What to Do If You Clicked a Phishing Link
Clicked a suspicious link and worried? Stay calm. Clicking alone is usually low harm. This calm, step-by-step guide helps you triage by what you did next and lock things down fast.
First, take a breath. If you clicked a link in a suspicious email or text and now you are panicking, you are not alone, and in most cases you are going to be fine. Clicking a link by itself is often low harm. What matters most is what happened after the click: did you only see a page, did you type in a password, did you enter card or bank details, or did something download? This guide walks you through each situation calmly and tells you exactly what to do.
- Clicking a link alone is usually not the disaster it feels like. Most harm comes from what you type or download next.
- If you typed a password, change it now everywhere you reuse it, and turn on two-factor authentication.
- If you shared card, bank or OTP details, call your bank immediately. In India, call 1930 within the first hour.
- If something downloaded or installed, disconnect from the internet and run a full antivirus scan.
- Do not enter anything else on the page, and never call phone numbers shown on a suspicious site.
First, do not panic
Modern phones and computers are reasonably good at containing a single click. Simply viewing a phishing page does not usually hand control of your device to anyone. The danger rises sharply only when you enter information or run a file. So the calmest and most useful thing you can do right now is work out which of the situations below matches you, then follow those steps. Do not enter any more details on the page, and do not call any phone number it displays.
Quick triage table
| What you did after clicking | Risk level | First action |
|---|---|---|
| Only saw the page, entered nothing | Low | Close the tab, scan your device |
| Entered a password | Medium to high | Change that password everywhere you reuse it |
| Entered card, bank or OTP details | High, urgent | Call your bank now; in India call 1930 |
| Downloaded or installed a file or app | High | Disconnect from the internet, run a full scan |
A: You only opened the page and entered nothing
This is the most common and least serious case. If you did not type anything and nothing downloaded, you have probably dodged it.
- Do not enter any information, even if the page looks like a real login or asks you to "verify".
- Close the tab or window. There is no need to interact with it further.
- If a file started downloading on its own, delete it without opening it, and follow section D.
- Run a scan with your built-in security tool (Microsoft Defender, your phone's Play Protect, or your antivirus) for peace of mind.
- Report and delete the original message so you do not tap it again. Most email and messaging apps have a "Report phishing" or "Report junk" option.
B: You entered a password
If you typed a password into the fake page, assume the attacker now has it. Act quickly but methodically. The good news: a password you change in time is useless to them.
- Change the password for that account immediately, by going to the real website or app yourself, not through any link in the message.
- Change it everywhere else you used the same or a similar password. This is the step people skip and regret. Attackers try stolen passwords across many sites.
- Turn on two-factor authentication (2FA) for that account and your important accounts (email, banking, social media). This blocks most takeovers even if a password leaks.
- Check recent account activity: login history, connected devices, forwarding rules and recovery email or phone settings. Remove anything you do not recognise.
- Secure your email account first if it was involved, since it can reset every other account.
C: You entered card, bank or OTP details
This is the situation that needs you to move fast, ideally within minutes.
- Call your bank's official fraud line immediately, using the number on the back of your card or the bank's real website. Tell them it was fraud and ask them to freeze or block the card and watch for transactions.
- Freeze or lock the card in your banking app if you have that option, as a stopgap while you wait to speak to someone.
- In India, call the national cybercrime helpline 1930 as soon as possible. The first hour is the "golden hour": reporting fast gives the bank and police the best chance to freeze the money before it is moved. Then file a complaint at cybercrime.gov.in.
- Elsewhere, report to your national channel: in the US, ReportFraud.ftc.gov and IdentityTheft.gov; in the UK, Action Fraud or Police Scotland.
- Change the passwords for your banking and email accounts and turn on 2FA.
- Watch your statements closely for the next few weeks and dispute anything you did not authorise.
D: You downloaded or installed something
If the link led you to download a file, app or attachment, and especially if you opened or installed it, treat the device as possibly compromised until you have checked it.
- Disconnect from the internet (turn on aeroplane mode or switch off Wi-Fi). This limits what malware can send or receive.
- Do not enter any passwords on that device until it is cleaned.
- Run a full antivirus or anti-malware scan and let it remove anything it finds. On Windows, Microsoft Defender is built in.
- On a phone, delete the app you installed. Check Settings for any app you do not recognise that has been granted Accessibility, Device admin or "display over other apps" permissions, and revoke them.
- If anything still seems wrong after scanning, back up your personal files and consider a factory reset to be safe. Change your important passwords afterwards from a different, clean device.
Signs of compromise to watch
- Login alerts, password-reset emails or 2FA prompts you did not request.
- Friends receiving odd messages from your accounts.
- Unfamiliar transactions, or small "test" charges on your card.
- Your phone running hot, draining fast, or showing pop-ups and new apps you did not install.
- Being signed out of accounts, or recovery details that have been changed.
How to recognise phishing and avoid it next time
Phishing messages usually share a few tells: a sense of urgency or threat, a link that does not match the real company's address, generic greetings, small spelling errors, and requests for passwords, OTPs or payment that a real organisation would never make. To reduce your risk:
- Use a password manager so every account has a unique password. Then one leak cannot unlock the rest.
- Turn on two-factor authentication, ideally an app or passkey rather than SMS, on every important account.
- Do not click links in unsolicited messages. Go to the website or app directly and log in there.
- Never share an OTP with anyone, including people claiming to be from your bank. Staff will never ask for it.
- Keep your phone and computer updated, since updates patch the flaws malware relies on.
Frequently asked questions
Can I get hacked just by clicking a link? Rarely. On an up-to-date device, simply opening a phishing page usually does little on its own. The real risk comes from entering information or downloading and running a file.
Should I factory reset my phone or computer? Not for a click alone. A reset is worth considering only if you installed something suspicious and a full scan does not reassure you, or your device keeps behaving strangely. Back up your files first and reset your passwords from a clean device afterwards.
I entered my password but nothing has happened. Am I safe? Change it anyway, everywhere you reused it, and turn on 2FA. Stolen credentials are often used days or weeks later, so acting now is what keeps you safe.
How fast do I need to act if money is involved? As fast as you can. Call your bank within minutes, and in India call 1930 within the first hour to give them the best chance of freezing the funds.
Official help and sources
- UK National Cyber Security Centre, phishing scams guidance: ncsc.gov.uk
- US Federal Trade Commission, how to recognise and avoid phishing: consumer.ftc.gov
- US report fraud: reportfraud.ftc.gov and identity theft recovery: identitytheft.gov
- India national cybercrime helpline 1930 and reporting portal: cybercrime.gov.in
If money was stolen or you need to report the crime, see our cybercrime help hub for country-by-country reporting and recovery steps.