Clicked a Phishing Link? Do These 7 Things Right Now
First, take a breath: clicking a phishing link is rarely a disaster by itself — what matters far more is what you typed or downloaded after the page opened. So if you just clicked a phishing link and are wondering what to do, work through these seven steps in order. Most people only need the first two or three.
1. Don't type anything — just close the tab
If the page is still open, close it now. Don't fill in any form, don't click "Verify", "Unsubscribe" or "Cancel order", and don't call any phone number shown on the page. A phishing page usually can't hurt you until you give it something — a password, a card number, a one-time code.
If you clicked but typed nothing, you can almost certainly relax. Modern phones and computers aren't normally infected just by opening a web page. Glance at step 6, then get on with your day.
2. Typed a password? Change it right now — on the real site
This is the step where minutes matter. If you entered a password on a phishing site, assume the scammer already has it.
- Open a new tab and type the real website's address yourself (for example www.example.com), or use your bookmark or the official app. Never go back through the link in the message.
- Log in and change your password to something new and unique.
- Change it everywhere you reused that password — criminals try stolen passwords on other sites within hours. Your email matters most, because it can reset almost everything else.
One tell-tale sign you were on a fake: the address looked almost right, but not quite. login.example.com belongs to the real company; something like login-example-com.account-verify.example does not.
A clicked link is a near miss; a typed password is a real leak. Change that password immediately on the genuine site — and on every other account where you reused it.
3. Turn on two-factor authentication
While you're in those security settings, switch on two-factor authentication (often shortened to 2FA). In plain English, it means the site asks for a second proof that it's really you — usually a code on your phone — so a stolen password alone isn't enough to break in. It's sometimes called "two-step verification". Turn it on for your email and bank first.
4. Entered card or bank details? Call your bank now
If you typed a card number, CVV, PIN, banking login or a one-time code, treat it as urgent:
- Call the number on the back of your card or use your official banking app, and ask them to block the card and issue a new one.
- Tell them exactly what you entered and when, so they can watch or freeze the account.
- If money has already left, ask the bank to raise a fraud dispute straight away — the sooner you call, the better your chances of getting it back.
5. Downloaded a file? Run an antivirus scan
If the page made you download something — an "invoice", an app, a "security update" — don't open it. Delete the file, then run a full antivirus scan (on Windows, the built-in Microsoft Defender is fine). On a phone, uninstall any app the page told you to install. It's also a good moment to add a safety net: our free browser extension checks each site as you browse and turns its shield red before you type anything into a suspicious page.
6. Watch your accounts for a few weeks
Scammers don't always strike immediately, so stay alert for the next few weeks:
- Check your bank and card statements for small "test" charges you don't recognise.
- Watch for password-reset emails or login alerts you didn't ask for — that's someone trying the door.
- Be extra wary of follow-up calls or messages — especially anyone offering to "help you recover your money". That second contact is a scam too.
7. Report it
Reporting takes ten minutes and protects the next person:
- Your bank, if any money or card details are involved.
- The brand being impersonated — most large companies have a page or email address for reporting fakes, often something like phishing@example.com.
- Your country's cybercrime portal. In India, that's cybercrime.gov.in, or call the helpline 1930 quickly if money was taken. Most countries have a local equivalent — search for "report cybercrime" plus your country's name.
- Finally, mark the original message as phishing or spam in your email or SMS app, which helps the filters block it for everyone else.
How to avoid the next one
Almost every phishing message runs on urgency: "your account will be suspended", "your parcel is on hold". A few calm habits beat nearly all of it:
- Slow down. Real companies don't mind if you take five minutes to check.
- Go direct. Instead of tapping links in messages, open the official app or type the address yourself.
- Check the domain — the part of the address just before the first single slash. https://www.example.com/help really belongs to example.com; https://example.com.payment-update.example/help does not.
- Use a unique password for every account (a password manager remembers them so you don't have to) and keep 2FA switched on, so one slip never sinks everything.
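The "check the domain" habit above, and the tell-tale sign from step 2, written out as a small JavaScript check. This is an added example, not code from the extension mentioned on this page; the TRUSTED list and the function names are assumptions made for illustration.

```javascript
// Added example: decide whether a link's host really belongs to a site you trust.
// TRUSTED is an assumption for this example; list the sites you actually use.
const TRUSTED = ["example.com"];

// Return the host the browser would connect to (lower-cased, no trailing dot),
// or null if the text is not an http(s) address.
function hostOf(link) {
  let url;
  try {
    url = new URL(link);
  } catch {
    return null;
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") return null;
  return url.hostname.toLowerCase().replace(/\.$/, "");
}

// A host belongs to a domain only if it IS that domain or ends with "." + domain.
// Matching whole labels from the right-hand end is what stops
// "example.com.payment-update.example" from passing as example.com.
function belongsTo(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// Report the real host of a link and whether it matches a trusted domain.
function checkLink(link) {
  const host = hostOf(link);
  if (host === null) return { host: null, trusted: false, matched: null };
  const matched = TRUSTED.find((d) => belongsTo(host, d)) || null;
  return { host, trusted: matched !== null, matched };
}

// Constructed sample links, built from the addresses used in this article.
const samples = [
  "https://www.example.com/help",
  "https://login.example.com/",
  "https://example.com.payment-update.example/help",
  "https://login-example-com.account-verify.example/",
];
for (const s of samples) {
  const r = checkLink(s);
  console.log(r.trusted ? "OK     " : "SUSPECT", r.host);
}
```

The first two samples are reported as OK and the last two as SUSPECT, because only the right-hand end of the host decides who owns it.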
Clicked, closed the tab, changed your password, told your bank — that's the whole drill. Do it calmly and quickly, and a phishing link becomes a near miss instead of a loss.