Don't panic. Clicking a phishing link doesn't mean you're immediately compromised — but you need to act quickly. Here's exactly what to do in the next 60 minutes.
Act within the next 60 minutes
The sooner you act, the less damage an attacker can do. Follow these steps in order before doing anything else.
Disconnect from the internet immediately
Turn off Wi-Fi on your device or unplug the ethernet cable. Do this right now, before anything else. If malware was downloaded, disconnecting cuts its ability to communicate with the attacker's server and prevents your data from being sent out. You can reconnect in a few minutes once you've checked for downloaded files.
Close the page — do not enter anything
If the phishing page is still open, close it immediately without entering any information. Do not type your username, password, phone number, or payment details — even if the page looks completely legitimate. Close the tab or browser entirely.
Check your Downloads folder
Some phishing pages automatically download files to your device without asking. Open your Downloads folder and look for anything you don't recognise — especially .exe, .zip, .dmg, or .pdf files. Do not open any suspicious files. Scan them first with SafeSearchScan's free file scanner.
Change passwords for any affected accounts
If you entered your password on the phishing page, change it immediately on the real site. Also change your password on any other site where you reuse that same password — attackers will try your stolen credentials across every major platform within minutes (credential stuffing).
Enable two-factor authentication (2FA)
Even if your password was stolen, 2FA stops attackers from logging in. Enable it immediately on your email (this is most critical), banking accounts, and social media. Use an authenticator app (Google Authenticator, Authy) rather than SMS if possible.
Monitor your accounts for the next 30 days
Check your bank statements, email sent folder, and social media for any activity you don't recognise. Attackers often wait days or weeks before using stolen credentials to avoid immediate detection. Set up login notifications on your email and banking apps.
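The Downloads folder check described in the steps above can be done without opening any file. The following Python sketch is an added example, not part of the original page or of SafeSearchScan's tooling: it lists recently written .exe, .zip, .dmg and .pdf files, hashes them, and flags files whose leading bytes do not match their extension. The `triage_downloads` name, the 60-minute window, the default Downloads path and the use of file modification time as a stand-in for download time are assumptions.

```python
import hashlib
import time
from pathlib import Path

# Expected leading bytes for the file types named in the Downloads step.
EXPECTED_MAGIC = {
    ".exe": (b"MZ",),
    ".zip": (b"PK\x03\x04", b"PK\x05\x06"),
    ".pdf": (b"%PDF-",),
    ".dmg": (),  # UDIF disk images are identified by a trailer, so no header check
}
# Headers of native executables: Windows PE, Linux ELF, 64-bit Mach-O.
EXECUTABLE_MAGIC = (b"MZ", b"\x7fELF", b"\xcf\xfa\xed\xfe")


def triage_downloads(folder, since_minutes=60, now=None):
    """List recently written risky files with hash and flags; reads bytes, never runs them."""
    now = time.time() if now is None else now
    findings = []
    for path in sorted(Path(folder).iterdir()):
        ext = path.suffix.lower()
        if not path.is_file() or ext not in EXPECTED_MAGIC:
            continue
        age_min = (now - path.stat().st_mtime) / 60  # mtime assumed to be download time
        if age_min > since_minutes:
            continue
        digest = hashlib.sha256()
        with path.open("rb") as fh:
            head = fh.read(8)
            digest.update(head)
            for chunk in iter(lambda: fh.read(1 << 20), b""):
                digest.update(chunk)
        flags = []
        if ext != ".exe" and head.startswith(EXECUTABLE_MAGIC):
            flags.append("executable content behind a %s name" % ext)
        elif EXPECTED_MAGIC[ext] and not head.startswith(EXPECTED_MAGIC[ext]):
            flags.append("header does not match %s" % ext)
        findings.append({"name": path.name, "sha256": digest.hexdigest(),
                         "age_minutes": round(age_min), "flags": flags})
    return findings


if __name__ == "__main__":
    downloads = Path.home() / "Downloads"  # assumed default location
    for item in triage_downloads(downloads) if downloads.is_dir() else []:
        print(item["age_minutes"], "min", item["name"], item["sha256"], item["flags"])
```

A file that is flagged, or that you simply do not recognise, should stay unopened until it has been scanned.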
Not all phishing links do the same thing. The attack depends on what the phishing page is designed to do:
Credential harvesting
The most common type. A fake login page that looks exactly like Gmail, PayPal, your bank, or a government site. You type your details — they go straight to the attacker. You are often redirected to the real site afterwards so you don't notice.
Drive-by download
The page silently downloads malware to your device when it loads — no click required. This is more sophisticated and requires an unpatched browser vulnerability. It is less common but more dangerous.
Tracking pixel / fingerprinting
The simplest type. Confirms your email is active, records your IP address and location, and may send your browser type and OS to the attacker. Low immediate harm but marks you as a target.
OAuth hijacking
The page asks you to "connect" with Google, Facebook, or another platform. If you approve, the attacker gets lasting access to your account without needing your password.
Clicking a phishing link can do several things depending on the type of attack: (1) Open a fake login page that harvests your username and password. (2) Automatically download malware to your device (drive-by download). (3) Redirect you through tracking servers that collect your IP address and browser fingerprint. (4) In rare cases, exploit browser vulnerabilities to install software without any further interaction. If you just clicked and did not enter anything, your risk is lower — but you should still scan your device.
You are at lower risk if you did not enter any information, but not entirely in the clear. Some phishing sites use drive-by download attacks that silently install malware when the page loads, without any action from you. Close the browser tab, run a full file scan, and check if any files were downloaded to your Downloads folder during that time. If nothing was downloaded and your browser is up to date, you are likely safe.
Signs your phone may have been compromised: battery draining faster than usual, unexplained data usage, apps you didn't install, your contacts receiving strange messages from you, phone overheating, or being logged out of accounts. On iPhone: check Settings > Privacy for apps with unusual permissions. On Android: check Settings > Apps for unfamiliar applications, especially any with Device Administrator access.
Yes — reporting phishing links protects other people. Report to: (1) Google Safe Browsing at safebrowsing.google.com/safebrowsing/report_phish — this blocks the site in Chrome, Firefox, and Safari for everyone. (2) The organisation being impersonated — if it's a fake PayPal, bank, or government site, report it to the real organisation. (3) Your email provider if it arrived by email. (4) The Anti-Phishing Working Group at reportphishing@apwg.org.