Phishing is no longer a grammar-mistake email from a fake prince. The attacks we see at Hexafusion in 2026 are brand-perfect replicas of Microsoft login pages, DocuSign notices, QuickBooks invoices, and courier tracking pages. The click itself is not the end of the world if you respond quickly and in the right order. What creates the real damage is panic, delay, and destroyed evidence.
Before You Do Anything Else
Take a breath. Do not delete the email. Do not close the browser tab in a panic. Do not reboot the computer. These are the three most common mistakes people make, and each one destroys evidence your IT team or insurer will need.
Minutes 0 to 5
Disconnect and isolate
Unplug the network cable, or turn off Wi-Fi on the device. This cuts any command-and-control channel a dropper might have established. Leave the device powered on, screen unlocked if possible, so volatile evidence (running processes, open tabs, browser storage) is preserved for responders.
If you typed credentials on the phishing page, assume the attacker already has them. Session-stealer kits post captured passwords within seconds.
Minutes 5 to 15
Change the password from a different device
Use a phone, tablet, or another computer to change the password on the account that was targeted. If it was your Microsoft 365 or Google Workspace account, change it first, then sign out all sessions from the account security page. This revokes any stolen session tokens the attacker may be using.
Then rotate any other account that shares the same password. Yes, this is the moment you wish you had been using a password manager.
Minutes 15 to 30
Audit MFA, sent items, and inbox rules
Log in to your account security page and verify the list of registered multi-factor authentication (MFA) devices. Attackers often add their own authenticator, phone number, or FIDO2 key so they can keep access after you change the password. Remove anything you do not recognise.
Open your Sent Items folder. Phishing payloads frequently send follow-up emails from your mailbox to your contacts within minutes of compromise. If you see anything suspicious, flag it.
Check mailbox rules in Outlook or Gmail. A classic attacker trick is a hidden rule that auto-forwards incoming mail to an external address, or moves messages containing words like "invoice", "wire", or "payment" to the Archive folder so you never see replies. Delete any rule you did not create.
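The rule audit above can be done by eye for one mailbox, but after a compromise it is worth running the same checks over an exported rule list so nothing is missed. The script below is an added example, not Hexafusion tooling: the rule records are constructed and loosely follow the Microsoft Graph messageRule shape, so the field names (conditions, actions, forwardTo, moveToFolder) and the internal domain are assumptions.

```python
"""Post-phishing inbox-rule triage. Added example, not Hexafusion tooling; rule
records are constructed and loosely follow the Microsoft Graph messageRule shape
(conditions / actions), so the field names are assumptions."""
INTERNAL_DOMAIN = "example.com"                  # assumed: your own mail domain
BEC_KEYWORDS = {"invoice", "wire", "payment"}    # words the article names
HIDDEN_FOLDERS = {"archive", "rss feeds", "conversation history", "deleted items"}
KEYWORD_FIELDS = ("subjectContains", "bodyContains", "bodyOrSubjectContains")
FORWARD_FIELDS = ("forwardTo", "forwardAsAttachmentTo", "redirectTo")


def triage_rule(rule: dict) -> list[str]:
    """Return findings for one rule; an empty list means nothing suspicious."""
    findings = []
    cond, act = rule.get("conditions", {}), rule.get("actions", {})
    words = {w.lower() for f in KEYWORD_FIELDS for w in cond.get(f, [])}
    # 1. Forwarding or redirecting to an address outside the organisation.
    for field in FORWARD_FIELDS:
        for addr in act.get(field, []):
            if not addr.lower().endswith("@" + INTERNAL_DOMAIN):
                findings.append(f"{field} external address {addr}")
    # 2. Finance-keyword rules that hide replies (move to obscure folder or delete).
    hits = sorted(words & BEC_KEYWORDS)
    if hits:
        folder = act.get("moveToFolder", "").lower()
        if folder in HIDDEN_FOLDERS:
            findings.append(f"moves mail matching {hits} to '{folder}'")
        if act.get("delete") or act.get("permanentDelete"):
            findings.append(f"deletes mail matching {hits}")
    # 3. Blank or one-character names are a common way to hide a rule in the UI.
    if len(rule.get("displayName", "").strip()) <= 1:
        findings.append("empty or one-character rule name")
    return findings


def triage_rules(rules: list[dict]) -> dict[str, list[str]]:
    """Map each suspicious rule id to its findings; clean rules are omitted."""
    return {r["id"]: f for r in rules if (f := triage_rule(r))}


SAMPLE_RULES = [  # constructed export: one benign rule, two attacker-style rules
    {"id": "r1", "displayName": "Newsletters",
     "conditions": {"fromAddresses": ["news@vendor.example"]},
     "actions": {"moveToFolder": "Newsletters"}},
    {"id": "r2", "displayName": ".",
     "conditions": {"bodyOrSubjectContains": ["Invoice", "wire", "payment"]},
     "actions": {"moveToFolder": "Archive", "markAsRead": True}},
    {"id": "r3", "displayName": "Backup",
     "actions": {"forwardTo": ["backup@attacker-mail.example"]}},
]
```

Calling `triage_rules(SAMPLE_RULES)` reports r2 (finance keywords moved to Archive under a one-character name) and r3 (external forward) and stays silent on the benign newsletter rule.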
What Not To Do (Even When Panicked)
- Do not delete the email. Move it to a folder called "Incident" if you like, but leave it intact. Headers contain the sending IP, routing path, and authentication results your responder needs.
- Do not factory-reset or wipe the device. Forensic artefacts, browser cache, and endpoint detection and response (EDR) telemetry are on that disk.
- Do not pay anything the email demands. No legitimate supplier, courier, or tax agency asks for payment through a link in an unsolicited email.
- Do not tell colleagues through the same email system if you suspect the account is compromised. Use phone, in-person, or a separate channel. Assume the attacker is reading your mail in real time.
Follow-Up Actions (Within 24 Hours)
1. Review sign-in logs
In Microsoft 365, go to Entra ID > Sign-in logs. In Google Workspace, look at the admin console audit log. Flag any sign-ins from unfamiliar countries, impossible-travel patterns (Vancouver at 10:02, Lagos at 10:05), or non-browser user agents. Keep a screenshot of anything suspicious before the logs roll off.
2. Run a full EDR scan
If your organisation deploys endpoint detection and response, trigger a full scan on the device. If you only have basic antivirus, this is a good moment to discuss upgrading. For context on why, see our article on malware versus ransomware for BC small businesses.
3. Warn the right people, the right way
Tell your direct manager and IT team by phone or in person. If the phishing email pretended to be a supplier or client, let that party know out-of-band (not by replying to the email). They likely have other victims and need to warn their own users.
4. Report the phishing attempt
Forward the email, with full headers, to the Canadian Centre for Cyber Security at cyber.gc.ca. If money or credentials were lost, file a report with the Canadian Anti-Fraud Centre (CAFC). These reports feed threat intelligence that benefits every other business in Canada.
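Step 1 above (reviewing sign-in logs for unfamiliar countries, impossible travel and non-browser user agents) is mechanical enough to script once the logs are exported. The example below is added here and is not Hexafusion tooling: the sign-in records are constructed around the article's Vancouver 10:02 / Lagos 10:05 pattern, and their field names, the baseline country set and the speed threshold are assumptions.

```python
"""Sign-in log triage for the 24-hour review. Added example, not Hexafusion
tooling; the records are constructed and their field names are assumptions
(real Entra ID / Workspace exports differ, so adapt the loader, not the logic)."""
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

KNOWN_COUNTRIES = {"CA"}   # assumed baseline: where this user normally signs in
MAX_SPEED_KMH = 900.0      # faster than an airliner means two different people


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def triage_signins(events: list[dict]) -> list[str]:
    """Return findings for one user's successful sign-ins, in time order."""
    findings = []
    ok = sorted((e for e in events if e["status"] == "success"), key=lambda e: e["time"])
    for e in ok:
        if e["country"] not in KNOWN_COUNTRIES:
            findings.append(f"{e['time']} success from unfamiliar country {e['country']} ({e['city']})")
        if not e["user_agent"].startswith("Mozilla/"):   # crude non-browser heuristic
            findings.append(f"{e['time']} non-browser user agent: {e['user_agent']}")
    for prev, cur in zip(ok, ok[1:]):
        hours = (datetime.fromisoformat(cur["time"]) - datetime.fromisoformat(prev["time"])).total_seconds() / 3600
        km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
        if km > MAX_SPEED_KMH * max(hours, 1 / 60):   # anything under a minute counts as a minute
            findings.append(f"impossible travel: {prev['city']} {prev['time'][11:16]} -> "
                            f"{cur['city']} {cur['time'][11:16]}, {km:.0f} km in {hours * 60:.0f} min")
    return findings


SAMPLE_EVENTS = [  # constructed: the article's "Vancouver at 10:02, Lagos at 10:05" pattern
    {"time": "2026-03-04T09:15:00", "status": "success", "country": "CA", "city": "Vancouver",
     "lat": 49.28, "lon": -123.12, "user_agent": "Mozilla/5.0 (Windows NT 10.0) Edge"},
    {"time": "2026-03-04T10:02:00", "status": "success", "country": "CA", "city": "Vancouver",
     "lat": 49.28, "lon": -123.12, "user_agent": "Mozilla/5.0 (Windows NT 10.0) Edge"},
    {"time": "2026-03-04T10:05:00", "status": "success", "country": "NG", "city": "Lagos",
     "lat": 6.52, "lon": 3.38, "user_agent": "python-requests/2.31"},
    {"time": "2026-03-04T10:07:00", "status": "failure", "country": "NG", "city": "Lagos",
     "lat": 6.52, "lon": 3.38, "user_agent": "python-requests/2.31"},
]
```

`triage_signins(SAMPLE_EVENTS)` produces three findings for the Lagos sign-in (unfamiliar country, non-browser user agent, and a Vancouver-to-Lagos hop of roughly 12,000 km in three minutes) while ignoring the failed attempt.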
When to Escalate to a Full Incident
Escalate from a "user clicked a link" ticket to a full incident if any of these are true:
- Credentials were entered on the fake page.
- Sign-in logs show unfamiliar successful logins.
- Sent items contain messages you did not write.
- Inbox rules you did not create were present.
- The user has privileged access (finance, HR, M365 admin).
- Any file was downloaded or a document was opened after the click.
At that point you are no longer dealing with a near-miss. You are dealing with a business email compromise or pre-ransomware foothold, and you need the response plan in our ransomware first-60-minutes article.
Prevention Starts With Realism
The goal is not zero clicks. Humans will click. The goal is that when someone clicks, the blast radius is small: MFA blocks the login, conditional access flags the foreign IP, EDR kills the payload, and the monitoring team sees the alert before the attacker pivots. That is what layered defence looks like in practice, and it is what separates a ten-minute ticket from a six-figure incident.
If your current setup cannot answer "what happens when someone clicks", that is the conversation to have before it is tested by a real attacker.
Need Help Containing a Live Incident?
Hexafusion offers incident response for Vancouver and Lower Mainland businesses. Managed Professional and Enterprise clients get 24/7 response. New-client emergencies get business-hours triage with after-hours best-effort callback. Request a quote and we will walk you through what our incident response engagement looks like.