June 13, 2026
Did You Click a Phishing Link? Follow This Checklist Now
It started with one click.
Ctrl Alt Hacked
A small business owner — let's call her Sarah — was going through her morning emails when she spotted a message from what appeared to be Microsoft. Unusual sign-in detected. Review activity immediately.
She clicked the button. A login page appeared. She entered her credentials. A message told her the issue was resolved.
None of it was real.
Within six minutes, someone on the other side of the world had logged into her company's Microsoft account. Over the next three weeks, they read every email she sent and received. They learned who her suppliers were, what her payment schedules looked like, and who in her company had the authority to approve transfers.
Then they struck.
By the time anyone figured out what had happened, $47,000 had moved through three different bank accounts across two countries. Unrecoverable.
It started with one click that took less than a second.
What's actually happening right now
If you clicked a phishing link, here's what you need to understand before doing anything else.
If you only clicked but didn't type anything, the most likely outcome is nothing. Most phishing links lead to a fake login page that requires you to enter credentials before anything dangerous happens. Closing the page without typing is usually enough.
If you entered your password, assume it's already in someone else's hands. Not in an hour. Right now. Stolen credentials are often tested by automated systems within minutes of being submitted. Some operations have tools that attempt logins the moment the password arrives.
If you downloaded a file or opened an attachment, the risk is different. Software may have installed silently on your machine. You might see no signs of it at all. That's by design.
The next eight steps are ordered by urgency. Start at the top.
Step 1: Change the password — the right way
Do this before finishing this article if you have to.
Open a new browser tab and type the website address directly — do not click any link from any email. Go to the real site, log in, and change the password immediately.
If it was your business email password, this is the single most important action you will take. Your business email is the master key to almost everything else your company runs on. Whoever controls your email can trigger password resets on your banking portal, your accounting software, your payroll system, your client management tools. All of it flows through email.
Change that password first.
Step 2: Every account that shared that password
Criminals know people reuse passwords. The moment a credential is stolen, automated tools begin testing it against Microsoft 365, Google Workspace, banking portals, and every major business service simultaneously.
If you used the same password anywhere else in your business — change it there too, immediately. One reused password can cascade into full account access across your entire operation.
Step 3: Turn on multi-factor authentication right now
Multi-factor authentication — MFA — means that logging into an account requires two things: your password and a second verification code sent to your phone or generated by an app.
Even if a criminal has your correct password, they cannot get into your account without that second factor. They don't have your phone.
Enable it on the compromised account immediately. Find it under Security Settings on most platforms. It takes about five minutes to set up.
Then make a note to roll it out to every employee account this week. The next phishing email won't necessarily land in your inbox — it might land in your office manager's.
Step 4: The hidden forwarding rule trick
This is the step most people miss — and it's the one that keeps attackers inside your business long after you've changed your password.
A classic move against compromised business email accounts is to set up a hidden forwarding rule before the victim notices anything is wrong. The rule quietly copies every incoming email to an external address. Even after you change your password, they keep reading everything — your invoices, your client conversations, your payment schedules.
This is exactly how the large business email compromise attacks are built. Weeks of silent reading before a carefully timed strike.
Log into your email account and check:
- Forwarding rules — look for any address you don't recognise
- Email filters — look for any rules that move emails to unusual folders or mark them as read automatically
- Recovery information — check that the backup phone number and email address are yours
Delete anything you didn't create.
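For a Microsoft 365 tenant, the Step 4 checks can be run across every mailbox at once instead of one inbox at a time. The PowerShell below is an added example, not from the article: it assumes the ExchangeOnlineManagement module is installed, that the account running it has Exchange admin rights, and that `example.com` stands in for the domains that are legitimately yours. It only reports; deleting is left to a human.

```powershell
# Added example, not from the article: audit a Microsoft 365 tenant for the
# Step 4 tricks (external forwarding, rules that hide mail). Read-only.
# Assumptions: ExchangeOnlineManagement module installed, Exchange admin rights,
# and 'example.com' replaced with the domains that are legitimately yours.
Connect-ExchangeOnline -ShowBanner:$false

$internalDomains = @('example.com')                             # assumed placeholder
$dumpFolders = 'RSS|Conversation History|Junk|Deleted|Archive'  # folders attackers hide mail in

# True when an address (plain or in "Name [SMTP:addr]" form) points outside your domains
function Test-External([string]$address) {
    if ($address -match '@([A-Za-z0-9.-]+)') {
        return $internalDomains -notcontains $Matches[1].ToLower()
    }
    return $false
}

$findings = @()
foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    $upn = $mbx.UserPrincipalName

    # 1. Mailbox-level forwarding (set in the account or by an admin)
    if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
        $findings += [pscustomobject]@{ Mailbox = $upn; Type = 'MailboxForwarding'
            Detail = "$($mbx.ForwardingSmtpAddress) $($mbx.ForwardingAddress)".Trim() }
    }

    # 2. Inbox rules that forward/redirect externally or hide incoming mail
    foreach ($rule in Get-InboxRule -Mailbox $upn) {
        $targets  = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
        $external = @($targets | Where-Object { Test-External "$_" })
        $hides    = $rule.DeleteMessage -or $rule.MarkAsRead -or
                    ("$($rule.MoveToFolder)" -match $dumpFolders)
        if ($external.Count -gt 0 -or $hides) {
            $findings += [pscustomobject]@{ Mailbox = $upn; Type = 'InboxRule'
                Detail = "'$($rule.Name)' enabled=$($rule.Enabled) ext=[$($external -join ', ')] " +
                         "delete=$($rule.DeleteMessage) read=$($rule.MarkAsRead) move=$($rule.MoveToFolder)" }
        }
    }
}

if ($findings.Count -eq 0) { 'No forwarding or mail-hiding rules found.' }
else { $findings | Format-Table -AutoSize -Wrap }
Disconnect-ExchangeOnline -Confirm:$false
```

Mailbox-level forwarding to a partner can be legitimate, so review each line against what you know you set up before removing anything.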
Step 5: Check your sent folder and warn your clients
Attackers sometimes use a compromised business account immediately to email your clients and suppliers — fake invoices, updated payment details, urgent wire transfer requests. All sent from your real address.
Open your sent folder. Look at everything sent in the past 24 to 48 hours. If anything went out that you didn't write, call those clients and suppliers today. One uncomfortable phone call now is significantly better than a client discovering they wired money to a criminal because the email genuinely came from you.
Step 6: Tell your team today
Not after the weekend. Not once you know more. Today.
If an attacker has been inside your account, their next move is often a follow-up attack on your staff — emails appearing to come from you, asking someone to process a payment or open a file. Your team cannot protect against something they don't know is happening.
If you have an IT person or managed service provider, loop them in immediately.
The difference between an incident that gets contained in an hour and one that costs the business tens of thousands is almost always how quickly someone spoke up. Nobody competent will blame the person who clicked. These emails are engineered by professionals specifically to be clicked. The only mistake that matters is staying quiet.
Step 7: Downloaded a file? Disconnect now
If you opened an attachment or downloaded anything from the phishing page, disconnect that computer from your network immediately — turn off the Wi-Fi or pull the network cable.
If malicious software installed itself, disconnecting stops it from spreading to other machines in your office or accessing your shared files and drives.
Then run a full antivirus scan. Windows Defender — which comes built into Windows — is genuinely capable at this. Let it run completely. If it finds something, let it remove it. Then change your passwords again from a completely different device, because if anything was logging your keyboard activity, the new passwords you typed on the compromised machine may already be captured.
Step 8: If money is involved, call your bank
Use the number on the back of your card — not a number from any email.
If a payment has gone out, every minute matters. Transfers can sometimes be recalled or frozen if caught early enough. After 24 to 48 hours, that window closes for most types of transfers.
How to know if you're in the clear
Watch for these signs over the next week or two:
- Password reset emails you didn't request
- Login alerts from locations you don't recognise
- Clients or suppliers mentioning strange emails that appear to have come from you
- Files that suddenly can't be opened
- Computers running unusually hot or slow for no apparent reason
Any of those signals means the situation is still active. At that point, bring in professional help — an IT security specialist who can conduct a proper assessment.
If nothing unusual happens within two weeks and your antivirus scan came back clean, you're very likely fine.
How to make sure it never happens again
Phishing works because it manufactures pressure. Urgency. Fear. Authority. Your account will be closed. Unusual activity detected. Invoice overdue. The entire technique is designed to make busy people act faster than they think.
Build this rule into your business: when an email demands immediate action, the demand itself is the warning signal. Legitimate companies almost never need you to act within minutes.
Before anyone in your business clicks a link asking them to log in, the rule is simple: go to the real website directly. Type the address. If the warning was genuine, it will be waiting inside the account. If there's nothing there, the email was the threat.
Enable MFA on every account that matters. Every email account. Banking. Accounting. Payroll. It's free, it takes minutes per account, and it's the difference between a stolen password being a business-ending event and being a minor inconvenience.
The honest truth
Someone in your business clicked a link. It happens in law firms, clinics, marketing agencies, and yes, IT companies too. The people who fall for these attacks are not careless. They're busy professionals doing their jobs at normal speed, and the criminals who design these emails are specifically studying how to exploit that.
What separates a bad story from a non-story is what happens in the first hour.
You now know exactly what to do in that hour.
Watch the full step-by-step video breakdown on YouTube: https://youtu.be/sQgvBJLDGtg