What happens if I clicked a phishing link?
Clicking a phishing link does not automatically mean your accounts are compromised, but the risk depends on whether the site loaded, whether you entered any information, and whether malware was installed. Act quickly to assess the damage.
Last reviewed: 10 June 2026
Explanation
The consequences of clicking a phishing link span a wide spectrum. At the low end, you loaded a malicious page but entered nothing and your device did not download any software — in this case your exposure is minimal, though a scan is still advisable. At the high end, you entered login credentials or payment details, or the page exploited a browser vulnerability to install malware silently.
Phishing sites are primarily designed to harvest credentials. If you typed your username and password into the fake login page, the attacker now has access to that account — and if you reuse passwords, potentially many others. Change the password immediately on all accounts where you use the same or similar credentials, starting with email (which is often the master key to resetting everything else) and banking.
Malware delivery via phishing links is less common on fully patched, modern devices but is not impossible. A page might trigger a download disguised as a PDF viewer or software update. Check your downloads folder and recent browser history for anything unusual. Run a reputable anti-malware scan.
For mobile devices, phishing links are generally less able to install software without user interaction, but the credential harvesting risk is identical. Enable two-factor authentication on all important accounts immediately — even if a password has been stolen, 2FA buys you time and often prevents a successful takeover entirely.
Common red flags
- You typed any password, email, or card details into the page before realising it was fake
- The page prompted you to download a file or install a browser extension
- Shortly after clicking, you notice unexpected activity in your accounts
- Your device behaves unusually — new apps appeared, battery drains faster, data usage spikes
- You received an unexpected two-factor authentication code you did not request (attacker testing your credentials)
What to do now
- Change passwords immediately on any account whose credentials you may have entered — start with email and banking
- Enable two-factor authentication on all key accounts if not already active
- Run a reputable malware scan on your device
- Check your downloads folder and installed apps for anything unexpected
- Contact your bank if any financial details were entered, and request card replacement if needed
- Review recent login activity on email, social media, and financial accounts for unrecognised sessions
- Report the phishing URL to your national cybercrime reporting centre
Frequently asked questions
I only clicked but didn't enter anything — am I safe?
If you did not enter any information and no download was triggered, your risk is low. However, run a malware scan and ensure your browser and operating system are fully updated to minimise the chance of an exploit-based infection.
Can clicking a link on my phone install malware?
On fully patched iOS or Android devices, simply visiting a page rarely installs malware without additional user interaction. The main risk on mobile is credential harvesting if you entered details. Keep your OS updated to protect against known browser exploits.