Security · 6 min read

You Got Phished. Now What?

Damage control steps for when you've clicked a bad link or entered credentials on a fake site.

Andri

It happens. You clicked a link that looked legitimate. Maybe you even entered your password before realizing something was off. Your stomach drops, panic sets in.

Take a breath. What you do in the next hour matters more than beating yourself up. Here's exactly what to do.

First: What Did You Actually Do?

Be honest with yourself. The response depends on what happened:

Level 1: Just clicked a link

If you only clicked but didn't enter any information or download anything — you're probably fine. Modern browsers are pretty good at sandboxing. Close the tab, clear your browser cache, and move on. Maybe run a malware scan to be safe.

Level 2: Entered credentials

This is the most common scenario. You put in a username and password before realizing it was fake. This requires action.

Level 3: Downloaded and ran something

This is more serious. You may have malware on your device.

Level 4: Entered financial info

Credit card, bank details, SSN. Time to move fast.

Let's walk through each scenario.

If You Entered Login Credentials

You have about a 30-minute window before attackers typically try your stolen credentials. Move fast.

Step 1: Change That Password (Right Now)

Go directly to the real website — type it yourself, don't click any links — and change your password immediately. If you can't log in because they already changed it, use the "Forgot Password" flow.

Step 2: Enable 2FA If You Haven't

While you're logged in, turn on two-factor authentication. This way, even if they have your password, they can't get in without your phone. Use an authenticator app rather than SMS if possible.

Step 3: Check for Damage

Look at:

  • Recent account activity
  • Connected devices or sessions (log them all out)
  • Email forwarding rules (attackers love to set these up)
  • Recovery email/phone changes
  • Any purchases or changes you didn't make

Step 4: Change Passwords Elsewhere

If you reused that password anywhere else (I won't lecture you, but please stop doing this), change it on those accounts too. Attackers will try the same credentials on common services.

Step 5: Check Your Email

If it was your email account that was compromised, check:

  • Sent folder for emails you didn't send
  • Trash for deleted evidence
  • Filters/forwarding rules
  • "Undo send" or similar features

If You Downloaded Something

Step 1: Disconnect from the Internet

Unplug the ethernet cable or turn off WiFi. This stops the malware from communicating home or spreading.

Step 2: Don't Turn Off Your Computer Yet

Some malware installs itself on startup. Keep it running but disconnected.

Step 3: Run Malware Scans

From another device, download Malwarebytes (free version is fine) onto a USB drive. Plug it into the infected machine and run a full scan.

On Windows, also run Windows Defender offline scan:

  • Settings → Update & Security → Windows Security → Virus & threat protection → Scan options → Microsoft Defender Offline scan

Step 4: Consider a Full Reset

If you're not sure the malware is gone — or if you deal with sensitive data — a full factory reset is the only way to be certain. Yes, it's a pain. Yes, it's worth it.

Reinstall your OS from official media, not a recovery partition (which could be compromised).

If You Entered Financial Information

Step 1: Call Your Bank/Card Company

Right now. Not in an hour. The fraud department's number is on the back of your card. Tell them you may have been phished.

They'll likely:

  • Cancel your card and send a new one
  • Flag recent transactions for review
  • Set up fraud monitoring

Step 2: Watch Your Statements

Check daily for the next month. Report anything suspicious immediately.

Step 3: Consider a Credit Freeze

If you gave up enough information for identity theft (SSN, date of birth, address), freeze your credit at all three bureaus (Equifax, Experian, and TransUnion).

This is free and prevents anyone from opening new accounts in your name.

If It Was a Work Account

Do NOT try to handle this quietly.

Tell your IT department immediately. I know it's embarrassing. Do it anyway.

Why this matters:

  • They can check if the attackers pivoted to other systems
  • They may need to revoke sessions, reset credentials, or alert others
  • If it's a targeted attack, others in your organization may be getting the same phishing email
  • Delayed reporting makes everything worse

Many organizations have policies that protect employees who report promptly. Trying to hide it is usually what gets people fired.

After the Immediate Crisis

Report the Phishing

Help prevent others from falling for the same attack:

  • Forward phishing emails to reportphishing@apwg.org
  • Report to your email provider (Gmail: the three dots → Report phishing)
  • If it impersonated a company, report to their security team

Document What Happened

Write down:

  • What you clicked
  • What information you entered
  • What you did to respond
  • Approximate times

This helps if you need to deal with fraud claims later.

Learn From It

What made this phishing attempt convincing enough to catch you? Understanding that helps you spot the next one.

Common tricks:

  • Urgency ("Your account will be suspended!")
  • Authority (looks like it's from your boss/IT/bank)
  • Familiar-looking domains (microsoftt.com, arnazon.com)
  • Links that show one URL but go to another

Prevention for Next Time

Use a password manager. It won't autofill your credentials on a fake site because it checks the actual URL.

Enable 2FA everywhere. Even if they get your password, they can't get in.

Be suspicious of urgency. Legitimate companies rarely demand immediate action.

Check URLs carefully. Before entering credentials, look at the address bar. Is it really bankofamerica.com or bank0famerica.com?

When in doubt, navigate directly. Don't click email links. Open a new browser tab and go to the site yourself.
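As an added example (not code from the original post), here is a small Python script that automates the two URL checks above: whether a host is a lookalike of a site you actually use (bank0famerica.com, arnazon.com, microsoftt.com) and whether a link's visible text points somewhere different from its real destination. The list of known domains and the sample URLs are assumptions constructed for illustration.

```python
# Added example: lookalike-domain and link-mismatch checks.
# KNOWN_DOMAINS is an assumed, constructed list of sites the reader has accounts with.
import re
from urllib.parse import urlparse

KNOWN_DOMAINS = ["bankofamerica.com", "amazon.com", "microsoft.com", "google.com"]

# Character sequences phishers swap in because they look alike at a glance.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def registrable_domain(url: str) -> str:
    """Return the last two labels of the host ('login.amazon.com' -> 'amazon.com')."""
    host = (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()
    labels = host.strip(".").split(".")
    return ".".join(labels[-2:])


def normalize(name: str) -> str:
    """Collapse confusable sequences so 'arnazon' and 'bank0famerica' read as the real names."""
    for fake, real in CONFUSABLES:
        name = name.replace(fake, real)
    return name


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one extra, missing or changed letter is distance 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_url(url: str) -> str:
    """Classify a URL as 'trusted', 'lookalike of <domain>' or 'unknown'."""
    domain = registrable_domain(url)
    if domain in KNOWN_DOMAINS:
        return "trusted"
    name = domain.rsplit(".", 1)[0]
    for good in KNOWN_DOMAINS:
        good_name = good.rsplit(".", 1)[0]
        if normalize(name) == normalize(good_name) or edit_distance(name, good_name) <= 1:
            return f"lookalike of {good}"
    return "unknown"


def display_mismatch(visible_text: str, href: str) -> bool:
    """True when the link text shows one site but the href goes to another."""
    shown = re.search(r"[a-z0-9-]+(?:\.[a-z0-9-]+)+", visible_text.lower())
    return bool(shown) and registrable_domain(shown.group(0)) != registrable_domain(href)
```

A password manager does the exact-host part of this comparison for you on every login page, which is why it refuses to autofill on the lookalike.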

The Uncomfortable Truth

Even security professionals get phished sometimes. These attacks are sophisticated and constantly evolving. Getting phished doesn't make you stupid — it makes you human.

What matters is what you do next. Fast, calm response can turn a potential disaster into a minor inconvenience.

Now go change that password.

#phishing #security #passwords #incident-response
