March 2, 2026

By PhishClean Research Team - browser security guidance based on phishing analysis, defensive research, and product work.

What to Do After a Phishing Attack

You clicked the link. You typed your password. And now you realize it wasn't the real site. Don't panic — but do act fast. The next 15 minutes matter more than you think. Here's exactly what to do, in order.

If this is about a financial account (bank, credit card, PayPal), skip to Step 1 and do it right now. Automated tools can drain accounts within minutes of getting credentials.

Immediate Steps (Do These Now)

Step 1: Change the compromised password

Go directly to the real website — type the URL yourself, don't click any links — and change your password immediately. If the attacker hasn't already changed it, you're cutting off their access.

If you can't log in because the attacker already changed your password, use the "Forgot Password" flow. If that doesn't work, contact the service's support team directly.

Step 2: Change it everywhere you reused it

This is the painful one. If you used the same password on other sites — email, banking, social media — change all of them. Attackers know people reuse passwords. The first thing they'll do is try your stolen credentials on every major service. That's credential stuffing, and it happens automatically within minutes.

If this feels overwhelming, prioritize: email first (an attacker with your email can reset everything else), then financial accounts, then everything else.
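A way to make "change it everywhere you reused it" mechanical rather than a memory exercise, as an added example (this is not PhishClean's code): read a password-manager export, find every entry that shares the compromised password, and list them in the triage order given above (email, then financial, then everything else). The CSV layout and the sample rows are constructed for illustration, and the hostname hints used to bucket accounts are an assumption you would adapt to your own vault.

```python
"""Find every vault entry that reuses a compromised password and order them
by the triage priority from the guide: email first, then financial, then the rest.

Added example, not PhishClean's code. The export format (a CSV with name, url,
username, password columns, roughly what common password managers export) and
the sample rows below are constructed for illustration.
"""
import csv
import hashlib
import hmac
import io
from urllib.parse import urlparse

# Constructed sample export. A real export contains live secrets: run a script
# like this locally only, and delete the export file afterwards.
SAMPLE_EXPORT = """name,url,username,password
Shop,https://shop.example,alice,Tr0ub4dor&3
Gmail,https://mail.google.com,alice@gmail.com,Tr0ub4dor&3
Bank,https://online.bank.example,alice,Tr0ub4dor&3
Forum,https://forum.example,alice,correct horse battery staple
Social,https://social.example,alice,Tr0ub4dor&3
"""

# Hostname fragments used to bucket accounts. An assumption for this example;
# extend the tuples for the services you actually use.
EMAIL_HINTS = ("mail.", "gmail", "outlook", "proton")
FINANCIAL_HINTS = ("bank", "paypal", "card", "broker")


def priority(url: str) -> int:
    """0 = email, 1 = financial, 2 = everything else, matching the guide's order."""
    host = (urlparse(url).hostname or "").lower()
    if any(hint in host for hint in EMAIL_HINTS):
        return 0
    if any(hint in host for hint in FINANCIAL_HINTS):
        return 1
    return 2


def fingerprint(password: str) -> str:
    """Hash before comparing so plaintext never ends up in output or logs."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def reuse_report(export_csv: str, compromised_password: str) -> list:
    """Return the vault entries sharing the compromised password, in triage order."""
    target = fingerprint(compromised_password)
    hits = []
    for row in csv.DictReader(io.StringIO(export_csv)):
        # compare_digest gives a constant-time comparison of the two hex digests
        if hmac.compare_digest(fingerprint(row["password"]), target):
            hits.append({"name": row["name"], "url": row["url"],
                         "priority": priority(row["url"])})
    hits.sort(key=lambda hit: (hit["priority"], hit["name"]))
    return hits


if __name__ == "__main__":
    for hit in reuse_report(SAMPLE_EXPORT, "Tr0ub4dor&3"):
        label = ("email", "financial", "other")[hit["priority"]]
        print(f"[{label}] change {hit['name']} ({hit['url']})")
```

Run against the constructed export, the report lists Gmail first, then Bank, then Shop and Social; the Forum entry, which uses a different password, is not listed. Hashing the passwords before comparison keeps plaintext out of the output, but the export file itself is plaintext and should be removed as soon as the check is done.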

Step 3: Enable two-factor authentication

If the compromised account supports 2FA and you haven't set it up yet — do it now. Even if the attacker has your password, 2FA adds a barrier they'll need to bypass. Use an authenticator app (Google Authenticator, Authy) over SMS when possible. SMS-based 2FA is better than nothing, but it's vulnerable to SIM swapping.

If 2FA was already enabled and the attacker still got in, they may have phished your 2FA code too. In that case, check if the account lets you regenerate your recovery codes or switch to a hardware key.

Step 4: Check for unauthorized activity

Look at your account's recent activity, login history, or security log. Most major services show this:

If you see logins from locations or devices you don't recognize, sign out all other sessions. Most services have a "Sign out everywhere" button.

Next Steps (Within 24 Hours)

Step 5: Contact your bank if financial info was involved

If you entered credit card numbers, bank login credentials, or any payment information on the phishing site, call your bank immediately. They can freeze your card, reverse unauthorized transactions, and issue new credentials. Most banks have 24/7 fraud hotlines — the number is on the back of your card.

Don't wait to see if unauthorized charges appear. By the time you notice them, the damage is done.

Step 6: Report the phishing site

Reporting helps protect other people. It takes about 60 seconds:

Step 7: Get a password manager

If you're not already using one, this is the push you needed. A password manager generates a unique, strong password for every site. You never type passwords manually, which means phishing pages can't capture them — the password manager won't autofill on a domain that doesn't match.

Bitwarden (free, open source), 1Password, and Dashlane are all solid options. The specific tool matters less than actually using one.
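The reason a password manager refuses to fill on a phishing page is the origin check described above: credentials saved for one site are only offered when the page's host matches. The following is an added example of that check, not the autofill logic of Bitwarden, 1Password or Dashlane; the rule it implements (HTTPS only, page host equal to the saved host or a subdomain of it, after IDNA normalisation) is a simplified version of what such tools do, and every probe URL is constructed.

```python
"""Why a password manager's autofill fails on a phishing page: it fills only
when the page's origin matches the saved entry.

Added example, not any manager's real code. The matching rule is simplified:
HTTPS only, and the page host must equal the saved host or sit under it at a
label boundary, after converting both to their ASCII (IDNA) form.
"""
from typing import Optional
from urllib.parse import urlparse


def normalized_host(url: str) -> Optional[str]:
    """Lower-case hostname in ASCII (punycode) form, or None if the URL has none.
    A Unicode lookalike host becomes a distinct xn-- label and so never matches."""
    host = urlparse(url).hostname  # .hostname already lower-cases and strips the port
    if not host:
        return None
    return host.encode("idna").decode("ascii")


def autofill_allowed(saved_url: str, page_url: str) -> bool:
    """Return True only if credentials saved for saved_url may be filled on page_url."""
    if urlparse(page_url).scheme != "https":   # never offer credentials to a plain-HTTP page
        return False
    saved_host = normalized_host(saved_url)
    page_host = normalized_host(page_url)
    if not saved_host or not page_host:
        return False
    # Label-boundary match: "www.paypal.com" is under "paypal.com";
    # "paypal.com.account-verify.example" and "notpaypal.com" are not.
    return page_host == saved_host or page_host.endswith("." + saved_host)


SAVED = "https://paypal.com"   # constructed: the entry the manager has stored

# Constructed phishing-style URLs mapped to the expected verdict; none are real sites.
PROBES = {
    "https://www.paypal.com/signin": True,
    "https://paypal.com.account-verify.example/login": False,  # real name as a subdomain
    "https://notpaypal.com/login": False,                      # prefix lookalike
    "https://p\u0430ypal.com/login": False,                    # Cyrillic U+0430 in place of Latin 'a'
    "http://paypal.com/login": False,                          # downgraded to HTTP
}


if __name__ == "__main__":
    for url, expected in PROBES.items():
        verdict = autofill_allowed(SAVED, url)
        print(f"{'FILL ' if verdict else 'BLOCK'} {url}  (expected {expected})")
```

The Cyrillic case is the one people find surprising: the two hostnames look identical on screen, but after IDNA encoding the lookalike becomes an `xn--` label that shares nothing with `paypal.com`, so the match fails exactly as it should. The same comparison is what makes step 1's advice (type the URL yourself) robust, since a typed `paypal.com` resolves to the saved host.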

What If You Only Clicked a Link (But Didn't Enter Anything)?

If you clicked a phishing link but didn't enter any credentials, download any files, or grant any permissions, you're probably fine. Modern browsers are sandboxed, and simply loading a page is rarely enough to cause harm.

That said, check a few things:

The best defense is not needing this guide at all. A browser security extension like PhishClean detects phishing pages before you enter your credentials — by analyzing form behavior, domain mismatches, and 12 other signals in real time.

How to Avoid Getting Phished Again


Frequently Asked Questions

Can a phishing attack install malware just from clicking a link?

In most cases, clicking a phishing link alone doesn't install malware — the attacker typically needs you to enter credentials or download a file. However, some sophisticated attacks use exploit kits that target browser vulnerabilities. Keeping your browser updated is the best defense.

Should I report a phishing attack?

Yes. Report phishing emails to your email provider (Gmail has a "Report phishing" button). Report phishing websites to Google Safe Browsing. If you lost money, file a report with the FTC (US) or Action Fraud (UK). Every report helps protect other people.

How long do I have to act after being phished?

Act immediately. Automated credential stuffing tools can test stolen credentials within minutes. The faster you change your password and enable 2FA, the less likely the attacker can use your information. For financial accounts, contact your bank right away — most have 24/7 fraud lines.

Stop Phishing Before It Starts

PhishClean detects phishing pages before you enter your credentials — 15 detection signals, all running locally. 3-day free trial, no credit card required.

