What to Do If You Clicked a Phishing Link

First, breathe. Clicking a phishing link is not the same as losing your account or money — and what you do in the next few minutes matters more than the click itself. Most people who act quickly come out fine.

This is an ordered checklist. Start at the top and only do what applies to you.

Quick version: Don't enter anything else. Change the password for any account you may have exposed, turn on two-factor authentication, watch your bank and email for changes, and report it. Speed limits the damage.

If you only clicked (and entered nothing)

Often the link just opens a fake page. If you didn't type anything or download anything:

1. Close the page. Don't enter credentials, even to "test" it.
2. Don't tap anything else in the original email or text.
3. Run a quick security scan if you're on a computer, in case a download started.

Simply viewing a phishing page rarely does harm on its own. The danger is what you type next — so the fact that you stopped is good news.

If you entered a password

1. Change that password immediately — and anywhere you reused it. Go to the real site directly; don't use the email's link.
2. Turn on two-factor authentication (2FA) so a stolen password alone isn't enough.
3. Sign out of all devices in the account's security settings to kick out anyone already in.

If you entered card or bank details

1. Call your bank using the number on the back of your card — not any number from the message.
2. Ask them to watch for fraud or reissue the card.
3. Check recent transactions and turn on transaction alerts.

If you downloaded a file or installed something

1. Disconnect from the internet (turn off Wi-Fi) to stop anything from communicating out.
2. Run a full antivirus/malware scan.
3. If anything looks wrong and you're unsure, take the device to a trusted technician — not the "support number" from the message.

"I replied to the scam — does that matter?"

Replying to a scam email or text doesn't hand over your accounts, but it confirms you're a real, reachable person, so expect more attempts. Don't continue the conversation. Block the sender and, for texts, forward it to 7726 (SPAM) before deleting.

Warning signs your account was actually compromised

After the immediate steps, keep an eye out for the signals that someone got in. Over the next days, watch for:

• Sign-in alerts or login activity from places or devices you don't recognize.
• Password-reset or "verify it's you" emails you didn't request.
• Changed recovery details — a new phone number, email, or security question on the account.
• Sent messages you didn't write, or contacts reporting spam from you.
• Unfamiliar charges, new payees, or transfers you didn't make.

Most major services show recent login activity in their security settings. If you spot any of these, change the password again, sign out of all sessions, and contact the service's support.

Lock it down so it can't happen again

Once the fire is out, the highest-value follow-up is turning on two-factor authentication (2FA) for your important accounts — email first, then banking, then anything tied to payments. With 2FA on, a stolen password alone isn't enough to get in.

A password manager helps too: it makes every password unique, so one phished login can't unlock the rest of your accounts. These two changes do more to protect you than any single warning sign you could memorize.

Then report it

Reporting won't undo the click, but it helps shut the scam down and creates a record if money is involved:

• Report to the impersonated company (most have a phishing address, e.g. spoof@paypal.com, stop-spoofing@amazon.com).
• In the US, report to the FTC at reportfraud.ftc.gov.
• For scam texts, forward to 7726, then delete.

For the full reporting walkthrough, see the guide below on how to report a scam email.

What scammers actually do with what they get

Knowing the goal helps you prioritize. Stolen information rarely sits idle:

• Login credentials get used to break into the account directly, or get "credential stuffed" against your other accounts that share a password — which is why reuse is so dangerous.
• Card numbers are tested with small charges, then sold or used for larger ones.
• One-time codes are the real prize in many scams; handing one over can let an attacker straight past your two-factor protection. Never share a code, even with "support."
• Personal details (date of birth, address, SSN) feed identity theft — new accounts opened in your name, sometimes months later.

This is why the fast moves matter: changing a password and enabling 2FA closes the door before stolen data gets put to work.

Stop the next one before you click

The cleanest fix is to never click the next one. When a message looks off, forward it to FraudRoom at check@fraudroom.com first and get a plain-English risk level back — so the question becomes "is this safe?" before the click, not after.

FAQ

Is clicking a phishing link enough to get hacked?

Usually not by itself. The real risk is entering information on the fake page or downloading a file. If you only clicked and closed the page, you're likely fine — but still change any password you may have typed.

I gave a scammer my information — what should I do first?

Change the exposed password everywhere you used it, enable two-factor authentication, and if you shared financial details, call your bank right away. Then report it.

How do I know if my account was actually compromised?

Look for sign-ins you don't recognize, password-reset emails you didn't request, changed recovery details, or unfamiliar transactions. Many services show recent login activity in security settings.

Key takeaways

• Stopping after the click is the most important step — don't enter more.
• Change exposed passwords, enable 2FA, and sign out of all devices.
• For financial details, call your bank using the number on your card.
• Report it, and set up a way to check messages before clicking next time.

Related reading

• How to report a scam email
• Is this email a scam? How to check if it's real or phishing
• Is this text message a scam?