I Clicked a Scam Link — What to Do Right Now
Free: How to Keep Yourself Safe From Scammers
9 chapters. Reporting checklist. 30-second protection checklist. Read on the site.
I Clicked a Scam Link — What to Do Right Now
It happens to the best of us. You tapped a link in a text message, clicked through in an email, or followed a URL that turned out to be a scam. Maybe you realized immediately, or maybe you entered some information before the alarm bells went off.
Either way, don't panic. What you do in the next few minutes matters far more than the click itself. This guide covers exactly what to do if you clicked a scam link, whether you simply loaded the page or went further and entered personal information.
Scenario 1: You Clicked the Link But Didn't Enter Any Information
If you only loaded the scam page without typing anything in, your risk is lower — but not zero. Malicious websites can sometimes install malware or tracking scripts simply by loading in your browser.
Immediate Steps
- Close the browser tab immediately — don't interact with anything on the page
- Disconnect from the internet temporarily (turn on airplane mode)
- Clear your browser cache and cookies to remove any tracking
- Run a malware scan using your device's built-in security (Windows Defender, Apple's XProtect) or a trusted antivirus app
- Restart your device after the scan completes
- Update your operating system and browser to the latest version to patch any vulnerabilities
For Mobile Devices
- iPhone: iOS has strong sandboxing, so simply closing Safari and clearing history is usually sufficient. Go to Settings > Safari > Clear History and Website Data.
- Android: Run a scan with Google Play Protect (Settings > Security > Google Play Protect). Clear your Chrome data under Settings > Privacy and Security > Clear Browsing Data.
Not sure if your message is real? Paste it into Cautellus and get a risk score before you reply.
Scan it free →Or: Get the Chrome extension to scan pages without leaving your browser.
Scenario 2: You Entered Login Credentials
If you typed a username and password into a fake login page, act immediately.
Immediate Steps
- Change your password for that account right now — go directly to the real website (type the URL manually, don't use the scam link)
- Enable two-factor authentication (2FA) if you haven't already
- Change the password on any other account where you use the same password
- Check for unauthorized activity — review recent login history, sent emails, or transactions
- Log out of all sessions — most services have a "Sign out of all devices" option in security settings
Critical: If It Was Your Email Password
Your email is the master key to your digital life. If a scammer has your email password, they can:
- Reset passwords for your bank, social media, and other accounts
- Intercept two-factor authentication codes
- Read sensitive personal information
- Impersonate you to your contacts
Change your email password first, then check your email's "sent" folder and account forwarding rules for anything you didn't set up.
Scenario 3: You Entered Financial Information
If you entered credit card numbers, bank account details, or payment information on a scam site, time is critical.
Immediate Steps
- Call your bank or credit card company immediately — use the number on the back of your card
- Report the fraud and request they freeze or cancel the compromised card
- Monitor your accounts closely for the next 30-90 days
- Set up transaction alerts so you're notified of any charges
- Document everything — take screenshots of the scam page if possible and note exactly what information you entered
If You Sent Money via Wire Transfer, Gift Cards, or Crypto
Unfortunately, these payment methods are nearly impossible to reverse. However:
- Wire transfer: Contact your bank immediately — there's a small window where they may be able to recall the wire
- Gift cards: Call the gift card company (Google, Apple, Amazon) and report the fraud with the card numbers
- Cryptocurrency: Report to the exchange you used and file a police report, though recovery is unlikely
Scenario 4: You Entered Personal Identity Information
If you provided your Social Security number, driver's license number, date of birth, or other identity documents:
Immediate Steps
- Place a fraud alert on your credit reports by contacting one of the three bureaus (Equifax, Experian, or TransUnion — they're required to notify the other two)
- Consider a credit freeze — this prevents anyone from opening new accounts in your name. Contact all three bureaus individually:
- Equifax: 1-800-685-1111
- Experian: 1-888-397-3742
- TransUnion: 1-888-909-8872
- Monitor your credit reports weekly at AnnualCreditReport.com (free)
- File an identity theft report at IdentityTheft.gov
- Report to your local police for documentation
How to Report the Scam
Reporting helps authorities track and shut down scam operations:
- FTC: reportfraud.ftc.gov
- FBI's IC3: ic3.gov (for internet crimes)
- Your email provider: Use the "Report phishing" feature
- Phone carrier: Forward scam texts to 7726 (SPAM)
- Anti-Phishing Working Group: reportphishing@apwg.org
If You Also Shared Specific Documents
If the scam went past a link click and you actually handed over a specific document or credential, jump to the targeted recovery guide for that item:
- Sent a photo of your driver's license? Follow the driver's-license-compromised checklist — credit freeze, DMV flag, FTC identity theft report.
- Shared a verification code (WhatsApp, Google Voice, banking app)? Read the verification code scam guide — the steps to reclaim the account are time-sensitive.
- Sent money via Zelle, Venmo, or Cash App? See the Zelle and Venmo payment scams guide for what you can (and can't) recover.
How to Prevent Future Scam Clicks
Once you've secured your accounts, take these steps to avoid falling for scam links in the future.
First, lock down your logins so a stolen password can't be used — a password manager also refuses to autofill on a fake domain, which quietly catches a lot of phishing. In 2026 the second factor you choose matters as much as the password. Here's the ladder, strongest first:
Protect Yourself
Protection in 2026 is a ladder. Climb as high as each account lets you — and don’t stop at the bottom rungs just because they used to be enough.
Passkeys — the strongest, easiest option
A passkey is tied to the real website’s address, so a fake login page can’t use it. That’s what “phishing-resistant” means, and it’s exactly what ordinary 2FA isn’t. Turn passkeys on anywhere they’re offered — Instagram, Google, Apple, Microsoft, and a growing list of banks already support them.
Hardware security keys — for your most important accounts
A physical key you tap or plug in (YubiKey, Google Titan, Feitian; some read your fingerprint). A remote attacker can’t touch it. Use one on your primary email, banking, and any business logins, and keep a spare as backup.
App-based two-factor — strong middle ground
An authenticator app (Authy, Google Authenticator) is far better than text-message codes. It can still be phished in real time, so use it everywhere a passkey or key isn’t available — just don’t treat it as the finish line.
The floor — still required, never sufficient on its own
- SMS (text-message) 2FA is the weakest form of 2FA, but weak 2FA still beats none. Keep it on anything that offers nothing stronger.
- Never reuse a password. Everyone does it; one breach then unlocks every account that shares that password. Don’t.
- Use a password manager. It creates a unique strong password for every site, remembers them all, and increasingly stores your passkeys too. It’s the single highest-leverage habit for most people.
Lock the back door — account recovery
Most takeovers don’t beat your login; they walk in through password recovery. Use a private recovery email that isn’t on your public profile, store backup codes offline, remove SMS as a recovery method where you can, and turn on login alerts so a reset attempt reaches you instantly.
Two-factor authentication and good passwords are the floor you stand on — not the ceiling you stop at.
Then build the habits that keep you off fake pages in the first place:
- Slow down before clicking — scammers rely on urgency to override your judgment
- Verify independently — if a text or email claims there's a problem, go directly to the company's official website or app
- Keep software updated — security patches protect against known vulnerabilities
Got something like this in your inbox? Drop it into the scanner — it takes 5 seconds and could save you thousands.
Check it now →Already been scammed? See where and how to report it.
Check Suspicious Links Before You Click
The best defense is checking before you click. Cautellus's scanner can analyze suspicious text messages, emails, and links instantly. Paste the message content into our AI-powered tool, and we'll identify phishing patterns, suspicious URLs, and scam tactics before you put yourself at risk.
Already clicked something suspicious? Follow the steps above, then use Cautellus to analyze the original message so you understand exactly what kind of scam it was — and can warn others.
Think you've been targeted? Paste any text, link, email, or screenshot into Cautellus for instant AI analysis.
Scan something free →Want unlimited scans + the Chrome extension? See pricing.
Courtney
Founder, Cautellus · 20+ years in financial services
Two decades in financial compliance, digital security, and fraud prevention. Built Cautellus because the scam detection tools that exist were made for IT departments, not for real people getting weird texts.
Learn moreKeep reading
Support Our Mission
Cautellus is built to protect people from online fraud. Your contribution helps us keep building security tools and resources.