Clicked a Phishing Link? What to Do Next, by Device
If you’re reading this right after clicking something you wish you hadn’t, take a breath. The click itself is rarely the disaster. I spent more than twenty years building the products that are supposed to catch this kind of thing, and one of the more useful things I can tell you is that a phishing link is not a trapdoor. What happens next depends almost entirely on what you did after the page opened.
The panic most people feel comes from imagining the worst version. The honest version is more boring and more manageable. So before you do anything drastic, let’s figure out which situation you’re actually in, because the right response for one of them is wild overkill for another.
Start here: what happened after you clicked?
Four things can happen once a phishing link opens, and the risk climbs sharply with each one. The page loaded and you closed it. You typed something in, like a password. You opened a file the page or email handed you. Or you installed an app or a program.
The first is usually a non-event. The last can hand over your whole device. Find your situation below and you can skip the rest.
If the page just loaded and nothing else
This is where most people are, and it’s the best place to be. When a phishing page opens, the server on the other end records that you showed up. It can see your rough location from your IP address, the kind of device and browser you’re using, and a few similar basics. That’s the extent of it, as long as you didn’t type anything or download anything.
The fear here is the “drive-by” install, where simply viewing a page infects you. That can happen, but it needs a security hole your device hasn’t patched yet, and on a phone or computer that’s reasonably current it’s rare. Phones especially won’t install anything without you tapping to approve it.
What to do is short. Close the tab. Don’t enter anything, don’t tap any download, don’t “verify” anything the page asks you to. Then make sure your phone or computer is running the latest updates, because that’s the real protection against the rare drive-by case. You don’t need to change passwords or wipe anything. The one thing you’ve learned is that someone now knows your address is live, so expect a few more attempts and give the next suspicious message the same suspicion.
If you entered a password or personal info
This is the scenario that actually matters, and it’s worth being blunt about. If you typed a username and password into that page, it went straight to whoever built it. There’s often no malware involved at all. The compromise is simpler than that. They have your login, and they can use it.
The account you signed into is the one at immediate risk. The bigger problem is password reuse. If that same password also unlocks your email, your bank, and three other accounts, every one of them is now exposed, because the first thing attackers do with a working password is try it everywhere else.
Move fast, but move from a device you trust, especially if a file was involved too. Change the password on the account you exposed. If you reused that password anywhere, change it there as well, starting with your email and anything financial. Turn on two-factor authentication, which adds a second step like a code or a tap so a stolen password alone isn’t enough to get in. Then open the account’s security settings and sign out all other sessions, which kicks the attacker off if they’re already logged in. Keep an eye on your inbox for password-reset or new-login messages you didn’t start.
One honest caveat. Some sophisticated phishing pages can capture a two-factor code too, or nudge you into approving a login on your own phone. Two-factor is still far better than none, so turn it on anyway. And if the reason you reused a password is that nobody can remember a unique one for every account, that’s the real fix worth making. A password manager handles it for you, and it’s the single change that shuts down most of this category of attack.
If you opened a file or installed an app
Opening an attachment or installing something is a different kind of problem. Entering a password risks an account. Running a file risks the device itself, because you may have run the attacker’s code rather than just handed over a login. Treat this scenario as a compromised device until you’ve confirmed otherwise.
First, disconnect. Turn off Wi-Fi and cellular data, or unplug the network cable. That cuts off anything trying to phone home or spread. Then the response splits by device.
On a phone
On an iPhone, you’re in better shape than you’d guess. iOS keeps apps walled off from each other, so a malicious file usually can’t do much on its own. The thing to check is whether you were talked into installing a “profile” or an app from outside the App Store. Open Settings, then General, then VPN and Device Management, and delete anything there you don’t recognize. Restart the phone.
On Android, open Settings and scroll through your installed apps for anything you don’t remember adding, especially anything holding device-administrator rights, and remove it. Booting into safe mode (your phone’s manual lists the exact steps) stops third-party apps from running while you clean up. If something installed itself and won’t leave, a factory reset followed by restoring from a backup made before today is the clean solution.
On a computer
On Windows or a Mac, run a full scan with the security tool already built in, Microsoft Defender on Windows or the protections baked into macOS, and quarantine whatever it flags. Then change the passwords for any account you’ve logged into on that machine, because if something was installed, it may have been watching you type. If the scan turns up something serious, or the computer acts strangely afterward, the honest answer is to reinstall the operating system and restore your files from a backup you trust. It’s more work than anyone wants, but a half-cleaned machine isn’t worth trusting with your bank login.
A quick map by device
Here’s the same guidance compressed, if you just want to confirm you’re already doing the right thing.
| What happened | On your phone | On your computer |
|---|---|---|
| Page loaded, nothing typed | Close it, install the latest OS update, carry on | Close the tab, update your browser and OS, run a quick scan to be safe |
| You entered a password | Change that password and any reused ones from a trusted device, turn on two-factor, sign out all sessions | Same, plus clear saved logins for that site in your browser |
| You opened a file or installed something | Disconnect, delete unknown profiles or apps, factory reset if it persists | Disconnect, run a full security scan, reinstall the OS if anything serious turns up |
The honest bottom line
Clicking a phishing link feels like one catastrophic mistake. It almost never is. The link is just the door. The damage, if there’s any at all, comes from what you did on the other side of it, and most of the time the fix is one or two specific steps rather than a week of dread.
If you typed your email password into that page, treat your email as the priority, because it’s the master key that resets everything else. If your email account itself has been taken over, that’s a different and more urgent job, and I’ve written a separate guide for recovering a hacked email account. If this click landed right after a company told you your data had leaked, the data-breach response steps are the right next read. And whatever happened today, the password manager is still the change that turns the next phishing link into a non-event.
One last thing once you’re safe. Report the message. You can file with the FTC at ReportFraud.ftc.gov or with the FBI’s Internet Crime Complaint Center. It won’t undo your day, but phishing was the single most reported internet crime in the FBI’s 2024 Internet Crime Report, with more than 193,000 complaints, and those reports are how the patterns get spotted and shut down.
Tom Reardon spent over 20 years in product and operations at major identity protection providers. He writes at MyScamGuide.com to give consumers the honest picture the industry’s marketing never did.
Recommended resources:
- IdentityTheft.gov: the FTC’s official recovery resource if your information was stolen
- ReportFraud.ftc.gov: report the phishing attempt to the FTC
- FBI Internet Crime Complaint Center: file an internet crime report