
What Happens If You Click a Phishing Link? (And What to Do Next)

You clicked. Your heart dropped. Now what?

First: don't panic. Clicking a phishing link doesn't necessarily mean the worst has already happened. Whether you've entered information or not makes a huge difference. Here's what to do.

What might have happened when you clicked:

  1. If you just clicked and didn't enter anything: You may be okay. Some phishing pages do try to auto-install malware just from visiting, but modern browsers with security updates prevent most of this. Still — act quickly.
  2. If you entered login credentials: Those credentials are now in a scammer's hands. Change your password immediately on the real site, and do the same for any other accounts where you use that password.
  3. If you entered credit card or banking details: Contact your bank immediately. They can freeze the card, reverse pending transactions, and monitor for suspicious activity.
  4. If you downloaded and opened a file: This is the most serious scenario. You may have malware on your device. Disconnect from the internet and call your IT support immediately.

Your 30-minute action plan:

Minutes 1–5: Disconnect and contain

If you suspect you've downloaded malware, disconnect your device from Wi-Fi and any networks immediately. This stops malware from spreading to other devices or communicating with the attacker's servers.

Minutes 5–10: Change your passwords

On a different, known-clean device, change the password for any account you entered details for. Also change your email password — email accounts are master keys to everything else.

Minutes 10–15: Enable multi-factor authentication

If you haven't already, turn on MFA for your email, banking, and any other critical accounts. Even if the scammer has your password, MFA stops them from logging in.

Minutes 15–20: Contact your bank (if financial details were entered)

Call the number on the back of your card or go directly to your bank's official website. Report what happened and ask them to monitor or freeze your account.

Minutes 20–30: Report it and run a scan

Report the phishing attempt to the ACCC Scamwatch (scamwatch.gov.au) and forward the email to your IT team or managed service provider. Run a malware scan using reputable software (Windows Defender, Malwarebytes, or similar).

For business owners: also do this

Tell your IT team immediately. Time matters enormously in limiting the spread of a breach. There's no shame in reporting it — there IS shame in delaying and allowing it to escalate. A quick, honest report to your IT team is always the right call.

The lesson worth taking from this

Everyone's clicked a dodgy link at some point. What matters is how quickly and calmly you respond. The steps above can make the difference between a minor fright and a major breach.
