What to Do After an Employee Clicks a Phishing Link
A step-by-step response guide for the first hour after a phishing click: reporting, account containment, triage, and when to escalate.
Someone on your team clicked a phishing link. Maybe they told you right away, maybe a filter flagged it, maybe they just have a bad feeling and are not sure what happened. What matters now is the next hour, not the click itself.
Phishing response is a race between the attacker and your team. The attacker needs time to use a stolen password, read a mailbox, or move a payment. Every step below is designed to take that time away. None of it requires an enterprise security team.
What counts as clicking
Not every click carries the same risk, so start by finding out what actually happened. Ask the employee, without blame, which of these describes it:
- They clicked the link but closed the page without doing anything else.
- They entered their username and password, or approved an MFA prompt.
- They opened or downloaded an attachment.
- They replied, sent data, or changed a payment on the strength of the message.
The first case is usually low risk. The other three need action. If the employee is not sure, treat it as the riskier case. People often remember entering credentials only after a calm question, not during the initial panic.
Step 1: Report the message right away
The original email is your best evidence. The employee should report it through your normal channel, ideally a report button in the inbox, and should not delete it. Headers, links, and attachments tell IT what the message was trying to do and who else may have received it.
If your company has a written phishing reporting policy, this is the moment it pays for itself: the employee already knows where to report and knows they will not be punished for clicking. If you do not have one, the incident you are handling right now is a good reason to fix that this week.
Step 2: Contain the account
If credentials may have been exposed, act on the account before investigating the message:
- Change the password for the affected account.
- Sign out all active sessions, most identity providers have a single control for this.
- Check that MFA is still enabled and that no new devices or methods were added.
- Review mailbox rules for new forwarding or auto-delete rules. Attackers add these to hide their activity.
Do these in minutes, not hours. A stolen password is most valuable to an attacker in the first window after the click, before anyone notices.
Step 3: Triage the message
Whoever handles IT, in-house or an MSP, should look at what the link or file actually did. Where did the URL really point? Was it a fake login page, a file download, or a redirect chain? Does the attachment need a malware scan on the device that opened it?
This is also the time to check the blast radius. Search for the same message across other mailboxes. One reported email often reveals a campaign that hit ten people, and the other nine may not have said anything yet.
If money or data is at risk
If the employee changed a payment, sent a transfer, or shared sensitive data, escalate immediately:
- Call your bank's fraud line and ask about recalling the transfer. Speed matters more here than anywhere else, recovery gets much harder within a day or two.
- Verify the request that started it through a known phone number, not by replying to the email.
- In the United States, file a report at the FBI's IC3, which can assist with wire recall through its recovery process.
This is the scenario where a written plan beats improvisation. A phishing incident response plan with a wire fraud fast path gives whoever picks up the incident a script: who to call, in what order, with the phone numbers already filled in.
Close the loop with the employee
When the dust settles, thank the person who reported, even if they also clicked. Reporting after a click is exactly the behavior you want, because it is the difference between a contained incident and a silent compromise.
Then close the loop with everyone else. If the campaign hit multiple inboxes, send a short warning with a screenshot of the lure. Keep a simple record of what happened and what was done. That record helps with insurance questions later and shows the next incident handler what worked.
Reduce the chance of the next click
One click is a data point, not a verdict. After the incident, look at what would have changed the outcome: a reporting button that is easier to find, a verification rule for payment changes, a short refresher on the lure theme that worked, or a phishing simulation that gives people safe practice with that exact scenario.
The goal is not zero clicks. Attackers only need one realistic message at the wrong moment, so some clicks will happen. The goal is a team that reports fast and a process that limits what one click can cost.
Sources and further reading
Related resources
How phishable is your team?
Take the free 2-minute assessment to see where your human layer is strong and where attackers still have an easy path. Then see how PhishAlertPro combines reporting, AI-assisted triage, simulations, and awareness training.