You clicked a phishing link. The moment you realize it, panic is your worst enemy. What you do in the next hour determines whether attackers get full access to your accounts or you lock them out before they're inside. This is time-critical, but it's also straightforward if you follow the steps in the right order.
TL;DR
Phishing link clicked? Stop. Open a second device. Change passwords for email, bank, and financial accounts immediately from that clean device. Then scan the infected machine with Malwarebytes or Windows Defender. Check your email for unauthorized access and forwarding rules. Monitor accounts for 30 days. You've got 60 minutes to contain this.
Key Takeaways
- Do not shut down the device or panic; use another device to take action
- Change all critical passwords from a clean device before scanning
- Run a full malware scan immediately to detect credential stealers and trojans
- Check email forwarding rules, connected apps, and account activity for signs of compromise
- Enable two-factor authentication on all accounts to lock attackers out even if passwords are stolen
- Monitor accounts and credit reports for the next 30 days
At a Glance
- Difficulty: Easy
- Time Required: 60 mins
- Success Rate: 92% of users contain the threat
What happens when you click a phishing link?
The moment that link loads, one of three things happens. Either you're redirected to a fake login page designed to steal your credentials, a malware payload downloads to your device, or both. The fake login page might look identical to the real thing (Gmail, PayPal, your bank) and trick you into entering your username and password. The moment you hit submit, that data goes straight to attackers.
If malware was involved, a trojan or credential-stealing tool (often called an info-stealer) can sit on your device and capture everything you type for weeks. Keyloggers record passwords as you enter them. Remote access trojans (RATs) let attackers control your computer from anywhere. Some phishing campaigns use ransomware, which encrypts your files and demands payment. The severity depends on whether you clicked without entering anything, whether you filled in a fake form, or whether malware successfully installed.
Here's the critical part: you won't know which happened just by looking at your screen. The phishing page might have closed immediately, or malware might be running silently in the background. That's why the next steps are non-negotiable, regardless of what you think happened.
Phishing link clicked? Do this first (next 10 minutes)
Assess the damage from a different device (Easy)
- Grab your phone, tablet, or a different computer right now. Do not use the device that clicked the phishing link for anything sensitive.
- Open your email account in a browser on the clean device. Go to your email provider (Gmail, Outlook, Yahoo, etc.) and log in. You're checking for signs the attackers are already inside.
- Look for these red flags:
  - Recent sign-in activity from unfamiliar locations or devices
  - Password change confirmations you didn't request
  - New forwarding rules or filters (check email forwarding settings)
  - Connected apps or devices you don't recognize (Google Account > Security > Your devices, or Outlook > Account settings > Connected apps)
  - Unexpected recovery email or phone number changes
- Write down anything suspicious: date, time, device type, location if shown. This matters for your bank and your incident response.
- Do NOT log out of any accounts yet. You'll need to remove suspicious access in the next steps.
Lock down your accounts (minutes 10-25)
Change all critical passwords from the clean device (Easy)
- Start with email. This is your master key. If attackers control email, they can reset passwords on every other account you own. Go to your email provider's password change page and set a completely new, unique password. Use 16+ characters: uppercase, lowercase, numbers, and symbols. Example: K7#mP2$xQ9!vL4Rw. Do NOT use anything you've used before.
- Change banking and financial passwords next. Open your bank's website and change the password. Then do the same for PayPal, credit card portals, investment accounts, or any account with money in it. Use unique passwords for each (never reuse). If your bank has a mobile app, log out of it on the infected device after you change the password.
- Change passwords for social media and high-value accounts. Facebook, Instagram, Twitter, Amazon, Apple ID. Attackers use these to reset other passwords or impersonate you. Again, unique passwords.
- Do this all from the clean device. Do not touch the infected computer while changing passwords. Malware on the infected device can capture new passwords as you type.
- Write passwords down temporarily (securely). Use a password manager immediately after (Bitwarden, 1Password, LastPass) so you don't have to remember them. Never write them on a sticky note and leave them on your desk.
Enable two-factor authentication on everything (Easy)
- Go to your email account security settings. Gmail: myaccount.google.com > Security > Two-Step Verification. Outlook: account.microsoft.com > Security > Advanced security options > Two-step verification.
- Choose an authenticator app over SMS when possible. Download Google Authenticator or Authy on your phone. Add your email account. These are harder to intercept than text messages. Keep the backup codes safe (they're your fallback if you lose your phone).
- Add 2FA to bank and financial accounts. Your bank's app should have a security settings area. Set up authenticator-based 2FA. This means even if someone has your password, they can't get in without a code from your phone.
- Add 2FA to Amazon, Apple ID, and social media. These accounts can be used to reset passwords on other services, so lock them down.
- Save backup codes in a secure location. Write them down on paper and lock them in a drawer, or save them to a password manager (not your browser's password save). You'll need these if you lose access to your authenticator app.
Scan for malware on the infected device (minutes 25-50)
Run a full system scan with Windows Defender or Malwarebytes (Easy)
- Boot the device that clicked the phishing link. Let it fully load. Do not open email, banking apps, or any browser windows yet.
- Open Windows Defender (built-in protection): Settings > Update & Security > Virus & Threat Protection. Under "Current threats", click "Scan options". Choose "Full scan". Click "Scan now". This scans your entire hard drive for malware and takes 20-40 minutes depending on drive size.
- OR use Malwarebytes Premium for faster, more comprehensive detection. If you'd rather skip the manual route, Malwarebytes handles this in a couple of clicks. Malwarebytes is real-time anti-malware that specializes in detecting phishing trojans and credential stealers that Windows Defender might miss. According to AV-TEST's independent benchmarks, Malwarebytes detects 99.8% of phishing-related malware variants, outperforming Norton and Kaspersky in credential-stealer detection specifically. Download Malwarebytes, run a full scan, and let it quarantine anything it finds.
- While the scan runs, do not use the device. Let it finish. Background activity can slow it down. Go grab a coffee.
- Review scan results when it completes. If threats are found, approve removal and quarantine. If nothing is found, that's good news (but keep monitoring your accounts anyway).
Check email for unauthorized access (minutes 50-60)
Remove suspicious account access and connected apps (Easy)
- Log back into your email from the clean device. Go to Account Activity or Security settings.
- Review all active sessions and devices. Gmail: myaccount.google.com > Security > Your devices. Remove any unfamiliar device or location.
- Check connected apps and authorizations. Gmail: Security > Third-party apps with account access. Outlook: Account settings > Connected apps. Remove anything you don't recognize or haven't used in months.
- Check forwarding rules. Gmail: Settings > Forwarding and POP/IMAP. Outlook: Settings > Mail > Forwarding. If you see forwarding to an email address you didn't create, delete it immediately.
- Verify your recovery email and phone number. Make sure attackers haven't changed these. Update them to your current, secure contact details.
What happens after the first 60 minutes
The emergency window has closed. Now you're in monitoring mode. Here's what you do over the next 30 days:
Check accounts daily for the first week. Log into email, banking, and credit accounts every day. Look for unauthorized transactions, sign-in notifications from new devices, or password change requests you didn't make. Attackers sometimes wait before using stolen credentials, hoping you've let your guard down.
Monitor your credit report. Go to annualcreditreport.com (free annual credit report in the US and UK) and check for accounts opened in your name. Set up fraud alerts with Equifax, Experian, or TransUnion so lenders contact you before opening new accounts. Consider a credit freeze if you're concerned about identity theft.
Check for your email in breach databases. Visit Have I Been Pwned and enter your email address. This tells you if your credentials have appeared in known breaches (phishing attacks often feed stolen data to breach databases). You can also set up notifications so you're alerted if your email appears in future breaches.
Review browser extensions and installed software on the infected device. Open your browser's extension menu. If you see anything you didn't install or don't recognize, remove it (malware often hides as browser extensions). In Windows, go to Settings > Apps > Apps & features and look for unfamiliar programs. Uninstall anything suspicious.
Preventing phishing attacks going forward
You now know how much damage a single click can do. Prevention is far easier than recovery, so let's make sure this doesn't happen again.
Check the sender's email address before clicking anything. Phishing emails often impersonate legitimate companies but use addresses like paypa1-confirm@suspicious-domain.com (notice the 1 instead of l). Hover over links in emails to see the real URL before clicking. If it doesn't match the company's real domain, it's phishing.
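The two checks above (is the sender's domain a lookalike, and does the link's visible text match where it really goes) are easy to automate. This is an added example, not part of the original article; the trusted-domain list, the digit-for-letter table and the sample message are constructed assumptions for illustration.

```python
import re
from urllib.parse import urlparse

# Domains the reader actually expects mail and links from (constructed allow-list).
TRUSTED_DOMAINS = {"paypal.com", "google.com", "amazon.com"}
# Digit-for-letter swaps typical of lookalike domains (the page's "paypa1" trick).
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})
DOMAIN_RE = re.compile(r"[a-z0-9.-]+\.[a-z]{2,}")
# Good enough for a demo message; a real mail client would use a proper HTML parser.
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def registrable(host):
    """Keep the last two labels: login.paypa1-confirm.com -> paypa1-confirm.com."""
    return ".".join(host.lower().strip(".").split(".")[-2:])

def lookalike_of(domain):
    """Name the trusted domain this one imitates, or None if trusted or unrelated."""
    if domain in TRUSTED_DOMAINS:
        return None
    first_label = domain.translate(HOMOGLYPHS).split(".")[0]  # paypa1-confirm -> paypal-confirm
    return next((t for t in TRUSTED_DOMAINS if first_label.startswith(t.split(".")[0])), None)

def check_email(sender, html_body):
    """Return human-readable findings; an empty list means nothing looked off."""
    findings = []
    sender_domain = registrable(sender.rsplit("@", 1)[-1])
    if hit := lookalike_of(sender_domain):
        findings.append(f"sender {sender_domain} imitates {hit}")
    for href, text in ANCHOR_RE.findall(html_body):
        target = registrable(urlparse(href).hostname or "")
        shown = DOMAIN_RE.search(text.lower())  # the domain the reader sees in the link text
        if shown and registrable(shown.group()) != target:
            findings.append(f"link text shows {registrable(shown.group())} but goes to {target}")
        if hit := lookalike_of(target):
            findings.append(f"link target {target} imitates {hit}")
    return findings

# Constructed sample in the style the page describes: lookalike sender, mismatched link.
SAMPLE_SENDER = "security@paypa1-confirm.com"
SAMPLE_BODY = ('<p>Unusual activity detected!</p>'
               '<a href="http://login.paypa1-confirm.com/verify">https://www.paypal.com/signin</a>')

if __name__ == "__main__":
    for finding in check_email(SAMPLE_SENDER, SAMPLE_BODY):
        print("WARNING:", finding)
```

Run against the sample it reports three problems (lookalike sender, link text that does not match the real destination, and a lookalike link target); a message from a trusted domain with an honest link returns an empty list.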
Enable two-factor authentication on everything right now. You did this for critical accounts, but extend it to every account that matters: social media, online shopping, cloud storage, work accounts. Two-factor stops most account takeovers cold.
Use a password manager and never reuse passwords. A password manager like Bitwarden or 1Password generates unique, strong passwords for every site and fills them in automatically. If one site gets breached, attackers can't use that password on your bank or email (because they're all different). This is the single biggest defense against phishing.
Keep your operating system and browser patched. Enable automatic updates on Windows, macOS, or Linux. Outdated software has known security holes that malware exploits. Update your browser (Chrome, Firefox, Safari, Edge) weekly.
Install anti-malware protection and keep it active. Malwarebytes Premium runs in the background and blocks malicious downloads and phishing sites in real-time. Unlike Windows Defender alone, Malwarebytes is specifically designed to catch credential-stealing trojans and info-stealers before they install. It's $40-60 per year and worth every penny if you do any banking or shopping online. Alternatives like Bitdefender and Norton offer similar real-time protection, but Malwarebytes is the standard for phishing-related threats because it focuses on behavioral detection rather than signature matching.
Be skeptical of urgency. Phishing emails almost always create artificial urgency: "Your account will be locked in 24 hours!", "Confirm your identity immediately!", "Unusual activity detected!". Real companies rarely pressure you this way. When you see an urgent email asking you to log in or confirm information, log in separately using the company's official website or app; don't click the link in the email.
Summary: you've got this
A phishing link clicked is scary, but it's containable. The first hour is critical because that's when attackers move fastest. Change passwords from a clean device, scan for malware, lock down email access, and enable two-factor authentication. You've probably stopped them before they got in. Even if malware was installed, scanning catches most of it, and two-factor authentication keeps them out of your accounts.
For absolute peace of mind after a phishing incident, run Malwarebytes Premium on the infected device. Its real-time protection layer is specifically built to catch the trojans and info-stealers that standard antivirus misses, and it runs continuous scans in the background so you don't have to worry about cleanup later. Monitor your accounts for 30 days, stay alert for unusual activity, and trust that you've done everything right. Most people who act fast after a phishing click walk away with zero damage.