I Clicked a Phishing Link — What Do I Do Now?

Stop what you’re doing on that device and don’t interact any further with the page that opened. If a login page appeared, do not enter your credentials. If a file downloaded, do not open it. Disconnect the device from Wi-Fi or unplug the ethernet cable. Then contact your IT provider or the person who manages your company’s technology — they need to know this happened so they can assess the situation and respond appropriately.

That’s the immediate playbook. The rest of this article explains why each step matters and what to expect next.

First: Understand What You’re Dealing With

Not every phishing click is the same, and knowing the difference helps you and your IT provider respond proportionally.

The link opened a fake login page. This is credential harvesting — the most common phishing objective. The page looks like Microsoft 365, Google Workspace, your bank, a shipping carrier, or some other service you recognize. Its only purpose is to capture whatever username and password you type in. If you clicked the link but didn’t enter anything on the page, your credentials are not compromised. Close the tab and move on to the next steps below.

The link triggered a file download. This is more serious than a fake login page because the file may contain malware — ransomware, a remote access trojan, a keylogger, or other malicious software. If a file downloaded but you didn’t open it, the risk is lower. If you opened the file, your device may already be compromised. This is the scenario where disconnecting from the network immediately matters most, because malware often needs a network connection to communicate with an attacker’s server, spread to other devices, or begin encrypting files.

The link opened a normal-looking page and nothing obvious happened. This doesn’t necessarily mean you’re fine. Some phishing pages run scripts in the background that attempt to exploit browser vulnerabilities, drop tracking cookies, or fingerprint your device. The risk here depends on whether your browser and operating system are fully patched and whether your endpoint security caught anything. Your IT provider can check the device for indicators of compromise.

The link redirected you to a legitimate site. Some phishing links redirect to the real website after capturing data in transit or installing a browser extension. If the page you ended up on looks completely normal, that doesn’t confirm the link was safe — it may confirm the opposite.

What to Do in the Next Thirty Minutes

Once you’ve stopped interacting with the page and disconnected the device, work through these steps in order.

Don’t delete the email. Your instinct may be to get rid of it, but the email is evidence. Your IT provider will want to examine the email headers, the link itself, and any attachments to understand what kind of attack this was and whether other people in your organization received the same message.

Change your passwords from a different device. If there’s any chance you entered credentials on the page — even partially — change those passwords immediately. Do this from a different device, not the one that may be compromised. Start with the account the phishing page was imitating (Microsoft 365, email, banking) and then change passwords for any other accounts that share the same password. If you reuse passwords across accounts, this is the moment that habit costs you time.

Enable multi-factor authentication if it isn’t already on. If the compromised account has MFA enabled, the stolen password alone isn’t enough for an attacker to log in — they’d also need the second factor. If MFA isn’t enabled, turn it on now. This is the single most effective step you can take to limit the damage from a stolen credential — and stronger forms of MFA make a meaningful difference in how resistant your accounts are to these attacks going forward.

Check for unauthorized activity. Look at your email sent folder and deleted items for messages you didn’t send. Check for new inbox rules or forwarding addresses you didn’t create — a common attacker technique is to set up a rule that silently forwards copies of incoming emails to an external address. If you have access to your account’s recent sign-in activity, review it for locations or devices you don’t recognize.

Tell your team. If you’re in a business environment, let your coworkers know what happened and what the phishing email looked like. Phishing campaigns rarely target one person — if you received it, others in your organization probably did too, and one of them may not have read this article.

When Credentials Were Entered

If you typed your username and password into the fake page, treat the account as compromised until proven otherwise. This changes the urgency level.

A compromised email account is particularly dangerous because it gives the attacker the ability to reset passwords on other services, intercept two-factor authentication codes sent by email, read sensitive communications, and send phishing emails from your legitimate address to your contacts and clients. That last part is how phishing spreads through business relationships — an email from your real address carries significantly more trust than one from a stranger.

For businesses in regulated industries, a compromised email account may also trigger compliance notification requirements. A law firm whose attorney email is compromised has potential ethical obligations under ABA Model Rules around client confidentiality. A dental practice with patient information accessible through a breached mailbox has HIPAA considerations. A CPA firm that loses control of an email account during tax season is dealing with IRS Publication 4557 and FTC Safeguards Rule implications. These aren’t hypotheticals — they’re the real downstream consequences that start with one click.

Your IT provider should be leading the response at this point. What they’ll typically do: force-reset the compromised password, revoke active sessions so the attacker is logged out everywhere, audit the account for unauthorized changes (forwarding rules, delegated access, connected apps), review sign-in logs to determine the scope of access, scan the device for malware, and assess whether the attacker moved laterally into other systems or accounts.
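The two mailbox checks described above (inbox rules that forward or hide mail, and sign-ins from places you don't recognize) can be scripted so they are done the same way every time. The following Python is an added example for this article, not ForeverOn's tooling and not code from the original page. It assumes an administrator has exported the account's inbox rules and recent sign-in events to JSON with the simplified field names shown (real exports, such as from Exchange Online's Get-InboxRule, use similar names but more elaborate values); the organization domain, expected country and all sample records are constructed for the example.

```python
"""Review an exported mailbox for attacker-style inbox rules and odd sign-ins.

Added example; input format, domains and sample data are assumptions."""
import json
import re

# Assumed organization settings (constructed for this example).
ORG_DOMAINS = {"example.com"}
EXPECTED_COUNTRIES = {"US"}

# Folders attackers commonly use to hide diverted mail from the mailbox owner.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "deleted items", "junk email",
                  "conversation history", "archive"}
# Subject words that suggest a rule is hunting for sensitive or payment-related mail.
SENSITIVE_WORDS = {"password", "invoice", "payment", "wire", "bank", "hacked", "phish"}

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def addresses_in(values):
    """Pull e-mail addresses out of rule fields; exports often render them as
    'Display Name [SMTP:user@domain]' rather than as bare addresses."""
    found = []
    for value in values or []:
        found.extend(EMAIL_RE.findall(str(value)))
    return found


def is_external(address):
    """True when the address's domain is not one of the organization's own."""
    return address.rsplit("@", 1)[1].lower() not in ORG_DOMAINS


def rule_findings(rule):
    """Return human-readable reasons a single inbox rule looks suspicious."""
    findings = []
    forwards = (addresses_in(rule.get("ForwardTo"))
                + addresses_in(rule.get("RedirectTo"))
                + addresses_in(rule.get("ForwardAsAttachmentTo")))
    external = [a for a in forwards if is_external(a)]
    if external:
        findings.append("forwards or redirects mail outside the organization to "
                        + ", ".join(external))
    if forwards and rule.get("DeleteMessage"):
        findings.append("forwards mail and then deletes it, hiding the copy from the owner")
    name = (rule.get("Name") or "").strip()
    if not name or re.fullmatch(r"[\W_]+", name):
        findings.append("rule name is blank or punctuation only, a common attempt to avoid notice")
    folder = (rule.get("MoveToFolder") or "").strip().lower()
    words = {w.lower() for w in rule.get("SubjectContainsWords") or []}
    if folder in HIDING_FOLDERS and words & SENSITIVE_WORDS:
        findings.append(f"diverts mail mentioning {sorted(words & SENSITIVE_WORDS)} "
                        f"into '{rule.get('MoveToFolder')}'")
    if findings and not rule.get("Enabled", True):
        findings.append("rule is currently disabled but should still be removed")
    return findings


def suspicious_signins(events):
    """Successful sign-ins from countries the organization does not expect."""
    return [e for e in events
            if e.get("result") == "Success" and e.get("country") not in EXPECTED_COUNTRIES]


def review(rules_json, signins_json):
    """Run both checks over the exported data and return what was flagged."""
    flagged = {}
    for rule in json.loads(rules_json):
        reasons = rule_findings(rule)
        if reasons:
            flagged[rule.get("Name", "")] = reasons
    return {"rules": flagged, "signins": suspicious_signins(json.loads(signins_json))}


# Constructed sample export: one benign rule, three that an attacker might leave behind.
SAMPLE_RULES = json.dumps([
    {"Name": "Team newsletter", "Enabled": True, "MoveToFolder": "Newsletters",
     "SubjectContainsWords": ["newsletter"]},
    {"Name": ".", "Enabled": True, "DeleteMessage": True,
     "ForwardTo": ["Ops [SMTP:relay@mail-forward.example]"]},
    {"Name": "Cleanup", "Enabled": True, "MoveToFolder": "RSS Feeds",
     "SubjectContainsWords": ["password", "invoice", "wire"]},
    {"Name": "Old rule", "Enabled": False, "RedirectTo": ["ex-contractor@other.example"]},
])
# Constructed sample sign-in events (documentation IP ranges, not real hosts).
SAMPLE_SIGNINS = json.dumps([
    {"user": "alice@example.com", "time": "2024-05-02T09:14:00Z",
     "ip": "203.0.113.10", "country": "US", "result": "Success"},
    {"user": "alice@example.com", "time": "2024-05-02T09:31:00Z",
     "ip": "198.51.100.7", "country": "NG", "result": "Success"},
    {"user": "alice@example.com", "time": "2024-05-02T09:32:00Z",
     "ip": "192.0.2.44", "country": "RU", "result": "Failure"},
])

if __name__ == "__main__":
    report = review(SAMPLE_RULES, SAMPLE_SIGNINS)
    for name, reasons in report["rules"].items():
        print(f"rule {name!r}: " + "; ".join(reasons))
    for event in report["signins"]:
        print(f"sign-in from {event['ip']} ({event['country']}) at {event['time']}")
```

Failed sign-ins are deliberately left out of the flagged list because a password-spray against the whole company produces many of them; the successes from unexpected places are the ones that mean the stolen credential worked and the session needs to be revoked.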

When a File Was Opened

If you opened a downloaded file, the device should stay disconnected from the network until your IT provider has inspected it. Running a full antivirus scan is a reasonable first step, but it’s not sufficient by itself — modern malware is designed to evade signature-based antivirus tools, so a clean scan doesn’t guarantee a clean device.

This is where endpoint detection and response tools matter. Unlike traditional antivirus, which looks for known malware signatures, EDR tools monitor system behavior — processes calling home to external servers, files being encrypted in unusual patterns, registry changes, privilege escalation attempts. If your business runs managed endpoint security backed by a Security Operations Center, these tools may have already detected and contained the threat before you noticed anything.

If your business doesn’t have that layer, your IT provider will need to inspect the device manually — checking running processes, startup programs, scheduled tasks, browser extensions, and network connections for anything anomalous. In some cases, the safest response is to wipe and reimage the device rather than trying to verify that every trace of malware has been removed.

What Comes After the Immediate Response

Once the incident is contained, two things need to happen.

Determine the scope. Your IT provider should confirm whether the attack was limited to the device and account you know about, or whether it spread further. This includes checking other user accounts for signs of compromise, reviewing network logs for unusual traffic, and verifying that backups are clean and current in case a restoration is needed.

Understand how it got through. Not as a blame exercise, but as a practical question: did the phishing email bypass your email security filtering? Was it a targeted spear-phishing message crafted specifically for your organization? Did it exploit a gap in security awareness? The answer determines what needs to change — a filter rule, a training conversation, or an additional security layer.

Phishing is a persistent threat because it targets people, not systems. No email filter catches everything, and even careful, experienced employees click links occasionally. The goal isn’t to make clicking impossible — it’s to have enough layers in place that a single click doesn’t cascade into a significant breach.

How ForeverOn Responds to Security Incidents

ForeverOn Technology Solutions provides managed cybersecurity backed by a 24/7 Security Operations Center, with endpoint protection, threat hunting, ransomware response, and cloud security monitoring for Microsoft 365 and Google Workspace. When a client clicks a phishing link or experiences a security event, the SOC and ForeverOn’s technical team respond immediately — assessing the scope, containing the threat, and remediating the damage.

Darryl McPherson described his experience after being hacked: “Not only did Foreveron Tech find Malware, they found over 1,000 infected files and viruses. They removed the Malware and infected files and installed software to help prevent future infections and improve security. Foreveron Tech’s service is superior. They gave me estimates up front, kept in touch with me about the progress of the job, and did exactly what they said they would do.”

James Marshall described a similar situation: “Most recently I had the unfortunate situation of someone hacking into my desktop computer. Their response to my problem was quick and they stepped me through what they were going to do and resolved the issue in a minimum amount of time.”

If you’ve clicked a phishing link and need help assessing the damage, or if you want to evaluate whether your current security layers would catch this kind of attack, call ForeverOn at (301) 739-7311. A real person answers — no phone tree, no hold queue.
