
What to do after clicking a phishing link

Clicked a suspicious link? Here is exactly what to do next, step by step, depending on what happened after you clicked.

Clicking a phishing link does not automatically mean you have been compromised. What matters most is what happened after you clicked - and how quickly you act.

This guide runs through each scenario in order of severity, so you can jump to the one that applies to you.


Step one: don't panic, but act quickly

The worst thing you can do is freeze. Most phishing attacks require you to take a second action - entering your details, downloading a file, authorising a payment - before the scammer gains anything. If you caught it early, you may be fine.

Close the tab or browser if you haven't already. Then work through the scenarios below.


Scenario 1: You clicked but entered nothing

This is the best-case outcome. Simply visiting a phishing page does not usually cause harm - the risk comes from what you do on the page, not from the page loading.

What to do:

  1. Close the tab
  2. Run the URL through SniffTest to confirm it was a phishing site - this gives you a clear record of what you clicked
  3. If the link came from a message that appeared to be from someone you know, let them know their account may have been compromised and used to send scam messages

That is usually enough. Monitor your accounts over the next few days as a precaution, but there is no immediate action required.


Scenario 2: You entered a password or login credentials

Act immediately. The scammer may already be trying to access your account.

  1. Change your password now - on the account the fake site was impersonating, and on every other account where you use the same password
  2. Enable two-factor authentication if it is not already active - this makes the stolen password useless on its own
  3. Check account activity - look for any logins, changes, or actions you didn't make
  4. Log out of all sessions - most account settings pages have an option to sign out everywhere
  5. Alert the real organisation - if the phishing site was impersonating your bank, email provider, or another service, tell them so they can flag your account

If you use a password manager, this is the moment to rotate any reused passwords. Credential stuffing - using stolen username/password pairs across dozens of services - is automated and starts fast.
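An added example (not part of the original guide) of working out which accounts the password-change step and the reused-password advice above apply to: it reads a password manager CSV export and lists what to rotate, putting accounts that reuse the exact username/password pair first, since that pair is what credential stuffing replays. The column names (name, url, username, password) and the sample rows are constructed assumptions; adjust them to your manager's export format.

```python
import csv
import io

# Constructed sample export. Column names are an assumption; real password
# managers differ, so rename the keys below to match your own export.
SAMPLE_EXPORT = """name,url,username,password
Bank,https://bank.example,alice@example.com,Sample-Pass-1
Webmail,https://mail.example,Alice@Example.com,Sample-Pass-1
Forum,https://forum.example,alice_w,Sample-Pass-1
Shop,https://shop.example,alice@example.com,Sample-Pass-2
Streaming,https://tv.example,alice@example.com,Sample-Pass-3
"""


def rotation_plan(export_csv, phished_entry):
    """Return (entry name, reason) pairs, most urgent first.

    phished_entry is the name of the account whose login was typed into the
    fake site. Passwords are compared but never returned or printed.
    """
    rows = list(csv.DictReader(io.StringIO(export_csv)))
    exposed = next((r for r in rows if r["name"] == phished_entry), None)
    if exposed is None:
        raise ValueError(f"no entry named {phished_entry!r} in export")

    exposed_user = exposed["username"].strip().lower()
    plan = [(exposed["name"], "entered on phishing site")]
    pair_reuse, password_reuse = [], []
    for row in rows:
        if row is exposed or row["password"] != exposed["password"]:
            continue  # a different password is not affected by this incident
        if row["username"].strip().lower() == exposed_user:
            # The same pair works here unchanged: first target for stuffing.
            pair_reuse.append((row["name"], "same username and password"))
        else:
            password_reuse.append((row["name"], "same password"))
    return plan + pair_reuse + password_reuse


if __name__ == "__main__":
    for name, reason in rotation_plan(SAMPLE_EXPORT, "Bank"):
        print(f"rotate {name}: {reason}")
```

The export file holds every password in plain text, so delete it securely once the list has been worked through.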


Scenario 3: You entered payment card details

Call your bank immediately. Do not wait.

  1. Call the fraud line on the back of your card - ask them to cancel or freeze the card and flag your account for monitoring
  2. Ask about reversing recent transactions - if fraud has already occurred, your bank may be able to recover funds, particularly in the first 24 hours
  3. Check your statements - look for any charges you didn't make, however small; scammers often test cards with a tiny transaction before making larger ones
  4. Request a replacement card - even if no fraud has occurred yet, the card details are compromised

In the UK, contact Action Fraud at actionfraud.police.uk to file a report. This creates an official record and contributes to fraud investigations.


Scenario 4: You entered personal information

Personal details - name, address, date of birth, National Insurance number - are used for identity fraud, which can take longer to surface but is harder to undo.

  1. Note exactly what you shared - the more specific you are, the more useful your fraud report will be
  2. Report to Action Fraud (UK) at actionfraud.police.uk or the FTC (US) at reportfraud.ftc.gov
  3. Check your credit report - sign up for a free service like ClearScore or Experian (UK) and monitor for credit applications you didn't make
  4. Consider a protective registration - CIFAS in the UK offers a protective registration service that flags your identity as a fraud risk, making it harder for someone to open credit in your name

Scenario 5: You downloaded a file or app

This is the highest-risk scenario. Malicious downloads can install malware that logs keystrokes, steals passwords, or gives attackers remote access to your device.

  1. Disconnect from the internet - turn off Wi-Fi and mobile data to prevent any malware from communicating with its command server
  2. Do not log into anything on the device until it has been scanned
  3. Run a full antivirus scan - use reputable software (Malwarebytes, Windows Defender, or your device's built-in security)
  4. If the device is a work device - contact your IT or security team immediately; do not try to fix it yourself
  5. Change passwords from a different device - assume any credentials entered on the infected device may be captured

If you're not confident the device is clean after scanning, a factory reset is the safest option, though you'll lose anything not backed up.


After any phishing incident: three things to do

Regardless of what happened, these steps are worth doing after any phishing encounter:

Report it. In the UK, forward phishing texts to 7726 and report phishing emails to [email protected]. For websites, report to the NCSC at report.ncsc.gov.uk. Your report helps protect other people from the same attack.

Check the link. Run the phishing URL through SniffTest - even after the fact, it gives you a clear record of what the site was and what signals it triggered. Useful if you need to report to your bank or the police.

Tell someone. If the phishing message appeared to come from a contact, let them know. If it came from a spoofed brand, consider warning others in any relevant community or group.


Frequently asked questions

Q: Does clicking a phishing link automatically give hackers access to my device?

A: Usually not. Simply visiting a phishing page is generally safe - the risk comes from entering information or downloading something. Drive-by downloads (malware that installs automatically just from visiting a page) are possible but rare and typically target unpatched browsers. Keeping your browser updated significantly reduces this risk.

Q: How do I know if I've been phished?

A: Common signs include unexpected password reset emails, logins you don't recognise in your account activity, charges on your bank statement you didn't make, or contacts telling you they received strange messages from you. If you're unsure, run the link through SniffTest and check your accounts for unusual activity.

Q: How quickly do I need to act after clicking a phishing link?

A: As quickly as possible. Credential theft is often automated - scammers use bots to attempt logins with stolen details within minutes. For payment card fraud, banks have a better chance of reversing transactions made in the first 24 hours. The sooner you act, the better.

Q: Should I tell my bank even if nothing seems to have happened?

A: Yes, if you entered any payment details. Even if no fraudulent transactions have appeared, your bank can flag your account for monitoring and issue a replacement card before the details are used. It costs you nothing to call.

Q: Can I get my money back after a phishing scam?

A: Possibly. Banks in the UK are required to reimburse victims of authorised push payment fraud in many cases, and can sometimes reverse unauthorised card transactions. Contact your bank immediately and file a report with Action Fraud - having a reference number strengthens your case. Success varies depending on how quickly you acted and the type of payment made.
