Clicked on a phishing link? Here’s what to do

Clicking on a phishing link is far from ideal, but it doesn’t always spell disaster either. 

Sometimes the risk is low and you get away unscathed. Other times, attackers could steal your data, install malware, or gain access to your online accounts. In any case, taking the right steps quickly can make all the difference. 

In this guide, I’ll walk you through what could happen when you click on a phishing link, what to do immediately after, and how you can avoid these attacks in the future.

What happens if you click on a phishing link?

Phishing links are designed to trick you into clicking — whether by impersonating trusted brands, mimicking legitimate websites, or hiding behind misleading URLs. One wrong click can set off a series of security headaches, often without you even realizing it.

Let’s take a look at what may happen when you click on a phishing link.

You might hand over personal data without realizing it

Some phishing links take you to generic or official-looking forms that ask for seemingly harmless details like your name, date of birth, or email address. Often, they claim it’s for updating your account or verifying your identity. And because you’re not asked to log in, you might let your guard down. 

But this info can sometimes be all cybercriminals need to commit identity theft, make fraudulent purchases, reset your passwords, or run social engineering scams. They might also collect bits of data over time to build a full profile on you. 

In some cases, simply clicking the link can expose your location and device details. With that information, attackers can launch location-based scams or exploit vulnerabilities in your operating system.

You could unknowingly land on a fake login page

Clicking a phishing link might send you to a fake login page, which is a convincing copy of a legitimate site, like your email, bank, or social media account. 

These pages are designed to trick you into sharing sensitive information, with everything from the logo to the layout and color scheme carefully made to look authentic. Since every detail mirrors the real thing, you might not realize anything’s wrong until you notice strange activity or find yourself locked out of accounts. 

Once you’re on one of these pages, you’re prompted to enter your username and password. If you do, hackers grab those credentials. From there, they can:

• Access your real accounts;
• Change your password to lock you out;
• Read and harvest your sensitive messages, financial data, or personal files;
• Use your accounts to target others, like family or coworkers.

You might accidentally install malware

Not all phishing links rely on tricking you into providing your info. Some go on the offensive and drop malicious code onto your device the moment you click. These attacks are especially dangerous because they give you little to no time to realize or react as the malware starts spreading almost immediately. 

Here are a few types of malware that often use phishing links as the delivery mechanism:

• Keylogger: records everything you type, including passwords, credit card numbers, and private messages;
• Spyware: tracks your browsing, keystrokes, and app usage for surveillance or identity theft;
• Ransomware: locks or encrypts your files and demands payment for release; 
• RAT (Remote Access Trojan): lets the attacker control your compromised device remotely.

You could lose access to your email or accounts

If a phishing attack gets hold of your email logins, the bad actor now likely holds the master key to your other accounts. That’s because most apps and services — including banks, social platforms, and even online stores — use your email to manage logins and password resets. 

Once the attacker is in, here’s what they might do:

• Lock you out: the first thing most hackers do is change your email password so you can’t get back in;
• Make recovery harder: some might enable 2FA (Two-factor Authentication) using their own phone number or app, making it harder for you to recover your account;
• Reset passwords: with access to your inbox, they can kick you out of your other accounts by using the Forgot Password option;
• Impersonate you: they might send targeted scam emails to your family, friends, and coworkers as part of a spear phishing campaign;
• Steal sensitive information: they could dig through your inbox for things like bank statements, tax documents, or personal conversations;
• Sell your email access: the hackers might sell access to your inbox on the dark web or even hold it for ransom.

Immediate steps to take if you clicked a phishing link

If you’ve clicked on a phishing link, act fast — but don’t panic. 

Below is a step-by-step guide to what you should do right away to contain the damage.

1. Don’t enter any information

If the link takes you to a page or form asking for your details, don’t interact with it. Don’t type anything, tap buttons, or click links — not even to go back or cancel. Immediately close the page. 

On desktop, press Ctrl + W (on Windows) or Command + W (on Mac) to close the tab. On mobile, carefully swipe away the app.

If you’re on Android, you can also force close the app through the App Manager. Here’s how:

1. Open Settings and select Apps & notifications.
2. Select See all (#) apps and scroll down to the app you want to shut down. In this case, it’s most likely your browser, like Chrome, Firefox, or Samsung Internet.
3. Select the app and tap Force stop.
4. Tap OK to confirm.

If you’ve already started entering info, hit the brakes and exit the page right away. The goal is to cut off contact fast so the site doesn’t have a chance to capture your sensitive data.

2. Disconnect from the internet

Get your device off the internet as soon as you can to stop any malware from sending or receiving data. If you’re on your phone, head to your Control Center or Settings and switch on Airplane Mode. Keep your device offline until you’ve finished removing any potential threats. 

Disconnecting is important because it interrupts whatever the malware is trying to do. It can help:

• Stop malware from fully downloading: some malware types are delivered bit by bit, and cutting the connection quickly can prevent the rest from reaching your device;
• Block contact with its command-and-control server: malware often tries to phone home to fetch new instructions or additional payloads, and killing the connection can shut that down;
• Disrupt ransomware activity: without internet access, ransomware may not be able to retrieve encryption keys or spread to other devices on the network;
• Prevent outgoing data leaks: staying offline can stop malware from sending your files, keystrokes, or login details to the attacker.

3. Run a full malware scan

One of the best things you can do after clicking a phishing link is to run a full malware scan. Even if you didn’t enter any personal info or notice anything strange, a deep scan with a reliable antivirus — like Surfshark Antivirus — can help detect and remove any threat that may have slipped in. 

Don’t settle for partial or quick scans — they only check the usual spots like memory, startup files, and system folders. They may miss malware buried deeper in your system, such as in temporary folders or scheduled tasks. A full scan takes longer but goes through everything, including files, folders, running processes, and settings. 

This is especially important with drive-by attacks, which exploit browser vulnerabilities or auto-download malware as soon as a malicious page loads. A full scan also gives you a better shot at catching threats that lie low at first or pretend to be something harmless, like rootkits or trojans.

4. Back up important files

Before making any more changes, back up your important files just in case the malware caused silent damage that shows up later. Since you’re not connected to the internet, the safest way to do this is with an external hard drive or a USB stick. Make sure to do so only after removing any malware, so you don’t accidentally copy the threat into your backup. 

Focus on your personal documents, photos, spreadsheets, and work folders. Skip things like system files or installed programs, as they could be compromised. Doing this now gives you a clean copy to restore from later. If you do end up needing to reset or wipe your system, this ensures you won’t lose your vital files.

5. Change your passwords

Next, secure your online accounts by changing all your passwords. Do this from a clean device — one you didn’t use when you clicked the phishing link. Start with your primary email, then move on to high-stakes accounts like online banking. 

Here are a few quick tips for stronger passwords:

• Aim for 12–16 characters minimum;
• Mix upper and lowercase letters, numbers, and special characters;
• Skip clichés like “password” and “opensesame”;
• Avoid weak swaps like “p@ssw0rd”;
• Create unique passwords for each site;
• Use a password manager;
• Regularly change your passwords.

Whenever possible, enable 2FA. It adds an extra layer of security to your logins by requiring an additional form of verification.

6. Monitor your accounts for suspicious activity

Log into your accounts — email, banking, social media, and cloud services — and check for anything that appears odd. Review activity or security logs for login attempts from unknown locations or devices, or password changes you didn’t make. 

In your email account, check the sent and trash folders to see if anything was forwarded without your knowledge. For financial accounts, go through recent transactions and login history for anything unfamiliar. 

Continue to keep a close eye on these accounts for the next few weeks. If that feels overwhelming, see if the services offer real-time alerts for logins, transactions, and other account activity, so you don’t have to keep checking manually.

7. Report the phishing attempt

Once your device is clean, report the phishing link to prevent others from falling for the same scam. If it came from an email, go back to the message and use the Report spam or Report phishing button. Just be careful not to click the link. 

If the scam email impersonated a big-name company, report it via their official help page or forward the email to their phishing address. For example, phishing@paypal.com for PayPal or reportascam@amazon.com for Amazon. You can also report it to government agencies like the FTC (Federal Trade Commission) in the US or the National Cyber Security Centre in the UK. 

Don’t forget to warn your friends, family, coworkers, and other contacts too. If bad actors have access to your account, they might use it to send phishing emails to people you know, making the scam more convincing.

How to prevent phishing attacks in the future

The best way to protect yourself from phishing scams is to avoid clicking on them in the first place. That means learning to spot warning signs, protecting your identity, and using every cybersecurity tool at your disposal to stay ahead of phishing.

Recognize phishing red flags

Phishing scams can be deceptive and convincing, but they all tend to follow the same playbook. Here’s what to look out for: 

Mismatched URLs  
Take a good look at the sender’s email address and make sure it matches the official website of the company it claims to be from. Slightly tweaked or misspelled domain names are a classic scammer move. For example, surfsahrk.com or sharksurf.com instead of surfshark.com. 

Scare tactics
Phrases like “Act now!”, “Your account will be deactivated today,” or “Final warning” are all about creating panic and rushing you into a snap decision. The goal is to get you to click, reply, or share info before you’ve had a chance to think things through or notice that something’s off.  

Poor spelling and grammar
Pay close attention to how the message is written. Phishing emails are often chock-full of spelling mistakes and grammar issues. In some cases, scammers even include these errors on purpose to screen out more careful users.

While sloppy language is common in phishing attacks, it’s worth remembering that scammers can also use AI tools to try to improve their writing. If a message sounds like ChatGPT wrote it, be careful. Double-check the sender before clicking any links.

Generic greetings
Most phishing emails and text messages are blasted out to the masses since it’s a numbers game. That’s why they often start with vague — and sometimes cringey — openers like “Hi Dear” or “Dear Customer.” Legitimate companies, in contrast, usually use your name to make them feel more personal.

Suspicious links or files
If an email or text urges you to click a link or download a file you weren’t expecting, tread very carefully. Real companies don’t usually send login links or attachments out of the blue. And if the file ends in .exe, .zip, or .scr, it’s best to just steer clear.

Too-good-to-be-true offers 
Phishing scams often promise things like free iPhones, instant refunds, or limited-time rewards — anything under the sun to grab your attention and get you to click right away. If it sounds overly generous, it’s safer to assume it’s a scam.

Use protection tools

Even the most careful users can stumble, which is why it’s important to layer your defenses against phishing links. 

A reliable ad blocker, like Surfshark’s Clean Web, is a good place to start. Clean Web tackles phishing risks by blocking ads, fake virus alerts, and sneaky trackers before they even load. That means fewer phishing traps pop up while you’re online. 

Pair it with Surfshark Antivirus to double down on your phishing protection. Its web protection feature runs in the background, checking every URL you open and blocking anything flagged as unsafe.

Protect your identity

The less personal data phishers can dig up about you, the harder it is for them to target you. So, don’t share your real details online unless you absolutely have to. Instead, consider using Surfshark’s Alternative ID to generate an online persona. You can then use it to surf, register for services, and receive emails without exposing your identity or contact info.  

Meanwhile, Surfshark Alert helps you keep tabs on your personal information. If your email, passwords, or other sensitive info show up in a data breach, it notifies you right away. This means you can quickly change compromised passwords, enable 2FA, and be on guard for phishing attacks.

Final thoughts: stay calm, stay safe

If you accidentally click on a phishing link, keep your cool and jump into damage control right away. Disconnect from the internet, run a full malware scan, and update your passwords as a precaution. 

Still, it’s much better to avoid the mess altogether. So, learn the warning signs of phishing attacks, keep your real identity off the web, and use online security tools. For around-the-clock protection, check out Surfshark One — an all-in-one cybersecurity suite with Clean Web, Antivirus, Alternative ID, and more.

Better to shield up than clean up

Stay ahead of phishing attempts

Get Surfshark