Skip to content
ScamClarity

Scam Type

Clicked a phishing link? Check the risk by what happened

Clicked, typed, paid, shared a code, or downloaded something? Match the safest next step to what actually changed.

By ScamClarity Editorial Team

Published May 20, 2026Updated May 27, 2026

A phishing message becomes more serious if you entered a password, shared a one-time code, gave payment or personal information, downloaded or installed something, sent money, or noticed account or device changes.

If you only received the message, or clicked a link but entered nothing, the risk is usually lower. Still check what happened after the click before assuming everything is fine or resetting a device.

Do not verify through the link, QR code, phone number, attachment, or reply thread in the suspicious message. Open the real app or website yourself, use a saved bookmark, or use a known phone number from a card, bill, statement, or official website.

Start with what happened

If more than one row applies, handle money, account access, sensitive information, downloads, remote access, or account changes first.

Phishing risk by what happened

Scroll sideways to see all columns.

What happenedWhat to check first
You only received or opened the messageDo not reply, click, call, scan, or open attachments. Report it if useful, then delete or archive it.
You clicked or scanned but entered nothingClose the page. Check for downloads, permission prompts, app or profile installs, extensions, redirects, or payment and login forms.
You typed a password or one-time codeTreat it as exposed unless you are sure nothing was captured. Secure the real account and do not share another code.
You entered card, bank, or payment detailsContact the bank, card issuer, payment app, or provider through its real app, website, card, statement, or known number.
You entered SSN, ID, tax, date of birth, or other identity detailsSave evidence. Use identity-recovery steps if the information could be misused or an account was opened, changed, or accessed.
You downloaded a file, opened an attachment, installed something, or allowed remote accessDo not reopen the file. Check for new apps, profiles, extensions, permissions, or remote-access tools. Run trusted security checks.
You sent moneyContact the payment provider immediately. Save transaction IDs, receipts, usernames, wallet addresses, dates, and screenshots.
Your account, phone, or computer changed afterwardCheck sign-ins, recovery settings, forwarding rules, connected apps, new apps, profiles, extensions, popups, and remote-access software.

Risk depends on what loaded, what was entered or submitted, and what changed afterward.

If you clicked but entered nothing

A click is not the same as giving a scammer your password, code, money, or remote access. After a click, check what actually happened:

  • Did a file download?
  • Did another app open?
  • Did the page ask for a login, card number, code, payment, or install?
  • Did the browser ask for notifications, permissions, or a profile?
  • Did you see a security alert, account change, or unfamiliar sign-in?
  • Did a payment app, wallet, or banking screen open?

If none of that happened and you entered nothing, treat it as a clicked-only situation. Do not click again to test the link.

If you entered a password or one-time code

Work from the real account, not the suspicious link. If the exposed account is email, banking, work, school, healthcare, or a password manager, handle it first.

Secure the affected account

Use the account's real app or website. If a provider has security tools, use those before relying on general advice.

  • Change the password

    Change it on the real site. Change the same password anywhere else you reused it.

  • Sign out other sessions

    Use the account's security settings to remove unfamiliar devices or sessions when that option exists.

  • Check recovery settings

    Look for changed recovery email, recovery phone, backup codes, app passwords, passkeys, and security questions.

  • Review email forwarding rules

    For email accounts, check forwarding, filters, and rules that send mail to an address you do not recognize.

  • Remove unknown connections

    Review connected apps, OAuth access, browser extensions, integrations, and devices you do not recognize.

  • Do not share another code

    Ignore calls, texts, emails, or chats asking for a new code, even if they refer to the first message.

A one-time code can approve more than a login. Depending on the service, it may approve a password reset, device registration, payment, or security change. If you cannot get back into the account, use the provider's official recovery process instead of searching for random support numbers.

If payment or identity information was shared

Start with the institution or provider that controls the account, card, payment, or recovery path. A card number, bank login, payment app transfer, SSN, and ID image do not create the same risk.

Match the response to the information shared

Use official apps, websites, cards, statements, or known phone numbers. Do not call a number from the suspicious message.

  • Credit or debit card

    Contact the issuer about blocking activity, replacing the card, checking pending charges, and disputing unauthorized transactions.

  • Bank login or account details

    Contact the bank quickly. Ask about account locks, transfer limits, password resets, and recent activity.

  • Payment app, wire, gift card, or crypto transfer

    Report through the real provider immediately and save transaction records. Some payment methods have narrow recovery windows; some may not be reversible.

  • SSN, ID image, tax information, or date of birth

    Use IdentityTheft.gov if misuse is possible or if an account was opened, changed, or used without permission.

  • Recovery services

    Be careful with anyone who promises to recover scam money for an upfront fee. That can become a second scam.

If something downloaded, installed, or changed

Treat attachments, fake invoices, installers, browser extensions, configuration profiles, and remote-access tools as device and account issues. Do not reopen a suspicious file to inspect it.

Device and download checks

Keep the response evidence-based: check what changed, remove what you can identify safely, and involve the right support team when work, school, or financial accounts are involved.

  • Check downloads without reopening the file

    Look in Downloads, Files, browser downloads, and email attachments without opening the suspicious file again.

  • Use trusted security tools

    Run a scan with security software you already trust or the built-in protection for the device.

  • Look for new software or settings

    Check for unknown apps, browser extensions, configuration profiles, notification permissions, popups, or remote-access tools.

  • Review accounts open on the device

    If banking, email, work, school, healthcare, or password manager accounts were open, check their sessions and security settings.

  • Contact IT when required

    Report work, school, or shared-device incidents to the support team even if nothing obvious happened.

Verify the message without using it

The safest verification path is outside the message. Open the official app, type the known website address yourself, use a saved bookmark, or call a number from a card, bill, statement, or official website. If the message appears to come from a person you know, contact them another way.

Do not rely only on logos, spelling, urgency, or the sender name. Polished messages can still be fake. The stronger warning sign is the action path: the message pushes you to use its link, QR code, attachment, phone number, payment request, code request, or reply thread instead of letting you verify through the real provider.

Common phishing setups include:

  • Fake account alerts, password resets, shared documents, storage warnings, payroll notices, and account closure threats.
  • Package, toll, bank, delivery, payment failure, and verification-code texts.
  • QR codes on invoices, parking notices, signs, emails, mailed notices, or payment pages.
  • Fake invoices for PayPal, Microsoft, antivirus renewals, business services, or support charges.
  • Marketplace and social messages that ask you to verify, pay, refund, ship, or continue the conversation somewhere else.
  • Work or school messages about shared files, payroll changes, Teams messages, document requests, or account access.

What not to do now

A second mistake often happens after the first one. Pause before doing any of these:

  • Do not reply with passwords, codes, SSNs, card numbers, bank details, ID photos, or recovery details.
  • Do not share one-time codes with anyone who calls, texts, emails, or chats after the first message.
  • Do not call the number in the suspicious message.
  • Do not install remote-access software because a message, caller, or pop-up told you to.
  • Do not keep using a password you typed into a suspicious page.
  • Do not pay a recovery service that promises to get scam money back.
  • Do not post screenshots with full private details. Hide full SSNs, card numbers, account numbers, codes, addresses, and recovery details before sharing outside an official report or provider support channel.

What to save before reporting

Keep enough detail to explain what happened without spreading private information further. Save originals for official reports or providers. Crop or blur private details before sharing screenshots anywhere else.

Evidence to keep

  • The message

    Screenshots, sender email, phone number, username, handle, profile link, voicemail details, or mail headers if you know how to preserve them safely.

  • The destination

    URLs, QR-code destination if visible, fake login page address, invoice number, attachment name, or downloaded file name.

  • The timeline

    Dates, times, what you clicked, what loaded, what you typed, what you submitted, and what changed afterward.

  • Payment evidence

    Receipts, transaction IDs, wallet addresses, usernames, bank references, order numbers, and amounts.

  • Account or device changes

    Security alerts, unfamiliar sign-ins, changed passwords, changed recovery email or phone, forwarding rules, connected apps, new apps, profiles, or extensions.

Where to report phishing in the U.S.

If money is moving, an account is locked, or a payment or bank account is involved, contact the provider first. Reporting can still help even if you did not lose money.

Consumer phishing or fraud

Use FTC ReportFraud for suspicious messages, fake claims, impersonation, and consumer scam reports.

ReportFraud.ftc.gov

Phishing emails

Forward suspicious emails to APWG at reportphishing@apwg.org and use the impersonated company's reporting option when available.

APWG report phishing

Suspicious texts

Forward suspicious texts to 7726 and use your phone or carrier report tools. For USPS-related package texts, USPIS also accepts reports.

USPIS smishing guidance

Internet-enabled fraud or money loss

Use FBI IC3 for online fraud, payment loss, business email compromise, and cyber-enabled crime reports. Save or print your complaint before leaving the confirmation screen.

FBI IC3

Identity theft or SSN misuse

Use IdentityTheft.gov for recovery steps when personal information was used or could be misused.

IdentityTheft.gov

Bank, card, payment app, or platform account

Use the real provider's fraud, dispute, or account-recovery channel. The provider controls account locks, disputes, reversals, replacement cards, transaction review, and account recovery.

Payment scam next steps

Work or school account/device

Contact internal IT, security, or the help desk for shared systems, payroll, email, files, and devices that may have reporting rules.

Phone or account change checks

When the problem is more specific

Use a more specific page when the issue is mainly a text message, invoice, remote-access call, account change, identity exposure, or payment.

The message was mostly an invoice, renewal, or callback request

Fake invoices often push a phone call, refund trick, remote access, or payment dispute angle.

Fake invoice scam next steps

Your phone, computer, or account changed afterward

Unknown sign-ins, changed recovery settings, forwarding rules, new apps, profiles, or remote tools need account and device checks.

Phone or account change checks

You shared SSN, ID, tax, or other personal information

Identity exposure needs a different recovery path than a clicked-only phishing link.

If a scammer has your information

You sent money through Zelle

Fast payment apps have provider-specific reporting and recovery limits.

Zelle scam next steps

You want broader prevention habits

Use prevention advice after the immediate account, payment, identity, or device risk is handled.

Avoid online scams

FAQ

I clicked and the page did not load. What now?

Do not click again to test it. Check whether a file downloaded, a tab stayed open, another app opened, or the device asked for a permission, profile, or install. If nothing loaded and you entered nothing, treat it as a clicked-only situation.

I typed my password but did not submit it. Does that matter?

Yes, it can. Because you cannot confirm how the page was built, treat that password as exposed unless you are sure nothing was captured. Change it on the real site and anywhere else it was reused.

Can a phishing link hack my phone?

A link alone is not proof that a phone was taken over. Risk rises if the link downloaded a file, installed an app or profile, asked for a login, opened a payment flow, or led you to share a code. Look for concrete signs before resetting the phone.

What is QR code phishing?

QR code phishing uses a QR code to send you to a suspicious site, login page, payment page, or download. Treat it like any other phishing link: check what opened, what was entered, and whether anything downloaded or changed.

Should I reply STOP to a suspicious text?

Only reply STOP when you trust the sender, such as a service you knowingly subscribed to. With an unknown or suspicious sender, replying can confirm the number is active. Use your phone or carrier report options instead.

Should I report phishing if I did not lose money?

Yes, if you can do it without sharing more private information. Reports can help providers and agencies identify patterns. Use the reporting option that matches the message, platform, payment, or identity issue.

How did they get my email or phone number?

A phishing message does not prove someone has access to your account. Email addresses and phone numbers can come from public pages, old data breaches, lead lists, scraped profiles, mistyped addresses, or random sending. Focus first on what you did after receiving it.

Sources checked

Sources checked May 27, 2026. ScamClarity is not a government agency, bank, platform, device maker, lawyer, cybersecurity firm, or recovery service. Use the official agency, provider, bank, or platform page for formal reports and account recovery.

  • FTC phishing guidance

    Recognizing phishing, avoiding suspicious links and attachments, reporting phishing, and using IdentityTheft.gov when sensitive information was shared.

  • FTC scam response guidance

    Payment-method recovery limits, contacting providers after payment or information exposure, and using IdentityTheft.gov for SSN exposure.

  • ReportFraud.ftc.gov

    Consumer fraud reporting for phishing messages, impersonation, fake claims, and fraud patterns.

  • IdentityTheft.gov

    Recovery steps when identity theft, SSN exposure, or misuse of sensitive personal information applies.

  • FBI IC3

    Reports involving internet-enabled crime, online fraud, payment loss, and cyber-enabled incidents.

  • IC3 FAQ

    Evidence preservation, complaint details, complaint-copy limits, and expectations after filing with IC3.

  • FBI online safety guidance

    Verifying account concerns through official company websites and reporting internet-enabled crime to IC3.

  • CISA phishing guidance

    Recognizing and reporting phishing across email, text, direct messages, and calls; verifying through official contact paths.

  • Microsoft phishing guidance

    Using official contact routes, recording details, changing reused passwords, enabling multi-factor authentication, and contacting work or school IT.

  • Google Gmail phishing guidance

    Reporting Gmail phishing, checking unsafe passwords, and using Google account security protections.

  • Apple social engineering guidance

    Apple account phishing, suspicious messages, fake support calls, software downloads, and not sharing passwords or verification codes.

  • APWG report phishing

    Industry phishing reporting for suspicious emails and phishing URLs.

  • USPIS package smishing guidance

    USPS package tracking text scams, delivery-message reporting, and text-specific warning signs.

  • PayPal suspicious message reporting

    Reporting suspicious PayPal emails, texts, and websites to the impersonated provider.