What happens if I click a phishing link?

Email security

Phishing is the attempt to deceive someone into doing something via a social engineering email. However, text messages and compromised websites can also be used to deliver scams. Scammers who use phishing target individuals and businesses either individually (spear phishing) or on a mass scale. 

Phishing is the most prominent form of cyber-attack, regularly prompting email recipients into disclosing their personal information or credentials, downloading malware, or sending money to someone else. These actions can result in unauthorized access to data, network systems, or applications.

What does a phishing attempt look like? 

Although phishing scams are prevalent, many people don't realize when a potential scam is occurring or what happens if they click a phishing link.

It all starts with a scammer creating and sending a message to their targets, usually an email that looks like it's from a trusted source. That could be a brand you're familiar with, a company you do business with, or even someone you already know (assuming you're a specific target).

That email likely has some universal traits found in phishing emails, such as a generic greeting, spoofed email address, an urgent request, and then a hyperlink that takes you to the next step of the phishing process depending on the scammer's objective. 
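The traits listed above can be checked mechanically. The following is an added example, not part of the original article: the sample message, its example.com and example.net domains, the keyword lists and the function names are constructed for illustration, and comparing the Reply-To domain with the sender is one assumed heuristic for a spoofed address.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse
# Constructed sample message; every name, address and domain is a placeholder.
SAMPLE = '''From: "Example Bank" <support@example.com>
Reply-To: helpdesk@example.net
Content-Type: text/html

<p>Dear customer, your account will be suspended. Verify immediately:
<a href="http://login.example.net/verify">www.example.com/verify</a></p>
'''
GREETING = re.compile(r"\bdear (customer|user|client|member)\b", re.I)
URGENCY = re.compile(r"\b(urgent|immediately|suspended|act now)\b", re.I)
HOSTLIKE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)

class Links(HTMLParser):  # collects (href, visible text) pairs from <a> tags
    def __init__(self):
        super().__init__()
        self.pairs, self.href, self.text = [], None, ""
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.href, self.text = dict(attrs).get("href") or "", ""
    def handle_data(self, data):
        self.text += data
    def handle_endtag(self, tag):
        if tag == "a" and self.href is not None:
            self.pairs.append((self.href, self.text.strip()))
            self.href = None

def host(value):
    """Lowercased hostname of a URL or bare host/path, minus a leading 'www.'."""
    name = (urlparse(value if "//" in value else "//" + value).hostname or "").lower()
    return name[4:] if name.startswith("www.") else name

def phishing_traits(raw):
    """Return which of the traits described above this message shows."""
    msg, parser = message_from_string(raw), Links()
    body = msg.get_payload()
    parser.feed(body)
    def dom(header):  # domain part of an address header, "" if absent
        return parseaddr(msg.get(header, ""))[1].rpartition("@")[2].lower()
    checks = {"generic greeting": GREETING.search(body),
              "urgent request": URGENCY.search(body),
              "reply-to domain differs from sender": dom("Reply-To") not in ("", dom("From"))}
    found = [name for name, hit in checks.items() if hit]
    return found + [f"link text {host(t)} points to {host(h)}" for h, t in parser.pairs
                    if HOSTLIKE.fullmatch(t) and host(t) != host(h)]
```

A hit is a reason to look closer rather than a verdict, since legitimate mail can also use a Reply-To address on another domain.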

The idea is that the scammer is trying to get their targets to do one of a few things:

  • Click on a link to take the user to a web page so they can collect information 
  • Click on a link to download malware that spies on the user or collects their data 
  • Click on a link to download ransomware that locks the user out of their system 
  • Complete a task specified by the scammer, such as wiring money to a particular bank account (in this case, the scammer is pretending to be someone the target knows)

Clicking a phishing link by objective

When threat actors send a phishing email, assuming they aren't impersonating someone else and trying to get money wired, they usually have one of two main objectives:

  • To get the victim to submit information
  • To get them to download something 

Credential-harvesting phishing 

In this scenario, upon clicking the link, the user is taken to a (spoofed) login page that looks exactly like the real one. After the user enters their credentials to log in, the scammer receives the information, and the user is redirected to another web page (often the real version of the spoofed site). The scammer can then use those credentials for other malicious activities.

Malware-deploying phishing 

Upon clicking the link or file, malware gets downloaded onto the user's device to spy on their activity or collect their data. For this type of malware, sometimes referred to as spyware, you may not have any idea that a download occurred. 

Malware could also be used to lock the user out of their device and demand that a sum of money be paid to regain access; this is known as ransomware. When this malware is deployed, users receive a notification that they're locked out of their device and must pay a specific amount.

What next? Never click on links from unknown or sketchy sources, and make sure you fully understand the signs of a phishing email.

FAQs

What happens if you accidentally click on a phishing link on your iPhone?

There’s a common misconception that iPhones can’t get viruses. It might not be a disaster if you clicked on the phishing link from your iPhone and didn’t submit any information, but it’s always better to be safe than sorry and contact your IT team. 

Should I be worried if I clicked on a phishing link?

There's hopefully nothing to worry about as long as you didn't submit any information to the web page. However, the link may still have been used to deploy malware or spyware, so you should always notify your security team after clicking on a phishing link. 

What if I clicked on a phishing link but did not enter details?

If you clicked on a phishing link that took you to a spoofed page and did not enter any personal information or credentials, then you should be fine. However, one danger is that scammers usually know whether or not you clicked on the link. So, they may determine you're a good target to continue pursuing.