First: what a click actually means

Not every click on a phishing link results in a breach. The outcome depends on what the link did, what the staff member did next, and how quickly your business responds. A click that opened a credential-harvesting login page is very different from one that triggered a silent malware download. The steps below apply regardless — but knowing the difference helps you prioritise.

Higher risk: more serious scenarios

  • A login page appeared and credentials were entered
  • A file was downloaded and opened
  • Macros were enabled in a document
  • Banking or payment details were submitted
  • The link was clicked on a device with access to shared drives or financial systems

Lower risk: less serious scenarios

  • The link opened a webpage but nothing was entered or downloaded
  • The browser flagged the site as unsafe before it fully loaded
  • The device is isolated and personal, not connected to business systems
  • The staff member closed the page immediately and reported it

Even in the lower-risk scenarios, treat this as a live incident until you have confirmed otherwise. Some phishing sites fingerprint the visitor's browser and device, drop tracking cookies, or probe for an unpatched browser they can exploit, none of which needs the visitor to type anything. The visit itself also tells the attacker that the address is live and that this person clicks, which makes a more targeted follow-up attempt likely.


What to do — right now

01

Ask the staff member to stop using the device immediately

Do not restart, wipe, or reset it. Disconnect it from Wi-Fi and unplug the network cable if present. Isolating the device prevents any malware from communicating back to the attacker or spreading laterally to other systems on your network. The device needs to stay powered on for now — turning it off can disrupt forensic investigation later.

02

Find out exactly what happened — calmly

Ask the staff member to walk you through what they saw and did. Did a login page appear? Did they enter any details? Did anything download? Write it down. This record will be needed if you have to report to the police or the ICO, and it helps your IT support investigate more quickly. Make it clear they are not in trouble for telling you the truth — you need the full picture.

03

Change passwords — from a different, clean device

If credentials may have been entered, or the device was signed in to business accounts, change those passwords immediately from a separate, unaffected device: a new password typed into a compromised machine can be captured just like the old one. Prioritise business email, cloud platforms (Microsoft 365, Google Workspace), banking portals, and any system the affected device was logged into. Changing the password is not enough on its own. Sign the account out of all active sessions as well (Microsoft 365 and Google Workspace both let an administrator do this), because an attacker who captured a live session cookie keeps access until that session is revoked, even where two-factor authentication is switched on. Enable two-factor authentication anywhere it is not already active, and check that no unfamiliar authentication method or phone number has been added to the account.

04

Check for signs of compromise in connected systems

Look at the sent items of any email accounts the device had access to: attackers often use a compromised account to send further phishing emails to your contacts before you notice. Check for unusual sign-ins (new locations, devices or times of day), password reset requests you did not make, and forwarding or inbox rules that were not there before. Rules that forward mail to an outside address, or that quietly move or delete messages mentioning words such as "invoice", "payment" or "password", are the usual way an attacker keeps reading a mailbox after the password has been changed. Also review any third-party apps recently granted access to the account. If your business uses shared drives, check for unusual file activity, large downloads or deletions.
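The account checks in steps 03 and 04 can be run as one script against a Microsoft 365 tenant. The script below is an added example written for this article; it is not NCSC or Microsoft code and is not a tool the page's author supplies. It assumes the ExchangeOnlineManagement and Microsoft.Graph PowerShell modules are installed, that you hold Exchange administrator and user administrator rights, and that your licence exposes Entra ID sign-in logs. The user name, the look-back window and the scopes requested are placeholders to adjust for your tenant.

```powershell
# Added example for this article (not NCSC or Microsoft code). Assumptions: the
# ExchangeOnlineManagement and Microsoft.Graph modules are installed, the operator
# holds Exchange admin and User Administrator rights, and $User is a placeholder.
param(
    [Parameter(Mandatory)] [string]$User,  # e.g. 'jane.smith@example.co.uk' (placeholder)
    [int]$DaysBack = 7                     # widen to 30 for the follow-up monitoring period
)

Connect-ExchangeOnline -ShowBanner:$false
Connect-MgGraph -NoWelcome -Scopes 'AuditLog.Read.All', 'Directory.Read.All',
    'User.ReadWrite.All', 'UserAuthenticationMethod.Read.All'

$now   = Get-Date
$since = $now.AddDays(-$DaysBack)

# --- Step 03: after the password change, end every live session and refresh token.
# A new password alone does not sign out an attacker who already holds a session,
# and a stolen session cookie sidesteps two-factor authentication.
Revoke-MgUserSignInSession -UserId $User | Out-Null
Write-Host "Sessions revoked for $User"

# --- Step 04: forwarding configured on the mailbox itself.
Write-Host "`n[Mailbox forwarding]"
Get-Mailbox -Identity $User |
    Format-List DisplayName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

# --- Step 04: inbox rules that forward, redirect, hide or delete mail.
# These are the usual way an attacker keeps reading a mailbox after losing the password.
Write-Host "[Suspicious inbox rules]"
Get-InboxRule -Mailbox $User |
    Where-Object {
        $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or
        $_.DeleteMessage -or $_.MoveToFolder
    } |
    Format-Table Name, Enabled, ForwardTo, RedirectTo, DeleteMessage, MoveToFolder -AutoSize

# --- Step 04: who created or changed rules, and from which IP (unified audit log).
Write-Host "[Audit log: rule changes and logins in the last $DaysBack days]"
Search-UnifiedAuditLog -StartDate $since -EndDate $now -UserIds $User -ResultSize 5000 `
    -Operations 'New-InboxRule', 'Set-InboxRule', 'Set-Mailbox', 'UserLoggedIn' |
    ForEach-Object { $_.AuditData | ConvertFrom-Json } |
    Sort-Object CreationTime |
    Format-Table CreationTime, Operation, ClientIP, ResultStatus -AutoSize

# --- Step 04: sign-in locations and client apps from Entra ID.
Write-Host "[Entra ID sign-ins]"
$sinceIso = $since.ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
Get-MgAuditLogSignIn -All -Filter "userPrincipalName eq '$User' and createdDateTime ge $sinceIso" |
    Sort-Object CreatedDateTime |
    Format-Table CreatedDateTime, IpAddress,
        @{ n = 'Country'; e = { $_.Location.CountryOrRegion } },
        @{ n = 'App';     e = { $_.AppDisplayName } },
        @{ n = 'Result';  e = { if ($_.Status.ErrorCode -eq 0) { 'Success' } else { $_.Status.FailureReason } } } -AutoSize

# --- Step 04: persistence outside the mailbox: extra MFA methods and consented apps.
Write-Host "[Registered authentication methods]"
Get-MgUserAuthenticationMethod -UserId $User | Format-Table Id, AdditionalProperties -AutoSize

Write-Host "[OAuth app consents granted by this user]"
Get-MgUserOauth2PermissionGrant -UserId $User | Format-Table ClientId, Scope, ConsentType -AutoSize

Disconnect-ExchangeOnline -Confirm:$false
Disconnect-MgGraph | Out-Null
```

Run it once immediately after the password change, then again with `-DaysBack 30` at the end of the monitoring period described later on this page. Anything it lists that the staff member does not recognise (a rule they did not create, a sign-in from a country they have never visited, an authenticator app they did not register) belongs in the incident record from step 02. For Google Workspace the same checks live in the Admin console: the user's Security panel has a "Sign out" action and shows recovery and 2-Step Verification settings, and the login and email log events under Reporting cover sign-ins and forwarding changes.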

05

Contact your bank if financial systems were involved

If the affected device had access to online banking, payment platforms, or financial accounts — call your bank's fraud line straight away. They can place a temporary hold, review recent transactions, and flag the account for monitoring. Speed matters here more than anywhere else.

06

Report the phishing email to the NCSC

Forward the original phishing email to report@phishing.gov.uk — the NCSC's dedicated reporting inbox. This helps them investigate the source, take down malicious sites, and warn other businesses. It takes one minute and may protect other organisations from the same attack. Suspicious texts can be forwarded to 7726 (free on all networks).

07

Bring in technical support to assess the device

Once you have secured accounts and reported the email, get your IT provider or a cyber specialist to examine the affected device properly. They can check for malware, review network logs for unusual outbound connections, and confirm whether anything was exfiltrated. Do not simply run one antivirus scan and consider it resolved — sophisticated payloads are designed to evade standard scans.


Do you need to report this to anyone officially?

Possibly — and it is worth checking now rather than discovering later that you were obligated to.

ICO — if personal data may have been exposed

If the phishing incident resulted in unauthorised access to personal data (customer records, employee information, supplier contacts) you may be required to report it to the Information Commissioner's Office (ICO) without undue delay and, where feasible, within 72 hours under UK GDPR, unless the breach is unlikely to pose a risk to the people concerned. The clock starts when you become aware of the breach, not when your investigation finishes, so if you are still unsure at the 72-hour mark, report what you know and follow up with the rest. Record your reasoning either way: if you decide not to report, you must be able to show why the risk to individuals was low. Visit ico.org.uk to report a breach.

Report Fraud — if money was lost or crime occurred

If any financial loss resulted, or if systems were accessed without authorisation, report it to reportfraud.police.uk or call 0300 123 2040 (Mon–Fri, 8am–8pm). You will receive a crime reference number, which your insurer will need. For Scotland, contact Police Scotland directly on 101.

Source: NCSC — Report a scam email


On blaming the person who clicked

This matters — and the NCSC is clear on it.

The NCSC advises businesses not to punish staff who click phishing links. Creating a blame culture around phishing discourages people from reporting incidents promptly — and a delayed report is always more damaging than the click itself. The goal is an environment where staff feel safe saying "I think I made a mistake" within minutes, not hours. That speed is what limits the damage.

Source: NCSC — Phishing attacks: defending your organisation

Modern phishing emails are convincing. They impersonate known brands, colleagues, HMRC, and delivery companies with increasing sophistication. Even security-aware people get caught. The NCSC notes that expecting staff to identify every phishing attempt is an unrealistic and counterproductive goal — the better approach is building systems that limit the damage when a click inevitably happens, and a culture where it gets reported immediately.


What this incident is telling you

A phishing click that was caught quickly, reported properly, and resolved without significant damage is a near-miss — and near-misses are valuable. They reveal something real about your current exposure.

The questions worth asking in the days after the incident:

If the honest answer to most of those is "we didn't know" or "we couldn't tell" — that is not unusual for an SME, but it is worth addressing before the next incident is less fortunate.

Monitor accounts for at least 30 days after the incident. Some attacks are designed to establish access quietly, then activate weeks later once suspicion has faded. Unusual login locations, password reset emails you didn't request, or unexpected account activity after the initial incident are all worth investigating.

Want to make sure the next click doesn't become a breach?

A GET-IT security review looks at how phishing emails reach your staff, what happens when they do, and what visibility you have over your network — so the next near-miss stays a near-miss.

We also work with businesses on staff awareness that actually sticks — not just a once-a-year tick-box exercise, but practical, scenario-based guidance that builds genuine awareness over time.
