If you have clicked a phishing link, the most important thing to do right now is disconnect your device from the internet, do not turn it off, and contact your IT team or managed security provider immediately. Speed matters, but so does what you do not do. The wrong response in the first five minutes can make a recoverable situation significantly worse.
This guide reflects what we actually do at Otto IT when a client calls us after a phishing click. It is not a generic checklist. It is the real incident response sequence we use, including the steps most guides miss and the Australian legal obligations your business may need to meet.
It Happens More Often Than Anyone Admits
An employee at a Melbourne accounting firm clicks a link in what looks like a routine supplier email. The email matches the supplier’s usual format, uses their logo, and references a real invoice number from a previous job. The link opens a Microsoft 365 login page. The employee enters their credentials and only notices something is wrong when the page fails to redirect properly.
That scenario is not unusual. We see variations of it several times a month across our client base. The phishing emails targeting professional services firms in Australia have become remarkably convincing. They are personalised, they reference real business relationships, and they arrive at moments when staff are busy and moving quickly.
The good news is that a phishing click, even one where credentials were entered, does not have to become a breach. What you do in the next ten minutes largely determines the outcome.
What to Do If You Clicked a Phishing Link: The Real Sequence
The steps below are ordered by priority. Do not skip ahead. Each action is taken in this sequence for a reason.
Step 1: Disconnect from the Internet, Not the Power
Turn off Wi-Fi or unplug the ethernet cable from the device you clicked on. Do this immediately. Cutting the network connection stops any malware from communicating with its command-and-control server, which is where it receives instructions and sends your data. This single action limits the blast radius more than almost anything else you can do in the moment.
Do not shut down or restart the device. This is critical and explained further in the section below on what not to do. Volatile memory on a running machine contains forensic evidence that disappears the moment you power off. Your IT team needs that evidence to understand what happened.
Step 2: Do Not Touch the Keyboard Until IT Is on the Line
If your organisation has a managed IT or security provider, call them now. Use your phone, not the potentially compromised device. While you wait for guidance, do not open any other applications, do not attempt to run antivirus manually, and do not browse to any other sites. Every additional action on a potentially compromised machine creates more noise that complicates the investigation.
If you are the IT person, or there is no IT support available, continue with the steps below and document every action you take with a timestamp.
Step 3: If You Entered Credentials, Change Them from a Different Device
If you typed a password into the page before realising it was fake, that password is compromised. Use a completely separate device (your personal phone on mobile data is ideal) to change the password for the affected account. Change it for any other account that uses the same password. If you reuse passwords across services, treat every one of those accounts as compromised until proven otherwise.
Enable multi-factor authentication on the affected account immediately if it is not already active. Even if the attacker has your password, MFA stops them from using it in most cases.
Step 4: Report It Immediately, Including to Management
Notify your IT team, your manager, and if there is any indication of a serious incident, your organisation’s leadership. The instinct to quietly resolve it and hope nothing happened is understandable but dangerous. Many breaches escalate because the person who clicked the link waited hours before telling anyone, allowing the attacker time to move laterally through the network.
Reporting it quickly is not an admission of failure. It is the responsible action that gives your business the best chance of containing the damage.
Step 5: Preserve Everything and Begin Documentation
Take a photo of the phishing email on your screen if it is still visible. Screenshot the URL in the browser. Write down the exact time you clicked the link, what the email said, who it appeared to come from, and what happened after you clicked. This documentation is essential for your incident response process and may be required for regulatory notification obligations.
Forward the original phishing email to your IT team before deleting it. Do not just delete it without preserving a copy, as the email headers contain valuable information about where it originated.
What NOT to Do After Clicking a Phishing Link
Most guides focus on the right actions. The wrong actions matter equally. These are the mistakes we see businesses make that turn a contained incident into a serious breach.
Do Not Turn Off the Device
Powering off a machine wipes the volatile memory (RAM), which is where forensic evidence of what the malware did lives. If your security team needs to investigate what happened, that evidence is gone the moment you shut down. Keep the device running, keep it isolated from the network, and let your security provider guide the next steps.
Do Not Change Passwords from the Compromised Device
If the device has malware on it, that malware may be logging your keystrokes. Changing your password from the compromised machine could hand the new password directly to the attacker. Always use a separate, trusted device for credential changes after a suspected compromise.
Do Not Handle This Without Telling Management
IT resolving an incident quietly, without informing the business, is a pattern we see regularly, and it consistently makes things worse. Management needs to know because they may need to make decisions about client communication, regulatory notification, and business continuity. IT does not have the authority or the full picture to make those calls alone.
Do Not Ignore It Because Nothing Seems Wrong
Some malware is designed to be invisible. It sits dormant, exfiltrates data slowly, or waits for a trigger. Just because nothing obvious happened after the click does not mean nothing happened. A proper investigation is required regardless of what you can see on screen.
How to Tell If the Click Caused a Breach
Not every phishing click results in a compromise. Here are the specific indicators your IT team will look for to determine whether the click led to a breach.
Signs That Credentials Were Stolen
Sign-in alerts from unfamiliar locations or devices appearing in your account activity log. Password reset emails you did not request arriving in your inbox. Colleagues receiving suspicious emails that appear to come from your account. Changes to email forwarding rules or account settings that you did not make. All of these are indicators that your credentials were captured and are being actively used by an attacker.
Signs That Malware Was Installed
Unusual CPU or disk activity on the device, particularly if the machine is slow or running hot when idle. New programs or browser extensions that you did not install appearing on the system. Antivirus alerts that appear after the click event. Files being modified or encrypted, which is an indicator of ransomware beginning its work. Network traffic to unusual external destinations showing up in your firewall logs.
Signs That Lateral Movement Has Occurred
Other machines on the same network exhibiting unusual behaviour at the same time. Failed login attempts on other accounts within your organisation. Access to internal file shares or systems from the compromised account outside of normal business hours. These signs indicate the attacker has moved beyond the initial compromise and is exploring your broader network environment.
If any of these indicators are present, the incident has escalated beyond a simple phishing click and requires a full incident response engagement. Otto IT’s managed cyber security services include 24/7 monitoring and incident response for exactly these situations.
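As an added illustration (not part of the original article and not Otto IT's own tooling), this Python script runs the checks described in the three sections above over a few constructed Microsoft 365-style audit records: a sign-in from a country outside the user's baseline, a new forwarding rule, off-hours file access, and the same unfamiliar IP failing logins against a colleague's account. The field names, the per-user country baseline, and the business-hours window are assumptions.

```python
import json
from datetime import datetime

# Constructed sample records in the style of a Microsoft 365 unified audit log export
# (simplified field set, not real data). Times are read as local Melbourne time.
SAMPLE_LOG = """\
{"CreationTime":"2025-03-04T09:12:09","UserId":"jane@example.com.au","Operation":"UserLoggedIn","ClientIP":"203.0.113.10","Country":"AU"}
{"CreationTime":"2025-03-04T09:18:41","UserId":"jane@example.com.au","Operation":"UserLoggedIn","ClientIP":"198.51.100.7","Country":"NG"}
{"CreationTime":"2025-03-04T09:21:03","UserId":"jane@example.com.au","Operation":"New-InboxRule","Parameters":{"ForwardTo":"drop@mailbox.test","DeleteMessage":"True"}}
{"CreationTime":"2025-03-04T09:25:30","UserId":"bob@example.com.au","Operation":"UserLoginFailed","ClientIP":"198.51.100.7","Country":"NG"}
{"CreationTime":"2025-03-04T02:40:00","UserId":"jane@example.com.au","Operation":"FileAccessed","ClientIP":"198.51.100.7","ObjectId":"https://sharepoint.example/finance/clients.xlsx"}
"""

KNOWN_COUNTRIES = {"jane@example.com.au": {"AU"}}  # assumed per-user sign-in baseline
FORWARD_KEYS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
BUSINESS_HOURS = range(7, 20)  # 07:00 to 19:59 is treated as normal working time

def triage(log_text, compromised_user):
    """Return (category, detail) findings for the indicators described above."""
    events = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    findings, suspect_ips = [], set()
    for e in events:
        op, user = e.get("Operation"), e.get("UserId")
        hour = datetime.fromisoformat(e["CreationTime"]).hour
        # 1. Sign-in from a country outside this user's baseline
        if op == "UserLoggedIn" and user == compromised_user:
            if e.get("Country") not in KNOWN_COUNTRIES.get(user, set()):
                suspect_ips.add(e["ClientIP"])
                findings.append(("unfamiliar_signin", f"{e['Country']} via {e['ClientIP']}"))
        # 2. Inbox rule that forwards or redirects mail out of the mailbox
        if op in ("New-InboxRule", "Set-InboxRule") and user == compromised_user:
            hits = FORWARD_KEYS & set(e.get("Parameters", {}))
            if hits:
                findings.append(("forwarding_rule", f"{op} sets {sorted(hits)}"))
        # 3. File share access from the compromised account outside business hours
        if op == "FileAccessed" and user == compromised_user and hour not in BUSINESS_HOURS:
            findings.append(("off_hours_access", e.get("ObjectId", "")))
    # 4. Lateral movement: the unfamiliar IP now failing logins against other accounts
    for e in events:
        if (e.get("Operation") == "UserLoginFailed" and e.get("UserId") != compromised_user
                and e.get("ClientIP") in suspect_ips):
            findings.append(("lateral_attempt", f"{e['ClientIP']} -> {e['UserId']}"))
    return findings

if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG, "jane@example.com.au"):
        print(f"{category:18} {detail}")
```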
Australian Legal Obligations After a Phishing Incident
Depending on what was accessed and the size of your business, a phishing incident may trigger specific legal obligations in Australia. This is an area many businesses are not prepared for, and the consequences of missing a notification deadline can be significant.
The Notifiable Data Breaches Scheme
If your business is covered by the Privacy Act 1988 and personal information was accessed or likely accessed as a result of the incident, you may be required to notify the Office of the Australian Information Commissioner (OAIC) and affected individuals. The threshold is whether a reasonable person would conclude that the access is likely to result in serious harm to any of the individuals whose information was involved. The notification must be made as soon as practicable after becoming aware of the eligible data breach.
Mandatory Ransomware Payment Reporting
If the phishing click led to a ransomware infection and your business has an annual turnover of $3 million or more, you are required to report any ransomware payment to the Australian Signals Directorate (ASD) within 72 hours of making the payment. This reporting obligation was introduced under the Security of Critical Infrastructure Act and its related amendments. Failure to report is a civil penalty matter and cannot be treated as optional.
Even if ransomware payment is not involved, reporting the incident to the Australian Cyber Security Centre (ACSC) via ReportCyber is strongly encouraged and provides your business with access to government support and intelligence resources.
Cyber Insurance Notification Windows
Most cyber insurance policies require you to notify your insurer within a specific timeframe after discovering a potential incident. This window is commonly 24 to 72 hours. Failing to notify within the required window can jeopardise your ability to make a claim. Notify your insurer early, even if you are still assessing the scope of the incident, rather than waiting until you have the full picture.
How Otto IT Responds to a Phishing Incident for Clients
When a client calls us after a phishing click, our response follows a structured sequence designed to contain the incident quickly while preserving the evidence needed for investigation and potential legal obligations.
We begin with remote isolation of the affected device while it is still running. We pull logs from the endpoint, email system, and network before anything is disturbed. We assess whether credentials were entered and whether any post-click activity occurred on the device or the associated account. We check for lateral movement across the client’s broader environment. We then work with the client’s leadership to determine notification obligations and next steps.
The entire initial triage typically takes between 30 and 90 minutes depending on the scope. The faster the client calls us after the click, the better the outcome. If your business does not have a managed security partner with a clear incident response process, the time to establish that relationship is before an incident occurs.
Visit our managed cyber security services page to understand what a proper security engagement looks like for a Melbourne professional services firm, or contact our team directly to discuss your current security posture.
After the Immediate Incident: Building a More Resilient Organisation
Once the immediate response is complete, there are several important follow-up actions that determine whether your organisation is more resilient going forward or simply waiting for the next incident to happen.
Conduct a phishing simulation with your team within the next 30 days. Understanding how the phishing email got through your filters, why it was convincing, and what staff awareness gaps exist is essential context for improving your defences. A one-off incident becomes a pattern without this kind of structured review.
Review your email filtering configuration thoroughly. Most phishing emails that reach inboxes could have been blocked with more aggressive filtering rules, additional DNS-based protections, or better sender verification enforcement such as DMARC, DKIM, and SPF. We regularly find that client environments have email security gaps that have not been revisited since initial setup years earlier.
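The following Python check, added here as an illustration rather than as Otto IT's tooling, shows a monitor-only DMARC record and a soft-fail SPF record beside their enforcing versions and flags the gaps a review should catch. The domain and record strings are constructed, and fetching the live TXT records for your own domain is left out so the script runs offline.

```python
# Constructed example records for a fictional domain; the DNS lookup is left out
# so this runs offline. In practice you would query the TXT records of your domain
# and of _dmarc.<your domain> and feed the strings in.
WEAK = {
    "spf": "v=spf1 include:spf.protection.outlook.com ~all",
    "dmarc": "v=DMARC1; p=none; pct=100",
}
HARDENED = {
    "spf": "v=spf1 include:spf.protection.outlook.com -all",
    "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com.au; adkim=s; aspf=s",
}

def parse_dmarc(record):
    """Split 'v=DMARC1; p=none; ...' into a lower-cased tag dictionary."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def assess(records):
    """Return a list of enforcement gaps; an empty list means both records enforce."""
    gaps = []
    spf = records.get("spf", "")
    if not spf.startswith("v=spf1"):
        gaps.append("no SPF record published")
    else:
        last = spf.split()[-1]
        if last != "-all":
            gaps.append(f"SPF ends in '{last}': unauthorised senders are not hard-failed")
    dmarc = records.get("dmarc", "")
    if not dmarc.startswith("v=DMARC1"):
        gaps.append("no DMARC record published")
        return gaps
    tags = parse_dmarc(dmarc)
    policy = tags.get("p", "missing")
    if policy == "none":
        gaps.append("DMARC p=none: spoofed mail is only reported, never blocked")
    elif policy != "reject":
        gaps.append(f"DMARC p={policy}: spoofed mail is not rejected outright")
    if int(tags.get("pct", "100")) < 100:
        gaps.append(f"DMARC pct={tags['pct']}: policy applies to only part of the mail flow")
    if "rua" not in tags:
        gaps.append("no rua= address: you receive no aggregate reports of who spoofs you")
    return gaps
```

Calling assess(WEAK) lists three gaps and assess(HARDENED) returns an empty list; move a domain from p=none to p=quarantine and then p=reject only after the aggregate reports show legitimate senders are aligned.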
Update your incident response documentation. If this incident exposed gaps in your process, address them now while the experience is fresh. If you do not have a documented incident response plan, create one as a priority. A phishing click is a relatively low-stakes way to discover that gap. A ransomware attack is not.
Frequently Asked Questions
Can you get compromised just by clicking a phishing link without entering anything?
Yes, in some cases. A small number of phishing links exploit browser vulnerabilities to execute code without any user input beyond the initial click. This is less common than credential-harvesting attacks but it does occur. Modern browsers and regular patching significantly reduce this risk. This is why disconnecting from the internet immediately after clicking is important regardless of whether you entered any information.
How long does an attacker have access before you can stop them?
If credentials were stolen, attackers typically attempt to use them within minutes. Automated systems test stolen credentials against multiple services almost immediately. This is why changing passwords and enabling MFA from a different device, as quickly as possible, is so important. The longer the window of access, the more the attacker can do, including changing account recovery options to lock you out.
Do you need to tell clients if a staff member clicked a phishing link?
That depends on what data was accessible on the compromised account or device. If client personal information was stored in systems the attacker could have accessed, and a reasonable person would conclude serious harm is possible, then notification under the Notifiable Data Breaches scheme may be required. This is a legal question that should be assessed with input from your legal team and your IT provider, not a judgement call made by the person who clicked the link.
Is a phishing click considered a notifiable data breach in Australia?
Not automatically. A phishing click becomes a notifiable data breach when it results in the unauthorised access to or disclosure of personal information, and a reasonable person would conclude that this access is likely to cause serious harm. The assessment requires understanding what information was accessible, what the attacker likely did, and the sensitivity of the data involved. Your legal team and managed security provider should make this assessment together.
What should you do if your business cannot afford a managed security provider?
At a minimum, ensure you have multi-factor authentication enabled on every account, particularly email and cloud services. Use a reputable cloud-based email security product that provides additional filtering beyond what Microsoft 365 or Google Workspace offer by default. Conduct basic phishing awareness training with staff at least annually. And document a simple incident response procedure, even a one-page document with five steps, so that when an incident occurs, people know what to do rather than improvising. These measures do not require a large budget but they meaningfully reduce your risk.
How is a phishing link different from a malware attachment?
A phishing link typically directs you to a fake website designed to steal your credentials or, in some cases, exploit your browser. A malware attachment is a file that, when opened, installs malicious software directly on your device. Both arrive via email but the immediate risk and response differ slightly. A phishing link that only harvested credentials is generally more contained than a malware attachment that installs a remote access tool. Both require immediate response and investigation.
If your business needs a clearer incident response process, or you want to understand how well your current security stack would detect and respond to a phishing attack, we would be glad to walk you through it. Book a conversation with our team here.