Response | April 15, 2026 | 6 min read

What to do after clicking a phishing link at work

A practical response checklist for employees and managers after a phishing click, based on official guidance.

A phishing click is not the end of the story. What matters next is how quickly the situation is reported and contained.

Many people freeze after clicking a suspicious link because they are worried they have already caused damage. That reaction is understandable, but it is the wrong one. Fast reporting is one of the best things an employee can do after a suspected phishing incident.

First: do not keep interacting with the page

If you clicked a suspicious link and the site opens, stop there.

Do not keep browsing the page, do not download anything else, and do not type in credentials, payment details, or company information. Close the tab if needed and move on to the next steps.

If you entered a password, change it immediately

If you typed your password into a suspicious site, assume it is now in the attacker's hands.

Change the password for that account as soon as possible, from a device you trust. If it is a work account, ask IT to do the reset: they can also revoke any sessions the attacker may already have opened and check recent sign-ins. If you have reused the same password anywhere else, change those accounts too. Password reuse turns one compromised login into a much bigger problem.

If the device is a work device, tell IT straight away

Do not wait to see whether anything bad happens.

If the message was opened on a work laptop or phone, report it to your IT or security contact as soon as possible. Early reporting gives the team a chance to:

  • reset accounts
  • review logs
  • scan the device
  • block malicious domains
  • warn other employees if the same message is circulating

A fast report is useful even if you are not sure the message was malicious.
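For the IT side of that list, the first questions are usually the same: which domain do we block, who else reached it, and who actually submitted something to it. The script below is an added example, not part of the original post and not a tool from Anzol Guard. It takes the reported URL and a constructed web-proxy log (the log format, the user names and the domains are all assumptions for the example), normalises the reported domain, finds every user who reached that domain or a subdomain of it, flags the ones who sent a POST as likely to have entered data, and prints an ordered containment plan. A look-alike host that merely starts with the phishing domain is deliberately not matched.

```python
"""Triage a reported phishing click against proxy logs.

Added example: the log format below is constructed for this page, not
the output of any real proxy.  Each line is
    <timestamp> <user> <method> <url> <status>
"""
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed sample proxy log (hypothetical users and domains).
SAMPLE_PROXY_LOG = """\
2026-04-15T09:02:11Z alice GET https://login-portal-update.example/verify 200
2026-04-15T09:02:15Z alice POST https://login-portal-update.example/verify 302
2026-04-15T09:05:40Z bob GET https://intranet.example/home 200
2026-04-15T09:07:03Z carol GET https://LOGIN-PORTAL-UPDATE.example/verify?id=7 200
2026-04-15T09:09:55Z dave GET https://login-portal-update.example.evil.test/x 200
2026-04-15T09:10:12Z erin POST https://www.login-portal-update.example/api/submit 200
"""


@dataclass
class TriageResult:
    blocked_domain: str
    clicked: set = field(default_factory=set)      # everyone who reached the domain
    submitted: set = field(default_factory=set)    # subset that sent a POST
    first_seen: dict = field(default_factory=dict)  # user -> first timestamp


def reported_domain(url: str) -> str:
    """Normalise the URL an employee reported to a hostname for blocking."""
    # People often paste URLs without a scheme; urlsplit needs one to find the host.
    if "://" not in url:
        url = "https://" + url
    host = urlsplit(url).hostname  # already lowercased by urlsplit
    if not host:
        raise ValueError(f"no hostname in reported URL: {url!r}")
    return host


def same_site(host: str, domain: str) -> bool:
    """True for the domain itself or any subdomain; a look-alike such as
    login-portal-update.example.evil.test is a different site and must not match."""
    return host == domain or host.endswith("." + domain)


def parse_line(line: str):
    parts = line.split()
    if len(parts) != 5:
        return None  # skip blank or malformed lines rather than crash mid-incident
    ts, user, method, url, status = parts
    return ts, user, method.upper(), url, status


def triage(reported_url: str, proxy_log: str) -> TriageResult:
    domain = reported_domain(reported_url)
    result = TriageResult(blocked_domain=domain)
    for line in proxy_log.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, user, method, url, _status = rec
        host = urlsplit(url).hostname or ""
        if not same_site(host, domain):
            continue
        result.clicked.add(user)
        result.first_seen.setdefault(user, ts)
        if method == "POST":
            result.submitted.add(user)
    return result


def containment_plan(result: TriageResult) -> list:
    """Ordered actions for the responder: block first, then the riskiest users."""
    plan = [f"block {result.blocked_domain} (and subdomains) at proxy and DNS"]
    for user in sorted(result.submitted):
        plan.append(f"reset password and revoke sessions for {user}: "
                    f"submitted data at {result.first_seen[user]}")
    for user in sorted(result.clicked - result.submitted):
        plan.append(f"contact {user}: confirm whether credentials were entered; "
                    f"scan device (first seen {result.first_seen[user]})")
    plan.append("warn all staff: same message may be circulating")
    return plan


if __name__ == "__main__":
    report = triage("login-portal-update.example/verify?id=7", SAMPLE_PROXY_LOG)
    for step in containment_plan(report):
        print(step)
```

In a real environment the log source would be the proxy, DNS or e-mail gateway export rather than the constructed string, but the ordering is the point: the block goes in first because it protects people who have not clicked yet, and users who submitted data are reset before users who only viewed the page.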

If you opened a file or installed something, run a full security scan

If the phishing email led you to download a file, install software, or open a suspicious attachment, the risk is higher.

Use your antivirus or endpoint protection tools to run a full scan and follow the instructions to clean up any problems it detects. If this is a company-managed device, tell IT before you start making major changes.

If you shared banking or payment details, contact the bank immediately

If card details, banking information, or payment credentials were entered, contact your bank or provider without delay.

That is a different risk level from a suspicious click on its own. Financial institutions may be able to help block or monitor fraudulent activity if they are informed quickly.

Report the phishing message itself

Do not just report the impact. Report the message too.

Forward the suspicious email using your company process if one exists. External reporting can also help, depending on your region and situation. For example, FTC guidance recommends forwarding phishing emails to the Anti-Phishing Working Group at reportphishing@apwg.org and reporting the attempt at ReportFraud.ftc.gov.

Do not hide the incident

This is one of the most important points.

A healthy security culture depends on people feeling able to report mistakes quickly. Delayed reporting increases risk. Early reporting reduces it.

That is why good phishing training should be practical and judgment-free. The goal is not to shame people for clicking. The goal is to reduce the time between a click and a response.

A simple response checklist

If someone clicks a suspicious link at work:

  1. Stop interacting with the page
  2. Do not enter more information
  3. Change exposed passwords immediately
  4. Report it to IT or security
  5. Run a full scan if a file was opened or software was installed
  6. Contact the bank if payment details were entered
  7. Report the phishing email itself

Why rehearsal matters

In a real incident, employees rarely respond perfectly from memory.

That is why simulations matter. They turn abstract awareness into a habit. When staff have already practised what happens after a click, they are more likely to report quickly and respond correctly under pressure.

Anzol Guard

Train your team before a real attack does.

Anzol Guard sends realistic phishing simulations to your team, delivers instant training after every click, and tracks improvement over time. Built for small and mid-sized teams without dedicated security staff.