What to do if an employee clicked a phishing link
If you clicked a phishing link but entered nothing, the risk is often low — still report it to IT. If you entered a password, act immediately: from a trusted device change it (and everywhere it was reused), enable 2FA, disconnect unknown sessions and inform IT. The most important thing — report it right away, even if you feel embarrassed.
Sooner or later someone will click a phishing link — it happens even in the most careful teams. What matters most is not the click itself, but what happens in the next minutes and hours. A fast, calm response often stops the damage entirely. Here is what the employee and the business should do.
What the employee should do immediately
If you clicked the link but entered nothing, the risk is often small. If you entered login details or downloaded a file — act without delay.
- Stop filling in any forms and close the page.
- Disconnect the device from the internet if you downloaded or ran a suspicious file.
- Report to IT or your manager immediately — the sooner, the smaller the damage.
- If you entered a password, change it from another, trusted device.
- Do not delete the email — it may be needed for the investigation.
If you entered login details
- Change that account’s password, and if the same password was used elsewhere — change it there too.
- Enable two-factor authentication (2FA) if it is not already on.
- Review the account’s active sessions and disconnect any unfamiliar ones.
- Watch the account for unusual activity over the coming days.
- If you entered card details — call the bank and block the card.
What the business (IT or manager) should do
- Immediately determine the scope: what the employee clicked, what they entered, which account is affected.
- Force-disconnect the affected account’s sessions and change passwords.
- Check whether emails were sent from that account to others — attacks spread internally.
- Warn the rest of the team not to open similar emails.
- If finance or data are affected, decide whether to inform the bank and the responsible authorities.
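One way to carry out the first three business steps above (scope the account, find sessions to cut, find who received mail from it) on exported logs. This is an added example, not code from the page or from Opsinel; the log records are constructed, and their whitespace-separated format is an assumption.

```python
from datetime import datetime

# Constructed sample records (assumed whitespace-separated format, not from any
# real system): timestamp, account, source IP, client, outcome for sign-ins;
# timestamp, sender, recipient, subject for outbound mail.
SIGNIN_LOG = [
    "2024-03-05T09:02:11Z alice@example.com 203.0.113.10 Chrome/Windows success",
    "2024-03-05T09:40:52Z alice@example.com 203.0.113.10 Chrome/Windows success",
    "2024-03-05T10:15:03Z alice@example.com 198.51.100.77 curl/7.88 success",
    "2024-03-05T10:16:30Z alice@example.com 198.51.100.77 curl/7.88 success",
    "2024-03-05T10:30:00Z dave@example.com 203.0.113.22 Chrome/macOS success",
]
MAIL_LOG = [
    "2024-03-05T09:50:00Z alice@example.com bob@example.com Q1-budget",
    "2024-03-05T10:20:44Z alice@example.com all-staff@example.com Urgent-invoice",
    "2024-03-05T10:21:10Z alice@example.com carol@example.com Urgent-invoice",
]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def triage(account, click_time, signin_log, mail_log):
    """Scope the incident for one account: successful sign-ins after the click
    whose (source IP, client) pair was never seen before it, and mail sent
    from the account afterwards (recipients who must be warned)."""
    click = _ts(click_time)
    baseline, suspicious = set(), []
    for line in signin_log:
        when, who, ip, client, outcome = line.split()
        if who != account or outcome != "success":
            continue
        if _ts(when) < click:
            baseline.add((ip, client))          # what this user normally looks like
        elif (ip, client) not in baseline:
            suspicious.append({"time": when, "ip": ip, "client": client})
    sent = []
    for line in mail_log:
        when, sender, recipient, subject = line.split()
        if sender == account and _ts(when) >= click:
            sent.append(recipient)              # internal spread starts here
    actions = ["reset password", "revoke all sessions", "enable 2FA"]
    if sent:
        actions.append("warn recipients: " + ", ".join(sent))
    return {"suspicious_signins": suspicious, "sent_after_click": sent, "actions": actions}

if __name__ == "__main__":
    print(triage("alice@example.com", "2024-03-05T10:05:00Z", SIGNIN_LOG, MAIL_LOG))
```

The baseline is only as good as the history before the click, so a first sign-in from a new but legitimate device will also be flagged; treat the output as a list to check, not a verdict.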
What NOT to do
- Do not punish or shame the employee — otherwise others will hide their mistakes.
- Do not dismiss it with "nothing happened" — sometimes damage appears days later.
- Do not forward the phishing email to colleagues without warning that it is dangerous.
- Do not rush to delete evidence before the incident has been assessed.
How to turn an incident into a lesson
Every click is a chance to strengthen the team. After an incident, briefly review which signs in the email were missed and assign relevant training. This is exactly why effective security programmes respond to a click with training, not punishment. Opsinel automates this: when an employee clicks a simulation link, a short lesson appears immediately, and the right course is assigned automatically based on the reaction — so a real mistake becomes a skill before a genuine attack.
Frequently asked questions
I clicked the link but entered nothing — is it dangerous?
The risk is usually low, especially if you downloaded nothing and entered nothing. Still, it is worth reporting to IT and watching the device and accounts for a while.
I entered a password on a fake page — what first?
Immediately change that account’s password from a trusted device, enable 2FA and inform IT. If the same password was used elsewhere, change it there too.
Should I punish an employee who clicked?
No. Punishment encourages hiding incidents, and hidden incidents are the most dangerous. It is better to thank them for reporting and turn the mistake into a short lesson.
I clicked a link on my phone — is that dangerous?
The risk is similar to a computer: a click without entering data or downloading is often harmless. Do not enter details, do not install apps, and check with IT.
How long until I can be sure nothing happened?
Damage sometimes appears later, so watch your accounts, payments and unusual login notifications for a few days. If you entered data, it is safest to change the password and enable 2FA right away.