Online safety

What to Do If You Clicked a Phishing Link (Step-by-Step Recovery)

A calm, practical recovery plan — what to do in the next ten minutes, what to watch for over the next few weeks, and when to report it.

If you clicked a phishing link, take a breath — you can recover. Close the page or tab immediately, disconnect from Wi‑Fi if you downloaded anything, and do not enter any more information on that site. Change passwords for any account you typed into on that page, starting with your email. Run a full antivirus scan, turn on multi-factor authentication (MFA) on your most important accounts, and report the message to your email provider and the FTC. The steps below walk you through exactly what to do, in order, so you can limit the damage and move on.

First: clicking a link does not automatically mean your accounts are stolen. Many phishing pages harvest credentials — if you closed the page before typing anything, your immediate risk is lower. But "lower" is not "zero," which is why the recovery steps below still matter. Phishing is the most reported internet crime category year after year; the FBI's IC3 received more than 193,000 phishing and spoofing complaints in 2024 alone (IC3 annual report). Not sure which type of attack you faced? See our overview of smishing, phishing, and other phishing attack types. The people who recover fastest act calmly and methodically instead of panicking or ignoring it.

Do this in the next 10 minutes

Your emergency checklist

  1. Close the page — do not click anything else on it.
  2. Disconnect from Wi‑Fi if you downloaded a file or entered a password (use mobile data to look up help if needed).
  3. Change passwords for any account you typed into on that page — email first.
  4. Turn on MFA on your email, banking, and cloud accounts.
  5. Run a full antivirus scan on your device.
  6. Report the message — forward the email to your provider's abuse address and file a report at reportfraud.ftc.gov.

Step-by-step recovery after clicking a phishing link

Work through these steps in order. If you only clicked and closed the page without entering anything, you can move faster — but still complete the scan and MFA steps.

1. Close the page and stop interacting

Do not click "unsubscribe," "confirm," or any other button on the suspicious page or email — those can trigger additional tracking or downloads. Close the browser tab. If you're on a phone, force-quit the browser app. If you already entered a password, treat that account as compromised right now and skip ahead to the password section.

If you downloaded a file or clicked "Allow" on a permission prompt, disconnect your device from the internet immediately. Pull the Ethernet cable, turn off Wi‑Fi, or enable airplane mode. This stops any malware from "phoning home" while you scan.

2. Scan your device for malware

Run a full (not quick) scan with your built-in security tool or trusted antivirus software. On Windows, use Windows Security. On Mac, check for unfamiliar apps in Applications and run a scan if you have security software installed. On iPhone or Android, check recently installed apps and remove anything you don't recognize.

Also clear your browser cache and cookies for the past 24 hours — this removes any session tokens the phishing site may have stored. In most browsers: Settings → Privacy → Clear browsing data.

3. Change passwords — starting with email

Your email account is the master key to most of your other accounts. If a scammer controls your email, they can reset passwords everywhere else. Change it first, using a device you trust and a network you trust (not the one you were on when you clicked the link, if possible).

Change passwords for any account where you entered credentials on the phishing page. Use a strong, unique password for each one — not a variation of your old password. A password manager makes this much easier.

Go directly to your account security settings — type the URL yourself or use a bookmark, never a link from the suspicious message:

4. Enable multi-factor authentication (MFA)

MFA — also called two-factor authentication or 2FA — adds a second verification step beyond your password. Even if a scammer has your password, they can't log in without the second factor. Turn it on for your email, banking, social media, and any cloud storage accounts.

Use an authenticator app (Google Authenticator, Authy, or your password manager's built-in option) rather than SMS texts when possible. SMS is better than nothing, but it's more vulnerable to SIM-swap attacks. The same security pages linked above let you set up MFA for each provider.

5. Review recent account activity

Log into your most important accounts and look for signs someone else accessed them:

  • Unknown devices or locations in "Recent activity" or "Sign-in history"
  • Forwarded-email rules you didn't create (a common trick — scammers silently forward your mail)
  • Password-reset emails you didn't request
  • New recovery phone numbers or email addresses you don't recognize

If you find anything suspicious, change the password again, revoke all active sessions, remove unknown devices, and contact the provider's support team.

6. Report the phishing attempt

Reporting helps authorities track scam campaigns and protects others from the same attack. Here's where to report:

  • FTC: File a report at reportfraud.ftc.gov. The Federal Trade Commission collects fraud reports and shares them with law enforcement.
  • CISA: Review official guidance on recognizing and reporting phishing at cisa.gov/phishing. The Cybersecurity and Infrastructure Security Agency publishes resources for individuals and organizations.
  • Your email provider: Forward the suspicious email to the abuse address (e.g., phishing@apple.com, report_spam@google.com, or phishing@outlook.com depending on your provider).
  • Your employer: If the phishing message came to a work email, report it to your IT or security team immediately — they may need to check whether other employees received the same message.

If you entered credentials or payment information

The recovery steps above are the baseline. If you typed a username and password, or entered a credit card number, on the phishing page, treat it as a confirmed compromise and escalate:

  • Passwords: Change them immediately from a clean device. Assume the scammer has them already.
  • Credit or debit cards: Call your bank or card issuer and report potential fraud. Ask for a new card number. Monitor statements for unauthorized charges over the next several billing cycles.
  • Social Security number or government ID: File a report at reportfraud.ftc.gov and consider placing a fraud alert or credit freeze with the major credit bureaus.
  • Work credentials: Contact your IT department immediately. Do not wait — a compromised work account can give attackers access to company systems, customer data, and payroll.

If money was taken, document everything: screenshots of the phishing message, timestamps, amounts, and your correspondence with the bank. This documentation helps if you need to dispute charges or file a police report.

If you downloaded a file or installed something

Downloading an attachment or running an installer from a phishing link is more serious than just visiting a page. The file may contain malware — ransomware, spyware, or a remote-access tool that lets an attacker control your device.

With your device still offline, run a full antivirus scan. If the scan finds threats, follow its removal instructions. If you're unsure whether the scan caught everything — or if the file was an executable (.exe, .dmg, .apk) — consider restoring your device from a backup made before the download, or getting help from a professional.

Do not reconnect to the internet until you're confident the threat is removed. After cleanup, change all passwords from a different, trusted device.

How to avoid the next phishing link

Phishing mimics real messages from companies you trust — banks, delivery services, tax agencies, even your boss. The link often leads to a fake website that looks nearly identical to the real one. Before you click any link in an unexpected message, check three things: Does the sender's email address match the company it claims to be from? Does the link URL (hover over it without clicking) go to the company's real domain? Is the message creating artificial urgency?

For a deeper walkthrough of spotting fake websites, read our guide: How to Spot a Fake Website Before You Get Scammed. And if you're wondering whether AI tools are safe to use with sensitive information, see Is It Safe to Paste Into ChatGPT? What AI Tools Store.

CISA maintains an up-to-date resource page on phishing tactics and prevention at cisa.gov/phishing — worth bookmarking.

Frequently asked questions

Is my computer infected if I only clicked a phishing link?

Not always. Simply visiting a malicious page is less dangerous than downloading a file or entering your password. Still run a full antivirus scan, clear your browser data, and monitor your accounts for unusual activity over the next few weeks.

Should I change all my passwords after clicking a phishing link?

Change passwords for any account you typed credentials into on the suspicious page, plus your primary email — because email is often the key to resetting other accounts. If you did not enter any passwords, focus on your most important accounts (email, banking) and enable MFA.

Do I need to report phishing to the FTC or CISA?

Reporting helps authorities track scam campaigns and warn others. File a report with the FTC at reportfraud.ftc.gov. CISA also publishes guidance on recognizing and reporting phishing at cisa.gov/phishing.

Can scammers access my accounts if I didn't enter a password?

Usually no — but it depends on what happened after the click. If you only viewed a page and closed it, the risk is lower. If you downloaded software, allowed browser permissions, or entered any personal information, treat it as a potential compromise and follow the full recovery steps above.

How long should I monitor my accounts after clicking a phishing link?

Watch for suspicious login alerts, unexpected password-reset emails, and unfamiliar charges for at least 30 days. If you entered financial details, contact your bank or card issuer immediately and continue monitoring statements for several billing cycles.

The bottom line

Clicking a phishing link is frightening, but it's not a disaster if you act quickly. Close the page, scan your device, change compromised passwords, turn on MFA, and report the message. Most people who follow these steps recover fully within a day or two. The ones who get hurt are usually the ones who ignore it or hope it goes away — don't be that person. Take ten minutes now, and you'll sleep better tonight.