TLDR
If you clicked a link in a phishing email, the urgency depends on what happened next. Simply clicking usually loads a phishing page, but the real damage comes from entering information. The most critical step most guides miss: check your email for unauthorized forwarding rules. Attackers set these up within minutes of gaining access to silently intercept your messages.
Immediate Steps (Do These First)
Step 1: Disconnect and Stop
- Close the browser tab that opened
- Do NOT enter any information on the page (if you have not already)
- Do NOT open any files that may have downloaded
- Take a screenshot of the URL in your browser bar for reporting
Step 2: Assess What Happened
Scenario A: You clicked but entered nothing
- Risk is minimal. The page loaded but you did not provide any data.
- Clear browser data, run a scan, and move on.
Scenario B: You entered login credentials
- Your email/account password is compromised. Act immediately.
Scenario C: You entered financial or personal information
- Credit card, SSN, or bank details are in attacker hands. Highest urgency.
Scenario D: You downloaded or opened a file
- Malware may be on your computer. Disconnect from the internet immediately.
If You Entered Your Email Password
This is the most common phishing outcome and the most dangerous because it gives attackers access to everything connected to your email.
The Forwarding Rule Attack (Do Not Skip This)
This is the step most damage control guides miss. Within minutes of accessing your email, sophisticated attackers create a forwarding rule that silently sends copies of all incoming email to their address. This means:
- Even after you change your password, they continue receiving your emails
- They can intercept password reset emails for your other accounts
- They can read financial statements, personal messages, and business communications
Check for unauthorized forwarding rules immediately:
Gmail:
- Click the gear icon > See all settings
- Go to Forwarding and POP/IMAP tab
- Check if any forwarding addresses are set that you did not add
- Go to Filters and Blocked Addresses tab
- Look for any filters that forward, delete, or mark emails as read automatically
Outlook/Microsoft 365:
- Click the gear icon > View all Outlook settings
- Go to Mail > Rules
- Look for any rules that forward messages or move them to unusual folders
- Also check Mail > Forwarding for any forwarding addresses
Delete any rules or forwarding addresses you did not create.
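Gmail can export its filters as an XML file (Settings > Filters and Blocked Addresses > Export), which makes the check above scriptable. The script below is an added example, not part of this guide: it scans such an export and flags every filter that forwards, deletes, or marks mail as read. The sample feed and the attacker address inside it are constructed; it does not cover the separate Forwarding and POP/IMAP setting or Outlook rules, which still need the manual check.

```python
import xml.etree.ElementTree as ET

ATOM = "{http://www.w3.org/2005/Atom}"
APPS = "{http://schemas.google.com/apps/2006}"

# Actions the guide tells you to look for: forward, delete, or mark as read.
RISKY_ACTIONS = ("forwardTo", "shouldTrash", "shouldMarkAsRead")
# Matching criteria worth showing next to a flagged action.
CRITERIA = ("from", "to", "subject", "hasTheWord", "doesNotHaveTheWord")

def find_suspicious_filters(xml_text, trusted_forwards=()):
    """Return one dict per filter that forwards, trashes or marks mail as read.
    Forwarding to an address listed in trusted_forwards is not counted."""
    trusted = {a.lower() for a in trusted_forwards}
    findings = []
    for entry in ET.fromstring(xml_text).iter(ATOM + "entry"):
        props = {p.get("name"): p.get("value") for p in entry.iter(APPS + "property")}
        # forwardTo carries an address; the should* flags carry 'true' when set
        actions = [a for a in RISKY_ACTIONS
                   if a in props and (a == "forwardTo" or props[a] == "true")]
        if "forwardTo" in actions and props["forwardTo"].lower() in trusted:
            actions.remove("forwardTo")
        if actions:
            findings.append({
                "actions": actions,
                "forward_to": props.get("forwardTo"),
                "criteria": {k: props[k] for k in CRITERIA if k in props},
            })
    return findings

# Constructed sample in the layout of a Gmail filter export (not a real export).
SAMPLE_FILTERS = """<feed xmlns='http://www.w3.org/2005/Atom' xmlns:apps='http://schemas.google.com/apps/2006'>
<title>Mail Filters</title>
<entry>
<category term='filter'></category><title>Mail Filter</title>
<apps:property name='from' value='news@newsletter.example'/>
<apps:property name='label' value='Newsletters'/>
</entry>
<entry>
<category term='filter'></category><title>Mail Filter</title>
<apps:property name='hasTheWord' value='password OR reset OR invoice'/>
<apps:property name='forwardTo' value='drop-box@attacker.example'/>
<apps:property name='shouldTrash' value='true'/>
<apps:property name='shouldMarkAsRead' value='true'/>
</entry>
</feed>"""

if __name__ == "__main__":
    for hit in find_suspicious_filters(SAMPLE_FILTERS):
        print("SUSPICIOUS FILTER:", hit)
```

The benign newsletter filter is ignored; the second filter is reported with its three actions and the keywords it matches on, which is exactly the pattern that lets an attacker keep reading password-reset mail after you change your password.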
Then: Change Your Password and Secure the Account
- Change your email password immediately (use a strong, unique password)
- Enable two-factor authentication (2FA) if not already active
- Revoke active sessions (Gmail: scroll to bottom of inbox > "Details" > "Sign out all other sessions")
- Check "sent" and "trash" folders for emails the attacker may have sent from your account
- Change passwords for any accounts that use the same password as your email
If You Entered Financial Information
- Call your bank or card issuer immediately - most have 24/7 fraud lines
- Request a new card number - the compromised one should be canceled
- Place a fraud alert with one credit bureau (they notify the others):
  - Equifax: 1-800-525-6285
  - Experian: 1-888-397-3742
  - TransUnion: 1-800-680-7289
- Consider a credit freeze for maximum protection
- Monitor transactions daily for the next 30 days
If You Downloaded a File
- Disconnect from the internet (turn off Wi-Fi, unplug Ethernet)
- Do NOT open the file if you have not already
- Run a full antivirus scan (Windows Defender, Malwarebytes, or your security software)
- Delete the downloaded file (check Downloads folder)
- Change passwords for accounts you are logged into on that computer (from a different device)
- If you opened the file, consider having a professional scan the machine or performing a clean OS reinstall
Report the Phishing Email
After securing your accounts:
- Forward the phishing email to reportphishing@apwg.org
- Report to the FTC at ReportFraud.ftc.gov
- Report to your email provider:
  - Gmail: Click three dots > "Report phishing"
  - Outlook: Click "Report" > "Phishing"
- Check the sender's domain on ScamVerify and submit a report
Timeline for Recovery
| Timeframe | Action |
|---|---|
| First 15 minutes | Change password, check forwarding rules, enable 2FA |
| First hour | Contact bank if financial info shared, revoke sessions |
| First 24 hours | File FTC report, check credit report, monitor accounts |
| First week | Monitor all accounts daily, watch for follow-up phishing |
| First month | Review credit report, continue monitoring transactions |
FAQ
Can I get malware just from clicking an email link?
On a fully updated computer with modern browsers, simply visiting a webpage is unlikely to install malware. The real risk is downloading files or entering information. However, unpatched systems can be vulnerable to drive-by downloads from malicious sites.
How do I know if the phishing email was targeted at me specifically?
If the email includes your name, employer, or references to real transactions, it is likely a spear phishing attack. This means the attacker has some prior knowledge about you, possibly from a data breach or public social media. Be extra thorough in your damage control steps.
Should I respond to the phishing email to tell them I know it is a scam?
No. Replying confirms your email address is active and monitored. It also provides the attacker with additional metadata about you (email client, IP address from headers). Ignore and report.