Phishing is not just a fake email. It is any message that tries to make you act before you verify: click a link, scan a QR code, open a file, enter a password, share a code, call a number, install software, or send money.
The important question is not only how official the message looked. It is what happened after you saw it. A click, a typed password, a one-time code, a payment, and a downloaded file all call for different next steps.
Start with what happened
Use the closest match. If more than one applies, start with the situation involving money, account access, sensitive information, downloads, or remote access.
I only received the message
If you did not click, reply, call, scan a QR code, or open an attachment, the main job is to avoid using the message as proof.
Open the real app or website yourself, use a saved bookmark, or use a known phone number from the official source.
Check whether the message is asking for a login, code, payment, file, phone call, or reply.
If it is a text from an unknown sender, do not reply with private information.
Do not click the link or call the number in the message to prove it is real.
I clicked but entered nothing
Clicking is not the same as entering your password or card number. The next question is whether the page loaded, downloaded something, opened another app, or asked for information.
Close the page. Check your downloads, browser tabs, and whether the site asked for a login, payment, one-time code, profile install, or app install.
If the page did not load, do not click again to test it.
If you closed it right away and entered nothing, treat it as lower risk than account or payment exposure.
On iPhone or Android, look for a downloaded file, new app, profile, permission request, or unusual browser behavior.
Do not reset your whole phone only because you clicked. Look for signs first and use device guidance if something changed.
I typed information but did not submit
Treat typed passwords, codes, card numbers, or personal details as exposed if you are not sure how the page behaved. Some pages can capture information before a final submit button.
Act based on what you typed. If it was a password, change it from the real site. If it was payment or identity information, contact the relevant provider.
Did a password manager fill the page automatically?
Did the page show an error, spinner, or redirect after typing?
Did you paste a one-time code, card number, SSN, bank login, or address?
Do not keep using a password you typed into a suspicious page.
I entered a password or one-time code
A password can let someone sign in. A one-time code can approve a login, password reset, device registration, or payment.
Go to the real website or app yourself and change the password. Then review sessions, recovery settings, forwarding rules, and connected apps.
Change that password anywhere else you reused it.
Sign out of other sessions if the account offers that option.
Do not share another code with anyone who calls, texts, or chats after the first message.
I entered card, bank, SSN, or personal information
This can become payment fraud, account abuse, or identity risk depending on what you shared.
Contact the bank, card issuer, payment app, or account provider using a known number or the real app. Use IdentityTheft.gov when SSN or identity misuse applies.
Card number: ask the issuer about replacing the card and watching pending charges.
Bank login or routing/account details: contact the bank quickly.
SSN, date of birth, address, or ID image: use identity theft recovery steps if misuse is possible.
Do not send more private details to someone who claims they can remove the risk for a fee.
I downloaded or opened something
A suspicious attachment, fake invoice, PDF, installer, or mobile download needs device and account checks.
Do not open it again. Use trusted security software, check for new apps or browser changes, and contact work or school IT if their account or device was involved.
Look for a file in Downloads or Files, not just the browser tab.
Check whether you installed an app, browser extension, configuration profile, or remote-access tool.
If this touched a work or school account, report it to the support team even if nothing obvious happened.
Do not install remote-access software because a message, caller, or pop-up told you to.
I sent money
When money moved, the payment provider controls the account and dispute options. Start there before you spend time on general research.
Contact the payment provider immediately. Save receipts, transaction IDs, wallet addresses, usernames, emails, phone numbers, dates, and screenshots.
Use the app or official website, not a phone number from the phishing message.
Report fast even if recovery is uncertain.
Watch for recovery services that ask for upfront payment.
Do not pay a recovery service that promises to get the money back.
My account, phone, or computer seems different
Some signs matter more than general anxiety: unfamiliar sign-ins, changed settings, forwarding rules, new apps, popups, or remote-access tools.
Check the affected account first, then the device. Unknown sessions, changed recovery info, forwarding rules, and unknown apps matter more than a slow page by itself.
Review recent sign-ins and security alerts.
Check recovery email, recovery phone, forwarding rules, and connected apps.
Look for new apps, browser extensions, profiles, popups, or remote-access software.
Do not assume every battery drain, slow page, or spam message proves the device is hacked.
I need to report it
Reporting is still useful even if you did not lose money. The right place depends on fraud, identity information, payment, platform, and work or school involvement.
Save evidence first, then report to the official destination that matches what happened.
FTC for consumer fraud and phishing reports.
IC3 for internet-enabled crime or fraud.
IdentityTheft.gov for identity theft or sensitive personal information.
Do not paste full SSNs, full card numbers, or private account credentials into random forums or helper tools.
A click is not the same as giving access
Many people land here because they clicked and then panicked. A click can matter, but it is not the same as entering a password, sharing a one-time code, downloading software, sending money, or giving remote access.
After a click, check what actually happened. Did the page load? Did a file download? Did the browser ask to open another app? Did the page ask for a login, card number, security code, profile install, or permission? Those details decide the next step better than the message's design.
How risk changes after the message
Use this as a practical scale, not a guarantee. Risk usually rises when the message leads to account access, sensitive information, money, a download, or remote control.
Saw it only
Verify outside the message, report if useful, and delete or archive it.
Clicked but entered nothing
Close the page and check for downloads, prompts, app installs, profiles, or redirects.
Typed but did not submit
Treat sensitive information as possibly exposed if you cannot tell whether the page captured it.
Entered password or code
Change the password on the real site and review sessions, recovery settings, forwarding rules, and connected apps.
Entered payment or personal information
Contact the financial or account provider. Use identity recovery steps when SSN or identity details were shared.
Downloaded, opened, paid, or gave remote access
Preserve evidence and handle the device, account, payment, or report as its own issue.
This scale is meant to prevent two common mistakes: ignoring real account exposure, or assuming the worst from a click that did not lead anywhere.
If you entered information, handle the account or provider first
Once you typed or submitted information, the response should match the information involved. A password problem is different from a card problem. A one-time code is different from an email address. SSN or ID exposure is different again.
What to check first
Work from the real app or website, not from the suspicious link. If a provider has account security tools, use those before relying on general advice.
Password
Change it on the real site. If you reused that password anywhere else, change it there too.
Sessions and devices
Many accounts let you remove other signed-in devices. Use that option when available.
Recovery settings
Look for changed recovery email, recovery phone, backup codes, app passwords, or security questions.
Email forwarding rules
For email accounts, look for forwarding, filters, or rules that send mail to an address you do not recognize.
Connected apps
Remove OAuth apps, browser extensions, or account connections you do not recognize.
One-time codes
A code can approve a login, reset, device registration, or payment. Do not share another code with anyone who contacts you.
Card, bank, or payment app details
Contact the issuer, bank, or payment app through the real app, website, card, bill, or statement. Ask about account locks, disputes, replacement cards, and pending activity.
SSN, date of birth, ID image, or tax details
Use identity theft recovery steps if misuse is possible, especially if an account was opened, changed, or used without permission.
If this involved a work or school account, contact the support team even if you already changed the password.
If you downloaded something, sent money, or noticed account changes
Some phishing incidents stop being only a message problem. A file, remote-access tool, payment, or changed account setting should be handled as its own issue.
Situations that need closer follow-up
These are the moments where screenshots and careful notes help, because the next person you contact may be a bank, platform, employer, school, or official reporting site.
A file downloaded or an attachment opened
Do not open it again. Check Downloads or Files, scan with trusted security software, and look for browser extensions, profiles, or apps you did not install intentionally.
Remote-access software was installed
Disconnect from the caller or chat. Remove the tool only after preserving enough detail to explain what happened. Review accounts that were open while the tool was active.
Money was sent
Contact the payment provider quickly. Recovery is not guaranteed, but the provider controls account locks, disputes, reversals, and fraud reports.
A phone, computer, or account changed
Look for unfamiliar sign-ins, changed recovery information, forwarding rules, connected apps, new extensions, popups, profiles, or unknown apps.
A work or school device was involved
Contact the right support team. Shared files, payroll accounts, email, Teams, and school accounts may have rules that personal accounts do not.
A recovery service contacted you
Be careful. Someone promising to recover money for an upfront payment may be starting a second scam.
What the message wanted from you
Phishing is a trust trick. The requested action usually points to the risk. The same fake bank alert can be low risk if you only saw it, account risk if you entered a password, payment risk if you sent money, and device risk if it installed software.
Message action and likely risk
| What it asked for | Likely risk | Best first move |
| --- | --- | --- |
| Click a link | Fake login, payment page, tracking, or download | Close it and check what loaded or downloaded |
| Enter a password | Account takeover | Change it on the real site and review sessions |
| Share a one-time code | Login, reset, or payment approval | Treat the code as account access |
| Open an attachment | Fake invoice or malware risk | Do not reopen it; scan and review device signs |
| Call a number | Fake support or bank impersonation | Use a known number from the official source |
| Install software | Remote access | Disconnect from the caller and remove unknown tools |
| Send money | Payment scam | Contact the payment provider first |
| Move off-platform | Weaker platform protections | Keep evidence and report in the original platform |
Use this map to decide whether the next issue is account, identity, payment, device, or reporting.
Where phishing shows up now
The channel changes, but the pattern is the same: the message creates pressure and gives you an unsafe way to act. Common examples include:
Texts about packages, tolls, bank alerts, missed deliveries, payment failures, or verification codes.
QR codes on invoices, parking notices, signs, emails, mailed notices, or payment pages.
Fake invoices for PayPal, Microsoft, antivirus renewals, business services, or support charges.
Marketplace and social DMs that ask you to verify, pay, refund, ship, or continue the conversation somewhere else.
Work or school messages about shared files, payroll changes, Teams messages, document requests, or account access.
What not to do next
A second mistake often happens after the first one. Pause before doing any of these:
Do not reply with passwords, codes, SSNs, card numbers, bank details, ID photos, or account recovery details.
Do not share one-time codes with anyone who calls, texts, emails, or chats after the first message.
Do not call the number in the suspicious message. Use a known number from the official website, card, bill, statement, or app.
Do not install remote-access software because a message, caller, or pop-up told you to.
Do not pay a recovery service that promises to get scam money back.
Do not send screenshots with full private details to random helpers. Hide full SSNs, card numbers, account numbers, codes, addresses, and recovery details first.
Do not keep using the same password if you typed it into a suspicious page.
What to save and where to report
Before reporting, save enough detail to explain what happened without spreading private information further. You do not need to post everything publicly to get help.
What to save
Keep the uncropped originals for official reports or providers. Crop or blur private details before sharing screenshots with anyone else.
URLs, QR-code destination if visible, fake login page address, invoice number, or attachment name.
The timeline
Dates, times, what you clicked, what loaded, what you typed, what you submitted, and what changed afterward.
Payment evidence
Receipts, transaction IDs, wallet addresses, usernames, bank references, order numbers, and amounts.
Account changes
Security alerts, unfamiliar sign-ins, changed passwords, changed recovery email or phone, forwarding rules, and connected apps.
For consumer phishing and fraud, the FTC's ReportFraud site is the main federal consumer reporting option. For internet-enabled crime, online fraud, or money loss, FBI IC3 is the federal reporting option. If identity theft or SSN exposure applies, IdentityTheft.gov gives recovery steps. If money, account access, a platform account, or a work or school account was involved, also contact that provider or support team directly.
Official sources
These sources support the safety rules and reporting options on this page. ScamClarity does not replace them.
Recognizing phishing, avoiding suspicious links and attachments, reporting phishing, and using IdentityTheft.gov when sensitive information was shared.
USPS package tracking text scams, delivery-message reporting, and what to do after interacting with a fake package link.
Questions people ask after a phishing message
I clicked and the page did not load. What now?
Do not click it again to test it. Check whether a file downloaded, a browser tab stayed open, another app opened, or your device asked for a permission, profile, or install. If none of that happened and you entered nothing, treat it as a clicked-only situation rather than assuming the device was taken over.
I typed my password but did not submit it. Does that matter?
Yes, it can. If you typed a password into a suspicious page, treat that password as exposed unless you are sure nothing was captured. Change it on the real site and anywhere else you reused it.
Can a phishing link hack my iPhone or Android?
A link alone is not proof that a phone was taken over. Risk rises if the link downloaded a file, installed an app or profile, asked for a login, opened a payment flow, or led you to share a code. Look for concrete signs before resetting the phone.
Should I reply STOP to a suspicious text?
Only reply STOP when you trust the sender, such as a service you knowingly subscribed to. With an unknown or suspicious sender, replying can confirm the number is active. Use your phone or carrier report options instead.
Should I report phishing if I did not lose money?
Yes, if you can do it without sharing more private information. Reports can help providers and agencies identify patterns. Use the reporting option that matches the message, platform, payment, or identity issue.
How did they get my email or phone number?
A phishing message does not prove someone has access to your account. Email addresses and phone numbers can come from public pages, old data breaches, lead lists, scraped profiles, mistyped addresses, or random sending. Focus first on what you did after receiving it.