10 Steps to Take After Clicking on a Phishing Link in 2024

Why Trust Techopedia

It’s surprisingly simple to fall prey to a phishing scam. Whether it’s an appealing email proposition, a message on social media, or a pop-up ad while you’re surfing the web, scammers excel in the art of deception.

Even if you pride yourself on being security conscious, you can still be caught off guard.

If you find yourself in the unfortunate situation of having clicked on a phishing link or attachment in a phishing attempt, we’ve gathered the 10 steps to follow.

Key Takeaways

  • Phishing attacks are escalating due to the increased use of generative AI to craft highly targeted and sophisticated attacks.
  • Never trust unsolicited messages blindly, no matter how much authority they project.
  • The outcome of clicking the phishing link in a phishing email depends on what information the hacker has placed on the malicious website.
  • Some malicious websites will try to lock up an individual’s computer and may infect the computer with ransomware.
  • If you click on a phishing email, the goal should be to get to a mitigated state as quickly as possible.

Quickly Taking Action Is Key

Although it’s unsettling to realize you may have inadvertently downloaded malware or compromised your personal information, there are actions you can and should take immediately to mitigate any potential harm. The sooner you take action, the less likely any damage will be done.

The outcome of clicking the phishing link in a phishing email depends on what information the hacker has placed on the malicious website, says Patrick Schaumont, professor in the Department of Electrical and Computer Engineering at Worcester Polytechnic Institute.

“Often, the malicious website is made to look like a legitimate website and tries to convince you to type in your personal information or login credentials,” he says. “If you type in your personal information, the hacker can use it to impersonate you or sell it to others.”

In some cases, the malicious website will try to lock up an individual’s computer and may even infect the computer with ransomware, which prevents the person from accessing it unless they pay the hacker a ransom, Schaumont says.


“[Phishing protection] becomes easy if you sprinkle in a pinch of suspicion,” he says. “After all, the hacker is trying to mislead you and will only succeed if you go along.”

Never trust unsolicited messages blindly, no matter how much authority they project, Schaumont adds.

“No legitimate online bank will ever ask you to click a link and provide personal data. No shipping service will ever tell you that they have a package for you but it’s undeliverable,” he says.

“No online shopping site will ever warn you that your credit card was charged for something that you didn’t order. No reputable boss will ever ask you to buy them a gift card. No upright person will ever find your name ‘by accident’ in their contact list.

“If it looks phishy, it probably is.”

Preventing Phishing Scams

To keep phishing scams from happening in the first place, organizations can implement phishing protection software designed to detect and prevent phishing attacks.

This software typically includes such features as email filtering, website blocking, and real-time scanning for suspicious activity to safeguard users from falling victim to phishing scams.

However, there are steps you can take if you do inadvertently click on a phishing link.

10 Steps to Take if You’ve Fallen for a Phishing Scam

When you realize that you’ve clicked on a phishing link or fallen for a scam, it’s important to take note of what actions you’ve performed, says Aaron Walton, threat intel analyst at Expel, a managed detection and response provider.

“Did you enter your password? Did you share other sensitive credentials or information? Did you download a file?” he says. “The actions you’ve performed help inform what the next steps are, and in most cases, you don’t have to deal with it on your own as others are willing and able to help.”

10 Steps to Take if You've Fallen for a Phishing Scam

1. Disconnect From the Internet

Disable Wi-Fi or unplug the Ethernet cable, says Robert Siciliano, a cybersecurity expert and CEO of ProtectNowLLC.com.

“Disconnecting prevents any potential malware or any remote access technology from communicating with the remote hackers’ servers,” he says.

2. Scan for Malware

Use reliable antivirus software to run a full system scan, says Julian Durand, vice president of product management and chief information security officer at Intertrust Technologies, a provider of trusted computing products and services.

“This will help identify and remove any malware that may have been installed,” he says.

3. Check Your Browser

Your browser has built-in warning signs that can detect phishing websites, Schaumont says.

“For example, trusted websites display a padlock symbol next to the web address field in your browser,” he says.

“You can click on the padlock, and your browser will tell you if it thinks the website is legitimate. Browsers may also display warnings before allowing you to proceed to a potential phishing site. Heed your browser’s warning, and retreat to a safer destination.”

4. Change Passwords

Any accounts the phishing website is associated with could be compromised, so you need to change your passwords, according to Siciliano.

“When you change your passwords, use long, strong, unique passwords for each account and never use the same password twice,” he says.

5. Enable Two-Factor (2FA) Authentication

Activate 2FA on all critical accounts to add an extra layer of security, reducing the risk of unauthorized access, says Durand.

6. Identify the Type of Phishing Attack

You should determine the nature of the phishing attack, says Phil Steffora, chief information and security officer at Arkose Labs, a provider of bot management and account security.

Was it seeking personal information, or was it a more dangerous type, such as a CEO impersonation attack aimed at monetary theft?

7. Review and Update Security Settings

You should regularly review the security settings on your digital accounts and devices and ensure that your software and applications are up to date to defend against new threats, Durand says.

8. Back Up Files, Photos

“Back up any important files or photos onto a USB thumb drive in case you need to wipe your device clean with a factory reset,” says Roman Zrazhevskiy, founder and CEO of MIRA Safety, a provider of personal protective equipment.

9. Implement a Fraud Alert

Place a free fraud alert on your credit report to be sure that scammers can’t defraud you, says Zrazhevskiy.

“This makes it quite difficult for scammers to open new credit accounts in your name,” he says. “However, it will also mean a few extra steps to confirm your identity whenever you want to open any new legitimate credit accounts.”

Siciliano agrees, adding, “If your Social Security number has been compromised, place a credit freeze on your credit report to prevent potential new account fraud identity theft.”

10. Report It to Your Security Team

If the activity occurred on a company laptop or account, it’s vital to report phishing to the security team ASAP, Walton says.

“They will be best equipped to secure any accounts and investigate the activity,” he says. “It’s essential to let them know because attackers are not just after you – they’re also likely aiming to compromise your employer through you.”

Siciliano adds that you might also want to consider reporting the phishing attempt to the Federal Trade Commission or the Anti-Phishing Working Group.

Don’t Be a Victim

The best advice is to not be a victim in the first place, says Durand.

“That is, do not click on suspicious links, particularly if you do not know the person sending you that link,” he says.

“Employ filters to weed out malware and configure your firewall with white lists of sites that are good. And train people in your company, family, and community not to click on arbitrary links.”

The Bottom Line

Phishing threats are evolving rapidly, and the volume of phishing is escalating exponentially due to the increased use of generative AI to craft highly targeted and sophisticated attacks, Steffora says.

“These aren’t broad campaigns anymore; instead, they’re direct assaults, personalized down to the individual,” he says. “Scammers are already using generative AI tools to impersonate voices and images and manipulate business information.”

For example, generative AI empowers scammers to use organizational charts and write contextually accurate phishing emails to individuals seeking some sort of financial transaction, such as paying a vendor, Steffora says.

“Enterprise IT and tech professionals need to start asking: What mechanisms can the business use to safeguard their companies besides email and phone because both of those have already been polluted by AI?” he says. “At the end of the day, when someone clicks on a phishing email, the goal should be to get to a mitigated state as quickly as possible.”


What happens after you click on a phishing link?

What should I do if I’ve fallen victim to a phishing scam?

What if I clicked on a phishing link but did not enter details?

What if I accidentally clicked on a suspicious link on my phone?


Related Reading

Related Terms

Linda Rosencrance
Technology journalist
Linda Rosencrance
Technology journalist

Linda Rosencrance is a freelance writer and editor based in the Boston area, with expertise ranging from AI and machine learning to cybersecurity and DevOps. She has been covering IT topics since 1999 as an investigative reporter working for several newspapers in the Boston metro area. Before joining Techopedia in 2022, her articles have appeared in TechTarget, MSDynamicsworld.com, TechBeacon, IoT World Today, Computerworld, CIO magazine, and many other publications. She also writes white papers, case studies, ebooks, and blog posts for many corporate clients, interviewing key players, including CIOs, CISOs, and other C-suite execs.