I clicked a phishing link - what do I do now?
Clicking a bad link is rarely game over - what matters is what you do in the next few minutes. Here is a calm, step-by-step plan.
First: don't panic, and don't enter anything
Simply clicking a link is usually not the disaster it feels like. The danger comes from what happens next - entering a password, downloading a file, or approving a prompt. If a page opened, close it now and don't type anything into it. What you do in the next few minutes matters far more than the click itself.
If you only clicked (and entered nothing)
You're most likely fine. To be safe:
- Close the tab. Don't enter logins, card numbers, or codes on the page.
- You don't need to "factory reset" your phone - just don't act on the page.
- Want to know where the link actually led? Check the URL with our Link Checker instead of revisiting it.
If you entered a password
Act quickly:
- Change that password now, from the account's real site or app - not through the link.
- If you reused that password anywhere else, change it there too. This is the biggest risk: one stolen password unlocks every account that shares it.
- Turn on two-factor authentication so a stolen password isn't enough on its own.
If you entered banking or card details
- Call your bank using the number on the back of your card and tell them. They can watch for or block fraudulent charges and reissue the card.
- Watch your statements closely for the next few weeks.
If you downloaded or opened a file
- If you haven't opened it, don't; if you have, don't open it again or do anything it prompts you to. Run a malware scan with your device's built-in security (such as Microsoft Defender) or a reputable tool.
- If a prompt asked you to enable macros, grant access, or install something - and you did - disconnect from the internet and run a scan. On a work device, tell your IT team.
If you approved a login prompt or shared a one-time code
- Go to the real account, sign out of all sessions, and change the password - the attacker may be logged in right now.
- A one-time passcode you read out can let someone bypass your two-factor login, so re-secure the account immediately.
Then: slow down and report
- Report the message - to your bank, your workplace, or the Canadian Anti-Fraud Centre (1-888-495-8501) - so others are warned.
- Not sure how bad it was? Check the link first, and see our "I've been scammed" guide for the full recovery steps.
The takeaway: a click is a scare, not a sentence. Close the page, change any password you typed, and call your bank if money was involved.