
What To Do If You Click on a Phishing Link

Clicking on a phishing link can transmit basic information like your location and device stats, redirect you to a fake website, or download malware.


      What Happens When You Are Phished?

      When you are phished, you receive fraudulent messages, often via email or SMS, that appear to be sent from a trustworthy source. Clicking on malicious links in these messages takes you to fake websites that request sensitive information. 

      Any passwords or credit card numbers that you enter here are harvested by scammers. Identity theft, financial fraud, or account takeovers are just a few examples of what cybercriminals can then do with your data.

      However, phishing schemes are not always after personally identifiable information (PII). For the writing community, Filippo Bernardini’s indictment was the crescendo of a long-awaited victory [*].

      Bernardini registered more than 160 fraudulent website domains between 2016 and 2021, the indictment said.

      He posed as big-name authors, publishers, and agents to steal unpublished manuscripts. And Bernardini’s spear phishing emails were impeccable — masquerading as though they were from Penguin Random House, and even punctuated with industry-speak.


      What Happens If You Click on a Phishing Link?

      Like Bernardini, scammers invent new social engineering ploys every day. But these phishing schemes are a threat only if you click on links, download attachments, or disclose your PII. Nevertheless, clicking on a phishing link can:

      Make you a valid target

      Scammers only need one obliging victim to fall for their scheme. They are likely to narrow their pool of victims to the most unsuspecting people. Clicking on a phishing link, even once, signals to scammers that you are a trusting person or may even be unknowingly complicit in a larger scam.

      And when that happens, you’ll be blitzed with more spam emails. Information that fraudsters collect with that first click may give them your phone number, allowing them to call you or send fraudulent text messages.

      🛡 Take action: Aura’s safe browsing feature displays a warning pop-up if you are in imminent danger of entering a malicious website. A push notification labeled “Malware site blocked” will also be delivered.

      Trigger malware downloads

      Clicking on a phishing link can sometimes set off a malware download that contains malicious files capable of harvesting information stored on your device. Hackers can steal credit card numbers, bank account numbers, usernames and passwords, and other PII.

      While there’s little evidence that malware can cause physical damage to your devices, it can steal your data and commandeer device functions.

      If you suspect this is happening, close all programs and disconnect your device from the internet or ethernet. If you use anti-malware software, like the one included with every Aura plan, begin a scan. Aura can detect and remove various types of malware — including viruses, Trojans, worms, and spyware.


      Transmit basic information

      Most phishing links can obtain your location and device statistics as soon as you click on them. Although it may not seem dangerous, this data can help scammers personalize other phishing campaigns or exploit vulnerabilities in your device's operating system.

      To reduce the chances of further victimization, change your usernames, passwords, and security questions. You should also ensure that you’ve installed the latest version of your computer or phone’s operating system, which may include patches for known vulnerabilities.

      Lead you to a fraudulent website

      Scammers often lure people into clicking on links by making grandiose pronouncements. Common traps include claims that an online account has been terminated, or the intended victim has supposedly won a prize (like a car or vacation). 

      Phishing websites can then implore visitors to enter their payment information, home address, or login credentials — all information that could potentially be used to compromise your identity.

      If this happens, immediately call your credit card issuer or bank and report the scam to the Federal Trade Commission (FTC). To prevent future attacks, consider using an identity theft protection service that blocks known phishing and scam sites.

      Grant remote access to your computer

      Phishing links can open a joint browsing session that allows hackers to hijack your device. From there, they can use stored credentials to wire money from your online banking account.

      Further, they can navigate to a retail website and use your stored credit card information to make fraudulent purchases. Or worse, they can install malware poised to collect more PII for other cyberattacks.

      In general, verify that any links you click on start with “https://”. These sites encrypt traffic between your browser and the site, so passwords or usernames cannot be stolen in transit. But while HTTPS guarantees that your communication is encrypted, it doesn’t guarantee that the website on the other end is trustworthy; the address still has to belong to the organization you expect.

      Unless you’re expecting a legitimate support agent to contact you, do not click on links that relinquish remote access to your computer.


      If You Think You’ve Received a Phishing Email, Do This:

      Merely receiving a phishing email does not put you in harm’s way. Even opening that email may not render you vulnerable. However, if you receive what you believe is a phishing email, consider taking these steps.

      • Do not click on any links. Malware-laden downloads aside, phishing websites can be made to look like familiar websites that you trust. Such look-alike websites are no more than overtures to steal your personal information.
      • Contact the person from whom the message appears to have been sent. Posing as a coworker or family member helps phishers appear more authentic. If you receive a suspicious email claiming to be from someone you know, confirm the sender’s identity through a different channel (for instance, via telephone call). If the person seems surprised, a scammer is likely pretending to be your friend.
      • Go offline and scan for malware. Your internet connection could be the tenuous thread between your personal information and a scammer. Public Wi-Fi is particularly easy for hackers to intercept. Turning it off restricts their ability to access your information. Conducting a malware scan can also confirm whether your device or email has been compromised.
      • Report the email to IT or the sender company. If the email came to your work inbox, report it as spam according to your IT department’s guidelines. If the email came to your personal inbox, report it to your email service provider and mark it as spam.
      • Delete the email. For most email service providers (ESPs), reporting an email as spam automatically removes it from your inbox. But if that’s not the case, delete it. One wrong click could help scammers gain access to your computer.
      🛡 Take action: Aura’s email masking feature allows you to use an email alias while signing up for any online account. Install Aura’s password manager extension to create your first email alias.

      If You’ve Clicked on Any Phishing Links, Do This:

      Clicking on a phishing link automatically increases your risk exposure. But there are steps that you can take to minimize potential damage.

      1. Do not provide any personal information
      2. Close all browsers and tabs
      3. Delete any automatic downloads
      4. Scan all devices on the same network
      5. Change passwords to sensitive accounts
      6. Back up your files
      7. Get verified tech support
      8. Set up a fraud alert
      9. Alert family and friends

      1. Do not provide any personal information

      A scammer’s primary objective is to extract personal information from you. Cybercriminals know you will hesitate to share information with strangers, so they masquerade as someone you know or trust. They contrive urgency, telling you that bills are overdue or that your passwords have been stolen.

      In February 2023, for example, domain registrar Namecheap had its email account hacked [*]. Scammers used Namecheap’s SendGrid account to send phishing campaigns impersonating DHL and the crypto wallet MetaMask.

      Both of these emails pushed recipients to complete a next step — paying for delivery fees or setting up a verification method. And both emails contained phishing links that prompted users to enter payment details or their wallet keys.

      The companies you know and trust will not elicit account credentials, credit card numbers, or any other personal information over email. If you notice any dissonant wording or requests, the best practice is to not reply.


      2. Close all browsers and tabs

      Most browsers, like Google Chrome and Mozilla Firefox, have built-in password vaults and can store credit card numbers. While this can speed up online checkout and sign-ins, it can also open you up to data breaches and identity theft.

      Leaving unattended tabs open can also make you vulnerable to what is known as tabnabbing [*].

      Scammers use scripts to hijack an inactive tab, making it look like your online banking or email login screen. When you log back in, unheeding, you give them access to your accounts.

      There isn’t much an average user can do to prevent tabnabbing except follow general internet security practices. Aura’s Safe Browsing feature can, however, display pop-ups that warn you if you navigate to a hostile website.

      3. Delete any automatic downloads

      If you see a download starting from your browser or on the right-hand side of your computer, you may assume that it’s a system update. But you’re probably the victim of a drive-by download attack [*].

      In these attacks, scammers install malicious programs without your consent. These programs are masked, meaning they can originate from legitimate websites to spy on your activity and hijack or disable your device.

      When you see suspicious files downloading, send them straight to your trash folder. Remember, Microsoft Windows and macOS will alert you whenever a new download is available to install.


      4. Scan all devices on the same network

      Most IT teams have a robust network security program, protecting your work activity. You need similar stumbling blocks at home. Scammers have been known to hack into Wi-Fi routers by using the manufacturer’s default administrative password. Or, they can snatch the credentials directly by sending you phishing links or installing malware.

      Make it a habit to change your router’s administrative credentials and update your router’s firmware [*]. Your router settings can show all the devices connected to your network.

      While you’re in the router settings, turn off remote administration, and disable Wi-Fi Protected Setup (WPS) as well. WPS will allow someone to connect to your network without your consent if they are in close physical proximity to your router.


      5. Change passwords to sensitive accounts

      Scammers frequently dupe victims into “signing in” to fake login pages.

      Fake sites are designed to mimic login pages that you frequent to access day-to-day applications or webpages. Signing in by using such websites — that front as real login pages — lets hackers steal your credentials. And if you recycle passwords across accounts, you’ve just surrendered access to those, too.

      Changing your passwords frequently and setting up two-factor or multi-factor authentication (2FA or MFA) is one way to circumvent phishing attempts.


      6. Back up your files

      Phishers can also obtain your information by installing malware. And the most sinister types of malware can make your computer unusable. 

      While there may be a way to recover some of your files, it’s likely you won’t get all of them back. Regularly uploading information to the cloud and even to external hard drives can preserve your data, even if you’re the victim of a malware attack.

      7. Get verified tech support

      Spoofed customer service sites can appear in Google search results and are often at the top. Triple-check all customer support phone numbers and chatbots before sharing any sensitive information.

      Also, pay attention to customer support emails. Real tech support or computer companies typically don’t contact you out of the blue.

      In 2022, the FTC was notified of a new type of phishing scam in which scammers pretended to be from Geek Squad, Best Buy’s tech support service.

      The emails told recipients that their Geek Squad membership would be automatically renewed. Recipients were encouraged to call customer support if they wanted to cancel or dispute the charge. The phone number, however, belonged to scammers.

      Always verify domain names, check for spelling and grammatical errors, and confirm the use of your real name in the email greeting.
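
      The domain check above, together with the earlier point that HTTPS alone does not make a site trustworthy, can be sketched in code. This is an added example, not Aura's code; the allowlist, the `assess_link` helper, and every domain in it are constructed placeholders.

```python
"""Added example: triage a link before trusting it. All domains are constructed."""
import ipaddress
from urllib.parse import urlsplit

# Assumption: the domains you actually do business with (constructed placeholder).
TRUSTED = {"mybank.example"}


def edit_distance(a, b):
    """Levenshtein distance; a small value between two hostnames suggests a look-alike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def assess_link(url, trusted=TRUSTED):
    """Return a list of warning labels; an empty list means no check fired."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    findings = []
    if parts.scheme != "https":
        findings.append("not-https")              # traffic is readable in transit
    if parts.username is not None:
        findings.append("userinfo-before-host")   # text before '@' is not the site
    if is_ip(host):
        findings.append("ip-address-host")
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        findings.append("idn-host")               # may render as look-alike characters
    if any(host == d or host.endswith("." + d) for d in trusted):
        return findings                           # the real domain or one of its subdomains
    findings.append("domain-not-on-allowlist")
    for d in sorted(trusted):
        if f".{d}." in f".{host}.":
            findings.append("trusted-name-used-as-subdomain")
        tail = ".".join(host.split(".")[-(d.count(".") + 1):])
        if 0 < edit_distance(tail, d) <= 2:
            findings.append("lookalike-of-" + d)
    return findings


# Constructed sample links, not taken from any real campaign.
SAMPLES = [
    "https://www.mybank.example/login",
    "http://www.mybank.example/login",
    "https://mybannk.example/login",
    "https://mybank.example.account-verify.test/",
    "https://mybank.example@198.51.100.7/",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(url, "->", assess_link(url) or "no warnings")
```

      The third and fourth samples use HTTPS and still fail, because the encryption check says nothing about who owns the domain.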

      8. Set up a fraud alert

      Disclosing any personal data in a phishing attack can easily turn you into a victim of identity theft. If you’ve given any information away to a scammer, you might want to set up a fraud alert. 

      Fraud alerts add a warning to your credit file, forcing lenders to take extra steps to confirm your identity. You can set one up by contacting Experian, Equifax, or TransUnion (the three major credit bureaus). 

      The bureau you contact is legally obligated to instruct the other two bureaus to protect you from unlawful credit applications. Note that you’ll need to confirm your identity before every credit check (and renew your fraud alert each year).

      9. Alert family and friends

      If scammers have targeted you, chances are they’ll also target your friends and family. They may already have information that links you to your loved ones; or they could hack your social media to see whom you follow.

      Further, they might send messages pretending to be you, saying that you’ve changed your number. Scammers may get their victims’ friends and family members to click on phishing links, like the one shown in the screenshot above. 

      If you mistakenly click on a phishing link, tell your peers and family immediately. Teach your kids the warning signs of phishing, and implement parental controls to limit risky browsing behavior.


      What Does a Phishing Email Look Like?

      According to the FTC, there are several telltale signs of phishing. These include:

      • Claiming there is a problem with your payment information. Scammers purport to be customer service agents from retailers like Amazon or Apple, utility companies, or even your home security company. They’ll tell you that your payment has been declined or that someone has breached your account. 
      • Asking you to confirm financial or personal information. The goal of phishing campaigns is to obtain personal data. For this very reason, banks, health insurance companies, and merchants won’t ask you for this kind of information over the phone.
      • Telling you that they’ve noticed suspicious activity on your account. Fraudsters try all sorts of methods to make you react. Telling someone that they’ve been hacked elicits anxiety — to the point that victims will be afraid to ignore the warning and comply with a scammer’s instructions.
      • Sending you a fake invoice. Another phishing tactic is to send you an invoice via email. Most recipients tend to be curious about such charges. When they can’t come up with an answer, their impulse is to dispute it using the scammer’s fraudulent links.
      • Offering an unbelievable discount or free product. As the adage goes, if it’s too good to be true, it probably is. Clicking on suspicious links can inject malware into computers or phones that enables fraudsters to record account numbers and passwords.
      • Saying that you’re qualified for a government refund. These types of phishing scams happen every year around late spring and early summer. At that time, people expect refund checks and are more likely to believe that any emails about refunds are coming from the Internal Revenue Service (IRS).
      • Directing you to click on links. Scammers know that consumers are getting savvy. To bypass detection, scammers use HTML code obfuscation or phishing sites with HTTPS to camouflage phishing [*]. 
      • Using unfamiliar greetings. Most scammers broadcast phishing campaigns to the masses. Because they don’t necessarily know everyone’s name, the greetings on these messages may be generic such as “Sir” or “Madam,” or otherwise unusual.

      Disturbingly, the latest versions of ChatGPT and other AI tools have made it easy for anyone to produce instantaneous, high-volume phishing content [*].

      Cybercriminals can recreate malware strains, tweak existing scripts, and even create marketplaces on the Dark Web — all without any coding experience. 

      Have You Been Phished? Report Fraud Today

      Clicking on phishing links on your iPhone or Android phone could infect your device, expose your contacts, or, at the very least, share device statistics. 

      Spyware, for instance, collects confidential data stored in your phone or on your apps. Ransomware renders your phone unusable until you send the scammer money. 

      Even if you pay, the scammer will likely have stolen your identity. If any of this has happened to you, report it as soon as possible. You can report phishing to the:

      • FTC online at reportfraud.ftc.gov or by phone at 1-877-382-4357.
      • Anti-Phishing Working Group (APWG) by forwarding the suspected phishing email to reportphishing@apwg.org.
      • Internet Crime Complaint Center (IC3) at www.IC3.gov. 
      • Cybersecurity & Infrastructure Security Agency (CISA) at 1-888-282-0870 or at www.us-cert.gov/report. You can also forward phishing emails or websites to phishing-report@us-cert.gov.

      Beyond this, you might want to consider signing up for Aura to get robust phishing protection. Aura also offers Safe Browsing tools that can preemptively block malicious websites and pop-ups before you access them.

      Plus, Aura sends useful reminders and near-real-time notifications to update weak passwords and review sensitive accounts.


      Editorial note: Our articles provide educational information for you to increase awareness about digital safety. Aura’s services may not provide the exact features we write about, nor may cover or protect against every type of crime, fraud, or threat discussed in our articles. Please review our Terms during enrollment or setup for more information. Remember that no one can prevent all identity theft or cybercrime.
