A phishing message becomes more serious if you entered a password, shared a one-time code, gave payment or personal information, downloaded or installed something, sent money, or noticed account or device changes.
If you only received the message, or clicked a link but entered nothing, the risk is usually lower. Still check what happened after the click before assuming everything is fine or resetting a device.
Do not verify through the link, QR code, phone number, attachment, or reply thread in the suspicious message. Open the real app or website yourself, use a saved bookmark, or use a known phone number from a card, bill, statement, or official website.
Start with what happened
If more than one row applies, handle money, account access, sensitive information, downloads, remote access, or account changes first.
| What happened | What to check first |
|---|---|
| You only received or opened the message | Do not reply, click, call, scan, or open attachments. Report it if useful, then delete or archive it. |
| You clicked or scanned but entered nothing | Close the page. Check for downloads, permission prompts, app or profile installs, extensions, redirects, or payment and login forms. |
| You typed a password or one-time code | Treat it as exposed unless you are sure nothing was captured. Secure the real account and do not share another code. |
| You entered card, bank, or payment details | Contact the bank, card issuer, payment app, or provider through its real app, website, card, statement, or known number. |
| You entered SSN, ID, tax, date of birth, or other identity details | Save evidence. Use identity-recovery steps if the information could be misused or an account was opened, changed, or accessed. |
| You downloaded a file, opened an attachment, installed something, or allowed remote access | Do not reopen the file. Check for new apps, profiles, extensions, permissions, or remote-access tools. Run trusted security checks. |
| You sent money | Contact the payment provider immediately. Save transaction IDs, receipts, usernames, wallet addresses, dates, and screenshots. |
| Your account, phone, or computer changed afterward | Check sign-ins, recovery settings, forwarding rules, connected apps, new apps, profiles, extensions, popups, and remote-access software. |
Risk depends on what loaded, what was entered or submitted, and what changed afterward.
If you clicked but entered nothing
A click is not the same as giving a scammer your password, code, money, or remote access. After a click, check what actually happened:
- Did a file download?
- Did another app open?
- Did the page ask for a login, card number, code, payment, or install?
- Did the browser ask for notifications, permissions, or a profile?
- Did you see a security alert, account change, or unfamiliar sign-in?
- Did a payment app, wallet, or banking screen open?
If none of that happened and you entered nothing, treat it as a clicked-only situation. Do not click again to test the link.
If you entered a password or one-time code
Work from the real account, not the suspicious link. If the exposed account is email, banking, work, school, healthcare, or a password manager, handle it first.
Secure the affected account
Use the account's real app or website. If a provider has security tools, use those before relying on general advice.
Change the password
Change it on the real site. Change the same password anywhere else you reused it.
Sign out other sessions
Use the account's security settings to remove unfamiliar devices or sessions when that option exists.
Check recovery settings
Look for changed recovery email, recovery phone, backup codes, app passwords, passkeys, and security questions.
Review email forwarding rules
For email accounts, check forwarding, filters, and rules that send mail to an address you do not recognize.
Remove unknown connections
Review connected apps, OAuth access, browser extensions, integrations, and devices you do not recognize.
Do not share another code
Ignore calls, texts, emails, or chats asking for a new code, even if they refer to the first message.
A one-time code can approve more than a login. Depending on the service, it may approve a password reset, device registration, payment, or security change. If you cannot get back into the account, use the provider's official recovery process instead of searching for random support numbers.
If payment or identity information was shared
Start with the institution or provider that controls the account, card, payment, or recovery path. A card number, bank login, payment app transfer, SSN, and ID image do not create the same risk.
Match the response to the information shared
Use official apps, websites, cards, statements, or known phone numbers. Do not call a number from the suspicious message.
Credit or debit card
Contact the issuer about blocking activity, replacing the card, checking pending charges, and disputing unauthorized transactions.
Bank login or account details
Contact the bank quickly. Ask about account locks, transfer limits, password resets, and recent activity.
Payment app, wire, gift card, or crypto transfer
Report through the real provider immediately and save transaction records. Some payment methods have narrow recovery windows; some may not be reversible.
SSN, ID image, tax information, or date of birth
Use IdentityTheft.gov if misuse is possible or if an account was opened, changed, or used without permission.
Recovery services
Be careful with anyone who promises to recover scam money for an upfront fee. That can become a second scam.
If something downloaded, installed, or changed
Treat attachments, fake invoices, installers, browser extensions, configuration profiles, and remote-access tools as device and account issues. Do not reopen a suspicious file to inspect it.
Device and download checks
Keep the response evidence-based: check what changed, remove what you can identify safely, and involve the right support team when work, school, or financial accounts are involved.
Check downloads without reopening the file
Look in Downloads, Files, browser downloads, and email attachments without opening the suspicious file again.
Use trusted security tools
Run a scan with security software you already trust or the built-in protection for the device.
Look for new software or settings
Check for unknown apps, browser extensions, configuration profiles, notification permissions, popups, or remote-access tools.
Review accounts open on the device
If banking, email, work, school, healthcare, or password manager accounts were open, check their sessions and security settings.
Contact IT when required
Report work, school, or shared-device incidents to the support team even if nothing obvious happened.
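For the "Check downloads without reopening the file" step, the sketch below is an added example, not part of the original guidance. It lists recently changed files in a folder and records size, timestamp and SHA-256 by reading bytes only, so nothing is launched or previewed. The `Downloads` location, the 48-hour window and the `RISKY` extension list are assumptions.

```python
import hashlib
import os
import time
from pathlib import Path

# Assumption: extensions worth a second look (installers, scripts, profiles, disk images).
RISKY = {".exe", ".msi", ".scr", ".bat", ".cmd", ".ps1", ".vbs", ".js", ".lnk",
         ".iso", ".dmg", ".pkg", ".apk", ".mobileconfig"}

def sha256_of(path):
    """Hash the file's bytes in chunks; reading bytes does not run or render the file."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def inventory_recent(folder, hours=48, now=None):
    """Return metadata for regular files in `folder` modified in the last `hours`, newest first."""
    cutoff = (time.time() if now is None else now) - hours * 3600
    rows = []
    with os.scandir(folder) as entries:
        for entry in entries:
            # Skip sub-folders and symlinks so the listing stays inside `folder`.
            if not entry.is_file(follow_symlinks=False):
                continue
            info = entry.stat(follow_symlinks=False)
            if info.st_mtime < cutoff:
                continue
            rows.append({
                "name": entry.name,
                "size": info.st_size,
                "mtime": info.st_mtime,
                "sha256": sha256_of(entry.path),
                # True for names such as "invoice.pdf.exe" as well as plain installers.
                "risky_ext": Path(entry.name).suffix.lower() in RISKY,
            })
    return sorted(rows, key=lambda r: r["mtime"], reverse=True)

if __name__ == "__main__":
    downloads = Path.home() / "Downloads"  # assumed default download location
    for row in inventory_recent(downloads):
        stamp = time.strftime("%Y-%m-%d %H:%M", time.localtime(row["mtime"]))
        flag = "CHECK" if row["risky_ext"] else "     "
        print(f'{stamp}  {flag}  {row["size"]:>10}  {row["sha256"]}  {row["name"]!r}')
```

The file name, timestamp and hash can go into the timeline you keep for IT or a provider without attaching or forwarding the file itself.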
Verify the message without using it
The safest verification path is outside the message. Open the official app, type the known website address yourself, use a saved bookmark, or call a number from a card, bill, statement, or official website. If the message appears to come from a person you know, contact them another way.
Do not rely only on logos, spelling, urgency, or the sender name. Polished messages can still be fake. The stronger warning sign is the action path: the message pushes you to use its link, QR code, attachment, phone number, payment request, code request, or reply thread instead of letting you verify through the real provider.
Common phishing setups include:
- Fake account alerts, password resets, shared documents, storage warnings, payroll notices, and account closure threats.
- Package, toll, bank, delivery, payment failure, and verification-code texts.
- QR codes on invoices, parking notices, signs, emails, mailed notices, or payment pages.
- Fake invoices for PayPal, Microsoft, antivirus renewals, business services, or support charges.
- Marketplace and social messages that ask you to verify, pay, refund, ship, or continue the conversation somewhere else.
- Work or school messages about shared files, payroll changes, Teams messages, document requests, or account access.
What not to do now
A second mistake often happens after the first one. Pause before doing any of these:
- Do not reply with passwords, codes, SSNs, card numbers, bank details, ID photos, or recovery details.
- Do not share one-time codes with anyone who calls, texts, emails, or chats after the first message.
- Do not call the number in the suspicious message.
- Do not install remote-access software because a message, caller, or pop-up told you to.
- Do not keep using a password you typed into a suspicious page.
- Do not pay a recovery service that promises to get scam money back.
- Do not post screenshots with full private details. Hide full SSNs, card numbers, account numbers, codes, addresses, and recovery details before sharing outside an official report or provider support channel.
What to save before reporting
Keep enough detail to explain what happened without spreading private information further. Save originals for official reports or providers. Crop or blur private details before sharing screenshots anywhere else.
Evidence to keep
The message
Screenshots, sender email, phone number, username, handle, profile link, voicemail details, or mail headers if you know how to preserve them safely.
The destination
URLs, QR-code destination if visible, fake login page address, invoice number, attachment name, or downloaded file name.
The timeline
Dates, times, what you clicked, what loaded, what you typed, what you submitted, and what changed afterward.
Payment evidence
Receipts, transaction IDs, wallet addresses, usernames, bank references, order numbers, and amounts.
Account or device changes
Security alerts, unfamiliar sign-ins, changed passwords, changed recovery email or phone, forwarding rules, connected apps, new apps, profiles, or extensions.
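The advice to hide full SSNs, card numbers and codes applies to written notes as well as screenshots. The sketch below is an added example, not part of the original guidance: it masks those values in a typed timeline before it is shared outside an official report. The patterns, the keyword list and the sample text are constructed assumptions, and a manual read-through is still needed.

```python
import re

def luhn_ok(digits):
    """Return True when a digit string passes the Luhn checksum used by payment cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

# 13-19 digits, unbroken or in groups of four separated by a space or hyphen.
CARD = re.compile(r"\b(?:\d{4}[ -]?){3}\d{1,7}\b")
SSN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# A 4-8 digit number shortly after a word that suggests a one-time code.
CODE = re.compile(r"(?i)\b(code|otp|passcode|pin)\b(\D{0,20}?)\b\d{4,8}\b")

def _mask_card(match):
    digits = re.sub(r"\D", "", match.group())
    # Only mask Luhn-valid numbers so transaction IDs and order numbers survive.
    if luhn_ok(digits):
        return "[CARD ending " + digits[-4:] + "]"
    return match.group()

def redact(text):
    """Mask card numbers, SSNs and one-time codes; leave other evidence untouched."""
    text = CARD.sub(_mask_card, text)
    text = SSN.sub("[SSN removed]", text)
    text = CODE.sub(lambda m: m.group(1) + m.group(2) + "[CODE removed]", text)
    return text

if __name__ == "__main__":
    # Constructed sample note: test card number, never-issued SSN, made-up code and ID.
    note = ("Typed card 4111 1111 1111 1111 and SSN 000-12-3456, then gave "
            "code 482913. Transaction ID 1234567890123456.")
    print(redact(note))
```

Keep the unredacted original for the bank, provider or agency that needs the full values.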
Where to report phishing in the U.S.
If money is moving, an account is locked, or a payment or bank account is involved, contact the provider first. Reporting can still help even if you did not lose money.
Consumer phishing or fraud
Use FTC ReportFraud for suspicious messages, fake claims, impersonation, and consumer scam reports.
ReportFraud.ftc.gov
Phishing emails
Forward suspicious emails to APWG at reportphishing@apwg.org and use the impersonated company's reporting option when available.
APWG report phishing
Suspicious texts
Forward suspicious texts to 7726 and use your phone or carrier report tools. For USPS-related package texts, USPIS also accepts reports.
USPIS smishing guidance
Internet-enabled fraud or money loss
Use FBI IC3 for online fraud, payment loss, business email compromise, and cyber-enabled crime reports. Save or print your complaint before leaving the confirmation screen.
FBI IC3
Identity theft or SSN misuse
Use IdentityTheft.gov for recovery steps when personal information was used or could be misused.
IdentityTheft.gov
Bank, card, payment app, or platform account
Use the real provider's fraud, dispute, or account-recovery channel. The provider controls account locks, disputes, reversals, replacement cards, transaction review, and account recovery.
Payment scam next steps
Work or school account/device
Contact internal IT, security, or the help desk for shared systems, payroll, email, files, and devices that may have reporting rules.
Phone or account change checks
When the problem is more specific
Use a more specific page when the issue is mainly a text message, invoice, remote-access call, account change, identity exposure, or payment.
The message was a text
Text-message phishing has carrier reporting and reply risks that differ from email.
Text message scam next steps
The message was mostly an invoice, renewal, or callback request
Fake invoices often push a phone call, refund trick, remote access, or payment dispute angle.
Fake invoice scam next steps
Someone got you to install software or give remote access
That risk is closer to fake tech support than ordinary phishing.
Fake tech support and remote access
Your phone, computer, or account changed afterward
Unknown sign-ins, changed recovery settings, forwarding rules, new apps, profiles, or remote tools need account and device checks.
Phone or account change checks
You shared SSN, ID, tax, or other personal information
Identity exposure needs a different recovery path than a clicked-only phishing link.
If a scammer has your information
You sent money through Zelle
Fast payment apps have provider-specific reporting and recovery limits.
Zelle scam next steps
You want broader prevention habits
Use prevention advice after the immediate account, payment, identity, or device risk is handled.
Avoid online scams
FAQ
I clicked and the page did not load. What now?
Do not click again to test it. Check whether a file downloaded, a tab stayed open, another app opened, or the device asked for a permission, profile, or install. If nothing loaded and you entered nothing, treat it as a clicked-only situation.
I typed my password but did not submit it. Does that matter?
Yes, it can. Because you cannot confirm how the page was built, treat that password as exposed unless you are sure nothing was captured. Change it on the real site and anywhere else it was reused.
Can a phishing link hack my phone?
A link alone is not proof that a phone was taken over. Risk rises if the link downloaded a file, installed an app or profile, asked for a login, opened a payment flow, or led you to share a code. Look for concrete signs before resetting the phone.
What is QR code phishing?
QR code phishing uses a QR code to send you to a suspicious site, login page, payment page, or download. Treat it like any other phishing link: check what opened, what was entered, and whether anything downloaded or changed.
Should I reply STOP to a suspicious text?
Only reply STOP when you trust the sender, such as a service you knowingly subscribed to. With an unknown or suspicious sender, replying can confirm the number is active. Use your phone or carrier report options instead.
Should I report phishing if I did not lose money?
Yes, if you can do it without sharing more private information. Reports can help providers and agencies identify patterns. Use the reporting option that matches the message, platform, payment, or identity issue.
How did they get my email or phone number?
A phishing message does not prove someone has access to your account. Email addresses and phone numbers can come from public pages, old data breaches, lead lists, scraped profiles, mistyped addresses, or random sending. Focus first on what you did after receiving it.
Sources checked
Sources checked May 27, 2026. ScamClarity is not a government agency, bank, platform, device maker, lawyer, cybersecurity firm, or recovery service. Use the official agency, provider, bank, or platform page for formal reports and account recovery.
- FTC phishing guidance
Recognizing phishing, avoiding suspicious links and attachments, reporting phishing, and using IdentityTheft.gov when sensitive information was shared.
- FTC scam response guidance
Payment-method recovery limits, contacting providers after payment or information exposure, and using IdentityTheft.gov for SSN exposure.
- ReportFraud.ftc.gov
Consumer fraud reporting for phishing messages, impersonation, fake claims, and fraud patterns.
- IdentityTheft.gov
Recovery steps when identity theft, SSN exposure, or misuse of sensitive personal information applies.
- FBI IC3
Reports involving internet-enabled crime, online fraud, payment loss, and cyber-enabled incidents.
- IC3 FAQ
Evidence preservation, complaint details, complaint-copy limits, and expectations after filing with IC3.
- FBI online safety guidance
Verifying account concerns through official company websites and reporting internet-enabled crime to IC3.
- CISA phishing guidance
Recognizing and reporting phishing across email, text, direct messages, and calls; verifying through official contact paths.
- Microsoft phishing guidance
Using official contact routes, recording details, changing reused passwords, enabling multi-factor authentication, and contacting work or school IT.
- Google Gmail phishing guidance
Reporting Gmail phishing, checking unsafe passwords, and using Google account security protections.
- Apple social engineering guidance
Apple account phishing, suspicious messages, fake support calls, software downloads, and not sharing passwords or verification codes.
- APWG report phishing
Industry phishing reporting for suspicious emails and phishing URLs.
- USPIS package smishing guidance
USPS package tracking text scams, delivery-message reporting, and text-specific warning signs.
- PayPal suspicious message reporting
Reporting suspicious PayPal emails, texts, and websites to the impersonated provider.