swapping attacks.
  4. Save your backup codes in a secure location. Each service provides backup codes when you enable 2FA — store these in a password manager or a locked safe.

Step 6: Contact the Right People and Organizations

Depending on what information was compromised, you may need to alert specific organizations before the damage spreads.

If Financial Information Was Compromised

  • Call your bank or credit card company immediately. Report the incident and ask them to freeze your card or monitor for suspicious activity.
  • Request a fraud alert with one of the three major credit bureaus (Equifax, Experian, or TransUnion). A fraud alert makes it harder for someone to open accounts in your name.
  • Place a credit freeze if you suspect identity theft. This locks your credit report so no one can open new accounts.

If Your Email or Social Media Was Hacked

  • Use the platform’s recovery tools to regain access to your account.
  • Notify your contacts that your account was compromised and they should ignore any messages from you.
  • Report the hack to the platform (Google, Meta, etc.).

If You Entered Personal Identification Information

  • Report identity theft at IdentityTheft.gov, the FTC’s official recovery resource.
  • File a police report if significant financial loss or identity theft has occurred.
  • Contact the IRS if your Social Security number was compromised to prevent tax fraud.

What you should do: Make a list of every organization you contact, including dates, times, and the names of people you speak with. This documentation is valuable if disputes arise later.

Step 7: Monitor for Identity Theft Long-Term

Phishing damage doesn’t always show up right away. Attackers sometimes sit on stolen data for weeks or months before using it. Long-term monitoring is essential.

What you should do:

  1. Check your bank and credit card statements weekly for at least 90 days. Look for charges you don’t recognize, no matter how small.
  2. Review your credit report at AnnualCreditReport.com. You’re entitled to free reports from all three bureaus annually.
  3. Set up transaction alerts on your bank and credit card accounts so you’re notified of every purchase.
  4. Watch for phishing follow-ups. Once attackers have some of your information, they may use it to craft more convincing phishing attempts targeting you specifically — a technique called “spear phishing.”
  5. Consider identity monitoring services. Many credit cards and banks offer free identity monitoring. Activate it if available.

The best recovery is prevention. Knowing how to spot a phishing email can save you from ever needing this guide.

Warning signs of a phishing link:

  • The URL doesn’t match the company’s real website (e.g., “paypa1.com” instead of “paypal.com”)
  • The email creates extreme urgency (“Your account will be closed in 24 hours!”)
  • The sender’s email address looks unusual or misspelled
  • The message contains generic greetings like “Dear Customer” instead of your name
  • Links redirect through unexpected domains

What you should do: Always hover over a link before clicking to see where it actually goes. When in doubt, navigate to the company’s website directly by typing the URL into your browser.
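
The hover check and the lookalike-URL warning sign can also be applied mechanically to the HTML body of a saved email. The Python below is an added example, not part of the original guide: it compares each link's visible text with its real destination and flags digit-for-letter lookalikes such as “paypa1.com”. The TRUSTED list, the SAMPLE message and all function names are assumptions made for illustration, and the base domain is approximated as the last two labels of the host.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED = {"paypal.com", "example-bank.com"}  # assumption: sites you really use
SWAPS = str.maketrans("0135", "oles")         # digit-for-letter lookalikes

def base_domain(url):
    """Last two labels of the host (simplification: no public-suffix list)."""
    host = urlsplit(url if re.match(r"\w+://", url) else "//" + url).hostname
    return ".".join((host or "").lower().split(".")[-2:])

def imitates(domain):
    """Return the trusted domain that `domain` is dressed up as, or None."""
    plain = domain.translate(SWAPS)
    return plain if domain not in TRUSTED and plain in TRUSTED else None

class Links(HTMLParser):  # collects (href, visible text) for every <a> element
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def inspect(html):
    """Return [(href, [warnings])] for links that deserve a second look."""
    parser, findings = Links(), []
    parser.feed(html)
    for href, text in parser.links:
        dest, warnings = base_domain(href), []
        if good := imitates(dest):
            warnings.append(f"{dest} imitates {good}")
        shown = re.search(r"(?:https?://)?(?:[\w-]+\.)+[a-z]{2,}", text, re.I)
        if shown and base_domain(shown.group()) != dest:
            warnings.append(f"text shows {base_domain(shown.group())}, link goes to {dest}")
        if warnings:
            findings.append((href, warnings))
    return findings

SAMPLE = """<a href="http://paypa1.com/login">Verify now</a>
<a href="https://tracker.example.net/r?u=1">https://www.paypal.com/signin</a>
<a href="https://www.paypal.com/help">www.paypal.com</a>"""  # constructed email body
```

Calling inspect(SAMPLE) flags the first two links and passes the third. The check only reads the message text and never contacts the linked sites.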

Understanding how phishing attacks play out in the real world helps you recognize them faster.

The Fake Bank Alert

You receive an email that looks like it’s from your bank. It says there’s been suspicious activity on your account and you need to verify your identity immediately. The link takes you to a convincing copy of your bank’s login page. If you enter your credentials, the attacker captures them.

What to do: Never click links in unexpected bank emails. Log in to your bank’s app or type the URL directly.

The Package Delivery Scam

A text message claims your package couldn’t be delivered and asks you to click a link to update your address. The link leads to a page that installs malware or asks for personal information.

What to do: Check delivery status directly through the shipping company’s official website or app.

The Tech Support Call

Someone calls claiming to be from Microsoft or Apple, saying your device has a virus. They ask you to visit a website or install remote access software. This is always a scam — legitimate tech companies don’t cold-call customers about viruses.

What to do: Hang up immediately. Never give a stranger remote access to your device.

What If You Did Nothing After Clicking?

Maybe you clicked a phishing link days or even weeks ago and only now realize something was wrong. It’s not too late to take action, but you should move through all the steps above as soon as possible.

What you should do:

  • Change your passwords immediately, especially for your email and financial accounts.
  • Run a thorough malware scan on every device you used since clicking the link.
  • Check your bank statements and credit report for any suspicious activity.
  • Enable 2FA on all important accounts.
  • Report the incident to the relevant organizations.

The longer you wait, the more time attackers have to use your information. But even delayed action is better than no action.

Frequently Asked Questions

Yes, it’s possible. Some phishing links trigger automatic downloads of malware or exploit vulnerabilities in your browser to install malicious software. This is called a “drive-by download.” That’s why disconnecting from the internet and scanning your device are critical first steps, even if you didn’t type anything.

Watch for these signs: your device is running unusually slowly, you see pop-ups you didn’t expect, your browser redirects to strange websites, or your battery drains faster than normal. However, some malware shows no visible symptoms at all, which is why a thorough antivirus scan is essential after any phishing incident.

Should I report a phishing attempt even if I didn’t lose anything?

Absolutely. Reporting phishing helps authorities track and shut down scam operations, protecting other people from falling victim. You can report phishing to the FTC at ReportFraud.ftc.gov and forward phishing emails to the Anti-Phishing Working Group at reportphishing@apwg.org.

At minimum, monitor your financial accounts and credit report for 90 days. If sensitive information like your Social Security number was compromised, consider monitoring for at least a year. Many identity theft cases don’t surface until months after the initial breach.

Is it safe to use my device after removing malware?

If your antivirus scan comes back clean and you’ve changed all compromised passwords, your device is generally safe to use. However, if you found sophisticated malware or the scan couldn’t remove all threats, consider doing a factory reset to be completely sure. Always restore from a backup made before the incident.

Take Action Now

Knowing what to do if you click a phishing link can mean the difference between a minor scare and a major financial headache. The key is speed — every minute counts when your data is at risk.

Here’s your quick-reference checklist:

  1. ✅ Disconnect from the internet
  2. ✅ Assess what happened
  3. ✅ Scan for malware
  4. ✅ Change your passwords (email first!)
  5. ✅ Enable two-factor authentication
  6. ✅ Contact banks and relevant organizations
  7. ✅ Monitor for identity theft long-term

If you found this guide helpful, learn more about protecting yourself with our articles on how to spot phishing emails, whether password managers are safe, and how to create strong passwords. Stay safe out there.
