You clicked a phishing link — what to do next
Clicking a phishing link happens to plenty of careful people — it's an easy mistake, not a disaster, and what matters most is what you do next. Acting quickly and calmly can prevent nearly all of the harm. Here's a clear, step-by-step guide.
First, don't panic — and don't hide it
The single most damaging reaction is to stay silent out of embarrassment. Attackers rely on that hesitation; every minute counts, and reporting quickly is what limits the damage. You are not in trouble for reporting a mistake — you're helping protect the whole organisation.
Take a breath. Then work through the steps below.
Step 1: Stop and disconnect
If you clicked a link or downloaded a file, disconnect the device from the internet. On a laptop, turn off Wi-Fi or unplug the network cable. This helps stop any harmful software from communicating out or spreading.
Don't shut the computer down unless your IT team tells you to — they may want to see what happened.
Step 2: Don't enter anything else
If the link opened a web page asking for your login, password, or card details:
- Do not type anything into it. Close the page.
- If you already entered information, don't dismiss it — that's important to report (see Step 4).
Step 3: Change your passwords
If you entered a password — or you're not sure whether you did — change it as soon as possible, using a different, trusted device if the affected one may be compromised.
- Change the password for the account you were tricked into (for example, your email or a work system).
- If you reuse that same password anywhere else, change it there too. Reused passwords are one of the biggest risks after a phishing click.
- Where available, turn on two-factor authentication (a second code sent to your phone or an app). It adds a strong extra layer of protection.
Step 4: Report it straight away
Tell your IT or security team immediately, even outside working hours if that's an option. Give them the facts:
- What the message looked like and who it appeared to be from.
- What you clicked or downloaded.
- Whether you entered any information, and if so, what.
Your IT team would far rather hear about a click at 9pm than discover a breach next week. Reporting is the responsible thing to do.
If you don't have an IT team, contact the real organisation the message pretended to be (your bank, for instance) using their official phone number or website — never the details in the suspicious message.
Step 5: Watch for follow-on trouble
In the days that follow, stay alert:
- Check your accounts for logins or activity you don't recognise.
- Watch your bank statements if any financial details were involved, and tell your bank if something looks wrong.
- Be wary of new messages. Attackers who get a response often follow up, sometimes pretending to "help" you fix the problem.
What if you only clicked, but entered nothing?
You may be fine — but still report it. Simply visiting a malicious page can occasionally be enough to cause harm, and your IT team can check the device to be sure. Reporting also warns them that others may have received the same message.
Turning a mistake into a lesson
Once the immediate steps are done, it's worth reflecting calmly on what made the message convincing. Was it the urgency? A familiar-looking sender? Recognising the trick that worked on you makes you far harder to fool next time. Mistakes like this are one of the most powerful ways people learn to stay safe.
How GottaPhish helps
When someone clicks a phishing link, the damage depends entirely on how quickly and calmly they react — and GottaPhish, together with our expert support team, helps your organisation build the confidence to act correctly in exactly those moments. Our realistic simulations let people experience a phishing click in a completely safe setting, so the right response — stop, change passwords, report — becomes second nature, supported by no-blame awareness training and dashboards that track reporting rates over time. Our support and experts team works hands-on with you to set up campaigns, design believable scenarios, and interpret the results, building a workplace where mistakes are reported quickly and everyone stays protected.
