What Happens If You Click a Phishing Link? (And What to Do Immediately)

Clicked a suspicious link by accident? Here's exactly what happens, what attackers can steal, and the 5 steps to take in the next 60 minutes.

You clicked something. Maybe it was a text message claiming your package was delayed. Maybe it was an email that looked almost exactly like it came from your bank. Maybe you clicked it before you really thought about it, and now you’re reading this article with a slight knot in your stomach.

Take a breath. Here’s what you actually need to know.

The consequences depend on what type of phishing link it was, what you did after clicking, and what device you used. “Clicking a link” covers a wide range of scenarios with very different risk profiles.

Credential Harvesting Pages

The most common type of phishing link leads to a fake login page — a site designed to look exactly like your bank, Gmail, Microsoft account, or another service you use. The page doesn’t do anything malicious by itself. It just looks real and has a form.

If you click the link and close the tab without entering anything, your risk is minimal. You’ve visited a website. That’s it.

If you enter your username and password, those credentials are sent to the attacker. They now have your login information for that account, and given how often people reuse passwords, potentially for other accounts too.

Malware Downloads

Some phishing links trigger an automatic file download. You may see a file appear in your downloads folder, or your browser may prompt you to save or open something. In some cases, you may not notice anything at all — though this depends heavily on your browser settings and operating system.

The downloaded file isn’t dangerous unless you open it. A malicious PDF, Word document, or executable that sits in your downloads folder and is never opened cannot harm your system.
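To check whether something landed in the downloads folder without you noticing, and without opening it, the following added example (not part of the original article) lists files that arrived since the click and hashes them by reading bytes only. Assumptions: the folder is `~/Downloads`, modification time stands in for arrival time, and the extension lists are illustrative rather than complete.

```python
import hashlib
import time
from pathlib import Path

# Assumed lists for this example, not exhaustive catalogues.
RISKY_EXT = {".exe", ".msi", ".scr", ".bat", ".cmd", ".ps1", ".js", ".vbs",
             ".hta", ".lnk", ".iso", ".img", ".docm", ".xlsm", ".dmg", ".pkg", ".apk"}
DOC_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}
PARTIAL_EXT = {".crdownload", ".part", ".download"}  # unfinished browser downloads


def sha256_of(path):
    """Hash the file by reading bytes only; nothing is rendered or executed."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def files_since_click(downloads, click_time):
    """Return files in `downloads` modified at or after `click_time` (epoch seconds)."""
    findings = []
    for entry in sorted(downloads.iterdir()):
        if entry.is_symlink() or not entry.is_file():
            continue
        mtime = entry.stat().st_mtime
        if mtime < click_time:
            continue
        ext = [s.lower() for s in entry.suffixes]
        last = ext[-1] if ext else ""
        findings.append({
            "name": entry.name,
            "modified": time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(mtime)),
            "sha256": sha256_of(entry),
            "risky_type": last in RISKY_EXT,
            # e.g. "invoice.pdf.exe": document-looking name that ends in a risky type
            "double_extension": len(ext) >= 2 and ext[-2] in DOC_EXT and last in RISKY_EXT,
            "in_progress": last in PARTIAL_EXT,
        })
    return findings


if __name__ == "__main__":
    one_hour_ago = time.time() - 3600  # assumed click window: the last 60 minutes
    for f in files_since_click(Path.home() / "Downloads", one_hour_ago):
        print(f)
```

An empty result means nothing in that folder changed since the click; any entry you do not recognize should be left unopened and handed to the malware scan.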

Drive-By Downloads (The Rare But Real Threat)

A drive-by download requires your browser or a browser plugin to have an exploitable vulnerability — and it deposits malware on your device simply from visiting the page, without any further action from you.

This is significantly less common than credential harvesting because it requires attackers to maintain working browser exploits, which are patched quickly. Keeping your browser updated is the main defense. If you’re running a reasonably current version of Chrome, Safari, Firefox, or Edge, your exposure to this type of attack is low.

If the malicious page uses certain techniques, it may attempt to steal authentication cookies from your browser — the data that keeps you logged into websites without requiring you to re-enter your password every visit.

This requires a specific class of attack and is more commonly deployed against targeted individuals than in mass phishing campaigns. It’s mentioned here for completeness.

What Can’t Happen Just From Clicking

Let’s correct some common fears:

Clicking a link cannot, by itself, install malware on an up-to-date device in the vast majority of cases. Drive-by downloads require exploitable vulnerabilities that modern, updated browsers don’t have.

Clicking a link cannot give attackers your passwords unless you type them into a form on the resulting page.

Clicking a link cannot drain your bank account unless you then log in to a fake banking page and enter your credentials (or authorize a transaction).

Clicking a link on a mobile device is not inherently more dangerous than on a desktop, contrary to popular belief. Modern mobile operating systems are sandboxed in ways that make malware installation from a browser link very difficult.

This is not to say clicking is harmless — the credential harvesting scenario is genuinely dangerous. But the fear that one misclick has irrevocably compromised your device is usually unfounded.

The 5 Steps to Take Right Now

Step 1: Don’t Enter Any Credentials

If the page loaded and is asking you to log in to something — stop. Do not enter your username, password, or any personal information. Close the tab. You haven’t given anything away yet.

Step 2: Disconnect From Wi-Fi (If You Think a File Downloaded)

If you saw a file download, or if your antivirus fired an alert, or if the site seemed to do something unexpected — disconnect your device from the internet immediately. Turn off Wi-Fi, or unplug the cable if you’re on Ethernet.

This prevents any potential malware from communicating with its command-and-control server, which is where most of the real damage happens. Malware that can’t phone home is significantly less dangerous.

This step is precautionary for most users who clicked a link and saw a normal-looking page. It’s urgent if you observed any file download activity.

Step 3: Run a Malware Scan

Use your existing security software to run a full scan. If you don’t have any:

  • Windows: Windows Defender (built-in) is legitimately good. Run a full scan from Windows Security.
  • Mac: Malwarebytes for Mac has a free scanner. The built-in XProtect handles known malware automatically.
  • Mobile: Your app store settings (Google Play Protect on Android, App Store review on iOS) handle most threats. Third-party scanners for mobile add minimal value.

Download any security software you use directly from the official developer’s website — not from a pop-up or recommendation from the suspicious page you just visited.

Step 4: Change Passwords for Accounts You Accessed After Clicking

Even if you didn’t enter credentials on the phishing page itself, if you logged in to any accounts on that same device after clicking the link (in a period when malware might theoretically be running), change those passwords.

Prioritize: email accounts, banking and financial services, social media, and anything you use your email to log in to (because email access enables password resets on everything else).

Use a different device — your phone while connected to mobile data, a different computer — to do this, in case your primary device is compromised.

Step 5: Enable Two-Factor Authentication

If you haven’t already, enable 2FA on every account that offers it, starting with email and banking. Even if an attacker has your password, 2FA means they need a second factor (your phone) to log in.

This is the single most impactful security change most people can make, and it’s free.

If You Entered Your Credentials on a Fake Page

Act immediately:

  1. Change the password on the real account — go to the real website directly (type the URL, don’t click a link) and change your password now.
  2. Enable 2FA if you haven’t.
  3. Check recent account activity for anything you don’t recognize: logins from unfamiliar locations, emails sent from your account, password resets for other services.
  4. Check other accounts that use the same password and change those too.
  5. Notify your contacts if your email was compromised — attackers often use compromised email to send phishing to everyone in your address book.

If it was your email that was compromised, be especially thorough. Email access allows password resets on nearly everything else and gives attackers access to years of potentially sensitive information.

If You Entered Payment or Identity Information

If you entered credit card numbers, bank account details, Social Security Number, or other sensitive personal information:

Financial accounts:

  • Contact your bank or credit card issuer immediately. Explain what happened. They can monitor for fraudulent activity and, in many cases, issue you new card numbers proactively.
  • File a dispute if any unauthorized transactions appear.

Identity information (SSN, driver’s license, passport):

  • Consider placing a credit freeze at all three bureaus: Equifax, Experian, and TransUnion. A credit freeze is free and prevents anyone from opening new credit accounts in your name.
  • Consider an identity theft monitoring service. If your SSN is now in criminal hands, it may be used to open accounts, file tax returns, or apply for benefits in your name over the coming months and years — not just immediately. Aura monitors your SSN, all three credit bureaus, and the dark web for evidence that your data is being used, and alerts you immediately when something appears. Given that identity theft can surface more than a year after the initial data compromise, ongoing monitoring is considerably more reliable than a one-time check.

The Honest Takeaway

Most people who click a phishing link and don’t enter any information will be completely fine. Most people who enter credentials but act within the first hour — changing passwords and enabling 2FA — will catch it before serious damage is done.

The scenarios that become genuinely damaging are: waiting several days to act, using the same password everywhere, not having 2FA enabled, or entering financial and identity information rather than just a login.

The fact that you’re reading this quickly is itself a good sign. The window for effective response is widest immediately after the click.

Read our complete guide to how to spot phishing emails so you can recognize these attempts before clicking. And if you want to understand how identity monitoring fits into your longer-term protection plan, our review of the best identity theft protection services covers what to look for and why it matters.

Affiliate disclosure: we earn a commission at no extra cost to you.