Free practical cybersecurity guidance for organisations without a security team.
hello@actionsoncyber.com

Actions On: Clicked a Phishing Link

Use this drill when someone clicks a suspicious link, opens a suspicious attachment or enters details into a suspicious page.

Purpose: This drill is designed for small organisations without a dedicated cyber team.

Immediate actions

  1. Stop using the suspicious page immediately. If you opened an attachment, stop using that device until it has been checked.
  2. Do not enter any more information.
  3. Take screenshots of the message, and of the web page if it is still open. Do not reopen the link to capture it.
  4. Report it to your manager, IT provider or incident contact.
  5. Change any affected passwords from a device you trust. If the same password is used on other accounts, change those too.
  6. Turn on MFA if not already enabled.
  7. Check account activity for unrecognised sign-ins, new mail forwarding rules or changed recovery details, and watch for follow-up scams.

Do not

  • Do not delete evidence before it is captured.
  • Do not ignore it because nothing appears to have happened. Stolen credentials are often used days or weeks later.
  • Do not reuse the old password, or any password already used on another account.
  • Do not delay reporting because it feels embarrassing.

Escalate if

  • Money, customer data, staff data or business-critical services may be affected.
  • You suspect criminal fraud or unauthorised access.
  • You are unsure what has been exposed.

After-action review

  • Was reporting simple?
  • Was MFA enabled?
  • Were roles clear?
  • What control would reduce the chance of this happening again?

Note: Practical guidance only. Seek specialist support where personal data, money loss or criminal activity may be involved.