What to Do If You Clicked a Scam Link: Step-by-Step Guide to Stay Safe


Clicked a scam link? Treat it as a security incident, not a mistake to hide. Phishing URLs are often built to look legitimate, and researchers have shown that attackers can camouflage malicious links with patterns that resemble real sites. The FTC says scammers can be very convincing, and if you gave them money, personal information, or access to your computer or phone, you should act quickly to protect your accounts, device, and identity. 

The right response depends on what happened after the click. If you only opened the page, the danger may be lower. If you entered a password, clicked “allow,” downloaded a file, typed card details, or gave remote access, the risk is much higher. This guide walks through the steps in the order that matters most so you can stop damage fast, secure your accounts, clean your device, protect your money, and report the scam properly. Google’s account help pages and the FTC’s scam guidance both emphasize that fast action, password changes, security scans, account reviews, and reporting are the key moves after a compromise. 

1. First, understand what a scam link can actually do

A scam link is not just a bad website. It can be a fake login page designed to steal your password, a page that asks for card or bank details, a download that installs malware, or a form that tricks you into sharing personal data. The FTC warns that scammers use email, text messages, and other messages to get money or sensitive information, and Google’s account help says that if your Google Account or Gmail has been hacked, you should review security events, devices, and related settings right away. 

The biggest danger is often not the click itself but the chain reaction after the click. If the page stole your password, the attacker may try to break into your email, cloud storage, shopping accounts, social media, or bank apps. If the page installed malware or got remote access, the attacker may be able to spy on the device, intercept codes, or control the computer or phone. That is why you should think of the click as the start of a response, not the end of the story. FTC guidance specifically tells people to update security software, run scans, change passwords, and protect financial accounts when a scammer has access to a device or personal information. 

2. The first 10 minutes: stop the bleeding

Your first job is to stop giving the scammer more information. Close the page, stop replying to any messages that led you there, and do not enter anything else on the site. If you are still on the page, assume it is trying to push you toward a second mistake, such as a fake sign-in prompt, a “security update,” a payment request, or a download button. The FTC’s scam guidance is built around the idea that scammers can be persuasive, so the safest move is to break the interaction as soon as you realize something is wrong. 

If the page tried to make you download a file, run software, or approve a device connection, stop immediately and do not continue the installation. If the scam looked like a support page or a “your device is infected” warning, treat it as suspicious until proven otherwise. Technical support scams often use fake error pages and pressure tactics to convince people to download remote-access tools or pay for nonexistent fixes. The FTC specifically tells victims to update their computer’s security software, run a scan, and remove anything it identifies as a problem if a scammer has remote access or suspicious software is involved. 

3. If you only clicked the link and did nothing else

If you clicked but did not type any information, the situation is often less severe than a full credential theft incident, but it is not harmless. Phishing campaigns are designed to deliver malicious pages, harvest information, or funnel people into a second step where the real damage happens. Academic work on phishing URLs shows that many attacks start with a clicked link and can still leak private information even when the link is disguised to look benign. 

After a simple click, focus on containment and monitoring. Close the page, inspect whether anything downloaded automatically, and check whether the browser opened a login prompt you did not expect. Then watch your email, bank, and major accounts for sign-in notices or unusual activity. Google’s Security page says its Security Checkup is designed to help you secure your data and devices, add extra protections, and check recent security events, which makes it a good place to start if the clicked link was tied to your Google Account or Gmail. 

4. If you entered your password or other login details

If you typed a username and password into a fake page, treat it as a credential theft incident. FTC guidance is direct: if you gave a scammer your username and password, create a new, strong password and change it anywhere else you used the same password. Google’s hacked-account help says the same thing in a broader form: if someone may be using your Google Account, change your Google password immediately and change passwords anywhere else that reused the same one or that contact you through your account email. 

Do the password change from a trusted device, not from the suspicious page or the same browser tab that you just used. After the password change, review whether your recovery phone number, recovery email address, alternate email, or account name was altered. Google’s account-help page specifically says to correct unfamiliar changes to your recovery phone number and recovery email address, review apps with access, and review recent security events if you think someone else is using your account. Those steps matter because attackers often change recovery settings first so they can lock you out later. 

5. Secure the most important account first: your email

Your email account is usually the key to everything else. If a scammer gets into email, they can request password resets for banking apps, social media, shopping accounts, cloud storage, and even work systems. That is why the first account to secure is usually the email account tied to your digital identity. Google’s hacked-account guidance says to review security events, your devices, recovery settings, and access permissions; it also tells you to turn on 2-Step Verification so a stolen password does not become a full takeover. 

Inside Gmail, check for unfamiliar forwarding rules, filters, labels, delegated access, or automatic replies. Google’s help page explicitly says to remove any Gmail labels, filters, or forwarding rules you did not set up. It also tells you to review access settings, uninstall unrecognized Chrome extensions, update Chrome, review Google Drive activity and file versions, stop unknown Google Photos album sharing, and turn off suspicious location sharing. Those are all places attackers commonly hide after a phishing attack. 

6. Turn on two-step verification right away

A password alone is not enough after a phishing link. Google says 2-Step Verification helps keep hackers out of your account by requiring something you know, such as your password, and something you have, such as your phone, a security key, or a printed code. That means even if your password was stolen, the account can still stay protected. Google’s Security Checkup is designed to help users add extra protections and check recent security events, which makes 2-Step Verification one of the most important follow-up steps after a scam link. 

This is also the point where you should strengthen every account that reuses the same password, especially email, cloud storage, social media, payment apps, and online shopping. The FTC says to change the password anywhere else you used the same one, and Google says to do the same for apps and sites that sign in with the same email or password. If the scammer got one password, assume they may try it everywhere. 

7. Revoke third-party access and suspicious connections

Phishing is not always about passwords. Sometimes a scam link leads to a fake consent screen or a suspicious authorization flow that gets a third-party app access to your account data. Google’s third-party access help says you can review or remove third-party apps and services that have access to your Google Account data at any time, and it warns that if you revoke access, those apps can no longer access your data. It also says that third-party apps may request access to Gmail, Drive, Calendar, Photos, and Contacts, so the damage can extend beyond email alone. 

This matters because a scammer does not always need your password if they can trick you into granting access another way. Google says third-party apps and services should only be trusted if you trust the provider, and it warns not to share your Google Account password on a third-party app or service. If you see anything unfamiliar in your Google Account connections, remove it immediately and ask the third party to delete any data they already received if necessary. That cleanup step is a common blind spot after a phishing link. 

8. If the scam link asked for bank or card details

If you entered a debit card, credit card, bank account, or payment-app detail, treat it as a financial security issue. The FTC says to contact the company or bank that issued the card, report the charge as fraudulent, and ask them to reverse it. It also says to contact your bank if a scammer made an unauthorized transfer from your account, and to report fraudulent transactions through money transfer apps or wire services as quickly as possible. 

If the payment was through a money transfer app linked to a card, report it both to the app provider and to your bank or card issuer. If the payment was by wire transfer, contact the wire-transfer company and ask for reversal. If the scam involved cryptocurrency, the FTC says those payments are typically not reversible, which means speed matters even more because the recovery chances are usually much lower. This is why bank and payment alerts should be checked right away after a scam link. 

9. If you gave the scammer your Social Security number or identity information

If you entered your Social Security number or other identity documents, the issue becomes identity theft, not just phishing. The FTC tells victims who gave a scammer their SSN to go to IdentityTheft.gov to see the steps to take, including how to monitor credit. It also says to check financial accounts for unauthorized charges and to report suspicious activity to the company or institution involved.

Identity theft can show up later, not instantly. That is why it is important to monitor credit, keep an eye on account openings, and watch for unexplained bills or changes to your information. Even if nothing is wrong today, identity information can be used later to open accounts or impersonate you. The FTC’s guidance makes clear that if personal information like an SSN was exposed, you should not wait for a problem to appear before acting.

10. If you downloaded a file, app, or attachment

If the scam link triggered a file download or asked you to install an app, the priority is to check for malware. The FTC says to update your computer’s security software, run a scan, and delete anything the software identifies as a problem. Google’s hacked-account page also says to remove harmful software if you think your account has suspicious activity, and it recommends trusted antivirus software. If the situation is serious, Google says you can reset the computer to factory settings and reinstall the operating system, but only after backing up the files you need. 

Do not assume that a file is harmless just because it opened without errors. Malicious links often rely on social engineering more than technical exploits, which means the page may look ordinary while the download is doing the real damage. Phishing research shows that attackers continuously adapt URL structures and web pages to evade detection, and malware or credential theft may be built into pages that look legitimate at a glance. 

11. If the scammer got remote access to your device

If you allowed remote access, or if you installed software that gave someone control of your computer or phone, treat it as a high-risk incident. The FTC says to update your security software, run a scan, and remove anything the scan identifies as a problem. It also says to take additional steps to protect your personal information and to contact your service provider if a scammer took control of your cell phone number and account. That is important because remote access can expose passwords, files, text messages, and security codes. 

Google’s hacked-account help adds more cleanup steps after suspicious access: remove harmful software, uninstall unrecognized Chrome extensions, update Chrome, review Gmail security settings, review Drive activity and file versions, and check Photos sharing and Location Sharing. If you are not sure whether the device is safe, a factory reset may be the cleanest path after backing up essential files. The goal is to remove any persistence that could let the attacker come back later.

12. Lock down your browser and device

Once the immediate danger is handled, clean up the browser and device itself. Google advises using a more secure browser like Chrome, turning off less secure app access, using a device screen lock, uninstalling extensions you do not recognize, and keeping Chrome up to date. It also says Password Alert in Chrome can notify you if you enter your password on a non-Google site, which is helpful for stopping repeat phishing mistakes before they turn into account takeovers. 

This is also the time to check your browser’s saved passwords, payment info, and autofill settings. If the scam page had access to the browser or if a malicious extension was installed, anything saved in the browser may be at risk. Review what is stored, remove anything unfamiliar, and make sure the device itself has a strong screen lock. A strong account can still be undermined by a weak browser or an unlocked device. Google’s account help specifically calls out device screen lock and Chrome updates as part of securing apps and devices. 

13. Check every financial account you use

After a scam link, do not limit your review to the account that was targeted. Check credit cards, debit cards, bank accounts, money-transfer apps, online wallets, and any shopping accounts with saved payment methods. The FTC says to review your credit card, bank, and other financial accounts for unauthorized charges or changes, and to report anything suspicious to the company or institution immediately. Google’s hacked-account guidance similarly tells you to check Google Pay, Chrome payment info, Google Play purchases, and other financial activity for unauthorized changes. 

If you see an unfamiliar card, account, or transfer destination, remove it and contact the financial institution. If you see pending purchases you do not recognize, flag them before they settle. If you use payment apps, check whether the app is linked to a credit card or debit card so you know which institution must also be alerted. The key is to treat every money-moving service as part of the same incident response chain. 

14. Watch for account recovery abuse

A common scam link outcome is account recovery abuse. If the scammer has your email, password, or device access, they may try to change your recovery phone number, recovery email, alternate email, or 2-Step Verification settings so they can keep control. Google’s hacked-account help specifically tells users to review recovery phone and recovery email settings, review 2-Step Verification methods, and correct any unfamiliar changes immediately. 

That is why you should not only change your password once and stop. Review the entire recovery chain. Make sure the phone number belongs to you, the recovery email is one you control, and the 2FA method is still in your possession. If these settings are hijacked, you may lose access even after changing the password. Google’s own support page makes this point by telling users to inspect account activity, devices, recovery settings, and access permissions after a compromise. 

15. Report the scam immediately

Reporting helps more than people think. The FTC says that when you report a scam, it can use the information to build cases against scammers, spot trends, educate the public, and share data about what is happening in your community. It tells victims to report scams at ReportFraud.ftc.gov and to use IdentityTheft.gov when identity information such as a Social Security number was exposed. Reporting does not guarantee recovery, but it helps the ecosystem and may help investigators identify campaigns. 

If the scam involved a specific account provider, also report it inside that service’s help center or security flow. Google’s hacked-account help includes review screens for suspicious activity and devices, and its third-party app help lets you report third-party apps that misuse your data. If the scam came through a bank, payment app, or card, report the fraud to that institution immediately and ask for reversal or fraud handling. The more places you report it, the faster the damage can be contained. 

16. What to do in the next 24 hours

The first day after a scam link is about verification and cleanup. Recheck your email, cloud account, and payment apps for sign-in alerts or unusual messages. Review Google’s recent security events and connected devices if you use Google products, and repeat the check after a few hours because attackers sometimes act in stages. Google’s Security Checkup is specifically designed to help you secure data and devices, add extra protections, and check recent events, which makes it a useful follow-up tool instead of a one-time task. 

If you downloaded anything or let someone into your device, keep watching for signs of malware or remote-control behavior. Strange pop-ups, a browser that keeps redirecting, new extensions, unexpected logins, or unfamiliar settings are all warning signs. FTC and Google both recommend updating security software, scanning the device, removing harmful software, and changing passwords after suspicious device access. If the computer or phone still feels compromised after cleanup, a factory reset may be safer than trying to patch around the problem. 

17. How to prevent the next scam link

The best defense against a phishing attack is to slow down every time a link wants something urgent from you. Scammers rely on pressure, fear, and urgency. They use fake login pages, fake warnings, fake shipping notices, fake invoices, and fake support messages to make you act before you think. Security research shows that phishing URLs can imitate legitimate patterns and evade detection, which is why you should verify the destination before trusting any link that asks for personal information. 
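One way to verify the destination before trusting a link, shown as an added Python example that is not part of the original guide: it reads the URL as text only (nothing is fetched) and reports the host the browser would really contact. The allow-list `EXPECTED_DOMAINS`, the finding names, and the sample URLs are assumptions constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: domains the reader actually signs in to (illustrative allow-list).
EXPECTED_DOMAINS = ("google.com", "ftc.gov")


def on_expected_domain(host, expected=EXPECTED_DOMAINS):
    """True only if host IS an expected domain or a subdomain of one.
    Matching on '.' + domain rejects 'notgoogle.com' and
    'google.com.something.example.net'."""
    return any(host == d or host.endswith("." + d) for d in expected)


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def inspect_link(url, expected=EXPECTED_DOMAINS):
    """Report where a link really leads, plus any camouflage findings."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").rstrip(".")  # urlsplit lowercases the host
    findings = []

    if parts.scheme != "https":
        findings.append("not-https")
    if not host:
        findings.append("no-host")
    if parts.username is not None:
        # Everything before '@' is login data, not the destination.
        findings.append("userinfo-before-host")
    if host and is_ip_literal(host):
        findings.append("ip-literal-host")
    if not host.isascii() or any(p.startswith("xn--") for p in host.split(".")):
        # Internationalised names can render like a familiar brand.
        findings.append("idn-or-punycode-host")

    trusted_host = bool(host) and on_expected_domain(host, expected)
    if not trusted_host and any(d in url.lower() for d in expected):
        # A familiar name appears in the URL but is not where it leads.
        findings.append("expected-name-not-destination")

    return {"host": host,
            "trusted": trusted_host and not findings,
            "findings": findings}


if __name__ == "__main__":
    # Constructed sample links; example.net/.org and 192.0.2.0/24 are
    # reserved for documentation and point at no real service.
    samples = [
        "https://accounts.google.com/signin",
        "https://accounts.google.com@login.example.net/signin",
        "https://google.com.security-check.example.net/",
        "http://192.0.2.10/login",
        "https://xn--ggle-55da.example.org/",
    ]
    for link in samples:
        print(link, "->", inspect_link(link))
```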

Use two-factor authentication everywhere you can, store passwords in a trusted password manager, and avoid reusing the same password across accounts. Google’s support pages make it clear that a stolen password alone should not be enough to get into your account when 2-Step Verification is on. Keep your browser and operating system updated, remove suspicious extensions, and periodically review connected apps and third-party access. Those habits may feel small, but they block many of the most common post-click attack paths. 

18. If the scam link hit your work account

If you clicked the scam link on a work device or with a work email, follow your company’s incident-response process in addition to the steps above. Work accounts often connect to shared systems, cloud tools, payroll portals, internal apps, and customer data, so a compromise can affect more than your personal email. At minimum, notify your IT or security team quickly, change the affected passwords, and review any third-party app connections or browser sessions tied to the account. Google’s hacked-account guidance shows why this matters: once a password or device is compromised, attackers often move across connected services and settings. 

The same principle applies to shared family accounts, partner accounts, and school or organization logins. If a scam link compromised one device or one account, do not assume the rest of the environment is fine. Check every login that used the same password, every account that shares your email address, and every payment method that may have been exposed. Fast containment is what stops a single click from becoming a bigger incident. 

Conclusion

If you clicked a scam link, the safest response is fast, calm, and methodical. Stop interacting with the page, protect your passwords, secure your email first, review devices and recovery settings, scan your computer or phone, call your bank if money may be exposed, and report the scam. The FTC’s guidance and Google’s hacked-account help both point to the same core truth: the sooner you act, the less power the scammer has to move from a simple click to account theft, bank fraud, malware infection, or identity theft. 

A scam link is not just a bad moment. It is a potential chain reaction. But you can stop that chain if you move quickly, change the right settings, and lock down the accounts that matter most. Treat every suspicious link as a test of your security habits, and make your response stronger than the scam was clever. 

Frequently Asked Questions

1) What should I do first if I clicked a scam link?

Close the page, stop interacting with it, and check whether you entered any information, downloaded anything, or allowed access. Then secure the affected account, scan your device, and report the scam if needed. The FTC says to change passwords, protect financial accounts, and report scams quickly. 

2) What if I entered my password on a fake site?

Treat it as a stolen password. Change that password immediately from a trusted device and change it anywhere else you reused it. Then review recovery settings, devices, and recent security events. Google specifically tells users to do exactly that after suspicious account activity. 

3) What if I entered my bank card or payment details?

Contact your bank or card issuer right away and report the transaction as fraudulent. The FTC says to ask for reversal wherever possible and to report fraudulent transfers or charges to the relevant bank, card issuer, or payment service. 

4) What if the scammer got access to my computer or phone?

Update your security software, run a scan, remove harmful software, and if needed reset the device after backing up important files. Google also recommends reviewing browser extensions, Chrome updates, Gmail settings, and third-party app access after suspicious activity. 

5) Should I report the scam link?

Yes. The FTC says reporting helps build cases, identify trends, and educate the public, and it asks consumers to report scams at ReportFraud.ftc.gov. If identity information was exposed, it also directs victims to IdentityTheft.gov. 

6) How can I prevent this from happening again?

Use two-factor authentication, avoid password reuse, keep your browser and device updated, review third-party access, and slow down whenever a link creates urgency. Google’s account security and hacked-account guidance shows that these habits are central to keeping an account secure. 
