The First 3 Things to Do After Clicking a Suspicious Link

There’s a half-second after you click a link, before the page loads, before anything visible happens, where everything is already in motion. A script might be executing. A tracker might be logging your IP. A redirect chain might be unspooling toward something you never intended to visit. That half-second is gone before you can react to it, and that’s precisely the point. Phishing links, malicious redirects, and drive-by download pages are engineered to exploit the gap between human instinct and human awareness.

Most people, when they realize what they’ve done, do one of two things: they close the tab and hope for the best, or they spiral into panic and start making fast decisions that compound the damage. Neither response is particularly useful. What actually matters in those first few minutes is a sequence of deliberate actions, not frantic ones, that can meaningfully reduce the risk of what happens next.

Here’s what that sequence looks like, and why each step matters more than it might seem.

Disconnect Before You Investigate

The instinct to figure out what just happened is understandable, but it’s also exactly the wrong first move. Before you open a new tab to search for the URL, before you take a screenshot, before you do anything else, get offline.

Turn off Wi-Fi. Disconnect from Ethernet if you’re wired in. If you’re on a phone, toggle airplane mode. The reasoning here is straightforward: many malicious sites rely on a persistent connection to complete their payload. Some malware variants phone home immediately after execution, establishing a command-and-control channel that allows remote access to your machine. Others rely on continuous data exfiltration, slowly pulling files, credentials, or session tokens across a live connection. Cutting that connection doesn’t undo what already happened, but it severs the line before the damage can deepen.

There’s a subtler reason, too. When you’re offline, you create a stable environment for assessment. Anything running on your device at that moment is running in isolation. Nothing new can be pushed to it. Nothing it found can be sent out. You’ve essentially frozen the scene.

The objection some people raise is that their work depends on being online, or that they need the internet to research the threat. That’s a real tension, but it misunderstands the priority. In the immediate aftermath of a suspicious click, your goal is containment, not diagnosis. Diagnosis can wait five minutes. An exfiltration process that’s already running cannot.

Document What You Actually Saw

Once you’re offline, or while you’re disconnecting, take a moment to document what happened with as much precision as you can. This sounds bureaucratic, but it serves a purpose that becomes obvious later: memory degrades fast under stress, and the details you’re tempted to dismiss as irrelevant are often the ones that matter most.

Write down the full URL if you can still see it or remember it. Note the time. Describe what the page looked like, if it loaded at all: did it ask you to log in somewhere? Did a pop-up appear? Did a file download begin automatically? Did your browser warn you before loading, or after?

This documentation matters for a few distinct reasons. If you need to report the incident to an IT security team at work, they’ll want specifics. If a credential was potentially exposed, knowing which site the phishing page was imitating helps you prioritize which accounts to address first. And if a file did download, even if you didn’t open it, knowing the filename and extension gives you, and any security tools you use, a concrete thing to look for.

The psychological value of this step is underrated. Writing things down converts a vague, anxious sense of “something bad happened” into a concrete record of “here is exactly what happened.” That shift in framing changes how you respond to everything that follows. You’re no longer reacting to a feeling; you’re responding to a set of documented facts.

Change the Credentials That Were Closest to the Click

This is where most people either overreact or underreact. Some try to change every password they own in a panic-driven marathon. Others decide nothing was compromised and do nothing at all. The more disciplined approach is targeted: change the credentials that were plausibly in scope, based on what you observed.

If the link came through an email that appeared to be from your bank, change your banking password first. If it looked like a Netflix notification, start there. If you were logged into a specific service when you clicked and the page appeared to be related to that service, that account is your immediate priority. The logic isn’t complicated: phishing attacks are almost always impersonating something you already have a relationship with, because familiarity is what gets people to click in the first place.

What makes this step more complex is the question of where you change the password. You just disconnected from the internet, and reconnecting feels risky. There’s a reasonable solution here: use a different device, ideally one that was not present on the same network session and was not involved in the original click. Change the credentials from your phone if you clicked the link on a laptop, or vice versa. This isn’t paranoia; it’s just ensuring that whatever may have been compromised on the first device doesn’t sit in the communication path between you and the account you’re trying to protect.

One more thing worth doing in this step: check whether any accounts you’re changing passwords for have active sessions you didn’t initiate. Most modern services (Google, Apple, Facebook, and most banking apps) show you a list of active sessions with device type and rough location. If you see a session you don’t recognize, revoke it before you change the password, not after. The order matters because revoking first ensures that whoever may have piggybacked on your session is cut off immediately, rather than being given a window to note your new credentials.

Why the Order Matters as Much as the Actions

These three steps (disconnect, document, change targeted credentials) work because they follow the logic of damage control rather than the logic of investigation. Most people want to understand what happened before they act on it. That’s a reasonable impulse in most contexts, but in a potential security incident, understanding and acting need to run in parallel, not in sequence.

The disconnect step limits the blast radius. The documentation step ensures you have something concrete to work with once you’re calm enough to think clearly. The credential change step addresses the most likely avenue of harm, account takeover, without the chaos of trying to protect everything at once.

Security incidents that escalate into serious data breaches or identity theft rarely do so because of what happened in the first click. They escalate because of what happened in the minutes and hours afterward: the unrevoked sessions, the passwords left unchanged, the malware that had a live connection long enough to do its work. That timeline is where your leverage actually is.

You can’t undo the click. What you can do is compress the window between that click and your response until it’s as small as possible. The threat model for most people isn’t sophisticated nation-state actors running zero-days. It’s opportunistic credential harvesting and session hijacking, threats that depend on your inaction to succeed. Take action in the right order, and a suspicious link becomes an inconvenience rather than a breach.