I Clicked a Phishing Link. What Should I Do Now?

· Updated April 28, 2026 · Anuranjan Vikas · 5 min read
phishingscamssecurityguide

If you clicked a phishing link, do not panic. Close the page, do not enter any more details, disconnect from the site, change the password for the account involved, and turn on two-factor authentication. If you entered payment details, OTPs, banking passwords, or UPI PINs, call your bank and report the incident on cybercrime.gov.in or the Indian cybercrime helpline 1930 right away.

The first few minutes matter because most damage happens after the click, not from the click itself. A phishing page usually wants you to do one of three things: type a password, share an OTP, download an app, or approve a payment. Your job is to stop that chain quickly.

Here is the calm version of what to do.

First, what did you do after clicking?

The right response depends on what happened next.

If the page opened and you closed it without entering anything, the risk is lower.

Do this:

  • Close the tab
  • Do not reopen the link
  • Clear recent browser downloads if anything downloaded automatically
  • Forward the link to Kaval on WhatsApp or paste it into Kaval for a safety check
  • Watch for follow-up calls or SMS messages pretending to be from the same company

Most modern phones and browsers are hard to compromise from a single page view. The bigger risk is that the page looked real enough to get you to type something.

You typed a password

Change that password immediately. Start with the account the page was pretending to be, then change the same password anywhere else you reused it.

Priority order:

  1. Email account
  2. Bank or payment app account
  3. Social media accounts
  4. Shopping accounts with saved cards
  5. Work accounts

If the password was reused, assume every reused account is at risk. Attackers try leaked passwords on Gmail, Instagram, Amazon, banking portals, and cloud storage within minutes.

You typed an OTP, UPI PIN, card PIN, or CVV

Treat this as urgent.

Call your bank or payment app support from the official app or official website. Do not call a number from the suspicious message. Tell them you may have shared a code or PIN on a phishing page.

Also report the incident on cybercrime.gov.in or call 1930 if money was moved or you suspect financial fraud. The official National Cyber Crime Reporting Portal says complaints should include accurate details for prompt action, and lists 1930 as the cybercrime helpline.

You installed an app

This is the riskiest version, especially if the scammer asked you to install a screen sharing app, APK file, “support” app, “KYC update” app, or SMS forwarding app.

If the file was an Android APK, use this dedicated fake APK cleanup guide after you disconnect the phone.

Do this now:

  • Uninstall the app
  • Turn off screen sharing or accessibility permissions if you granted them
  • Restart your phone
  • Check SMS forwarding, call forwarding, and notification access permissions
  • Change important passwords from a different device
  • Call your bank if the app had access while you were logged in

NPCI’s UPI safety guidance specifically warns users not to download screen sharing or SMS forwarding apps when asked by unknown people. That advice is worth taking seriously.

If it was a bank or KYC message

Fake KYC messages are common because they create panic. The message usually says something like:

Dear customer, your SBI account will be blocked today. Complete KYC now: [link]

The Reserve Bank of India has warned that KYC fraud often uses calls, SMS, or emails that create false urgency and push people to share login details, card information, PINs, OTPs, or install unverified apps. RBI’s advice is simple: contact your bank directly through official sources, do not click suspicious KYC links, and report financial cyber fraud quickly.

That means:

  • Do not use the link in the SMS
  • Open your bank app manually
  • Check notifications inside the official app
  • Call the number printed on your card or listed on the bank website
  • Visit a branch if the issue is serious

If the bank really needs KYC, it will be visible through official channels. It will not need your OTP over a random link.

Check for account damage

After you have changed passwords and reported urgent money risk, check for signs that someone got in.

Look for:

  • Login alerts from unknown cities or devices
  • Password reset emails you did not request
  • New recovery email or phone number
  • New UPI IDs or payment beneficiaries
  • Email forwarding rules you did not create
  • Sent messages you do not remember sending
  • New apps connected to Google, Apple, Meta, or Microsoft accounts

Email forwarding rules are easy to miss. If attackers get into your email, they often create a hidden forwarding rule so they keep seeing your password reset emails after you change the password.

What to save as evidence

Before deleting anything, take screenshots.

Save:

  • The original SMS, WhatsApp message, or email
  • The phone number or sender ID
  • The link
  • The fake page if it is still open
  • Any transaction ID
  • Bank debit message
  • UPI reference number
  • Time and date

You may need this for your bank, cybercrime complaint, or local police station.

For a clearer reporting path, see our guide on how to report cybercrime online in India.

Should you reset your phone?

Usually, no. If you only opened a phishing page, a full reset is overkill.

Consider a phone reset if:

  • You installed an unknown APK
  • You granted accessibility access to a suspicious app
  • You cannot uninstall the app
  • Your phone is sending messages by itself
  • Your bank or security team asks you to reset it

If you reset, back up photos and important files first. Do not restore suspicious apps from backup.

How Kaval can help

Send the suspicious link, SMS, WhatsApp message, or screenshot to Kaval. Kaval can check if the link is risky, explain what the scam was trying to do, and give the next step.

For example:

Unsafe. Do not open it again. The link is not an SBI domain and redirects to a fake login page. Since you entered an OTP, call your bank now and report it on 1930.

That is the kind of answer you need after a scare: not a lecture, just the next move.

Quick checklist

  • Close the page
  • Do not type anything else
  • Change the affected password
  • Turn on two-factor authentication
  • Call your bank if you shared payment details, OTP, PIN, CVV, or UPI PIN
  • Report financial fraud on cybercrime.gov.in or call 1930
  • Uninstall any app the link made you install
  • Save screenshots and transaction details
  • Warn family members if the message came through WhatsApp

Clicked links are common. The mistake is not clicking once. The mistake is waiting after you realize something is wrong.