Clicked on a phishing link? Here are 7 things to do next
- jane09855
- Jun 12

Phishing attacks remain one of the most common and effective ways cybercriminals target businesses—and no organisation is immune. Even experienced staff can mistakenly click on a well-disguised phishing link, particularly as these attacks become more convincing and harder to detect.
For small and medium-sized businesses across Wales, knowing what to do in the moments immediately after someone clicks on a phishing link is essential. A quick, calm and informed response can significantly reduce the impact and prevent further damage.
Here are seven steps to take if a phishing link has been clicked:
1. Disconnect the device from the internet
If there’s any chance that malware (malicious software) has been downloaded, disconnect the affected device from the internet immediately. This will help prevent any further communication with the attacker’s server and stop the spread of any malware across your business network.
2. Do not enter any additional information
If the phishing link took you to a website that asked you to enter login credentials, payment information or personal data, but you haven't yet submitted anything, close the page straight away, even if it seems to be legitimate.
3. Run a full anti-virus scan
A full system scan using your anti-virus software will identify and remove any potentially harmful files. Ensure that your anti-virus tools are up to date and configured to detect the latest threats.
4. Change any compromised passwords immediately
If login details were entered into a phishing site, change those passwords without delay. If the same password has been used on other accounts, change each of those to a new, unique password too. Prioritise changing passwords for critical business services, such as email accounts, cloud platforms and banking systems. The National Cyber Security Centre (NCSC) recommends using three random words to generate passwords, for example ‘PaperWatermelonTrain’; numbers and punctuation marks can be added for complexity. Use a password manager to store them securely so you don’t have to remember them.
5. Enable multi-factor authentication (MFA)
If your systems support it, enable multi-factor authentication across all business accounts. MFA is a simple and highly effective way to add an extra layer of security, helping to prevent unauthorised access even if passwords are compromised.
6. Report the incident
It’s important to report any phishing attempt. This allows authorities to track and shut down widespread scams, which helps protect others.
- Report suspicious emails to the Suspicious Email Reporting Service at: report@phishing.gov.uk
- If business or personal information has been shared, report the incident to Action Fraud at: www.actionfraud.police.uk or call 0300 123 2040
- Inform your internal IT team or managed service provider to ensure the situation is reviewed and logged properly
7. Monitor systems and accounts for unusual activity
After a phishing incident, keep a close eye on all affected accounts and systems for any signs of suspicious behaviour. This includes checking for login attempts from unknown locations, unauthorised password reset requests, or unexpected financial transactions. Businesses should consider enabling security alerts where possible.
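The checks in step 7, as an added example that is not part of the original article or any WCRC tool: a short Python script that reviews an exported activity log for one affected account after the click. The event format, field names, function name and sample data are constructed assumptions; real exports from an email, cloud or banking provider will look different.

```python
from datetime import datetime, timedelta

# Constructed sample events; field names and values are assumptions for illustration.
EVENTS = [
    {"time": "2025-06-09T08:55:00", "user": "alice", "type": "login", "country": "GB"},
    {"time": "2025-06-10T09:20:00", "user": "alice", "type": "login", "country": "GB"},
    {"time": "2025-06-10T11:42:00", "user": "alice", "type": "login", "country": "BR"},
    {"time": "2025-06-10T11:45:00", "user": "alice", "type": "password_reset_request"},
    {"time": "2025-06-11T14:03:00", "user": "alice", "type": "payment", "payee": "New Payee Ltd"},
    {"time": "2025-06-11T15:00:00", "user": "bob", "type": "login", "country": "US"},
    {"time": "2025-06-12T10:00:00", "user": "alice", "type": "payment", "payee": "Landlord"},
]


def review_events(events, user, clicked_at, known_countries, known_payees, days=14):
    """Return (time, reason) pairs for one user's events in the window after the click."""
    start = datetime.fromisoformat(clicked_at)
    end = start + timedelta(days=days)
    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):
        when = datetime.fromisoformat(ev["time"])
        if ev["user"] != user or not (start <= when <= end):
            continue  # other accounts, or outside the review window
        if ev["type"] == "login" and ev.get("country") not in known_countries:
            findings.append((ev["time"], f"login from unfamiliar location: {ev.get('country')}"))
        elif ev["type"] == "password_reset_request":
            findings.append((ev["time"], "password reset request: confirm the user made it"))
        elif ev["type"] == "payment" and ev.get("payee") not in known_payees:
            findings.append((ev["time"], f"payment to unfamiliar payee: {ev.get('payee')}"))
    return findings


if __name__ == "__main__":
    # Assumed scenario: alice clicked the link at 09:00 on 10 June and normally signs in from GB.
    for when, reason in review_events(EVENTS, "alice", "2025-06-10T09:00:00", {"GB"}, {"Landlord"}):
        print(when, reason)
```

Anything the script flags is a prompt to check with the account owner, not proof of compromise.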
Mistakes do happen but prevention is always the best approach. Welsh organisations can protect themselves by putting robust security measures and clear reporting protocols in place.
Recommendations include:
- Delivering regular cyber awareness training for all staff members – the WCRC offers affordable, non-technical sessions and we are running a special offer for businesses and organisations with 10 or fewer employees
- Implementing strong password policies and secure access controls
- Ensuring all software and systems are kept up to date
- Encouraging a culture where employees feel comfortable reporting potential mistakes
If you’d like assistance with making sure your SME is prepared to handle a phishing attack, get in touch with the WCRC today for guidance, practical resources, or to discuss your business needs.
*Original content sourced from the Cyber Resilience Centre for the South West