Clicked a Suspicious Link? Here’s What to Do Next

A suspicious link can feel like a trap door. One second you’re checking a message, and the next you’re wondering if your phone, laptop, bank account, or email is now exposed.

Take a breath. One click doesn’t always mean disaster, but the next few minutes matter. Fast, calm action can stop a bad situation from getting worse.

Phishing and spoofing stayed the top reported cybercrime in the US, with 193,407 complaints in 2024 and about $70 million in losses. So if you clicked, you’re not alone, and there is a clear way forward.

Take these first steps right away to limit the damage

The goal is simple: stop the interaction before anything else happens. If you clicked a suspicious link, don’t keep reading the page to figure it out. Don’t test buttons. Don’t try to “see what it does.”

Do these steps in order:

  1. Stop interacting with the page.
  2. Don’t enter passwords, payment details, or codes.
  3. Close the tab or browser.
  4. If something downloaded or the page redirected, disconnect from the internet.

If the message claimed there was a problem with your account, a missed delivery, or a prize waiting, treat that as part of the trick. Phishing works by creating urgency, fear, or excitement. The FTC’s guide to recognizing phishing scams shows how often fake messages copy trusted brands and push people to act fast.

Close the page and do not click anything else

Don’t log in. Don’t fill out a form. Don’t approve a browser prompt. Also, don’t click pop-ups that say your device is infected or your session expired.

Those screens often try to pull you deeper. Think of them like quicksand. The more you move around, the worse your odds get.

If you already typed something in, stop anyway. Closing the page still helps because it prevents more clicks, more downloads, and more data from being handed over.

Disconnect your device if a file may have downloaded

This matters most if you saw a file download, a fake software update, a strange redirect, or a browser warning. In that case, turn off Wi-Fi, unplug Ethernet, or disable mobile data right away.

Disconnecting won’t erase malware, but it can limit what it does next. For example, it may stop a malicious file from calling home, pulling down more code, or sending data out.

Speed matters here more than perfection. You can sort out the details after the device is isolated.

Check your device for malware before you sign in anywhere

Once the device is offline, check whether anything harmful landed on it. This is the point where many people rush to change passwords on the same device. That’s risky if the device is already compromised.

Start with a full scan, not a quick one. Use your built-in protection first, such as Microsoft Defender on Windows, then consider a trusted second-opinion scanner. If you want one, Malwarebytes Free is a well-known option for an extra check.

Don’t change passwords on a device you haven’t checked yet.

Run a full security scan and review recent downloads

Scan the whole device and let it finish. If the tool finds anything, quarantine or delete it, then restart and scan again if needed.

After that, look at what changed right after the click. Open your Downloads folder. Check recently installed apps. Review browser extensions. On a phone, look for any new app you didn’t mean to install.

You don’t need to be a forensic expert. You’re looking for obvious changes, such as a new extension, a fake “update” app, or a file with a strange name. If the computer starts acting odd, such as running slower than normal, throwing pop-ups, or opening pages on its own, take that as a warning.

Use a clean device if your phone or computer seems unsafe

If the device still looks suspicious after scanning, stop using it for anything sensitive. That includes email, banking, password resets, and cloud accounts.

Instead, switch to another device you trust. A work laptop managed by IT, a family computer you know is clean, or a secondary phone can be safer for account recovery. If you’re not sure how to remove the threat, get help before signing in again. A local security pro or workplace IT team can save you from making the problem worse.

Change passwords and lock down your most important accounts

Change passwords only after the device looks clean, or do it from another safe device. Start with the accounts that can unlock everything else.

That means email first. If someone gets into your inbox, they can often reset passwords for shopping sites, social apps, cloud storage, and even banking tools.

Start with email, banking, and any account that shares the same password

Reused passwords turn one bad click into a chain reaction. If you entered a password on the fake page, assume any other account using that same password is also at risk.

Begin with email, then banking and credit card accounts, then shopping, cloud storage, and social media. Use long, unique passwords for each one. A password manager helps because it creates and stores strong passwords without making you memorize them all.

Also, check your email settings after you log back in. Look for forwarding rules, filters, or backup addresses you didn’t add. Attackers like to hide there because those settings let them keep watching your inbox.

Turn on two-factor authentication for extra protection

Two-factor authentication, or 2FA, adds a second lock. So even if someone has your password, they still need the code or approval prompt.

Turn it on for email, banking, and any account tied to payments or identity. If the service offers app-based codes or passkeys, use those instead of relying only on text messages. For a plain-language walkthrough, see this 2FA setup guide.

One more rule matters: only approve sign-in prompts you started yourself. If a random code request shows up, deny it.

Watch for signs of fraud and report the phishing attempt

The danger doesn’t end when the scan finishes. Over the next 30 days, and sometimes longer, keep an eye on your accounts.

Look for charges you don’t recognize, password reset emails you didn’t request, login alerts from unknown devices, or messages sent from your account that you never wrote. Recent FTC guidance on protecting yourself from phishing scams points out that email remains one of the main ways scammers reach people.

Look for unusual charges, login alerts, and account changes

A few warning signs deserve quick action:

  • New charges or withdrawals: Even small test purchases can signal fraud.
  • Locked accounts: Someone may have tried the wrong password too many times.
  • Changed account details: Watch for new phone numbers, recovery emails, or mailing addresses.
  • Email forwarding rules: Attackers may silently forward your messages elsewhere.
  • Sent messages you don’t recognize: Your contacts may be getting phish from your account.

If you spot any of those, contact the company right away. Banks can freeze cards, email providers can help secure an account, and cloud services can log out other devices.

Report the link so it can do less harm to others

Reporting matters because it helps take bad links and fake senders out of circulation. First, mark the email or text as phishing in the app you received it in. If it happened at work, tell your IT or security team right away, especially if you used a work device or work account.

You can also file a report with the FTC fraud reporting portal and the Internet Crime Complaint Center if money, stolen credentials, or other harm is involved.

If the message pretended to be your bank, delivery company, employer, or another real business, notify that company too. And if your own account may have sent similar messages, warn your contacts so they don’t click next.

How to avoid clicking the next suspicious link

You don’t need to become paranoid. You only need a few habits that slow scams down.

First, pause when a message creates pressure. Phishing often sounds like a smoke alarm: act now, verify now, pay now, fix now. That urgency is the point.

Check for common phishing signs before you trust a message

Look for the usual red flags, including odd sender addresses, mismatched links, spelling mistakes, and requests for passwords, one-time codes, gift cards, or payment details.

Hover over links on a computer to preview the real address before clicking. On phones, take extra care because it’s harder to inspect a link. If a message claims your bank or retailer needs something, go to the site directly instead of using the link.

Build a few simple habits that make phishing less effective

Go to websites by typing the address yourself or using a saved bookmark. Verify unusual requests through another channel, such as a phone call or official app. Keep your browser, phone, and operating system updated, because patches fix holes scammers like to use.

Use unique passwords everywhere, then add 2FA to the accounts that matter most. Those small habits don’t stop every scam, but they make one bad click much less damaging.

That first click feels scary because it happens in a second. Recovery takes longer, but the pattern is simple: stop, disconnect if needed, scan, secure your accounts, and watch for trouble.

If anything looks off, get help fast. Contact your bank, your email provider, your workplace IT team, or a trusted security pro.

The best next step is the one you take right now.
