First, take a breath — clicking a link is rarely the end of the world, and most people who do this come out fine. What matters now is acting calmly, in the right order. Here is exactly what to do next.
Published 30 June 2026 · ~7 min read · By the Phixo team
If you just clicked a link in an email that turned out to be phishing, your heart is probably racing a little. That is a completely normal reaction — and the good news is that a single click, on its own, usually does not hand your accounts to an attacker. The damage almost always comes from what happens after the click: entering a password, downloading a file, or approving a prompt. So the most useful thing you can do right now is slow down and work through the steps below in order.
The single most important first move: do not enter any information on the page that opened. No passwords, no card numbers, no codes. If you have not typed anything yet, you have likely avoided the worst of it. Close the tab and keep reading.
In most cases, no. Opening a phishing link usually just loads a fake web page — a counterfeit login screen, a bogus “verify your account” form, or a page nudging you to download something. Modern browsers and phones are sandboxed, so simply viewing a page rarely installs anything by itself. The exceptions are rarer “drive-by” attacks that lean on out-of-date software, which is why keeping your browser and operating system updated matters.
So the honest answer is: clicking alone is low risk, but it is not zero risk, and it is a clear signal to tighten up your accounts. Here is how, step by step.
If clicking the link kicked off a file download, or your device started behaving oddly, disconnect it from the internet straight away — turn on airplane mode, switch off Wi-Fi, or unplug the network cable. This cuts off any program that might be trying to “phone home” or pull down more code, and it buys you time to run a scan. If nothing downloaded and the page just sat there, you can skip this step.
This is worth repeating because it is the whole game. A phishing page’s only goal is to get you to type something in. If you have not, close the tab now. Do not “just have a look” or test whether your password works — that is the trap. Do not approve any pop-up, browser permission request, or two-factor prompt that appears, especially one you did not trigger yourself.
If there is any chance you entered a password, or the link impersonated a service you use, change that password now. Two important details:
If you reused that same password anywhere else — and most people have, somewhere — change it on those accounts too. This is exactly why unique passwords and a password manager matter: they stop one stolen password from unlocking everything.
Two-factor authentication is the single best protection against a stolen password, because even if an attacker has your password, they still cannot get in without the second factor. Turn it on for your email first — your inbox is the master key that can reset every other account — then for banking, social media, and anything tied to money. An authenticator app or a hardware key is stronger than SMS codes, but any 2FA is far better than none.
If a file downloaded, or you are simply being cautious, run a full scan with reputable antivirus or anti-malware software. On Windows, the built-in Microsoft Defender does a solid job; Mac and mobile users are generally well protected by the operating system but should still avoid installing anything the page suggested. Do not install a “security tool” the phishing page recommends — that is a common second-stage scam.
Over the coming days and weeks, keep an eye on your important accounts. Check your email for password-reset messages you did not request, look at recent sign-in activity (Gmail and Outlook both show this), and watch for messages sent “from you” that you did not write. Stolen credentials are often used quickly, but not always — so stay alert for a while, not just the first hour.
Money is the one area where speed really counts. If you typed in card numbers, banking logins, or made a payment, contact your bank or card issuer right away. Explain what happened and ask them to monitor for or block fraudulent charges — many can freeze the card and issue a new number on the spot. Then keep checking your statements over the following weeks.
Reporting takes ten seconds and helps protect everyone else who received the same email:
If the email impersonated a government body, your bank, or a delivery service, you can also forward it to your country’s anti-phishing or cybercrime authority (for example, the FTC in the US or Action Fraud in the UK). Reporting feeds the threat-intelligence systems that get these senders blocked faster.
The same steps apply, with a couple of phone-specific notes. Close the browser tab, do not install anything the page prompts you to (a fake “update” or app is a classic mobile lure), and do not grant any permission pop-ups. Phones are tightly sandboxed, so a single tap very rarely installs malware on its own. Update your phone’s operating system to pick up the latest security fixes, change any password you may have entered, and switch on two-factor authentication. If you sideload apps outside the official store, be especially careful — that is the main way mobile malware actually lands.
The reassuring truth: clicking a phishing link is one of the most common mistakes online, and the vast majority of people who do it are fine — especially if they catch it early and never type anything in. The steps above exist to close off the small remaining risk, not because disaster is likely.
Once the immediate panic has passed, the best thing you can do is make the next phishing email easier to catch before you click. It helps to know the tells — mismatched sender addresses, urgency, lookalike domains, links that do not go where they claim. We wrote a full guide on exactly that: how to spot a phishing email next time, with examples and a quick checklist. And if the email that got you claimed to be from PayPal, see our dedicated guide to spotting a fake PayPal email; if it was a Google “security alert”, we’ve covered how to tell the real ones from the fakes.
The hardest part is not knowing the signs — it is remembering to check every email, every time, when you are busy and moving fast. That is precisely the moment phishing is designed to catch you, and it is why an automatic second set of eyes can help.
Usually not from the click alone. Opening a phishing page mostly just shows you a fake website. The real risk comes from what happens next — entering a password or details, downloading a file, or approving a prompt. If you only clicked and then closed the page, you are most likely fine, but it is still worth changing the relevant password and watching your accounts.
Close the browser tab, do not enter any information, and do not install anything it prompts you to. Turn on airplane mode briefly if a file started downloading. Then change the password for any account the page was imitating, enable two-factor authentication, and update your phone’s operating system. Phones are generally well sandboxed, so a single click rarely installs malware on its own.
Treat that password as compromised. Go directly to the real website (type the address yourself) and change it immediately. If you reused that password anywhere else, change it there too. Turn on two-factor authentication and sign out all other sessions. If it was a banking or payment login, contact your bank and watch for unfamiliar transactions.
Contact your bank or card issuer right away, explain what happened, and ask them to watch for or block fraudulent charges. Many banks can freeze the card and issue a new number. Keep an eye on your statements over the following weeks, and report the fraud to your national consumer-protection or cybercrime authority.
Watch your accounts closely for the first few weeks, since that is when stolen credentials are most often used. But keep an eye out longer term too — some attackers sit on information before using it. Two-factor authentication and unique passwords are what protect you in the meantime, even if a password was exposed.
Yes. In Gmail, open the message, click the three-dot menu and choose Report phishing. In Outlook, select the message and use Report then Report phishing. Reporting helps your provider block the sender for others, and you can also forward government-impersonation scams to your national cybercrime or anti-phishing authority.
Phixo can’t undo a click that already happened — but it’s built to stop the next phishing email from getting that far. It’s a browser extension that checks each email you open in Gmail or Outlook against several signals — sender and domain reputation, link mismatches, lookalike domains, and email authentication (SPF, DKIM, DMARC) — plus an AI read of the language, then flags anything suspicious with a plain-English reason. Free plan includes 10 scans a day, no credit card. A one-time Google or Microsoft sign-in keeps your scan count tied to your account.
Install Phixo free →Your email body is never stored. Analysis happens in real time and is discarded immediately.