Vilkax
Get early access
Incident guide

Clicked a phishing link? Do these things, in this order.

Vilkax team · 15 July 2026 · 7 min read

First: breathe. Clicking a bad link is not the disaster it feels like in the moment, and what you do in the next ten minutes matters far more than the click itself. This guide sorts the situations from harmless to serious and gives you the exact order of steps.

Step 0: work out which situation you are in

Step 1: change the password you exposed, from a clean device

Go to the real website by typing its address yourself, and change the password immediately. If you reuse that password anywhere else, change it there too, starting with your email account. Your email is the master key: whoever controls it can reset everything else. If the service offers an option to sign out all other sessions or devices, use it right after the change.

Step 2: call your bank before anything else if money data is exposed

If you entered card numbers or bank credentials, contact your bank through the number on the back of your card or its official app. Ask them to block the card and watch the account. Banks handle this constantly; acting within minutes rather than hours is the single biggest factor in whether money is recoverable.

Step 3: check and reset your 2FA

If you gave away a one-time code, or approved a login prompt you now regret, treat the account as compromised even after a password change. Review the account's security page: active sessions, recovery email and phone number, connected apps, and any new 2FA devices you do not recognise. Attackers add their own recovery routes so they can come back later. Remove anything you did not set up.

Step 4: if you installed or opened something, isolate the device

Disconnect it from the internet, then run a full scan with the security software built into your system. Do not use that device to change passwords; use another one. If the device belongs to your employer, tell your IT team immediately. They would always rather hear about it now than discover it later, and reporting fast is the professional move, not the embarrassing one.

Step 5: report the message

Use the report button in your mail or messaging app, and if the message impersonated a real company, forward it to that company's abuse address. Reporting is not just civic duty: it trains the filters that protect you next time, and takedowns triggered by reports shorten every campaign's life.

Step 6: watch for the follow-up scam

Data from phishing gets resold. In the weeks after an incident, expect the sequel: a caller claiming to be your bank's fraud department, an email about a refund you are owed, a message that references the original incident. Anyone who contacts you about the incident is unverified by default. Hang up and call back on an official number you find yourself.

The one thing not to do: do not keep it a secret out of shame. Phishing works on IT professionals, lawyers, and security researchers. The people who get hurt worst are the ones who wait, not the ones who clicked.

Make the next click a non-event

The steps above are what you do after. Vilkax exists so there is no after: links are checked before you commit, impersonation is flagged in the moment, and the pressure tactics that make people type passwords into fake pages are called out in plain language while it is happening. Early access is open.