10 steps to take after clicking a phishing scam

July 26, 2018 by Stephen Moramarco

We all make mistakes. Even clicking on a phishing link can happen to the best of us – sometimes we are in a hurry, or sometimes the phishers are exceptionally clever with their ruse. Whatever the reason, what matters next is limiting the damage and salvaging as much of the situation as you can. Here’s a list of steps to follow after clicking on a phishing scam.

The ten steps to protect yourself

  1. Don’t panic! First, make sure that you have actually been phished. Merely opening a phishing email and reading it in a patched, up-to-date mail client will almost never affect your computer (at worst, remote images in the message tell the sender you opened it). Nor will simply downloading a .zip file that contains malware. It’s only when you unzip the file and then open the document or program inside, or enter your credentials on the phishing site, that you are likely compromised. Knowing the difference can save you from unnecessary stress.
  2. If you believe you have indeed been phished, immediately disconnect the computer or device from the Internet or network. If it’s a desktop or laptop connected via ethernet cable, unplug it. If you are on WiFi, pull up the menu and turn it off or forget the network.
  3. Notify your supervisor if you have one. This is the difficult part, as many people are embarrassed about their mistake and worry they will get in trouble. Don’t be afraid: a company with a good phishing policy should not blame the employee. Additionally, every second you delay can potentially make the problem worse.
  4. Scan your computer for malware, especially if you opened an attachment. Many phishing emails carry malicious code that can capture keystrokes or take over computers and networks. Windows includes Microsoft Defender, and for Mac there is a free version of Malwarebytes. Keep in mind that a clean scan does not prove the machine is clean; in a managed environment, let your IT or security team decide whether the device should be reimaged.
  5. Change usernames and passwords. If the phishing email sent you to a phony site and asked you to enter your credentials, assume it captured them. Change the password from a device you trust, not the possibly compromised one, and change it everywhere you reused it. To be on the safe side, update the credentials for important accounts such as work email, bank accounts and social media, and turn on multi-factor authentication where it is offered.
  6. Forward the email to IT, if you have an IT department. If you work for a large company, there may be a specific address for reporting phishing emails. You’ll want to include the header information, which shows where the email actually came from; forwarding a message inline usually strips the original headers, so the easiest way to preserve them is to drag and drop the phishing email into a new email as an attachment and send that.
  7. Flag the email as phishing. In programs such as Outlook, there are options to report the message, which sends the details to Microsoft. Check your mail program’s help for further instructions.
  8. Forward the email to the Federal Trade Commission’s phishing-reporting address and to the Anti-Phishing Working Group’s reporting address. Again, include the headers by dragging and dropping the email as an attachment. If you think your identity has been stolen, report it to the FTC and follow its recovery instructions.
  9. Alert the business or person the email appeared to be from, using contact details you look up yourself rather than any in the email. This could prevent further attacks, especially if the phishers have broken into their system and are sending from their account.
  10. Evaluate the vulnerabilities of your business. Are there others in the company who could make, or have already made, similar mistakes? It may be time to implement stronger anti-phishing policies and add real-world simulations to help prevent further breaches.
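Step 6 asks you to preserve the headers because they show where the message really came from. The following is an added example, not code from the original article, showing what an analyst looks for in those headers: the chain of `Received` hops (the bottom-most one is the origin), the `Authentication-Results` verdicts for SPF, DKIM and DMARC, and mismatches between the `From` domain and the `Return-Path`, `Reply-To` and link hosts. The message, addresses and IPs are constructed for the example (documentation ranges and example domains), and the last-two-labels domain comparison is a deliberate simplification.

```python
"""Triage the headers of a suspected phishing e-mail (added example)."""
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message. Hosts, IPs (RFC 5737 ranges) and domains
# (RFC 2606 reserved names) are invented for this example.
SAMPLE_EML = b"""\
Return-Path: <bounce-8812@mail.example.net>
Received: from mail.example.net (mail.example.net [203.0.113.45])
\tby mx.example.com with ESMTP id abc123
\tfor <victim@example.com>; Thu, 26 Jul 2018 09:12:31 +0000
Received: from [198.51.100.7] (unknown [198.51.100.7])
\tby mail.example.net with ESMTPA id def456;
\tThu, 26 Jul 2018 09:12:29 +0000
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mail.example.net;
\tdkim=none; dmarc=fail header.from=bank.example.org
From: "Example Bank Security" <security@bank.example.org>
Reply-To: accounts-verify@example.net
To: victim@example.com
Subject: Urgent: verify your account
Content-Type: text/plain; charset="utf-8"

Your account has been locked. Sign in at https://bank.example.org.security-check.example.net/login
"""


def parse_message(raw: bytes):
    """Parse raw RFC 5322 bytes; policy.default unfolds continuation lines."""
    return email.message_from_bytes(raw, policy=policy.default)


def received_chain(msg):
    """Return (helo_name, ip) per Received hop, oldest hop first.

    Each relay prepends its own Received line, so the header that appears
    last in the message is the one closest to the sender.
    """
    hops = []
    for hdr in msg.get_all("Received", []):
        m = re.search(r"from\s+(\S+)\s+\(([^)]*)\)", hdr)
        if not m:
            continue
        ip_m = re.search(r"\[(\d+\.\d+\.\d+\.\d+)\]", m.group(2))
        hops.append((m.group(1), ip_m.group(1) if ip_m else None))
    hops.reverse()
    return hops


def auth_results(msg):
    """Pull spf/dkim/dmarc verdicts out of Authentication-Results."""
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", hdr):
            results[method] = verdict.lower()
    return results


def domain_of(addr_header: str) -> str:
    """Domain part of the first address in a header value ('' if none)."""
    return parseaddr(addr_header)[1].rsplit("@", 1)[-1].lower()


def registrable(host: str) -> str:
    """Crude last-two-labels approximation; real tools use the Public Suffix List."""
    return ".".join(host.lower().split(".")[-2:])


def link_hosts(msg):
    """Hostnames of all http(s) links in the preferred text body."""
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    urls = re.findall(r"https?://[^\s<>\"')]+", text)
    return sorted({urlparse(u).hostname for u in urls})


def triage(raw: bytes):
    """Summarise origin and flag the mismatches a phishing analyst checks."""
    msg = parse_message(raw)
    from_dom = domain_of(str(msg["From"]))
    hops, auth, hosts = received_chain(msg), auth_results(msg), link_hosts(msg)
    findings = []
    for name in ("Return-Path", "Reply-To"):
        dom = domain_of(str(msg.get(name, "")))
        if dom and dom != from_dom:
            findings.append(f"{name} domain {dom} differs from From domain {from_dom}")
    for method in ("spf", "dkim", "dmarc"):
        if auth.get(method) in ("fail", "softfail", "none", "permerror", "temperror"):
            findings.append(f"{method} result: {auth[method]}")
    for host in hosts:
        if registrable(host) != registrable(from_dom):
            findings.append(f"link host {host} is outside the From domain")
    return {"from_domain": from_dom, "origin_ip": hops[0][1] if hops else None,
            "hops": hops, "auth": auth, "link_hosts": hosts, "findings": findings}


if __name__ == "__main__":
    for line in triage(SAMPLE_EML)["findings"]:
        print("-", line)
```

Only the `Received` line added by your own organisation’s mail server can be trusted; everything below it in the chain was written by machines under the sender’s control and can be forged, which is why the authentication results recorded by your own gateway carry more weight than any header the sender supplied.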

How to evaluate your vulnerabilities

To help you with the final step, Infosec has created Infosec IQ, a platform that contains training, simulation and mitigation tools that can be used by businesses of any size. AwareEd includes interactive videos and tests designed to educate employees about phishing scams and how to avoid them; PhishSim allows administrators to test the vigilance of their workforce by sending fake phishing emails and monitoring the results.

Want to try Infosec IQ for free? Open your free account today and prevent an accidental click tomorrow!



Stephen Moramarco is a freelance writer and consultant who lives in Los Angeles. He has written articles and worked with clients all over the world, including SecureGroup, LMG Security, Konvert Marketing, and Iorad.