← All articles

You clicked a phishing link — what to do next

GottaPhish Team · June 4, 2026

Clicking a phishing link happens to plenty of careful people — it's an easy mistake, not a disaster, and what matters most is what you do next. Acting quickly and calmly can prevent nearly all of the harm. Here's a clear, step-by-step guide.

First, don't panic — and don't hide it

The single most damaging reaction is to stay silent out of embarrassment. Attackers rely on that hesitation; every minute counts, and reporting quickly is what limits the damage. You are not in trouble for reporting a mistake — you're helping protect the whole organisation.

Take a breath. Then work through the steps below.

Step 1: Stop and disconnect

If you clicked a link or downloaded a file, disconnect the device from the internet. On a laptop, turn off Wi-Fi or unplug the network cable. This helps stop any harmful software from communicating out or spreading.

Don't shut the computer down unless your IT team tells you to — they may want to see what happened.

Step 2: Don't enter anything else

If the link opened a web page asking for your login, password, or card details:

Step 3: Change your passwords

If you entered a password — or you're not sure whether you did — change it as soon as possible, using a different, trusted device if the affected one may be compromised.

Step 4: Report it straight away

Tell your IT or security team immediately, even outside working hours if that's an option. Give them the facts:

Your IT team would far rather hear about a click at 9pm than discover a breach next week. Reporting is the responsible thing to do.

If you don't have an IT team, contact the real organisation the message pretended to be (your bank, for instance) using their official phone number or website — never the details in the suspicious message.

Step 5: Watch for follow-on trouble

In the days that follow, stay alert:

What if you only clicked, but entered nothing?

You may be fine — but still report it. Simply visiting a malicious page can occasionally be enough to cause harm, and your IT team can check the device to be sure. Reporting also warns them that others may have received the same message.

Turning a mistake into a lesson

Once the immediate steps are done, it's worth reflecting calmly on what made the message convincing. Was it the urgency? A familiar-looking sender? Recognising the trick that worked on you makes you far harder to fool next time. Mistakes like this are one of the most powerful ways people learn to stay safe.

How GottaPhish helps

When someone clicks a phishing link, the damage depends entirely on how quickly and calmly they react — and GottaPhish, together with our expert support team, helps your organisation build the confidence to act correctly in exactly those moments. Our realistic simulations let people experience a phishing click in a completely safe setting, so the right response — stop, change passwords, report — becomes second nature, supported by no-blame awareness training and dashboards that track reporting rates over time. Our support and experts team works hands-on with you to set up campaigns, design believable scenarios, and interpret the results, building a workplace where mistakes are reported quickly and everyone stays protected.