What to Do If an Employee Clicks a Phishing Link
It happens to businesses of every size: an employee gets a convincing email, clicks the link, and maybe even types in their password before realizing something is wrong. The moment of panic that follows is normal — but what you do in the next few minutes and hours matters far more than the click itself. This is your step-by-step playbook for what to do after an employee clicks a phishing link. (For how to recognize and report suspicious emails before anyone clicks, see our guide on how to respond to a phishing email at work.)
Stay calm and don’t blame the employee
First, set the tone. Phishing attacks are engineered by professionals to fool people, and an employee who clicked and then reported it did exactly the right thing by speaking up. If you punish or humiliate them, you teach your whole team to hide the next incident — which is far more dangerous. Thank them for reporting, and move straight into response mode. Speed and honesty matter more than fault.
Step 1: Disconnect the device
If there is any chance the link installed something or led to a malicious download, take the affected device off the network: unplug the ethernet cable or turn off Wi-Fi, or, if the device is managed by an endpoint (EDR) agent, use that product's isolate or contain feature so the machine stays reachable to your security tooling while cut off from everything else. This contains potential malware before it can spread to other machines or reach shared drives. Do not power the computer off: running processes, open network connections and other evidence of what the malware did live in memory and are lost on shutdown, and you may need them for forensics later. Network isolation is usually enough to contain the threat while preserving the system state.
Step 2: Change the affected passwords immediately
If the employee entered credentials on the fake page, assume those credentials are now in criminal hands. Change the password immediately, and change it for any other account where the employee reused the same password (a good reminder of why a password manager and unique passwords matter). Do this from a known-clean device, not the potentially infected one. A password change alone does not end sessions the attacker already holds, so also sign the account out everywhere and revoke active sessions and tokens (most business email platforms have a "sign out of all sessions" or "revoke sessions" control); otherwise a stolen session keeps working after the password changes. If the account is email, treat it as a hacked-email situation and follow our guide to recovering a hacked business email account.
Step 3: Turn on multi-factor authentication
If the compromised account did not already have it, enable multi-factor authentication (MFA) now. Even if criminals have the password, MFA can stop them from logging in. Where MFA was already on, do not assume it held: some phishing pages proxy the real login page and capture the MFA session along with the password, so if the employee completed an MFA prompt on the fake page, treat the account as accessed. In either case, check that the attacker did not register their own MFA method, app password or recovery contact during any brief access, and review third-party app permissions (OAuth consents) granted on the account, since a malicious app grant survives a password change. Remove anything you do not recognize.
Step 4: Scan the device and check for access
Run a full antivirus or endpoint (EDR) scan on the affected device to catch any malware the link may have dropped. Then check whether the account was actually accessed: review sign-in activity for IP addresses, countries or devices you have never seen on that account, look for suspicious sent emails (including in Sent and Deleted Items), and review inbox rules, mailbox-level forwarding and changed settings. Attackers who get into email often add a forwarding rule to siphon copies of your messages, and they commonly pair it with a rule that deletes or moves incoming mail (to a folder such as RSS Subscriptions, with a name as short as ".") so the victim never sees replies or security alerts. Look specifically for rules like that and delete them.
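The checks in Steps 3 and 4 are easy to miss when done by eye across a week of audit entries, so here is a small triage script that does them mechanically. It is an added example, not code from this page or from any vendor: the events are constructed for the example, and the field and operation names (UserLoggedIn, New-InboxRule, "User registered security info", the rule parameters) are assumptions loosely modelled on what Microsoft 365 and Entra ID audit exports contain. Everything the account did before the click time is treated as its baseline; activity after the click from an unfamiliar IP or country, rules that forward outside the company or hide mail, and MFA registration changes are flagged.

```python
from datetime import datetime, timezone

# Constructed sample events for one account. Field names and operation names
# are this example's assumptions, not a vendor schema.
CLICK_TIME = datetime(2024, 5, 6, 9, 12, tzinfo=timezone.utc)
USER = "jane@example.com"
INTERNAL_DOMAINS = {"example.com"}

EVENTS = [
    # Baseline: the employee's normal sign-ins from the office IP before the click.
    {"time": "2024-05-01T08:05:00Z", "op": "UserLoggedIn", "user": USER, "ip": "203.0.113.10", "country": "US"},
    {"time": "2024-05-06T08:02:00Z", "op": "UserLoggedIn", "user": USER, "ip": "203.0.113.10", "country": "US"},
    # A benign rule the employee created weeks earlier.
    {"time": "2024-04-20T10:00:00Z", "op": "New-InboxRule", "user": USER, "ip": "203.0.113.10",
     "params": {"Name": "Newsletters", "MoveToFolder": "Reading"}},
    # Nineteen minutes after the click: sign-in from an IP and country never seen on this account.
    {"time": "2024-05-06T09:31:00Z", "op": "UserLoggedIn", "user": USER, "ip": "198.51.100.77", "country": "NG"},
    # Attacker adds a rule that forwards mail out and deletes it so the victim never sees replies.
    {"time": "2024-05-06T09:33:00Z", "op": "New-InboxRule", "user": USER, "ip": "198.51.100.77",
     "params": {"Name": ".", "ForwardTo": "collector@attacker.example", "DeleteMessage": True}},
    # Attacker registers their own MFA method for persistence.
    {"time": "2024-05-06T09:35:00Z", "op": "User registered security info", "user": USER, "ip": "198.51.100.77",
     "params": {"Method": "Authenticator app"}},
]

RULE_OPS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}
FORWARD_KEYS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "ForwardingSmtpAddress")
HIDE_FOLDERS = {"rss subscriptions", "rss feeds", "archive", "conversation history", "junk email"}
MFA_OPS = {"User registered security info", "Update user"}


def parse_time(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def is_external(address):
    """True when the address is outside the company's own domains."""
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


def triage(events, click_time, user):
    """Return (severity, description) findings for post-click activity on one account.

    Activity before the click forms the baseline of known IPs and countries;
    only activity at or after the click is scored.
    """
    mine = sorted((e for e in events if e["user"] == user), key=lambda e: parse_time(e["time"]))
    before = [e for e in mine if parse_time(e["time"]) < click_time]
    known_ips = {e["ip"] for e in before}
    known_countries = {e["country"] for e in before if e.get("country")}
    findings = []
    for e in mine:
        if parse_time(e["time"]) < click_time:
            continue
        op, ip, params = e["op"], e["ip"], e.get("params", {})
        # Sign-in from somewhere this account has never been seen.
        if op == "UserLoggedIn" and (ip not in known_ips or e.get("country") not in known_countries):
            findings.append(("high", f"{e['time']} sign-in from unfamiliar {ip} ({e.get('country')})"))
        # Mailbox or inbox rules that leak mail outward or hide it from the owner.
        if op in RULE_OPS:
            for key in FORWARD_KEYS:
                if key in params and is_external(params[key]):
                    findings.append(("critical", f"{e['time']} {op} forwards mail to external {params[key]}"))
            if params.get("DeleteMessage") or str(params.get("MoveToFolder", "")).lower() in HIDE_FOLDERS:
                findings.append(("high", f"{e['time']} {op} hides incoming mail (rule name {params.get('Name')!r})"))
        # Any change to MFA / security info after the click is suspect.
        if op in MFA_OPS:
            findings.append(("critical", f"{e['time']} MFA / security info changed from {ip}"))
    return findings


if __name__ == "__main__":
    for severity, text in triage(EVENTS, CLICK_TIME, USER):
        print(f"[{severity.upper():8}] {text}")
```

On the constructed data this reports four findings: the unfamiliar sign-in, the external forward, the delete-on-arrival rule and the new MFA method; the pre-click "Newsletters" rule is correctly ignored because it is part of the baseline. To use it on a real export you would map your platform's field names onto the ones assumed here and set INTERNAL_DOMAINS to your own domains.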
Step 5: Watch for fraud and notify the right people
Phishing is often the first step toward financial fraud or business email compromise. Warn your finance team to be skeptical of any payment or wire-transfer requests, and alert other employees that a phishing campaign is active so they do not fall for the same email. If sensitive customer or employee data may have been exposed, you may have breach-notification obligations — see our guide on what to do after a data breach.
Step 6: Document what happened
Write down the timeline: when the email arrived, when it was clicked, what the employee entered, what you did in response, and when. Keep the original phishing email with its full headers and the link it pointed to rather than deleting it; investigators, your email-filter vendor and your insurer will want it, and it lets you block the sender and URL for everyone else. This record helps if you need to file a cyber-insurance claim, report to authorities, or simply learn from the incident. It also feeds your incident response plan, and if you do not have one yet, this is the moment to build it.
Step 7: Learn and harden
Once the immediate fire is out, use the incident to get stronger. Share a sanitized version with your team as a teachable moment, run a refresher on spotting phishing, confirm MFA is on everywhere, and consider email-filtering and security-awareness training to reduce the next click. A single click does not have to become a breach — and a business that responds well to a near-miss is far better prepared for the real thing.
Watch for the follow-on attack
A phishing click is often the opening move, not the whole attack, so stay alert in the days that follow. Criminals who harvest a password frequently wait before using it, then strike with a follow-on scam — a fake invoice to your accounts-payable team, a wire-transfer request that appears to come from the boss, or a fresh phishing email sent from the now-trusted internal account. Brief your finance staff to verify any payment or banking-change request by phone using a known number, not by replying to the email. Keep an eye on the affected accounts for unusual logins for at least a couple of weeks, and consider dark web monitoring to catch the credentials if they surface for sale. Treating the click as the start of a campaign — rather than a one-off — keeps you from being caught off guard by the second wave.
When to get professional help
If credentials were entered, money moved, or you see signs the attacker actually got in — strange emails sent, data accessed, accounts changed — bring in professional help quickly. A managed security provider or incident-response specialist can confirm the scope, make sure the attacker is fully out, and guide your notifications. Veteran Forge Strategies helps small businesses respond to incidents and build the defenses that prevent the next one. The cost of an hour of expert help is tiny next to the cost of a missed compromise.
Key takeaways
- Don’t blame the employee — reward reporting so incidents surface fast.
- Disconnect or isolate the device, then change the password and revoke active sessions from a clean device.
- Enable MFA and remove any attacker-added MFA methods, app consents or forwarding rules.
- Scan for malware, check sign-in activity, and warn finance about fraud.
- Document the timeline and harden your defenses afterward.
Frequently asked questions
What should I do first if an employee clicks a phishing link? Disconnect the device from the network to contain any malware, then change the affected passwords from a known-clean device, revoke the account's active sessions, and enable MFA.
Is clicking a phishing link always a disaster? No — if no credentials were entered and no malware ran, the risk may be low. But you should still scan the device, change passwords as a precaution, and watch for unusual activity.
Should I report a phishing incident? If credentials or money were lost, yes — report it (for example to the FBI’s IC3) and notify your bank and insurer. Even minor incidents are worth documenting.