Don't panic – here's what to do if you accidentally click a scam link

Accidentally clicking a link in a phishing email can be worrying. Although it doesn't automatically mean your device is compromised, some malicious websites may attempt to download malware in the background, so it's worth taking a few precautionary steps.

Using a Which?-recommended antivirus, enabling two-factor authentication (2FA) on your accounts and checking for signs of suspicious activity can all help give you peace of mind and keep your personal information hidden from prying eyes.

Below, we round up the practical steps you should take and the warning signs to look out for.

Get a year of super-useful advice

Solve your tech issues and get a year of our super-useful tech support for only £49 a year.

Join Which? Tech Support

Already a Tech Support member? For more help and 1-2-1 technical advice, including buying advice, go to our Tech Support online booking tool.

I clicked a link in a scam email – what should I do?

'I received an email claiming that my Outlook account was going to be deleted. It was clearly a scam, as it was full of spelling mistakes and the sender was not Microsoft. The issue is that, while reading the email, I accidentally clicked on the link it contained. I didn't enter any information, but I'm really worried that something may have happened to my device.

'Is there anything I should do to protect my device?'

Which? Tech Support member

1. Close the page and disconnect from the internet

If you've just clicked a suspicious link, stop interacting with the page immediately. Don't click any buttons, fill in any forms or call any phone numbers shown onscreen. 

Instead, close the browser tab or window right away.

In some cases, a malicious website might attempt to trigger an automatic download – this is so hackers can install malware (such as a virus) on your device. If you suspect this has happened, switch off your device immediately to help disrupt any download or remote connection. 

After restarting it, disconnect from the internet by turning off wi-fi or enabling Airplane mode on a PC or smartphone.

2. Check your device for threats

Once you've closed the website that opened after you clicked the phishing link, run a full scan using your device’s security software. If you're given a choice, select a full system scan rather than a quick scan. A full scan is more thorough and checks all files and running programs.

If your antivirus identifies any issues, follow the on-screen instructions to remove or quarantine the files.

• On Windows – if you don’t already have third-party antivirus software installed, you can use Microsoft Defender, which is built into Windows. Open the Start menu and type Windows Security, then select Virus & threat protection. Click Scan options, choose Full scan, and select Scan now.
• On Mac – Apple includes built-in protections which update automatically with macOS. You can make sure your machine is updated by going to System Settings > General > Software Update. If you use additional security software, run a full scan there too.

On smartphones, full system antivirus scans aren't always necessary. Instead, do this:

• On Android –open the Google Play Store, tap your profile icon, and run a scan using Play Protect, or use a trusted mobile antivirus app. If you clicked the link in Chrome, you can also open Chrome, tap the three dots > History > Delete browsing data.
• On iPhone – traditional antivirus scans aren't possible, so focus on clearing your Safari or Chrome browsing data and ensuring iOS is up to date. Go to Settings > Safari > Clear History and Website Data. If you use Chrome, open the app, tap the three dots > History > Delete browsing data.

Thanks to our lab tests, we know the built-in security in Windows and macOS isn't a patch on the best antivirus when it comes to protecting you from phishing attacks. We've even discovered free software that's better.

3. Secure your online accounts

Update your passwords

Once you’ve run a full scan and confirmed your device is safe, you can reconnect to the internet.

In cases where you entered personal information or login details on the phishing website, act quickly. Change the password for that account straight away, especially if you entered your email password. Your inbox is particularly important because it can be used to reset passwords for other services.

If you reuse the same password elsewhere, update those accounts too. Make sure each account has a strong, unique password. Consider using a reputable password manager to create and store secure passwords.

• To change your Gmail password, for example, you can go to myaccount.google.com, then Security and sign-in > Password. 
• On Outlook, it's account.microsoft.com > Change password.

Activate two-factor authentication

As an additional layer of protection, enable two-factor authentication (2FA). When you activate 2FA, attempting to access an account from a new device will prompt the service to send a unique code to your smartphone or another trusted device. That means you have the power to approve or deny new logins.

To set up 2FA, you’ll likely need to provide your mobile number or use an authentication app. The service will then send you a confirmation code to verify the setup.

If you want to enable 2FA on your Google account from a computer, for example, follow these steps:

1. Head to myaccount.google.com and sign in with your email and password
2. On the left, choose Security, then scroll to the How you sign in to Google heading
3. Select 2-Step Verification and follow the on-screen instructions.

Keep your personal information secure with strong passwords, Which? Best Buy antivirus and more. See 12 things every laptop or PC owner should do to keep their data safe.

4. Check for signs of suspicious activity

Even if your antivirus scan didn't detect any threats, it’s still worth keeping an eye on your device over the next few days. Be wary of unusual behaviour such as unexpected pop-ups, browser redirects, new toolbars, or warnings claiming your device is infected. These can sometimes indicate unwanted software or malicious extensions.

If your device suddenly becomes much slower than usual or crashes frequently, that could be a sign that something isn’t right (See also: My computer keeps crashing – what should I do?).

You should also manually review installed apps and browser extensions to remove anything suspicious or unfamiliar.

Review installed apps

• On Windows – go to Settings > Apps > Installed apps and sort by Date installed. If you spot anything you don’t recognise, select the three dots and choose Uninstall.
• On Mac – open System Settings > General > Storage > Applications to see a list of installed apps. You can also check via Finder > Applications. Drag unwanted apps to the Bin, then empty it.
• On Android – go to Settings > Apps > See all apps to scroll through everything installed on your device.
• On iPhone – swipe to the very last page of your home screen to check the App Library, or scroll through the app list at the bottom of your main Settings menu. Delete anything you don't recognise.

Review browser extensions

• In Google Chrome or Microsoft Edge – click the three dots in the top right corner, select Extensions, and remove anything unfamiliar.
• In Safari – go to Safari > Settings > Extensions and uninstall any extensions you don't recognise.

5. Report the scam

By reporting scam emails, you can prevent others from falling victim. 

Most email providers allow you to mark a message as phishing, which helps improve their filtering systems. On Gmail, for example, open the message, click the three dots next to the Reply button, and select Report phishing. In Outlook, open the message and select Report > Report phishing in the toolbar at the top of the screen.

In the UK, phishing emails and online scams can be reported to Report Fraud (formerly known as Action Fraud). It gathers intelligence on scams and passes it on to the National Fraud Intelligence Bureau for analysis by the police.

You can also report the scam to the company being impersonated.

Reporting a scam is important to help stop criminals and to prevent others from falling victim. Explore our guide on how to report a scam.

How to spot a phishing email

• Check the sender's email address – this may consist of random numbers, letters or words that have nothing to do with the organisation the scammer is impersonating.
• Find out if the linked website is legitimate – the domain information checker Who.is will show you when the website was created. If the site was created recently, it's likely to be dodgy.
• Look for a sense of urgency – if the email asks you to update or re-enter your personal information or bank details out of the blue, it's likely to be a scam.
• Watch for generic greetings – messages with 'Dear customer' or 'Dear user' instead of your name can be a red flag, especially if the company normally addresses you personally.

If you're unsure, avoid clicking links in emails. Instead, type the official website address directly into your browser and log in there.

For more details, see our guide on how to spot an email scam. 

Join Which? Tech Support

Get a year of super-useful advice

Solve your tech issues and get a year of our super-useful tech support for only £49 a year.

Join Which? Tech Support

Which? Tech Support can help you keep on top of your home tech. Our experts explain things clearly so that you can resolve issues and feel more confident using your devices.

Get unlimited 1-2-1 expert support:

• by phone – clear guidance on choosing, setting up, using and resolving issues with your home tech devices.
• by email – outline the issue, and we’ll email you our answer.
• by remote fix – we connect securely from our office to your home computer and resolve issues while you watch.
• in print – Which? Tech magazine – six issues a year delivered to your door.

Join Which? Tech Support.