What to Do If You Click a Phishing Link: The 15-Minute Incident Response Checklist

May 27, 2026


You’re moving through your inbox. You click a link. A half-second later, something feels wrong. The page looks slightly off. The URL doesn’t match the sender. You close the tab immediately.

Now what?

The instinct to close the browser and hope for the best is common. It’s also one of the most costly reactions in a phishing incident. Attackers don’t need a long session to do damage. The first few minutes after a click determine whether this becomes a minor log entry or a formal breach notification.

According to Verizon’s Data Breach Investigations Report, phishing remains one of the leading initial access vectors in confirmed data breaches year after year. This article walks through a scenario-branching 15-minute checklist that covers every post-click outcome: no credentials entered, password submitted, attachment downloaded, or a mobile device involved. It also covers exactly what to tell your IT team when it happens at work.

Not every click results in immediate compromise. The outcome depends entirely on which type of link you hit.

The four most common types are credential harvesters, drive-by download pages, redirect chains, and tracking pixels. Understanding how phishing attacks are constructed helps you identify the category and calibrate your response.

Credential-harvesting pages mimic real login screens and capture passwords the instant a user types them. They’re the most common attack vector against business accounts. Drive-by download pages take a different approach: they install malware silently on unpatched systems with no further user action required after the click.

Redirect chains and tracking pixels confirm to the attacker that your email address is active. That confirmation frequently triggers targeted follow-up attacks on the same account.

Three factors determine severity: what the link did, what you did after clicking, and how quickly your organization responds.

The 15-Minute Incident Response Checklist

Work through these steps in order. If you’re on a work device, complete steps one through three before doing anything else on the affected machine.

  1. Minutes 0–2: Disconnect from the network. Pull the Ethernet cable and disable Wi-Fi immediately. This halts any lateral movement or data exfiltration already in progress.
  2. Minutes 2–3: Screenshot before you close anything. Do not close the browser tab. Capture the full URL bar and visible page content for the IT incident record before the session expires.
  3. Minutes 3–5: Notify IT from a clean device. Report the incident to your IT team or managed security provider before touching the affected machine again. Use your phone or another workstation.
  4. Minutes 5–10: Change passwords on a clean device. Reset every account associated with the link destination, starting with business email and your single sign-on (SSO) platform.
  5. Minutes 10–15: Run a full malware scan. Use your organization’s managed endpoint security client. Do not use a personal or free consumer tool on a business device.
  6. Post-checklist: Review account activity logs. Check email, cloud storage, and any business applications that were open or logged in at the time of the click.
  7. Post-checklist: Document everything. Record the timestamp, device name, link URL, and every action taken so IT can build a formal incident record.
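Step 6 asks for a review of account activity logs. The script below is an added example, not code from the article or from LeadingIT; it shows what that review looks like once it is scripted rather than done by eye. It takes a sign-in export and flags every successful sign-in after the click that comes from an IP address, country or user agent the account had never used before the click. The field names (time, user, ip, country, user_agent, result) and every record in the sample are constructed assumptions; an export from your identity platform will need mapping onto them.

```python
"""Review sign-in activity around a phishing click.

Added example, not code from the original article. It assumes the
identity platform's sign-in log has been exported as a list of records
with the fields time, user, ip, country, user_agent and result; those
field names and every record below are constructed for illustration.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample log for one user. The click happened at 09:14 UTC;
# the 08:02 entry is the user's normal workstation, the 09:21/09:25
# entries are what a replayed credential typically looks like.
SAMPLE_SIGNINS = [
    {"time": "2026-05-27T08:02:00Z", "user": "jdoe", "ip": "203.0.113.10",
     "country": "US", "user_agent": "Edge/Windows", "result": "success"},
    {"time": "2026-05-27T09:21:00Z", "user": "jdoe", "ip": "198.51.100.77",
     "country": "NL", "user_agent": "python-requests/2.31", "result": "success"},
    {"time": "2026-05-27T09:25:00Z", "user": "jdoe", "ip": "198.51.100.77",
     "country": "NL", "user_agent": "python-requests/2.31", "result": "success"},
    {"time": "2026-05-27T09:33:00Z", "user": "jdoe", "ip": "198.51.100.78",
     "country": "NL", "user_agent": "Edge/Windows", "result": "failure"},
    {"time": "2026-05-27T09:40:00Z", "user": "jdoe", "ip": "203.0.113.10",
     "country": "US", "user_agent": "Edge/Windows", "result": "success"},
]


def parse_time(value):
    """Parse the constructed 'YYYY-MM-DDTHH:MM:SSZ' timestamp as UTC."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def review_signins(signins, user, click_time, window=timedelta(hours=24)):
    """Return successful sign-ins for `user` inside `window` after the click
    whose IP, country or user agent never appears in that user's successful
    sign-ins before the click (the baseline).

    Each finding is a dict with the sign-in time, the IP and a list of reasons.
    """
    click = parse_time(click_time)
    user_signins = [s for s in signins if s["user"] == user]
    baseline = [s for s in user_signins
                if s["result"] == "success" and parse_time(s["time"]) < click]
    known_ips = {s["ip"] for s in baseline}
    known_countries = {s["country"] for s in baseline}
    known_agents = {s["user_agent"] for s in baseline}

    findings = []
    for s in user_signins:
        t = parse_time(s["time"])
        # Failed attempts are useful context but are not a session to revoke.
        if s["result"] != "success" or not (click <= t <= click + window):
            continue
        reasons = []
        if s["ip"] not in known_ips:
            reasons.append("new IP")
        if s["country"] not in known_countries:
            reasons.append("new country")
        if s["user_agent"] not in known_agents:
            reasons.append("new user agent")
        if reasons:
            findings.append({"time": s["time"], "ip": s["ip"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in review_signins(SAMPLE_SIGNINS, "jdoe", "2026-05-27T09:14:00Z"):
        print(finding["time"], finding["ip"], "; ".join(finding["reasons"]))
```

Every flagged entry is a session to revoke in the identity platform, not just a log line to note: the user's own 09:40 sign-in from the usual workstation is left alone, while the two sign-ins from the unfamiliar address with a scripted user agent are exactly the sessions step 4's password reset does not terminate on its own.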

Clicking the link without entering anything is the most common scenario, and the risk is lower than most people assume. It is not zero.

On a fully patched device with active endpoint protection, visiting a phishing page without entering credentials typically causes no measurable harm. Drive-by exploits that execute silently in the browser require unpatched operating systems or outdated browsers to succeed.

Still required regardless of what was entered: disconnect the device, notify IT, run a scan, and log the event formally. Don’t skip these steps because you believe nothing happened.

Two additional checks after reconnecting:

  • Review your browser’s extension list and recently installed applications for anything added or changed during the session
  • Confirm no browser-saved passwords or session cookies were extracted; some phishing kits target stored credentials without requiring the user to type anything

You Entered a Password or Credentials: Act Immediately

If you typed credentials into the page, treat the account as compromised. Start here:

  • Change the compromised password from a clean device right now. Priority order: business email, VPN, identity platform, banking portals, then business applications.
  • Enable or verify MFA on every account where credentials were submitted. A changed password without multi-factor authentication (MFA) still leaves accounts open to credential-stuffing attacks.
  • Alert IT without delay. They need to audit login activity, revoke active sessions in your identity platform, and check for tokens or OAuth grants created during the session.
  • Check for inbox manipulation. Look for email forwarding rules, new delegate access grants, and inbox filters. Attackers plant these the moment they gain account access, preserving persistent visibility even after a password reset.
  • Escalate if the account touches sensitive data. If the compromised account had access to shared drives, client records, or financial systems, self-remediation is not sufficient. Handle this as a formal security incident.
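The inbox-manipulation check is one your IT team can script rather than click through rule by rule. The audit below is an added example and not the article's or LeadingIT's own code. It assumes the mailbox rules have been exported as dictionaries using the property names Exchange Online's Get-InboxRule cmdlet reports (Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo, DeleteMessage, MoveToFolder, SubjectContainsWords); the rule records, the organization's domain list, the sensitive-subject keyword list and the low-visibility folder list are all constructed for illustration.

```python
"""Audit inbox rules for the persistence patterns the checklist describes.

Added example, not code from the original article. Rules are assumed to be
dicts using the property names Exchange Online's Get-InboxRule reports;
the records, domain list, keyword list and folder list are constructed.
"""

# Constructed: the organization's own mail domains. Forwarding to any
# other domain is treated as external.
INTERNAL_DOMAINS = {"example.com"}

# Constructed: subject words a planted rule often filters on so the owner
# never sees replies about payments or password resets.
SENSITIVE_SUBJECT_WORDS = {"invoice", "payment", "wire", "password", "mfa", "verification"}

# Constructed: folders where a moved message is unlikely to be noticed.
LOW_VISIBILITY_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                          "junk email", "deleted items", "archive"}

# Constructed sample export for one mailbox.
SAMPLE_RULES = [
    {"Name": "Receipts", "Enabled": True, "ForwardTo": [], "ForwardAsAttachmentTo": [],
     "RedirectTo": [], "DeleteMessage": False, "MoveToFolder": "Receipts",
     "SubjectContainsWords": ["receipt"]},
    {"Name": ".", "Enabled": True, "ForwardTo": ["drop@mail.example.net"],
     "ForwardAsAttachmentTo": [], "RedirectTo": [], "DeleteMessage": True,
     "MoveToFolder": None, "SubjectContainsWords": ["invoice", "password", "wire"]},
    {"Name": "Team triage", "Enabled": True, "ForwardTo": ["colleague@example.com"],
     "ForwardAsAttachmentTo": [], "RedirectTo": [], "DeleteMessage": False,
     "MoveToFolder": None, "SubjectContainsWords": ["ticket"]},
    {"Name": "Old", "Enabled": False, "ForwardTo": [], "ForwardAsAttachmentTo": [],
     "RedirectTo": ["someone@webmail.example.org"], "DeleteMessage": False,
     "MoveToFolder": "RSS Feeds", "SubjectContainsWords": []},
]


def _domain(address):
    """Return the lower-cased domain part of an SMTP address."""
    return address.rsplit("@", 1)[-1].lower()


def audit_inbox_rules(rules, internal_domains=INTERNAL_DOMAINS):
    """Return the rules that deserve a human look, each with its reasons.

    Disabled rules are reported too: a rule planted and later disabled can
    be re-enabled in one click, so it belongs in the incident record.
    """
    findings = []
    for rule in rules:
        reasons = []
        targets = []
        for key in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
            targets += rule.get(key) or []
        external = [a for a in targets if _domain(a) not in internal_domains]
        if external:
            reasons.append("forwards or redirects to external address: " + ", ".join(external))
        if rule.get("DeleteMessage"):
            reasons.append("deletes matching messages")
        folder = rule.get("MoveToFolder") or ""
        if folder.lower() in LOW_VISIBILITY_FOLDERS:
            reasons.append("moves mail to a low-visibility folder: " + folder)
        name = rule.get("Name") or ""
        if not name.strip(" .,-_"):
            reasons.append("rule name is empty or punctuation only")
        words = {w.lower() for w in rule.get("SubjectContainsWords") or []}
        hits = sorted(words & SENSITIVE_SUBJECT_WORDS)
        if hits:
            reasons.append("filters on sensitive subject words: " + ", ".join(hits))
        if reasons:
            findings.append({"name": name, "enabled": bool(rule.get("Enabled")),
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_inbox_rules(SAMPLE_RULES):
        state = "enabled" if finding["enabled"] else "disabled"
        print(f"{finding['name']!r} ({state}): " + "; ".join(finding["reasons"]))
```

The ordinary "Receipts" and "Team triage" rules pass because forwarding to a colleague on the organization's own domain is normal. The rule named "." trips four checks at once, which is the shape the checklist warns about; the disabled "Old" rule is still reported because the redirect target is external and the folder is one nobody reads.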

Business email compromise attacks that follow credential theft typically unfold within hours of the initial breach.

You Downloaded an Attachment: Scan and Isolate the Device

A downloaded and opened attachment is the highest-severity post-click scenario. Macro-enabled Office documents, executables, and password-protected ZIP files are the most common malware delivery formats in business-targeted phishing campaigns.

Isolate the device from the network before starting any scan. A connected device gives malware a path to network shares, backup agents, and other endpoints within minutes.

Back up your files before remediation begins. Work with IT to capture an isolated backup. If imaging is required later, that snapshot makes data recovery significantly faster.

Run a full system scan using your organization’s managed endpoint detection and response (EDR) tool. A standard consumer antivirus product is not the right primary remediation mechanism for a business device.

If the scan returns clean but the device shows unusual behavior, assume compromise and request a forensic review from your IT provider before returning it to production. Warning signs include:

  • Slow or degraded performance with no clear cause
  • Unexpected scheduled tasks appearing in system settings
  • Anomalous outbound network connections
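The second warning sign, unexpected scheduled tasks, is one a reviewer can triage systematically rather than by scrolling the Task Scheduler. The script below is an added example, not the article's or LeadingIT's own code. It assumes the task list has been exported as dictionaries with the fields TaskName, Author, Date, Command and Arguments (named after the corresponding elements in Windows Task Scheduler's XML task definitions), and it flags a task when it was registered after the click or when its action runs from a directory a standard user can write to. The path-fragment list and every task record are constructed for illustration.

```python
"""Triage scheduled tasks on a device that scanned clean but behaves oddly.

Added example, not code from the original article. It assumes the task
list has been exported as dicts with the fields TaskName, Author, Date,
Command and Arguments (named after the elements in Windows Task
Scheduler's XML definitions); the marker list and every record below
are constructed for illustration.
"""
from datetime import datetime

# Constructed: path fragments for locations a standard user can write to.
# Legitimate installers rarely register scheduled actions from here.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\users\\public\\",
                         "\\programdata\\", "\\downloads\\")

# Constructed sample. The phishing click happened at 09:14 on 2026-05-27.
SAMPLE_TASKS = [
    {"TaskName": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
     "Author": "Microsoft Corporation", "Date": "2025-11-02T10:00:00",
     "Command": "%windir%\\system32\\defrag.exe", "Arguments": "-c -h -o -$"},
    {"TaskName": "\\OneDrive Standalone Update",
     "Author": "CORP\\jdoe", "Date": "2026-05-27T09:31:44",
     "Command": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\updater.exe", "Arguments": ""},
    {"TaskName": "\\Adobe Acrobat Update Task",
     "Author": "Adobe Systems Incorporated", "Date": "2025-09-14T12:30:00",
     "Command": "C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\AdobeARM.exe",
     "Arguments": ""},
    {"TaskName": "\\Backup",
     "Author": "CORP\\jdoe", "Date": "2026-03-01T18:05:00",
     "Command": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "Arguments": "-File C:\\Users\\jdoe\\AppData\\Roaming\\backup\\sync.ps1"},
]


def triage_tasks(tasks, click_time):
    """Return tasks registered after the click or launched from a
    user-writable path, each with the reasons it was flagged.

    Command and Arguments are checked together, so a trusted interpreter
    pointed at a script in a user profile is caught as well.
    """
    click = datetime.fromisoformat(click_time)
    findings = []
    for task in tasks:
        reasons = []
        if datetime.fromisoformat(task["Date"]) >= click:
            reasons.append("registered after the click")
        command_line = (task.get("Command", "") + " " + task.get("Arguments", "")).lower()
        if any(marker in command_line for marker in USER_WRITABLE_MARKERS):
            reasons.append("action runs from a user-writable directory")
        if reasons:
            findings.append({"task": task["TaskName"], "author": task["Author"],
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in triage_tasks(SAMPLE_TASKS, "2026-05-27T09:14:00"):
        print(finding["task"], "by", finding["author"], "-", "; ".join(finding["reasons"]))
```

A flagged task is not proof of compromise; the "Backup" entry may well be the user's own script. The point is that the reviewer hands the forensic team a short list with reasons attached instead of a screenshot of the whole Task Scheduler tree, and that a task registered minutes after the click gets looked at first.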

What to Do If It Happened on a Business Phone or Mobile Device

Mobile devices are high-value targets in business environments. Android devices face particular exposure to browser-delivered payloads and drive-by installs when OS patches are out of date or device protections are disabled.

Disconnect from Wi-Fi immediately and remove the device from corporate email. If the phone is enrolled in mobile device management (MDM), notify IT so they can push an isolation or lock command remotely without requiring physical access.

Review recently installed applications and revoke permissions granted during or after the session. Audit these specific access points:

  • Camera access
  • Contacts and storage access
  • Configuration profiles installed without explicit user approval

If your organization uses VoIP phone systems, a compromised mobile endpoint exposes more than email. Call routing credentials and contact data stored on the device become part of the incident surface IT needs to audit.

For company-owned devices, IT may perform a remote wipe and re-enroll from a clean image. Personal devices used for work require a separate BYOD protocol, and that protocol should exist before an incident occurs, not be invented during one.

Telling Your IT Team and Reporting the Incident

Report the click immediately, and without fear of punishment. Delayed reporting is the single biggest factor that turns a containable incident into a confirmed breach. Organizations that self-report within minutes give IT the window needed to revoke credentials and halt lateral movement before data leaves the network.

Your IT team or managed security provider should log the event in the formal incident response record, assess whether regulated data was accessible, and determine whether external notification obligations apply.

Forward the original phishing email as an attachment, not inline, to:

  • Your IT team
  • Your email security platform
  • The Anti-Phishing Working Group at reportphishing@apwg.org

The APWG shares threat intelligence across the industry, helping protect other organizations from the same active campaign.

If credentials to systems storing regulated data were exposed, such as HIPAA-covered records, PCI cardholder data, or FTC Safeguards-protected information, involve legal and compliance counsel early. Waiting until remediation is complete often creates compliance exposure that early involvement prevents.

Organizations using managed hardware solutions can accelerate device replacement and re-provisioning after a confirmed compromise, reducing the downtime gap between isolation and return to production.

Take Control Before the Next Click

A single phishing click rarely destroys a business. Slow, uncoordinated response does. The value of a 15-minute checklist is that it removes the paralysis. When every person on your team knows exactly what to do in the first quarter-hour, incidents stay small and containable. When no one does, a credential page visit becomes a full account takeover before lunch.

Post-click response is one layer of a functioning security posture. If your organization lacks documented incident response procedures, managed endpoint protection, or a fast process for isolating compromised devices, those gaps exist independent of any individual click.

When phishing incidents become a managed process rather than a recurring crisis, your team can focus on the work that actually moves the business forward.

LeadingIT provides managed IT and cybersecurity services to businesses with 25 to 250 employees across Chicagoland, including endpoint protection, 24/7 monitoring, incident response, vCIO guidance, and compliance support. We solve problems before they reach your inbox.

Contact our Chicagoland IT support team or call 815-788-6041 to schedule a free assessment.


Stephen Taylor is the founder and driving force behind LeadingIT, a Chicagoland-based IT and cloud services company, where he focuses on delivering practical, client-first technology solutions for businesses. A Microsoft Certified professional and author of Technology Should Just Work, he combines hands-on expertise with a passion for making IT simple, transparent, and effective.
