Your Employee Just Clicked a Phishing Link — Now What? A 5-Step Emergency Guide


It happens fast. An employee clicks a link in an email that looked legitimate — maybe it was a fake Microsoft 365 login page, a shipping notification, or an invoice from a “vendor.” Now you’re staring at a potentially compromised network and wondering what to do next.

Don’t panic. But do act fast. The next 60 minutes are critical.

Here’s exactly what to do, step by step.

Step 1: Disconnect the Device From the Network (Immediately)

Time: Do this within the first 2 minutes.

The single most important thing you can do right now is isolate the affected computer from your network. This limits the attacker’s ability to spread laterally to other systems, exfiltrate data, or deploy ransomware.

How to disconnect:

  • Wired connection: Unplug the Ethernet cable from the computer.
  • Wi-Fi: Turn off Wi-Fi on the device. On Windows, click the Wi-Fi icon in the taskbar and select “Disconnect” — or better yet, turn on Airplane Mode.
  • Do NOT turn off the computer. Powering down can destroy forensic evidence that your IT team or a security professional will need to investigate what happened.

If the employee was working remotely or on a personal device, have them disconnect from their home Wi-Fi and any VPN connections immediately.

What if they entered credentials on the phishing page?

If the employee typed in a username and password on the fake page, treat those credentials as fully compromised. We’ll address password resets in Step 4, but know that the clock is ticking — attackers often use stolen credentials within minutes.

Step 2: Report It Internally (Don’t Hide It)

Time: Within the first 10 minutes.

This is not the time for embarrassment or blame. Phishing attacks are sophisticated — even security professionals get fooled. What matters is how quickly you respond.

Who to notify:

  • Your IT department or IT provider — This is the most critical notification. If you have a managed IT provider, call them immediately. Don’t just send an email; pick up the phone.
  • Your direct supervisor or office manager — They need to know in case broader communication is needed.
  • The employee who clicked the link — Make sure they know not to interact with the device further, not to click any more links, and not to try to “fix it” themselves.

What to document:

  • The exact time the link was clicked
  • What the email looked like (take a screenshot or photo with a phone if possible)
  • What happened after the click — did a page load? Did they enter credentials? Did anything download?
  • The sender’s email address (the full address, not just the display name)

This information will be invaluable for your IT team’s investigation.

Step 3: Scan for Malware and Check for Damage

Time: Within the first 30 minutes (your IT team should handle this).

Once the device is isolated and reported, it’s time for a technical assessment. If you have an IT team or managed service provider, this is where they take the lead.

What the scan process looks like:

  • Full antivirus/anti-malware scan on the affected device using up-to-date definitions.
  • Check for newly installed software — Malware often installs itself as a background process, browser extension, or scheduled task.
  • Review browser history and downloads — Identify exactly what was accessed and whether any files were downloaded.
  • Check for signs of data exfiltration — Look at recent outbound network traffic logs if available.
  • Examine email rules — A common attack technique is to set up email forwarding rules that silently send copies of all incoming email to the attacker. Check the compromised account for any new rules in Outlook or your email platform.
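
The email-rule check above can be run over an export of the mailbox's rules. This is an added example, not part of the original guide: it assumes the rules were exported as JSON in the shape of Microsoft Graph `messageRule` objects, and the domain, addresses and rules in it are constructed sample data.

```python
# Added example: flag mailbox rules that forward mail outside the organization.
# Rule layout follows the "actions" object of a Microsoft Graph messageRule.
INTERNAL_DOMAINS = {"example.com"}  # assumption: replace with your own mail domains
FORWARD_ACTIONS = ("forwardTo", "forwardAsAttachmentTo", "redirectTo")
HIDE_ACTIONS = ("delete", "permanentDelete", "markAsRead")

# Constructed sample data, not taken from a real mailbox.
SAMPLE_RULES = [
    {"displayName": "Newsletters",
     "actions": {"moveToFolder": "constructed-folder-id", "markAsRead": True}},
    {"displayName": "..",
     "actions": {"forwardTo": [{"emailAddress": {"address": "collector@mailbox.invalid"}}],
                 "delete": True}},
    {"displayName": "Copy to assistant",
     "actions": {"forwardTo": [{"emailAddress": {"address": "pat@example.com"}}]}},
]


def external_recipients(actions):
    """Return the addresses a rule sends mail to that are outside our domains."""
    found = []
    for key in FORWARD_ACTIONS:
        for rcpt in actions.get(key) or []:
            addr = rcpt.get("emailAddress", {}).get("address", "").lower()
            if addr and addr.rpartition("@")[2] not in INTERNAL_DOMAINS:
                found.append(addr)
    return found


def audit_rules(rules):
    """Return (rule name, reasons) for each rule that forwards mail externally."""
    findings = []
    for rule in rules:
        actions = rule.get("actions") or {}
        external = external_recipients(actions)
        if not external:
            continue
        reasons = [f"sends mail to external address {a}" for a in external]
        # Deleting or marking as read keeps the owner from noticing the copies.
        reasons += [f"also hides the original ({k})" for k in HIDE_ACTIONS if actions.get(k)]
        findings.append((rule.get("displayName", "<unnamed>"), reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in audit_rules(SAMPLE_RULES):
        print(f"REVIEW rule {name!r}: " + "; ".join(reasons))
```

Any rule it reports should be confirmed with the mailbox owner before it is removed, and recorded with the other incident notes from Step 2.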

What if something was downloaded?

If a file was downloaded and opened, the risk level increases significantly. The device should be considered fully compromised until proven otherwise. Your IT team may need to:

  • Image the hard drive for forensic analysis
  • Rebuild the machine from a clean backup or fresh OS install
  • Check other devices on the same network segment for indicators of compromise

Step 4: Reset Passwords and Secure Accounts

Time: Within the first 60 minutes.

If any credentials were entered on the phishing page — or if there’s any doubt — reset passwords immediately. Don’t wait until the investigation is complete.

Password reset priority list:

  1. The account that was directly compromised (usually Microsoft 365 or Google Workspace email)
  2. Any accounts that share the same password — Yes, people reuse passwords. Ask the employee directly.
  3. Banking and financial accounts — If there’s any chance financial credentials were exposed.
  4. VPN and remote access accounts
  5. Any admin or privileged accounts the employee has access to

Additional account security measures:

  • Enable multi-factor authentication (MFA) on every account possible — if it wasn’t already enabled, this incident is your wake-up call.
  • Revoke active sessions — In Microsoft 365, you can force a sign-out of all active sessions, which will kick out anyone who’s already logged in with stolen credentials.
  • Review recent sign-in activity — Check for logins from unusual locations, IP addresses, or devices.
  • Check for OAuth app grants — Attackers sometimes trick users into granting permission to malicious apps. Review and revoke any unfamiliar app permissions.
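
For the sign-in review above, the following added example (not part of the original guide) compares sign-ins after the click against the addresses the account used before it. The CSV column names are an assumed export layout, and the users, IP addresses and timestamps are constructed sample data.

```python
# Added example: list post-click sign-ins from IPs the account never used before.
import csv
import io
from datetime import datetime

# Constructed sample export; the column names are an assumption, not a vendor format.
SAMPLE_CSV = """time,user,ip,country,result
2024-05-01T08:02:00+00:00,jdoe@example.com,192.0.2.10,US,success
2024-05-02T08:05:00+00:00,jdoe@example.com,192.0.2.10,US,success
2024-05-03T14:31:00+00:00,jdoe@example.com,203.0.113.77,NL,failure
2024-05-03T14:33:00+00:00,jdoe@example.com,203.0.113.77,NL,success
2024-05-03T15:10:00+00:00,jdoe@example.com,192.0.2.10,US,success
2024-05-03T14:40:00+00:00,asmith@example.com,198.51.100.5,US,success
"""


def review_signins(csv_text, user, clicked_at):
    """Return sign-ins at or after the click from IPs with no earlier successful login."""
    click = datetime.fromisoformat(clicked_at)
    rows = [r for r in csv.DictReader(io.StringIO(csv_text))
            if r["user"].lower() == user.lower()]
    for r in rows:
        r["when"] = datetime.fromisoformat(r["time"])
    # Baseline: where this account signed in successfully before the click.
    before = [r for r in rows if r["when"] < click and r["result"] == "success"]
    known_ips = {r["ip"] for r in before}
    known_countries = {r["country"] for r in before}
    flagged = []
    for r in sorted(rows, key=lambda r: r["when"]):
        if r["when"] >= click and r["ip"] not in known_ips:
            flagged.append({"time": r["time"], "ip": r["ip"], "result": r["result"],
                            "new_country": r["country"] not in known_countries})
    return flagged


def needs_session_revocation(flagged):
    """A successful login from an unknown IP means a live session may exist."""
    return any(f["result"] == "success" for f in flagged)


if __name__ == "__main__":
    hits = review_signins(SAMPLE_CSV, "jdoe@example.com", "2024-05-03T14:25:00+00:00")
    for h in hits:
        print(h)
    print("revoke sessions now:", needs_session_revocation(hits))
```

The click time passed in is the one documented in Step 2.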

Step 5: Monitor, Learn, and Prevent the Next One

Time: Over the next 24-72 hours and ongoing.

The immediate crisis may be contained, but the work isn’t over. Post-incident monitoring is essential to make sure the attacker didn’t establish persistent access.

Short-term monitoring (24-72 hours):

  • Watch for unusual login attempts across your organization
  • Monitor the compromised email account for signs of unauthorized access
  • Check for bounce-back emails (attackers may have sent phishing emails from the compromised account to your contacts or clients)
  • Alert your bank if financial information may have been exposed
  • If client data was potentially accessed, consult with a legal professional about breach notification requirements

Longer-term prevention:

  • Conduct a post-incident review. What happened? How did the phishing email get through? What could have prevented it?
  • Implement security awareness training. Regular phishing simulations and training dramatically reduce click rates. Studies show that organizations with ongoing training programs see phishing susceptibility drop from 30%+ to under 5%.
  • Deploy email filtering. Advanced email security solutions can catch the majority of phishing emails before they reach inboxes.
  • Enable MFA everywhere. Multi-factor authentication is the single most effective defense against credential theft. Even if an attacker gets a password, they can’t log in without the second factor.
  • Create an incident response plan. If you didn’t have one before this incident, now’s the time. Document the steps above, assign roles, and make sure everyone knows the process before the next incident occurs.

A Quick-Reference Checklist

Print this out and post it near your office’s shared areas:

If you clicked a suspicious link:

  1. ✈️ Disconnect from the network (unplug Ethernet or enable Airplane Mode)
  2. 📞 Call IT immediately — don’t email, call
  3. 📸 Screenshot the suspicious email
  4. 🚫 Don’t turn off the computer
  5. 🚫 Don’t try to fix it yourself
  6. 📝 Write down what happened and when

Don’t Have an IT Team?

If you’re reading this during an actual emergency and your business doesn’t have dedicated IT support, you’re experiencing firsthand why every business needs a technology partner.

Call OmniTechPro at (410) 749-2340. We provide managed IT services for small and mid-size businesses across the Eastern Shore of Maryland. Our team can help you respond to security incidents, implement preventive measures, and make sure the next phishing email doesn’t become a crisis.

Whether you need emergency help right now or want to put a plan in place before the next attempt, we’re here to help. Contact us today for a free consultation.
