Phishing
I clicked a phishing link — what should I do now?
Clicked a suspicious link or entered your details on a fake page? Stay calm. This step-by-step guide tells you exactly what to do to limit the damage and secure your accounts.
13 April 2026 · 6 min read
Everyone makes mistakes, and clicking a phishing link is one of the most common. The good news: clicking alone is often harmless, and even if you entered information, quick action can prevent most of the damage. Here is exactly what to do, in order, depending on how far you went.
First: don't panic, but act promptly
Phishing relies on fear, and panic leads to mistakes. Take a breath, then work through the steps below calmly. Speed matters, but so does doing the right things rather than thrashing.
If you only clicked the link
Simply opening a phishing page usually does not compromise you, especially on an updated device. But to be safe:
- Do not enter any information on the page. Close it.
- Do not download or open anything the page offered.
- If a download started automatically, do not open the file. Scan it with a malware scanner and delete it if flagged.
- Watch your device for the warning signs of infection over the next few days.
If you entered your password
This is more serious, but recoverable if you move fast:
- Change that password immediately — from a different, trusted device if possible — by going directly to the real site, not through any link.
- Change it everywhere you reused it. If that password protected multiple accounts, all of them are now at risk. Change each, and stop reusing passwords going forward.
- Enable two-factor authentication on the affected account so a stolen password alone is not enough.
- Check the account's activity and active sessions, logging out unfamiliar devices and looking for anything you did not do.
If you entered payment or card details
- Contact your bank or card issuer immediately to report it. They can freeze the card and watch for fraud.
- Monitor your statements closely for unauthorised charges, and dispute any that appear.
- Consider a replacement card — the number should be treated as compromised.
If you entered a one-time code
Some phishing pages ask for the 2FA code sent to you, which they use in real time to break into your account. If you provided one, change the password and check the account immediately, since the attacker may already be inside. Remove any unfamiliar devices or app passwords, and re-secure your 2FA.
Special case: your email account
If the phished account was your email, treat it as the top priority. Email is the recovery route for nearly every other account, so an attacker with your email can reset your banking, social media and more. Secure it first: change the password, enable strong 2FA, and check recovery settings and forwarding rules for anything the attacker may have added.
Then: contain and learn
- Report the phishing to the impersonated company and your email or messaging provider, helping protect others.
- Scan your device if anything was downloaded, and watch for unusual behaviour.
- Tell anyone affected — if your account was used to message contacts, warn them not to engage with anything sent in your name.
Preventing the next one
Once you have contained the situation, reduce the chance of it happening again: adopt a password manager so a single phishing success cannot cascade, enable 2FA everywhere, learn the phishing red flags, and get into the habit of scanning suspicious links with the URL scanner before clicking. Falling for phishing once is human; the systems above make it far less likely — and far less costly — next time.
Most people who act quickly after a phishing mistake emerge with no lasting harm. The attackers count on victims freezing or feeling too embarrassed to respond. Move fast, follow the steps, and you take back control.
Frequently asked questions
Is clicking a phishing link enough to get hacked?
Often not, especially on an updated device. The real danger is what you do next — entering credentials or opening a downloaded file. If you only clicked, close the page and scan any download.
What should I do first after entering my password on a fake site?
Change that password immediately from a trusted device, change it anywhere you reused it, and enable two-factor authentication on the affected account.
I gave away a 2FA code — what now?
Act fast: the attacker may be using it in real time. Change your password, log out unfamiliar sessions, and re-secure your two-factor authentication immediately.