isthisdodgy.co.uk


I clicked a scam link. What now?

First, take a breath. Most people who click a scam link are fine, especially if they noticed quickly. Here's what to do, in order, depending on how far you got.

You only clicked the link

If you tapped the link but did not type anything, did not download anything and did not log in, the damage is usually small. Modern phones and browsers stop most malware automatically.

  1. Close the tab.
  2. Don't go back. Don't tap the back button to "see what it was".
  3. On Android, run a quick scan with the built-in Play Protect (Settings, Google, Play Protect). On iPhone, you don't need a virus scan.
  4. If you were on a work device, tell your IT team so they can block the page for everyone else.

You entered a password

Act fast. The scammer may already be logging into the real site with your details.

  1. Go to the real website (typed by hand, not from the email) and change the password right now.
  2. Change the same password on any other site that used it. Scammers try the same password everywhere.
  3. Turn on two-factor authentication on every account that supports it.
  4. Check the account for any logins, settings changes or transactions you didn't make.

You entered card or bank details

Call your bank now. Use the number on the back of your card, not any number from the scam page or email.

  1. Tell them what happened. They will lock or replace the card.
  2. Watch your account closely for the next 48 hours. Tiny test payments often appear before a big one.
  3. If money has already moved, ask them to start a fraud claim under the new authorised push-payment (APP) reimbursement rules.
  4. Report it to Action Fraud (0300 123 2040). In Scotland, call 101.

You entered a one-time code

Treat this as the most urgent case. A scammer with your password and your 2FA code can do anything you can do on that account.

  1. Change the password on that account immediately. The new password will invalidate any active sessions.
  2. Sign out of all other sessions in the account's security settings.
  3. Turn on a stronger 2FA method (authenticator app or hardware key, not SMS).
  4. If it was a banking code, call your bank using the number on the back of your card.

You downloaded a file

On a phone, deleting the app or file is usually enough. On a laptop or desktop, be more careful.

  1. Disconnect from the internet (turn off wifi).
  2. Run a full antivirus scan. Windows Defender (built into Windows) and the built-in macOS protection are both fine.
  3. If anything is found, follow the prompts to remove it.
  4. Change passwords for any accounts you use on that device, especially banking and email.

Check for damage over the next two weeks

  • Watch your bank account for unusual transactions, even tiny ones.
  • Check your email for password-reset requests you did not start.
  • Check that no new addresses or phone numbers have been added to your accounts.
  • Check your credit report. CheckMyFile offers a free 30-day trial that pulls all four UK credit agencies.

Always report, even if no money was lost

Reporting helps everyone else. Action Fraud aggregates reports and the National Cyber Security Centre uses them to take down scam pages, often within hours.

Common questions

I just clicked the link and closed it. Is my phone infected?
Almost certainly not. Modern phones do not run software just because you visited a page. Risk only starts when the page asks you to download something or enter details, and you do.

I gave my card details. Will the bank refund me?
In most UK cases, yes. Since 7 October 2024 banks have to reimburse most authorised push-payment fraud. Report it to your bank within 13 months and you should be covered for losses up to £85,000.

Should I pay for a fancy antivirus after clicking a link?
No. Windows Defender on Windows and the built-in macOS protection are both fine for personal use. The free Bitdefender or Malwarebytes scanners are good for a one-off second opinion.

How do I tell if my email account was hacked after I entered the password?
Look for sign-ins from places you have not been (most email apps show this in security settings), forwarding rules you did not set, and emails in your sent folder that you did not send.
