Clicked a Phishing Link at Work? Do This Immediately
Accidentally clicked a phishing link at work? Follow these urgent steps to isolate your device, report the incident, and protect your company from a breach.
Knowing what to do after clicking a phishing link at work could be the difference between a contained five-minute incident and a company-wide data breach. Phishing attacks account for over 90% of successful data breaches, and one wrong click on a work device can give an attacker a foothold in your entire network within seconds.
If you just clicked something suspicious, take a breath. Panic is the enemy of good decisions right now. The damage is not done yet — and in many cases, fast action means no real damage happens at all. What you do in the next few minutes matters more than the click itself.
This guide walks you through every step: how to isolate your device, what to report and to whom, how to scan for malware, and how to lock down your accounts so attackers cannot move any further. Follow these steps in order, and you give yourself the best possible shot at walking away from this clean.

What Happens When You Click a Phishing Link at Work
Not every phishing link works the same way. Understanding what the link may have done helps you respond appropriately instead of either overreacting or underreacting.
Most phishing links do one of three things. They redirect you to a fake login page designed to steal your username and password. They trigger a drive-by download, silently installing malware on your device without you clicking anything else. Or they redirect you to a page that launches a script exploiting a vulnerability in your browser or operating system. Some sophisticated attacks combine all three.
The workplace context makes every one of these outcomes worse. On a home computer, a compromised device affects you. On a work network, it can affect everyone. Shared network drives, connected printers, cloud file systems, and colleague devices are all potentially reachable once an attacker gets a foothold. Industries handling health records, financial data, or client information also face legal exposure under frameworks like HIPAA, GDPR, and PCI-DSS if a breach goes unreported.
Here is the reassuring part: not every click causes immediate harm. Many phishing pages simply load a fake site that does nothing if you close it without entering anything. The speed of your response is often the deciding factor between a near-miss and an actual incident.
Phishing also arrives through more than just email. SMS phishing (called smishing) and voice phishing (vishing) are increasingly common, but the steps after clicking a suspicious link are essentially the same regardless of how it reached you. What matters now is what you do next.
Step 1 — Disconnect and Contain the Device Immediately
This is the single most important action you can take right now. Disconnect your device from the internet immediately. Every second you stay connected is a second malware can use to call home, download additional payloads, or start spreading across your workplace network.
Here is how to cut the connection:
- If you are on a wired connection, physically unplug the Ethernet cable from the back of your computer or the wall.
- If you are on Wi-Fi, enable Airplane Mode or go into your network settings and disconnect from the Wi-Fi network.
- If your device has both, disable both.
This stops several dangerous processes cold. Ransomware needs a live connection to encrypt files and send the decryption key to attackers. Keyloggers transmit stolen credentials in real time. Trojans phone home to receive instructions. Cutting the connection interrupts all of it.
One critical rule: do not restart or shut down the device yet. This feels counterintuitive, but powering off clears volatile memory (RAM), which may hold evidence of what the malware was doing. Your IT team may need that forensic data to understand the full scope of the attack. Leave the device on, disconnected, and untouched until a professional can assess it.
If you are working on a shared terminal or a public-facing work computer, step away from it and alert a supervisor or colleague immediately before touching anything else. The more hands on a compromised shared machine, the messier the investigation becomes.
Step 2 — Stop All Interactions and Close the Browser
Once the device is isolated, your next job is to stop any additional exposure from happening. Do not enter any information on any page the phishing link redirected you to — no passwords, no email addresses, no payment details, nothing.
Close the browser tab or window. If the page is displaying popup prompts asking you to click “OK,” “Cancel,” “Allow,” or anything else, do not interact with them. On Windows, use Task Manager (Ctrl + Shift + Esc) to force-close the browser entirely. On a Mac, use Force Quit (Command + Option + Esc).
Next, check your downloads folder. Open it and look for any files that arrived in the past few minutes that you did not intentionally download. Common malicious file types include:
- .exe (Windows executables)
- .zip or .rar (compressed archives that may contain malware)
- .docm or .xlsm (Office files with macros)
- .js or .vbs (script files)
Delete any suspicious files immediately — but do not open them first to check. Also review your browser’s download history (Ctrl + J in most browsers) and clear anything that appeared during or after the click. Do not open any attachments or files from the original suspicious email while you are investigating.
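The downloads-folder check above can be done without opening a single file. The following Python script is an added example, not part of this guide: it lists files in a folder that were modified within the last few minutes and carry one of the extensions listed above, and only reads file metadata (stat), never file contents. The sample folder and its files are constructed in a temporary directory for demonstration; the names, the 15-minute window and the `find_suspicious_downloads` function are assumptions of this example, and in real use you would point it at your actual Downloads path and hand the list to IT rather than deleting on your own.

```python
import os
import tempfile
import time
from pathlib import Path

# Extensions the guide lists as commonly abused; extend this set for your environment.
RISKY_EXTENSIONS = {".exe", ".zip", ".rar", ".docm", ".xlsm", ".js", ".vbs"}


def find_suspicious_downloads(folder, since_minutes=15, now=None):
    """Return a list of {"name", "path", "age_s"} for files in `folder` whose
    modification time falls within the last `since_minutes` and whose final
    extension is in RISKY_EXTENSIONS. Files are stat()'d only, never opened,
    so this is safe to run on a machine you suspect is compromised.
    Results are sorted newest first."""
    now = time.time() if now is None else now
    cutoff = now - since_minutes * 60
    hits = []
    for entry in Path(folder).iterdir():
        if not entry.is_file():
            continue
        mtime = entry.stat().st_mtime
        if mtime < cutoff:
            continue
        # .suffix is the last extension, so "invoice.pdf.exe" is caught as .exe
        if entry.suffix.lower() in RISKY_EXTENSIONS:
            hits.append({"name": entry.name, "path": str(entry), "age_s": int(now - mtime)})
    return sorted(hits, key=lambda h: h["age_s"])


def build_demo_folder():
    """Create a constructed sample Downloads folder (not real malware) so the
    script runs offline. Returns (folder_path, reference_time)."""
    folder = Path(tempfile.mkdtemp(prefix="downloads_demo_"))
    now = time.time()
    samples = {
        "invoice_scan.pdf.exe": now - 90,       # arrived 90 s ago: should be flagged
        "Q3_report.xlsm": now - 300,            # arrived 5 min ago: should be flagged
        "team_photo.jpg": now - 60,             # recent, but not a risky type
        "old_installer.exe": now - 2 * 3600,    # risky type, but two hours old
    }
    for name, mtime in samples.items():
        p = folder / name
        p.write_bytes(b"constructed sample content")
        os.utime(p, (mtime, mtime))  # backdate the file to the constructed arrival time
    return folder, now


if __name__ == "__main__":
    demo_folder, ref_time = build_demo_folder()
    for hit in find_suspicious_downloads(demo_folder, since_minutes=15, now=ref_time):
        print(f"REVIEW (do not open): {hit['path']}  arrived {hit['age_s']}s ago")
```

The window and extension set are deliberately conservative; a file that is recent but has a harmless-looking extension still belongs in the report to IT if you did not download it yourself.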
Step 3 — Report the Incident to IT and Management
Reporting feels uncomfortable, especially if you are worried about how it reflects on you. Do it anyway, and do it fast. Knowing what to do after clicking a phishing link at work means understanding that reporting is not optional — it is often legally required.
Contact your IT security team or your managed security provider immediately. Give them:
- The full URL or text of the link you clicked (from the original email if possible)
- The phishing email itself — forward it without clicking anything in it again
- The exact time and date of the click
- The device name, type, and operating system
- What happened on screen after you clicked (redirected to a page, a download started, nothing visible)
Many industries have strict timelines for breach reporting. Under GDPR, organizations must report qualifying breaches to regulators within 72 hours. HIPAA breach notification rules require covered entities to report breaches to affected individuals and the Department of Health and Human Services within specific windows. Do not attempt to handle this quietly on your own — bypassing the chain of command can create compliance violations on top of the security incident.
If you are a sole proprietor or run a very small business without dedicated IT staff, report the phishing email to the FTC at reportfraud.ftc.gov and file a complaint with the FBI’s Internet Crime Complaint Center at ic3.gov. These reports help law enforcement track phishing campaigns and can assist your own documentation if the incident escalates.
Consider also looping in your business owner or office manager even if IT is handling the technical side. Leadership needs to know so they can make decisions about client notifications, legal obligations, and internal communications.
Step 4 — Scan for Malware and Assess the Damage
Before running any scans, take one protective step: back up your critical files to an external drive that has not been connected to the potentially infected machine. This protects your data in case ransomware activates during the scan process. Avoid syncing to cloud storage until you have a clean bill of health — some ransomware deliberately targets connected cloud drives.
Now run a full malware scan. Use your device’s primary antivirus software with updated definitions. Good options if you do not have enterprise-grade tools include:
- Malwarebytes — effective at catching threats other tools miss
- Windows Defender — built into Windows 10 and 11, more capable than its reputation suggests
- Bitdefender or ESET for small business environments
Run a two-pass scan: your primary antivirus first, then a secondary scanner. No single tool catches everything, and a second pass dramatically improves detection rates. Some advanced malware disguises itself as a legitimate system file, which is why a second-opinion scanner matters.
Quarantine or delete anything flagged. If the scan returns clean but you still have a bad feeling — or if your IT team suspects a more sophisticated attack — escalate to a cybersecurity professional. Managed detection and response services exist specifically for small businesses that do not have in-house security expertise.
If ransomware is detected, stop everything. Do not pay. Isolate the machine further, restore from your most recent clean backup, and involve law enforcement. Paying a ransom does not guarantee file recovery and may make you a repeat target.
Step 5 — Secure Your Accounts and Change Credentials
Here is a mistake many people make: they change their passwords from the device that was just compromised. Do not do this. If a keylogger is running, it will capture your new passwords the moment you type them.
Move to a clean, unaffected device — a different computer, a personal phone on cellular data, or a colleague’s machine — and start changing credentials from there. Prioritize in this order:
- Work email and single sign-on (SSO) credentials
- VPN and remote access accounts
- Any password you entered on the suspicious page
- Any account where you reuse the same password
- Financial accounts linked to your work identity
Enable multi-factor authentication (MFA) on every critical account that supports it. MFA means that even if an attacker has your password, they cannot log in without access to your phone or a physical key. This single step stops the majority of credential-based attacks cold.
Use a password manager to generate and store strong, unique passwords for every account. Reusing passwords is one of the most common ways a single phishing incident spirals into multiple account takeovers. Good password managers for small businesses include Bitwarden, 1Password, and Dashlane.
After changing credentials, monitor your accounts closely for the next 72 hours. Watch for unauthorized login attempts, emails you did not send, profile changes, or unfamiliar transactions. Set up login alerts wherever possible so you hear about suspicious access in real time.
Step 6 — Investigate the Incident and Strengthen Defenses
Once the immediate threat is contained, shift into investigation and prevention mode. Understanding how this happened is the only way to stop it from happening again.
Ask your IT team to review:
- Email headers from the phishing message to identify the true sending domain
- Firewall and DNS logs to see if the compromised device communicated with any external servers
- Account activity logs to catch any unauthorized access that happened before the device was isolated
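The first two review items above, the email headers and the DNS logs, lend themselves to a small script. The Python example below is added here and is not part of this guide or any vendor's tooling. It parses a constructed phishing message (not a real one) to compare the visible From domain against the envelope sender, the earliest Received hop and the Authentication-Results verdicts, then reads constructed DNS resolver log lines to list every name the isolated workstation resolved, with an allowlist for your own providers. The log line format, the addresses and domain names, and the function names `analyze_headers` and `external_lookups` are all assumptions of this example; adjust the `DNS_LINE` pattern to whatever your resolver or firewall actually emits.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample headers: a message that claims to be from a bank but was
# handed to our mail server by an unrelated relay. Not a real message.
SAMPLE_RAW_EMAIL = """\
Return-Path: <bounce@mail-updates.example>
Received: from mx.corp.example (mx.corp.example [192.0.2.10])
\tby inbox.corp.example with ESMTP; Thu, 2 May 2024 14:02:51 +0000
Received: from mail-updates.example (unknown [198.51.100.7])
\tby mx.corp.example with ESMTP; Thu, 2 May 2024 14:02:50 +0000
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=mail-updates.example;
\tdkim=none; dmarc=fail header.from=bank.example
From: "Bank Support" <support@bank.example>
To: user@corp.example
Subject: Action required: verify your account

Body omitted.
"""

# Constructed resolver log lines (not real logs). 10.0.5.23 is the isolated
# workstation; 10.0.5.41 is an unrelated colleague's machine.
SAMPLE_DNS_LOG = """\
2024-05-02T14:03:10Z client=10.0.5.23 query=login.microsoftonline.com type=A
2024-05-02T14:03:12Z client=10.0.5.23 query=secure-bank-verify.example type=A
2024-05-02T14:03:13Z client=10.0.5.41 query=teams.microsoft.com type=A
2024-05-02T14:03:19Z client=10.0.5.23 query=cdn-update-host.example type=A
2024-05-02T14:09:44Z client=10.0.5.23 query=cdn-update-host.example type=A
"""

DNS_LINE = re.compile(r"^(?P<ts>\S+) client=(?P<client>\S+) query=(?P<qname>\S+)")


def _domain(addr):
    """Lower-cased domain part of an email address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyze_headers(raw):
    """Summarise where a message really came from versus what it displays."""
    msg = message_from_string(raw)
    from_domain = _domain(parseaddr(msg.get("From", ""))[1])
    return_path_domain = _domain(parseaddr(msg.get("Return-Path", ""))[1])
    # Each relay prepends its own Received header, so the LAST one is the
    # earliest hop we can see: the host that handed the mail to our servers.
    received = msg.get_all("Received") or []
    origin_host = ""
    if received:
        m = re.search(r"from\s+(\S+)", received[-1])
        origin_host = m.group(1).lower() if m else ""
    auth = {}
    for hdr in msg.get_all("Authentication-Results") or []:
        for mech, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", hdr, re.I):
            auth[mech.lower()] = result.lower()
    return {
        "from_domain": from_domain,
        "return_path_domain": return_path_domain,
        "origin_host": origin_host,
        "auth": auth,
        # Envelope sender differing from the displayed From domain, or a DMARC
        # failure, is the classic signature of a spoofed brand.
        "suspicious": from_domain != return_path_domain or auth.get("dmarc") == "fail",
    }


def external_lookups(log_text, client_ip, allowlist=()):
    """Return {domain: [timestamps]} for every name `client_ip` resolved,
    skipping domains on `allowlist` (your own SaaS providers). Repeated lookups
    of one unfamiliar name at intervals are worth showing to IT."""
    seen = {}
    for line in log_text.splitlines():
        m = DNS_LINE.match(line)
        if not m or m["client"] != client_ip:
            continue
        qname = m["qname"].lower()
        if any(qname == a or qname.endswith("." + a) for a in allowlist):
            continue
        seen.setdefault(qname, []).append(m["ts"])
    return seen


if __name__ == "__main__":
    report = analyze_headers(SAMPLE_RAW_EMAIL)
    for key, value in report.items():
        print(f"{key:20}: {value}")
    for name, times in external_lookups(SAMPLE_DNS_LOG, "10.0.5.23", ("microsoftonline.com",)).items():
        print(f"{name}: {len(times)} lookup(s), first at {times[0]}")
```

The header check deliberately trusts only the Received line added by your own mail server and the Authentication-Results your own server wrote; anything above the first hop you control can be forged by the sender. The DNS summary gives IT a short list of names to compare against threat intelligence and against the link in the original email.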
If the phishing email was impersonating a real company — a vendor, a bank, a software provider — contact that company directly. They need to know their brand is being spoofed so they can alert their own customer base and work with cybersecurity researchers to take down the campaign.
On the prevention side, knowing what to do after clicking a phishing link at work is valuable, but the goal is to stop the click from happening in the first place. Implement these defenses:
- Email filtering with spam and phishing detection (Google Workspace and Microsoft 365 both include solid built-in options)
- DNS-layer protection such as Cisco Umbrella or Cloudflare Gateway, which blocks connections to known malicious domains at the network level
- Browser extensions like uBlock Origin that block malicious scripts and redirect attempts
- Phishing simulation training — services like KnowBe4 send fake phishing emails to your team and track who clicks, turning the exercise into a learning moment rather than a disciplinary one
Employees who receive regular phishing simulation training are significantly less likely to click on real attacks. Building a “report, don’t ignore” culture in your workplace is just as important as any technical tool you deploy.
Common Mistakes to Avoid After Clicking a Phishing Link at Work
Even well-intentioned responses can make things worse. Here are the most common errors and how to avoid them.
Mistake: Ignoring the click and hoping nothing happened. The absence of visible symptoms does not mean nothing occurred. Many malware infections run silently in the background for days before triggering. Always report and scan, even if everything looks normal.
Mistake: Changing passwords from the compromised device. If a keylogger is running, your new passwords go straight to the attacker. Always use a clean, separate device for credential updates after a potential compromise.
Mistake: Restarting or wiping the device before IT can analyze it. A restart can clear forensic evidence stored in RAM. A wipe destroys everything IT needs to understand the attack’s scope. Preserve the device’s current state and let security professionals lead the forensic process.
Mistake: Paying a ransom if ransomware activates. Paying does not guarantee you will get your files back. It funds criminal operations and signals that you are a viable target for future attacks. Isolate the affected machine, restore from your most recent clean backup, and report the attack to ic3.gov and local law enforcement.
Mistake: Handling it alone without telling management or IT. Solo remediation that bypasses company policy can turn a security incident into a compliance violation. Transparency protects you and gives the organization the best chance at a full recovery.
Key Takeaways
- Disconnect your device from the internet immediately — unplug Ethernet or enable Airplane Mode — to stop malware from communicating with attackers or spreading across the network.
- Do not enter any credentials or personal data on pages you were redirected to. Close the browser, check your downloads folder, and delete any files that appeared after the click.
- Report the incident to your IT team right away. Provide the link, the email, the time, and the device. Many industries require timely breach reporting under GDPR, HIPAA, or other frameworks.
- Back up critical files to an external drive before scanning, then run a two-pass malware scan using updated antivirus tools. Do not restart or wipe the device before IT can investigate.
- Change compromised passwords from a clean device only. Enable MFA on all critical accounts and use a password manager to eliminate password reuse.
- Investigate the attack vector, contact any impersonated companies, and strengthen your defenses with email filters, DNS-layer protection, and phishing simulation training.
- Never pay a ransom. Isolate, restore from backups, and involve law enforcement instead.
Frequently Asked Questions About What to Do After Clicking a Phishing Link at Work
What should I do immediately after clicking a phishing link at work?
Disconnect your device from the internet right away by unplugging the Ethernet cable or enabling Airplane Mode. Do not enter any information on sites you were redirected to. Close the browser, check for unexpected downloads, and notify your IT security team immediately with details about the link, the time, and the device used.
Can I get hacked just by clicking a phishing link without entering information?
Yes, it is possible. Some phishing links exploit browser vulnerabilities to download malware silently without any user input. This is known as a drive-by download. While the risk is higher if you enter credentials, even a bare click warrants disconnecting from the network and running a full malware scan as a precaution.
Will I get in trouble at work for clicking a phishing link?
Most organizations treat accidental phishing clicks as a training opportunity rather than a disciplinary issue, especially when reported promptly. Concealing the incident is far more likely to cause problems — both professionally and legally. Transparent, fast reporting demonstrates responsibility and gives IT the chance to contain any damage before it escalates.
How do I know if my device was infected after clicking a phishing link?
Warning signs include unexpected slowdowns, new browser toolbars or extensions, unfamiliar programs running in the background, unusual outbound network traffic, or receiving reports that emails were sent from your account without your knowledge. Run a full antivirus scan immediately and have IT review system and firewall logs for suspicious activity.
Should I report a phishing click to anyone outside my company?
If you are a small business owner without an IT team, report the phishing email to the FTC at reportfraud.ftc.gov and the FBI’s Internet Crime Complaint Center at ic3.gov. If financial