How to secure your accounts after phishing
After clicking a phishing link or entering details, securing your accounts well prevents most follow-on damage. The priorities are: change exposed passwords, turn on app-based two-step verification, sign out other sessions, and check for sneaky changes like mail-forwarding rules. This guide walks you through it in order.
Quick answer
- Start with email, then banking, then anything reusing the password.
- Reset passwords and enable app-based 2FA.
- Sign out other sessions/devices.
Do this now
- Change the password of any exposed account from a secure device.
- Turn on app-based two-step verification.
- Sign out all other sessions and check for unknown rules/devices.
Understanding what happened
After a phishing attempt, securing your accounts well prevents most follow-on damage - and the order you do it in matters. Email first (it controls everyone else's password resets), then banking, then anything that shared the same password. Done promptly, this usually shuts attackers out entirely.
Phishing's payoff is reused credentials and live sessions. Even if you only entered details once, assume that password is known and may be tried elsewhere, and that an attacker who got in may have created ways to stay - which is why changing passwords is necessary but not always sufficient.
Two-step verification is the single biggest upgrade, because it blocks logins even when the password is known; app-based authenticators or passkeys are stronger than SMS. Signing out all other sessions and removing unknown connected apps cuts off anyone already inside.
Finish by checking the quiet places attackers hide: email forwarding rules and filters, recovery phone and backup email, and third-party app access. Moving to unique passwords with a password manager means one phished site can never again endanger the rest.
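The forwarding-rule check above can be scripted once you have exported your mailbox rules. The following is an added example, not code from this guide: it assumes a constructed rule format (name, forward-to addresses, actions, keyword conditions) and a hypothetical set of domains you own, and flags rules that forward mail outside those domains or that hide messages about passwords and security alerts.

```python
"""Audit exported mailbox rules for the tampering a phisher might leave behind."""
from dataclasses import dataclass, field

# Domains you control (assumption; replace with your own).
OWN_DOMAINS = {"example.com"}
# Words an attacker's hide-rule commonly matches so you never see reset or alert mail.
SUSPICIOUS_WORDS = ("password", "verification", "security alert", "bank", "invoice")


@dataclass
class MailRule:
    """Constructed, provider-neutral shape for one inbox rule/filter."""
    name: str
    forward_to: list[str] = field(default_factory=list)
    actions: list[str] = field(default_factory=list)   # "delete", "mark_read", "move:<folder>"
    keywords: list[str] = field(default_factory=list)  # subject/body conditions


def external(address: str) -> bool:
    """True when the address's domain is not one you own."""
    domain = address.rsplit("@", 1)[-1].lower()
    return domain not in OWN_DOMAINS


def audit_rules(rules: list[MailRule]) -> list[tuple[str, str]]:
    """Return (rule name, reason) for every rule worth reviewing or removing."""
    findings = []
    for rule in rules:
        outside = [a for a in rule.forward_to if external(a)]
        if outside:
            findings.append((rule.name, f"forwards to external address(es): {', '.join(outside)}"))
        hides = any(a in ("delete", "mark_read") or a.startswith("move:") for a in rule.actions)
        hot = [k for k in rule.keywords if any(w in k.lower() for w in SUSPICIOUS_WORDS)]
        if hides and hot:
            findings.append((rule.name, f"hides messages matching {hot}"))
    return findings


# Constructed sample export: two legitimate rules and two typical attacker rules.
SAMPLE_RULES = [
    MailRule("Newsletters", actions=["move:Newsletters"], keywords=["unsubscribe"]),
    MailRule("To my phone", forward_to=["me@example.com"]),
    MailRule("Backup copy", forward_to=["drop.box@attacker-mail.invalid"], actions=["mark_read"]),
    MailRule("Rule 1", actions=["delete"], keywords=["password reset", "security alert"]),
]

if __name__ == "__main__":
    for name, reason in audit_rules(SAMPLE_RULES):
        print(f"REVIEW rule {name!r}: {reason}")
```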
First 5 minutes
- Start with email, then banking, then anything reusing the password.
- Reset passwords and enable app-based 2FA.
- Sign out other sessions/devices.
First 24 hours
- Check for forwarding rules, filters, and connected apps you didn't add.
- Update recovery details (phone, backup email) if tampered.
- Use unique passwords (a password manager helps).
Next 7 days
- Watch for login alerts and unusual activity.
- Finish updating any remaining reused passwords.
- Review and remove unknown third-party app access.
What not to do
- Do not reuse the exposed password anywhere.
- Do not skip 2FA - it blocks most account takeovers.
- Do not forget to check email forwarding rules.
Evidence to save
- Login history showing unfamiliar access.
- Any rules/filters or connected apps you removed.
- Screenshots of the phishing message.
How to report
- Gather your evidence first (screenshots, dates, amounts, any reference numbers).
- Report to your national fraud/cybercrime body and, if money moved, to your bank.
- Find the right official links for your country in the reporting directory.
- Do not use phone numbers or links from the suspicious message - look up the official ones yourself.
- Report quickly if money was sent or ID documents were shared; speed improves your options.
- Keep your evidence - see how to save scam evidence.
Beware 'recovery' offers afterwards: anyone who contacts you promising to get your money back for an upfront fee is running a second scam.
Stop it happening again
Use a password manager so every account has a unique password, making one leak far less damaging.
Keep app-based two-step verification on for important accounts and review connected apps periodically.
This is general safety information, not legal, financial, or cybersecurity incident-response advice.
Frequently asked questions
Which account should I secure first?
Email - it controls password resets for everything else. Then banking and any account sharing the same password.
Is changing my password enough?
Not by itself. Add app-based two-step verification and check for hidden forwarding rules or connected apps; a password change alone may not lock an attacker out.