An Employee Clicked a Phishing Link — Here's What to Do in the Next Hour
It happens to good, careful people every day: a convincing email, a busy moment, a click. If an employee has just clicked a phishing link, the worst thing you can do is panic — and the second worst is to do nothing. The first hour matters most. Here’s a clear plan.
First, figure out what actually happened
Not every phishing click is equal. There are two main scenarios:
- They clicked, but didn’t enter anything. The risk is lower, though the page may still have attempted a malicious download.
- They entered credentials or downloaded a file. Treat this as a likely compromise and work through every step below.
Ask the employee calmly: what did the page ask for, did you type anything in, and did anything download or open?
Step 1: Disconnect the device
If a file was downloaded or opened, disconnect that device from the network — unplug the network cable or turn off Wi-Fi. This limits malware from spreading while you assess. Leave the device powered on.
Step 2: Change the password and turn on MFA
If credentials may have been entered, reset that account’s password immediately — and reset it for any other account that used the same password. Enable multi-factor authentication if it isn’t already on; it’s the single best protection against stolen passwords.
Step 3: Check for mailbox rules and forwarding
If an email account was involved, look for forwarding rules or filters the employee didn’t create. Attackers add these within minutes to monitor conversations or hide their activity.
Step 4: Scan the device
Run a full security scan on the affected device. Modern endpoint detection tools can flag and isolate anything that was dropped on the machine.
Step 5: Watch for follow-on activity
A phishing click is often just step one. Over the following days, watch for unusual logins, unexpected payment requests, or messages sent from the account. Business email compromise frequently starts exactly this way.
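A concrete way to carry out Step 3 for a Microsoft 365 mailbox, as an added example that is not part of this article: it assumes the ExchangeOnlineManagement PowerShell module, an admin sign-in, and placeholder addresses for the admin and the affected employee.

```powershell
# Added example (not from the original article): triage mailbox forwarding and
# inbox rules for one Exchange Online user after a phishing click.
# Assumes the ExchangeOnlineManagement module; both addresses are placeholders.
Connect-ExchangeOnline -UserPrincipalName admin@example.com

$User = 'employee@example.com'   # placeholder: the affected mailbox

# 1. Mailbox-level forwarding is set outside inbox rules and is easy to miss.
Get-Mailbox -Identity $User |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

# 2. Inbox rules that forward, redirect, delete, or file messages out of sight.
#    Compare this list against what the employee says they created themselves.
$Rules = Get-InboxRule -Mailbox $User
$Suspicious = $Rules | Where-Object {
    $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or
    $_.DeleteMessage -or ($_.MoveToFolder -match 'RSS|Archive|Deleted|Junk|Conversation History')
}
$Suspicious | Format-List Name, Enabled, Description

# 3. Rules with blank or one-character names (".", ",") are a common hiding trick.
$Rules | Where-Object { $_.Name.Trim().Length -le 1 } | Format-List Name, Enabled, Description

# 4. Once confirmed with the employee: disable (rather than delete) so the evidence
#    survives for later review, and clear mailbox-level forwarding. Uncomment to apply.
# $Suspicious | ForEach-Object {
#     Disable-InboxRule -Identity $_.Identity -Mailbox $User -Confirm:$false
# }
# Set-Mailbox -Identity $User -ForwardingSmtpAddress $null -ForwardingAddress $null `
#     -DeliverToMailboxAndForward $false

Disconnect-ExchangeOnline -Confirm:$false
```

Run the review sections first and only apply the commented changes after the employee has confirmed which rules are theirs; disabled rules can be re-enabled if something legitimate was caught.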
Don’t punish the employee
This matters. If staff fear blame, they hide mistakes — and a hidden phishing click is far more dangerous than a reported one. Thank people for speaking up. The goal is a culture where the first instinct is to tell someone, fast.
When to bring in help
If credentials were entered, a file was downloaded, or you simply aren’t sure how far it went, get expert eyes on it. A managed security team can confirm whether anything is still active and contain it properly.
If you’re dealing with this right now, see our incident response guide or contact us — we can help you check whether the click turned into something more.