What to Do If You Clicked a Phishing Link or Signed In on a Fake Page
If you clicked a link in a suspicious email, text, or pop-up — or worse, signed in on what turned out to be a fake login page — your account credentials and possibly more are now in the hands of a scammer. The good news: in most cases, fast action limits the damage to almost nothing. The bad news: “fast” means in the next hour. This guide walks you, your spouse, or your adult children through the exact steps to take, in order.
Do this in the next hour. From a different device (your phone, a tablet, a family member’s computer), sign in to the account you typed credentials into. Change the password and sign out all other sessions. Then turn on two-factor authentication. Most accounts give a “sign out everywhere” button under security settings.
Step 1 — Change the password from a different device
Use a different device than the one you clicked the link on. The original device may have downloaded malware that records keystrokes or screen contents.
- Open the official website yourself — type the URL, don’t click any link.
- Sign in. Change the password to something new (not similar to the old one).
- Look for a setting called “Sign out of all sessions” or “Sign out everywhere”.
- Repeat for any account that uses the same password.
Step 2 — Turn on two-factor authentication (2FA)
2FA is the single most effective protection against stolen passwords. Even with your password, a scammer can’t sign in without the code on your phone.
- Look in account settings for “Security,” “Two-Step Verification,” or “2FA.”
- Use an authenticator app (Google Authenticator, Microsoft Authenticator, Authy) — better than text-message 2FA.
- Save the backup codes the system gives you.
- Prioritize: email, banking, brokerage, Medicare, Social Security, Amazon, and any account where money or personal information lives.
Step 3 — Check your bank, credit, and key accounts
Phishing for one account often leads to attacks on others. From the secure device, sign in to each of these and check:
- Bank and credit-card accounts — look for unfamiliar charges in the last 24-48 hours.
- Brokerage and retirement accounts — look for unauthorized trades or transfers.
- Email — check the “sent” folder for emails you didn’t send.
- Email forwarding rules — scammers often add a rule that forwards all your email to them.
- Medicare and Social Security online accounts.
- Amazon, PayPal, Venmo, Zelle — look for new shipping addresses or payment methods.
Step 4 — Place a fraud alert on your credit
A free 90-day fraud alert placed with one credit bureau is passed on to the other two. Call any one of them: Equifax 1-888-766-0008, Experian 1-888-397-3742, or TransUnion 1-800-680-7289. If you also gave up your SSN on the fake page, place a free credit freeze with all three bureaus instead, which is much stronger protection. See our SSN emergency guide.
Step 5 — Scan the device for malware (if you clicked from a computer)
If you clicked a phishing link from a computer (rather than a phone), there’s a small but real chance malware was downloaded. Run a malware scan with at least one tool — Microsoft Defender (built in on Windows), Malwarebytes (free), or your existing antivirus. If anything is found, consider taking the computer to a trusted local repair shop for a full clean.
Step 6 — File reports
- FTC ReportFraud at reportfraud.ftc.gov
- FBI IC3 at ic3.gov if money or accounts were compromised
- Your bank or institution — they have anti-phishing teams that work with law enforcement
- Report the phishing email to [email protected] (Anti-Phishing Working Group)
- If the link impersonated the IRS, report to [email protected]
Why phishing pages are so effective
Modern phishing pages are pixel-perfect copies of real bank, Microsoft, Apple, Amazon, IRS, or Social Security login pages. AI now writes phishing messages without the grammar errors that used to warn us. Phishing texts and emails arrive with believable urgency: “your package can’t be delivered,” “unusual sign-in detected,” “refund pending.” The combination of perfect-looking page plus urgency is what catches most victims.
How to prevent this happening again
- Never click a link in an email or text claiming to be from a bank, government agency, or shipping company. Open the website yourself by typing the URL.
- Real banks, the IRS, SSA, and Medicare don’t send emails or texts with login links.
- Use a password manager — it auto-fills only on the real domain, refusing on fakes.
- Turn on 2FA on every account that supports it — strongest protection against stolen passwords.
- On a computer, hover over links before clicking — the real URL appears in the corner of the screen.
- If a message creates urgency, slow down. Real urgency is rare.
When to call for help
National Elder Fraud Hotline: 1-833-FRAUD-11 (1-833-372-8311). Free, confidential, DOJ-staffed. Open Monday–Friday, 10 a.m.–6 p.m. Eastern Time. English, Spanish, and other languages available. They will help you identify what type of fraud occurred, document the incident, and connect you to the right reporting agencies.
Two rules that prevent most scams
Rule 1. If they called you, emailed you, or messaged you — hang up. Call back at a number you find yourself.
Rule 2. Never pay anyone in gift cards, wire transfers, cryptocurrency, or by mail. Real bills are not paid these ways.
