What Happens If I Click Phishing?


⚠ Just clicked a suspicious link? Do these 6 things now:

  1. Close the page immediately — do not type anything
  2. Turn off your Wi-Fi and mobile data
  3. Run a malware scan (Malwarebytes is free)
  4. Change your passwords — especially email and banking
  5. Turn on two-factor authentication on key accounts
  6. Check your accounts for any unusual activity

Full step-by-step details for each action are in the first section below.

You clicked a link in an email or text message and something felt off. Maybe the page looked strange. Maybe nothing loaded at all. Either way, you are now wondering what just happened — and whether your accounts, passwords, or device are at risk.

The good news: if you did not enter any information, the risk is lower than you might think. The less good news: there are still steps you should take right now. This guide covers exactly what happens when you click a phishing link, what the real risks are, and the precise actions to take depending on what you did after clicking.

What to do immediately after clicking a phishing link

Speed matters here. Work through these six steps as quickly as possible.

Step 1 — Do not enter any information

If a page has loaded after you clicked, close it immediately without typing anything — no email address, no password, no payment details, nothing. The primary goal of most phishing pages is to get you to voluntarily submit your credentials. If you close the page without interacting, you have already avoided the biggest risk.

Step 2 — Disconnect from the internet

Turn off Wi-Fi and mobile data on your device. This is a precautionary step: in rare cases where a link triggers a drive-by malware download, cutting your connection can interrupt the malware before it has fully installed or sent data back to the attacker. Reconnect only when you are ready to run a scan in step 3.

Step 3 — Run a malware scan

Reconnect briefly and run a full device scan. If you have antivirus software installed, open it and run a full scan now. If you do not, download Malwarebytes (free tier available for Windows, Mac, Android, and iOS) and let it scan your device. Remove or quarantine anything it flags before continuing.

Step 4 — Change your passwords

Change the password for any account you think was the target of the phishing link (e.g. if it looked like a Netflix login page, change your Netflix password). Critically, also change your password on any other account where you use the same password — attackers know that most people reuse passwords and will try the stolen one elsewhere immediately.

Step 5 — Enable two-factor authentication

If you have not already done so, enable 2FA on your email account, bank, and any other sensitive accounts right now. Even if an attacker has your password, 2FA means they cannot log in without the second verification step. Most major services support authenticator apps like Google Authenticator or Microsoft Authenticator.

Step 6 — Monitor your accounts for unusual activity

Check your email, bank account, and social media for anything you do not recognise — logins from new locations, sent emails you did not write, or transactions you did not make. Most banks allow you to set up instant transaction alerts via SMS. If you spot anything suspicious, report it to the service provider immediately and consider contacting your bank to put a temporary hold on your account.

What actually happens when you click a phishing link

Not all phishing links do the same thing. There are three main mechanisms, and understanding them helps you judge how serious your situation is.

Mechanism 1 — Fake login page (credential harvesting)

This is by far the most common type. The link takes you to a page that looks exactly like a real website — your bank, PayPal, Microsoft, Amazon, a parcel delivery notification — but is hosted on a fake domain. The page exists solely to capture whatever username and password you type in. If you closed the page without typing anything, your credentials were not stolen via this method.

Mechanism 2 — Drive-by malware download

In more sophisticated attacks, simply visiting the page can trigger a malicious file download or attempt to exploit a vulnerability in your browser or operating system. This is known as a drive-by download. These attacks are less common because they require an unpatched vulnerability to work — keeping your browser and OS fully updated is the single best protection against them. If your software is up to date, most drive-by attempts will fail silently.

Mechanism 3 — Tracking pixels and cookie theft

Some phishing pages are designed purely to confirm that your email address is active (by loading an invisible tracking image) or to steal session cookies already stored in your browser, which can allow the attacker to impersonate you on sites you are already logged into. This is a less dramatic but underappreciated risk.

What risk you actually face

| What you did | Likely risk level | Priority action |
| --- | --- | --- |
| Clicked the link, page loaded, you immediately closed it | Low (but not zero) | Run a malware scan, clear cookies |
| Page loaded and you browsed it briefly but entered nothing | Low to moderate | Run a malware scan, clear browser cookies and cache |
| You entered a username or password | High | Change that password now, enable 2FA, check account activity |
| You entered payment card details | Very high | Call your bank immediately to freeze or cancel the card |
| You downloaded and opened a file from the link | Very high | Disconnect, run full antivirus scan, consider factory reset |

I clicked a phishing link on my phone — is it different?

Yes, there are some meaningful differences depending on whether you are using Android or iOS.

iPhone and iPad (iOS)

iOS has a tightly sandboxed environment that makes drive-by malware downloads significantly harder to execute than on desktop operating systems. Apps cannot easily install themselves without going through the App Store, and browser exploits that work on Windows rarely work on iOS. That said, iOS users are just as vulnerable to credential-harvesting fake login pages — the sandbox does not stop you from voluntarily typing your password into a fake site.

What to do on iPhone after clicking a suspicious link:

  • Close Safari or Chrome immediately
  • Go to Settings → Safari → Clear History and Website Data
  • Check Settings → Privacy → App Privacy Report for any unusual network activity
  • Change your Apple ID password if the link looked like an Apple phishing page

Android

Android is more open than iOS and therefore slightly more vulnerable to drive-by downloads, particularly if you have allowed the installation of apps from unknown sources. After clicking a suspicious link on Android:

  • Go to Settings → Apps and check for any app you do not recognise that was installed recently
  • Check Settings → Apps → [any suspicious app] → Permissions and revoke any permissions that look unusual
  • Run a scan with Malwarebytes for Android (free)
  • Make sure Install unknown apps is turned off in settings

Smishing alert: Many phishing links now arrive via SMS rather than email — this is called smishing. The same rules apply: close the page, do not enter anything, run a scan. Never call a phone number shown on a page you reached via an SMS link.


I clicked but didn’t enter any details — am I safe?

This is the most common question people ask after a phishing scare, and the honest answer is: probably yes, but it is worth taking a few precautions.

For the vast majority of phishing links, simply landing on the page without entering any information means your credentials are safe. The fake login page cannot steal a password you never typed.

The small residual risk comes from:

  • Drive-by exploits — rare, and almost always blocked if your browser and OS are up to date
  • Session cookie theft — possible if the page ran malicious JavaScript; clearing your browser cookies removes this risk
  • Confirming your email is active — low impact, but the phisher now knows your address is real

Practical steps to take even if you entered nothing:

  1. Run a quick malware scan
  2. Clear your browser history, cookies, and cache (Ctrl+Shift+Delete on Windows, Cmd+Shift+Delete on Mac)
  3. Check your browser extensions and remove any you do not recognise
  4. Keep an eye on your email and any account linked to the address the phishing email targeted

If your browser and operating system are fully up to date and you did not download or open any file, it is reasonable to consider yourself low risk. But never skip the scan — five minutes now is worth the peace of mind.


I entered my password or personal details — what now?

Act fast. The attacker’s systems are often automated, and stolen credentials can be tested on other accounts within minutes of being submitted.

If you entered a password

  1. Change the password on that account immediately — open the real website by typing its address directly into your browser (do not click any link), log in, and change the password.
  2. Change the same password everywhere else you use it — if you reuse passwords (and most people do), every account with that password is now compromised.
  3. Enable 2FA on the affected account if it is not already on.
  4. Check your account’s recent activity — most services show recent login locations and times under Security settings.
  5. Check Have I Been Pwned at haveibeenpwned.com to see if your email address has appeared in any data breaches.

If you entered bank or card details

  1. Call your bank immediately using the number on the back of your card — not any number shown on the phishing page.
  2. Ask them to freeze or cancel your card and issue a replacement.
  3. Ask them to flag your account for potential fraud so any suspicious transactions are reviewed.
  4. Check your recent transactions and report anything you do not recognise.

If you entered your National Insurance number, passport, or other ID

This puts you at risk of identity theft. Take the following steps:

  • Report it to Action Fraud (UK: actionfraud.police.uk) or the FTC (US: identitytheft.gov).
  • Consider placing a fraud alert or credit freeze with credit reference agencies (Experian, Equifax, TransUnion in the UK/US).
  • Monitor your credit report for any new accounts opened in your name.

How to tell if your device has been infected

If you are worried malware may have been installed after clicking a phishing link, watch for these warning signs.

On a PC or Mac

  • Your computer is noticeably slower than usual
  • Pop-up adverts appear even when your browser is closed
  • Your browser homepage or default search engine has changed without your input
  • New browser extensions or toolbars have appeared that you did not install
  • Your antivirus has been disabled or you are locked out of security settings
  • Programs are opening, closing, or installing themselves
  • You are being redirected to unexpected websites when browsing

On a phone (Android or iOS)

  • Battery draining unusually fast
  • Mobile data usage has spiked unexpectedly
  • Phone is warm even when not in use
  • Apps you do not recognise have appeared
  • You are seeing adverts inside apps that never showed them before
  • Contacts report receiving strange messages from you

How to check and remove malware

| Device | Built-in tool | Free third-party option |
| --- | --- | --- |
| Windows | Windows Security (Windows Defender) | Malwarebytes Free |
| Mac | XProtect (automatic, background) | Malwarebytes for Mac (free) |
| Android | Google Play Protect | Malwarebytes for Android (free) |
| iPhone / iPad | iOS sandbox (no scanner needed) | Lookout Security (free tier) |

Nuclear option: If you downloaded and ran a file from a phishing link and scans are finding persistent threats, the safest resolution is to back up your personal files to an external drive (being careful not to copy executable files), perform a factory reset or clean OS reinstall, and restore only your personal data. This is a last resort but gives you a completely clean slate.


How to report a phishing link

Reporting phishing helps protect others and contributes to takedowns of malicious sites. It takes less than two minutes.

| Country / service | Where to report | How |
| --- | --- | --- |
| UK | NCSC | Forward phishing emails to [email protected] |
| UK | Action Fraud | actionfraud.police.uk or call 0300 123 2040 |
| US | FTC | [email protected] or reportfraud.ftc.gov |
| US | FBI IC3 | ic3.gov |
| All countries | Google Safe Browsing | safebrowsing.google.com/safebrowsing/report_phish |
| All countries | Microsoft | Use the “Report phishing” button in Outlook |
| All countries | Your email provider | Use the Spam / Phishing button in Gmail, Outlook, or Apple Mail |

How to avoid clicking phishing links in future

Once you have dealt with the immediate situation, it is worth reviewing a few habits that make phishing significantly harder to fall for.

Before you click any link

  • Hover over the link first. On desktop, hovering shows the real destination URL in the status bar at the bottom of your browser. On mobile, press and hold the link to preview the URL. Look for misspelled domains (paypa1.com, arnazon.com) or unfamiliar domains entirely.
  • Check the sender address, not just the display name. An email can show “PayPal Support” as the sender name while the actual address is something like [email protected]. The display name means nothing — the actual address is what matters.
  • When in doubt, go direct. If an email asks you to log in to your bank, do not click the link. Open a new browser tab and type your bank’s address yourself. Legitimate services will never penalise you for doing this.
  • Be suspicious of urgency. Phishing emails routinely use urgent language: “Your account will be suspended in 24 hours”, “Unusual activity detected”, “You have a parcel waiting”. Real services rarely demand instant action via email.
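
The sender check described above, written out as an added example (it is not code from this guide). It compares the display name with the domain of the actual address, decoding encoded display names first. The BRAND_DOMAINS table, the function name and the sample headers are assumptions constructed for illustration.

```python
from email.header import decode_header, make_header
from email.utils import parseaddr

# Assumed for this example: brand names mapped to the domains they really send from.
BRAND_DOMAINS = {"paypal": {"paypal.com"}, "netflix": {"netflix.com"}}


def sender_check(from_header):
    """Return (display_name, address_domain, impersonated_brand_or_None)."""
    raw_name, address = parseaddr(from_header)
    # Display names may arrive as RFC 2047 encoded-words; decode before comparing.
    name = str(make_header(decode_header(raw_name)))
    domain = address.rpartition("@")[2].lower().rstrip(".")
    # Ignore case and spacing so "Pay Pal" and "PAYPAL" are treated alike.
    squashed = name.lower().replace(" ", "")
    for brand, domains in BRAND_DOMAINS.items():
        if brand not in squashed:
            continue
        # Genuine only if the address is on the brand's domain or a subdomain of it.
        genuine = any(domain == d or domain.endswith("." + d) for d in domains)
        if not genuine:
            return (name, domain, brand)
    return (name, domain, None)


if __name__ == "__main__":
    for header in (  # constructed sample From headers
        '"PayPal Support" <billing@secure-notices.example>',
        "PayPal <service@mail.paypal.com>",
        "=?UTF-8?B?UGF5UGFsIFN1cHBvcnQ=?= <notice@mailer.example>",
    ):
        print(sender_check(header))
```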

Protective tools to have in place

  • A password manager (Bitwarden is free, 1Password and Dashlane are paid). Password managers only auto-fill credentials on the exact domain they were saved for — if you land on a fake PayPal domain, your password manager will not offer to fill in your password, which is an important safety net.
  • Two-factor authentication on every account that supports it — especially email, banking, and social media. Even if your password is stolen, 2FA stops the attacker logging in.
  • Browser phishing protection. Google Chrome, Microsoft Edge, and Firefox all have built-in phishing and malware protection enabled by default. Make sure it has not been turned off in your browser settings.
  • Up-to-date software. The single best protection against drive-by malware is keeping your browser and operating system fully updated. Enable automatic updates so you do not fall behind.

Watch out for smishing and vishing

Smishing is phishing via SMS. Parcel delivery scams, bank fraud alerts, and HMRC/IRS tax refund texts are the most common. The same rules apply: do not click the link, go directly to the official website instead.

Vishing is phishing via voice call. Attackers impersonate your bank, HMRC, Microsoft support, or the police. Legitimate organisations will never ask for your full PIN, password, or ask you to transfer money to a “safe account” over the phone. Hang up and call back on a number from the official website.


Frequently asked questions

Can clicking a phishing link give someone access to my phone?

Simply clicking a link rarely gives someone direct access to your phone. The main risk is being taken to a fake login page where you voluntarily enter credentials, or in rare cases a drive-by download that exploits an unpatched browser vulnerability. Keeping your phone’s operating system and browser updated greatly reduces that second risk.

Does antivirus protect against phishing?

Antivirus can help in two ways: it can block known phishing URLs and scan files you download for malware. However, it cannot stop you from voluntarily entering your password into a convincing fake website. Your best defence is learning to recognise phishing attempts before you click.

Can phishing steal my passwords without me typing them?

Yes, in rare cases. Drive-by download attacks can install keyloggers or credential-stealing malware if your browser or OS has an unpatched vulnerability. This is why keeping software updated and running reputable security software matters — not just avoiding fake login pages.

How do I know if a link is phishing before I click it?

Hover over the link to see the real URL before clicking. Look for misspelled domain names (e.g. paypa1.com instead of paypal.com), unusual subdomains, or URL shorteners hiding the real destination. When in doubt, go directly to the website by typing the address yourself rather than clicking the link.
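
The checks from this answer and from the hover advice under "Before you click any link", written out as an added example (it is not code from this guide). It classifies the host in a previewed URL as trusted, a misspelled or subdomain look-alike, or hidden behind a shortener. The TRUSTED, SHORTENERS and CONFUSABLES lists, the function names and the sample links are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumed for this example: the sites the reader really uses, and a few shorteners.
TRUSTED = {"paypal.com", "amazon.com", "netflix.com"}
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com"}
# Look-alike substitutions, mapped back to the character they imitate.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("5", "s"))


def skeleton(host):
    """Undo look-alike substitutions so paypa1.com compares equal to paypal.com."""
    for fake, real in CONFUSABLES:
        host = host.replace(fake, real)
    return host


SKELETONS = {skeleton(domain): domain for domain in TRUSTED}


def check_link(url):
    """Classify the URL shown in a hover preview as a (verdict, domain) pair."""
    if "://" not in url:
        url = "//" + url  # let urlsplit find the host in scheme-less input
    host = (urlsplit(url).hostname or "").rstrip(".")
    if not host:
        return ("suspicious", "")
    labels = host.split(".")
    # Every parent domain of the host: www.paypal.com, paypal.com, com.
    parents = [".".join(labels[i:]) for i in range(len(labels))]
    for parent in parents:
        if parent in TRUSTED:
            return ("trusted", parent)
    for parent in parents:
        if parent in SHORTENERS:
            return ("hidden", parent)  # real destination unknown until expanded
    for parent in parents:
        real = SKELETONS.get(skeleton(parent))
        if real:
            return ("lookalike", real)  # misspelled domain
    for real in sorted(TRUSTED):
        if f".{real}." in f".{skeleton(host)}.":
            return ("lookalike", real)  # brand used as a subdomain of another site
    return ("unknown", host)


if __name__ == "__main__":
    for sample in (  # constructed sample links
        "https://www.paypal.com/signin",
        "https://paypa1.com/login",
        "http://arnazon.com/orders",
        "https://paypal.com.account-verify.example/",
        "https://bit.ly/3xAmPlE",
    ):
        print(check_link(sample), sample)
```

An "unknown" verdict only means the host is not on the list; it is not a statement that the site is safe.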

Is phishing illegal?

Yes. Phishing is a criminal offence in most countries. In the UK it falls under the Fraud Act 2006 and the Computer Misuse Act 1990. In the US it is prosecuted under the Computer Fraud and Abuse Act and wire fraud statutes. Penalties can include significant prison sentences.

Final thoughts

Clicking a phishing link is something that happens to millions of people every year — including people who work in cybersecurity. It is not a sign of carelessness; phishing pages are often remarkably convincing.

What matters is what you do next. To recap:

  • If you just clicked and closed the page without entering anything: run a scan, clear your cookies, and stay alert. The risk is low.
  • If you entered a password: change it immediately everywhere you use it, enable 2FA, and check your account activity.
  • If you entered payment details: call your bank right now.
  • If you downloaded a file: disconnect, run a full scan, and consider a clean reinstall if threats persist.

Going forward, a password manager and 2FA on your key accounts will protect you against the vast majority of phishing attacks even if you do click a malicious link — because the attacker still cannot get into your account without the second factor.
