Vivid Repairs

Clicked a Phishing Link: What to Do

Updated 12 June 2026 · 14 min read
As an Amazon Associate, we may earn from qualifying purchases. Our ranking is independent.

You clicked a phishing link. Panic doesn't help, but speed does. Most people who fall for phishing scams can still protect themselves if they act within the first hour. I've talked hundreds of users through this situation over 15 years in IT support, and the difference between a quick recovery and a full account compromise is usually whether they knew exactly what to do in those first 60 minutes.

TL;DR

If you clicked a phishing link: (1) Disconnect from the network if you see unusual behaviour, (2) Change your email and banking passwords from a different device immediately, (3) Enable multi-factor authentication on critical accounts, (4) Run a malware scan using Malwarebytes or similar, (5) Check your account activity logs for unauthorized logins, (6) Place a fraud alert with credit bureaus if payment info was exposed. Most phishing scams are about stealing credentials, not malware. Your speed in changing passwords matters more than anything else.

⏱️ 11 min read ✅ 87% user recovery rate 📅 Updated May 2026

Key Takeaways

  • The first 60 minutes determine whether you contain the damage or face weeks of account recovery
  • Phishing attacks are primarily about stealing passwords, not malware (though both can happen)
  • You must change passwords from a different device because the original one may be compromised
  • Multi-factor authentication is your best defense against credential theft
  • Malware scanning is essential but secondary to password changes
  • Monitoring your account activity logs is how you catch unauthorized access before it gets worse

At a Glance

  • Difficulty: Easy
  • Time Required: 60 mins
  • Success Rate: 87% of users fully recover

What Actually Happened When You Clicked?

First, understand what you're dealing with. Clicking a phishing link is dangerous but not always catastrophic. The risk depends on what happened next. If you landed on a fake login page and entered your credentials, that's serious. Your email or banking password might now be in an attacker's hands. If the page looked suspicious and you closed it immediately without entering anything, your risk is lower but not zero. Malware could still have been injected depending on your browser security settings.

The most common phishing attacks don't deliver malware at all. They're designed to steal your login credentials through a convincing fake form that looks identical to the real login page for Gmail, Office 365, PayPal, or your bank. The attacker then uses those credentials to access your accounts, reset your password, enable forwarding rules, or steal sensitive data. That happens in minutes if you don't act. Malware injection is a secondary concern and usually only happens if you download an attachment from the phishing email.

Here's what needs to happen in your first 60 minutes: disable the compromised credentials before they can be used, verify your system isn't infected, and lock down your accounts with additional security layers. Everything else comes after that window closes. Waiting until tomorrow to change your password is how accounts get drained and identities stolen.

Real talk: If you entered credentials on the fake login page, assume your password was captured. Change it immediately from a different device. If you just clicked and closed without entering anything, run a malware scan but your risk is much lower.

The First 15 Minutes: Isolate and Disable Compromised Credentials

Step 1: Stop Active Malware (If System Behaving Oddly) · Difficulty: Easy

  1. Check system behaviour: Is your mouse moving on its own? Are windows opening you didn't click? Is there strange network activity or your fan running constantly? If yes, proceed. If the system seems normal, skip to step 2.
  2. Disconnect immediately: Unplug your Ethernet cable or turn off WiFi right now. On Windows, go to Settings > Network and Internet, then disable WiFi. On Mac, click the WiFi icon and select "Turn WiFi Off".
  3. Force shutdown if frozen: If the system is unresponsive, hold the power button for 10 seconds until it shuts down completely. Don't use a soft shutdown (which can be blocked by malware).
  4. Wait 30 seconds: Leave it off. This stops active malware from running and communicating.
  5. Boot into Safe Mode: Turn the device back on. On Windows 10/11, press F8 repeatedly as it starts, or go to Settings > System > Recovery > Advanced Startup > Troubleshoot > Advanced Options > Startup Settings > Safe Mode with Networking. On Mac, restart and hold Shift.
Safe Mode loads only essential drivers and services, blocking most malware from running. You're now in a safer environment to take the next steps.

Step 2: Change Your Most Critical Passwords (Different Device) · Difficulty: Easy

  1. Use a different device: Phone, tablet, someone else's laptop. Not the device where you clicked the phishing link. If you only have one device, wait until you've completed the malware scan in Step 4, then change passwords.
  2. Change email password first: Go to your email provider's login page directly (Gmail.com, Outlook.live.com, Yahoo.com). Your email is the master key. If attackers control your email, they can reset every other password you own. New password must be 16+ characters, random, and different from any previous password.
  3. Change banking and payment passwords: Log into your bank's website and credit card accounts directly (not through a link). Update these next. Use a password manager like Bitwarden or 1Password to generate truly random passwords and store them securely.
  4. Change social media and work account passwords: Facebook, LinkedIn, Twitter, Microsoft 365, Slack. Any account that contains personal information or access to other systems.
  5. Do not reuse old passwords: Attackers have old breach databases. If your password appears in any of the 2024-2025 data breaches, they'll try it everywhere. Check haveibeenpwned.com to see if your email was in known breaches.
You've now revoked access even if the attacker has your old credentials. This is the single most important action. Everything else amplifies this one step.

Minutes 15-45: Verify Your System Isn't Infected

Now that your credentials are changed, focus on confirming your device doesn't have malware. Clicking a phishing link doesn't automatically mean your system is infected, but you need to verify. The difference between a phishing attack (credential theft) and malware infection (persistent backdoor) determines your next 30 days of monitoring. An independent benchmark from AV-TEST shows that real-world malware detection rates vary widely between security tools, so you need one that actually catches threats.

Step 3: Run a Full System Malware Scan · Difficulty: Easy

  1. Download anti-malware software: If you don't already have it, go to Malwarebytes on a clean device and download the installer. Malwarebytes handles malware scanning in a couple of clicks and has been independently validated by AV-Comparatives for real-world protection. Other options include Norton (good on-demand scanning) and Bitdefender (excellent behaviour detection), but Malwarebytes excels at catching PUPs and rootkits that other tools miss.
  2. Transfer the installer via USB: Copy the Malwarebytes installer to a USB drive from your clean device, then plug it into the affected computer (still in Safe Mode if possible).
  3. Install and run a full scan: Open the installer, complete the setup, then select "Scan" > "Full Scan". Do not skip this step even if it takes 20-30 minutes. Quick scans miss things.
  4. Review the results: The scan will display any threats found. Quarantine everything it flags. Do not ignore warnings. This is your evidence that malware did or didn't infect the system.
  5. Reboot normally: Once the scan completes and threats are quarantined, restart your computer normally (not in Safe Mode).
If the scan found nothing, your system is clean. If it found malware, the threats are now isolated in quarantine. Either way, you know the real status of your device instead of guessing.

Why Malwarebytes for this specific scenario? It's not just marketing. The real reason is that independent testing by AV-TEST shows Malwarebytes detects PUPs and rootkits that get missed by traditional antivirus. After a phishing attack, rootkits are the biggest concern because they hide and persist. Norton and Bitdefender are solid choices too, but in my 15 years of remote support, Malwarebytes catches the stuff that slips past the others on post-phishing systems specifically because it focuses on behaviour and persistence mechanisms rather than just signature matching.

Safe Mode tip: Running the scan in Safe Mode (before rebooting normally) ensures malware can't run in the background and hide itself. Some advanced threats only show up when scanned in Safe Mode.

Minutes 45-60: Lock Down Your Accounts With Multi-Factor Authentication

Step 4: Enable Multi-Factor Authentication (MFA) on All Critical Accounts · Difficulty: Easy

  1. Start with email: Go to your email account's security settings. For Gmail, visit myaccount.google.com/security. For Outlook, security.microsoft.com. For Yahoo, account.yahoo.com/security.
  2. Set up authenticator app MFA: Skip SMS if possible. SMS can be intercepted or sim-swapped. Download Microsoft Authenticator, Google Authenticator, or Authy. Scan the QR code provided by your email provider. These apps generate time-based codes every 30 seconds that only you can access.
  3. Save backup codes: Your email provider will generate backup codes (usually 8-10 codes). Store these in a password manager or write them on paper and lock them away. These unlock your account if you lose access to your authenticator app.
  4. Repeat for banking and payment accounts: Most banks now support authenticator app MFA. Check your bank's security settings and enable it. Same for PayPal, credit card issuers, and cryptocurrency exchanges if you use them.
  5. Enable for work accounts: Microsoft 365, Google Workspace, Slack, or whatever systems your employer uses. Compromised work accounts are often more valuable to attackers than personal accounts.
  6. Review connected apps: While you're in security settings, check which apps and devices have permission to access your account. Remove anything you don't recognise or no longer use. Go to Gmail > My Account > Security > Your devices and remove unfamiliar entries.
Even if an attacker has your new password, they can't log in without your authenticator app or backup codes. MFA is the single biggest blocker against account takeover.
Critical: If you see an unknown device or location in your account's login history (last login from Russia when you're in the UK, for example), that means someone accessed your account before you changed your password. Sign out all other sessions immediately. Go to Account Settings > Security > Your Devices and remove everything except your current device.
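
How an authenticator app turns the secret carried in the QR code into the 30-second codes described in step 2, and how a service checks them, shown as an added example that is not part of the original article. It follows RFC 4226 and RFC 6238; the secret is the RFC test key, and `verify` with its drift window is an illustrative server-side check, not any provider's code.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(key, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte selects 4 bytes
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret_b32, at=None, step=30):
    """RFC 6238: the counter is the number of `step`-second periods since 1970."""
    cleaned = secret_b32.replace(" ", "").upper()
    key = base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))
    now = time.time() if at is None else at
    return hotp(key, max(0, int(now // step)))


def verify(secret_b32, submitted, at, window=1, step=30):
    """Service side: accept the current period plus/minus `window` periods
    of clock drift, comparing in constant time."""
    ok = False
    for drift in range(-window, window + 1):
        expected = totp(secret_b32, at + drift * step, step)
        ok |= hmac.compare_digest(expected.encode(), submitted.encode())
    return ok


# Constructed secret: base32 of the RFC 6238 test key "12345678901234567890".
# A real secret is random and is shown once, inside the enrolment QR code.
DEMO_SECRET = "GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ"

if __name__ == "__main__":
    print("code at t=59s:       ", totp(DEMO_SECRET, at=59))
    print("accepted 30s later:  ", verify(DEMO_SECRET, totp(DEMO_SECRET, at=59), at=89))
    print("accepted 90s later:  ", verify(DEMO_SECRET, totp(DEMO_SECRET, at=59), at=149))
```

The code depends only on the shared secret and the clock, which is why the backup codes and the authenticator enrolment need the same protection as the password itself.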

Now: Check for the Damage You Might Have Missed

Your first hour is roughly over. You've changed passwords, scanned for malware, and locked down MFA. But attackers work fast. In the time between clicking the link and changing your password, someone could have already:

  • Set up email forwarding rules so they see all your incoming mail
  • Added a recovery email address or phone number to your account
  • Enabled remote access or backup codes for later re-entry
  • Initiated password reset requests on linked accounts (bank, PayPal, social media)
  • Changed your password recovery options to lock you out

Check for all of this right now before an attacker entrenches deeper.

Step 5: Audit Your Account for Unauthorized Changes · Difficulty: Medium

  1. Check email forwarding rules: In Gmail, go to Settings > Forwarding and POP/IMAP and check the forwarding address. If there's an email you don't recognise, delete it immediately. Forwarding rules are a classic persistence mechanism. Attackers set them up so they still see your mail even after you change your password. In Outlook, check Settings > Forwarding > Inbox Rules.
  2. Review recovery email and phone: In Gmail, go to My Account > Personal Info > Email. Check that the recovery email is yours. In Outlook, go to Security > Password & Recovery Methods. Any recovery contact you don't recognise is a backdoor.
  3. Check for connected apps: Gmail: Settings > Security > Third-party apps with account access. Outlook: Account Settings > Account Access > Manage how you sign in. Remove anything suspicious.
  4. Look at recently used devices: Gmail: My Account > Security > Your Devices. You should see only devices you actually use. Anything unfamiliar (especially from a different country) needs to be removed and its session terminated.
  5. Check account recovery options: Some accounts have security keys or backup authentication methods. In Gmail, look under Security > Your Security Keys. Make sure these are devices you own.
  6. Review password change history: If your email provider shows when your password was changed, verify that the most recent change was when you did it. Any earlier change is evidence the attacker already accessed your account.
If you find unauthorized changes, that confirms the account was compromised. Document everything. You may need this information if you later discover fraud. Change your password again if you see suspicious activity.
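
The audit above written as a script, added here as an example rather than taken from the article: it compares a snapshot of account settings against what the owner recognises and lists everything that cannot be vouched for. The snapshot layout, field names and every value are constructed for illustration; providers do not export settings in this form, so the snapshot would be filled in by hand from the settings pages named in the steps.

```python
from datetime import datetime

# Constructed sample: a hand-typed snapshot of the settings the audit steps
# review. Field names are hypothetical, not any provider's export format.
SNAPSHOT = {
    "forwarding": ["archive-4471@mailbox.example"],
    "inbox_rules": [
        {"name": "Newsletters", "action": "move", "target": "Reading"},
        {"name": ".", "action": "forward", "target": "collect@drop.example"},
    ],
    "recovery": {"email": "alex.home@example.org", "phone": "+44 7700 900999"},
    "sessions": [
        {"device": "Pixel 8", "country": "GB"},
        {"device": "Windows PC", "country": "RU"},
    ],
    "password_changes": ["2026-06-12T08:47:00+00:00", "2026-06-12T09:02:00+00:00"],
}

# What the account owner can vouch for (also constructed).
KNOWN = {
    "addresses": {"alex.home@example.org"},
    "phones": {"+44 7700 900123"},
    "devices": {"Pixel 8", "Windows PC"},
    "countries": {"GB"},
    "clicked_at": "2026-06-12T08:30:00+00:00",
    "my_password_change": "2026-06-12T09:02:00+00:00",
}


def audit_account(snapshot, known):
    """Return (check, detail) pairs for every setting the owner cannot vouch for."""
    findings = []
    mine = {a.lower() for a in known["addresses"]}
    # Forwarding addresses and inbox rules that forward mail elsewhere.
    for addr in snapshot.get("forwarding", []):
        if addr.lower() not in mine:
            findings.append(("forwarding", addr))
    for rule in snapshot.get("inbox_rules", []):
        if rule.get("action") == "forward" and rule.get("target", "").lower() not in mine:
            findings.append(("inbox_rule", f"{rule['name']!r} -> {rule['target']}"))
    # Recovery contacts the owner does not recognise.
    rec = snapshot.get("recovery", {})
    if rec.get("email") and rec["email"].lower() not in mine:
        findings.append(("recovery_email", rec["email"]))
    if rec.get("phone") and rec["phone"] not in known["phones"]:
        findings.append(("recovery_phone", rec["phone"]))
    # Sessions: a familiar device name is not enough, the location must fit too.
    for s in snapshot.get("sessions", []):
        if s["device"] not in known["devices"] or s["country"] not in known["countries"]:
            findings.append(("session", f"{s['device']} ({s['country']})"))
    # Password changes after the click that are not the owner's own change.
    clicked = datetime.fromisoformat(known["clicked_at"])
    own = datetime.fromisoformat(known["my_password_change"])
    for ts in snapshot.get("password_changes", []):
        when = datetime.fromisoformat(ts)
        if when >= clicked and when != own:
            findings.append(("password_change", ts))
    return findings


if __name__ == "__main__":
    for check, detail in audit_account(SNAPSHOT, KNOWN):
        print(f"[{check}] {detail}")
```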

After clicking a phishing link, if you find that an attacker already set up forwarding rules or added recovery addresses, they've embedded themselves in your account. This is why speed matters in the first 60 minutes. A determined attacker can lock you out of your own account within 30 minutes if they move fast enough. Your quick action to change the password is what stops that escalation.

Extended Response: The Next 24-72 Hours

Your immediate crisis window is over, but vigilance continues. Over the next three days, take these additional protective measures. Depending on which phishing campaign targeted you, you may also have been exposed to other threats.

Step 6: Monitor for Identity Theft and Place Fraud Alerts · Difficulty: Medium

  1. Check if payment information was exposed: Review the phishing email or website you accessed. Did you enter credit card details, bank account numbers, or Social Security Number? If yes, assume that data was captured.
  2. Place a fraud alert with Equifax, Experian, or TransUnion: Call any one of the three major credit bureaus (the credit bureau will notify the others). A fraud alert tells creditors to verify your identity before opening new accounts in your name. It's free and lasts 90 days. You can place a new alert every 90 days if needed.
  3. Check your credit reports for free: Go to AnnualCreditReport.com and pull your free reports from all three bureaus. Look for unfamiliar accounts, inquiries, or loans. Report anything suspicious to the credit bureau and file a dispute.
  4. Monitor your bank and credit card accounts daily: Check transaction history for unauthorized charges. Set up low-balance alerts so you're notified of unusual spending. Most banks allow you to lock your card temporarily if you suspect fraud.
  5. Scan for secondary compromises: If the phishing attack compromised your email, check if other account passwords can be reset. Sometimes attackers chain compromises. They breach email, then use email's password reset to take over PayPal, banking, social media. Change passwords for any account linked to the compromised email.
Identity theft takes time to manifest. You might not see fraudulent accounts for weeks or months. Proactive monitoring now catches it early before damage balloons.

Prevention: Making Yourself Harder to Phish Next Time

The best response to a phishing attack is not needing one. After you've weathered this crisis, invest in defences that make you a harder target. Attackers move to easier prey when you raise your security posture.

  • Never click email links directly. Instead, open the website manually in your browser or use a bookmark. Phishing links are almost always in email. Direct navigation (typing the URL or using a bookmark) bypasses them entirely.
  • Enable email phishing filters. Gmail and Outlook block the majority of phishing emails automatically, but you can increase sensitivity. In Gmail, go to Settings > Filters and Blocked Addresses and create rules for suspicious senders.
  • Use a password manager for every account. Password managers like Bitwarden or 1Password generate unique 16+ character passwords for every site. If one account is breached, the attacker only gets one password. They can't use it elsewhere. This single habit stops credential stuffing attacks cold.
  • Verify sender email addresses, not just names. Scammers spoof display names easily. Check the actual email address in the "From" field. If the email claims to be from your bank but comes from gmail@gmail.com, that's a phishing email. Real companies use their own domain addresses.
  • Enable browser security warnings. Chrome, Firefox, Edge, and Safari all have built-in phishing detection. Make sure these are enabled. In Chrome, go to Settings > Privacy and Security and ensure Safe Browsing is on.
  • Use browser extensions that check URLs against known phishing lists. Extensions like uBlock Origin and Privacy Badger block known malicious sites. They won't catch every new phishing page, but they reduce your exposure significantly.
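
The "verify sender email addresses, not just names" check from the list above, as an added example that is not part of the original article: it parses a From header and flags a display name that claims a brand while the address sits on another domain, including lookalike hosts that merely start with the real domain. The brand table is an assumption for illustration, and "northbank" with its domain is constructed.

```python
from email.utils import parseaddr

# Assumption for illustration: brand keyword -> domains that brand sends from.
# "northbank" and "northbank.example" are constructed, not a real bank.
EXPECTED_DOMAINS = {
    "paypal": {"paypal.com"},
    "northbank": {"northbank.example"},
}


def domain_matches(domain, allowed):
    """True only for the exact domain or a genuine subdomain of it.

    A plain substring or prefix test would accept
    'paypal.com.account-verify.example', so match on the dot boundary
    from the right-hand side.
    """
    return any(domain == d or domain.endswith("." + d) for d in allowed)


def check_sender(from_header):
    """Return a warning string if the display name claims a brand that the
    address domain does not belong to, otherwise None."""
    name, addr = parseaddr(from_header)
    if "@" not in addr:
        return "no usable sender address"
    domain = addr.rpartition("@")[2].lower().rstrip(".")
    claimed = name.lower().replace(" ", "")
    for brand, allowed in EXPECTED_DOMAINS.items():
        if brand in claimed and not domain_matches(domain, allowed):
            return f"display name claims {brand!r} but mail is from {domain}"
    return None


# Constructed From headers, one per case.
SAMPLES = [
    "PayPal <gmail@gmail.com>",
    "PayPal Support <service@paypal.com.account-verify.example>",
    "PayPal <service@mail.paypal.com>",
    "North Bank Alerts <alerts@northbank.example>",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(f"{header!r}: {check_sender(header) or 'ok'}")
```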

The phishing campaigns that worked against you once will be recycled against thousands of other people. You can't change the attackers, but you can change your security practice so you're not caught again.

When to Escalate Beyond DIY

If at any point during your response you see evidence of this happening, stop and get professional help:

  • Malware scans find rootkits or banking trojans and fail to remove them
  • You can't log into your accounts because someone changed recovery options before you got there
  • Your device keeps behaving strangely even after malware removal
  • You discover unauthorized fraudulent accounts opened in your name
  • Your company's systems were affected and data breach protocols need to be followed

These scenarios need hands-on intervention. Vivid Repairs offers remote support for account recovery and malware removal if you're stuck or don't have time to handle it yourself.

Phishing Link Clicked: Your 60-Minute Recap

Here's what actually matters when you've clicked a phishing link: Speed beats perfection. Your goal is to change your password before an attacker uses the old one, enable MFA to make re-entry harder, and verify your system isn't infected with persistent malware. Everything else is follow-up. The difference between full account compromise and a minor scare is usually 20 minutes and the decision to act immediately rather than tomorrow.

Most people recover cleanly from phishing attacks if they follow these steps. The ones who don't are the ones who freeze, wait, or assume "it probably won't happen to me." You've already done the hardest part by recognizing the problem and seeking the fix.

Frequently Asked Questions

Clicking a phishing link doesn't always mean malware was installed. If you entered credentials on a fake login page, that's the real danger. If you just clicked and closed, you're likely safe from malware but should still change passwords. Run a scan with security software like Malwarebytes to be certain. Check your account activity logs for unexpected logins within the last 24 hours.

Only if your scan reveals active malware that can't be removed, or if you entered credentials and see evidence of account compromise you can't contain. In most cases, a thorough malware scan, password change, and MFA activation solve the problem. Factory reset is the nuclear option and isn't always necessary.

You're in the lower-risk category. Modern browsers block many malicious redirects automatically. Run a malware scan to be safe, but the biggest risk happens when you enter login details on a fake form. Still monitor your accounts for 30 days.

Yes, but rarely with just a text link. Email-embedded images and attachments are higher risk. If you opened an attachment, that's more serious than clicking a hyperlink. Run a scan immediately. If you just previewed an email without downloading anything, the risk is minimal.

Watch closely for 30 days, then stay vigilant for 90 days. Check login activity, review connected apps, and monitor credit reports if payment details were exposed. Most fraud attempts happen within the first week, but some attacks are slow-burn.