What to do if you clicked a scam link

Tapping a link is the most common thing people do with a scam text, and for most of them nothing bad follows. Modern phones and browsers are built to contain a single web page; a tap alone almost never installs software or empties an account. Panic is the scammer's best tool — a frightened person hands over a card number to “fix” the problem. So take a breath: you have time to do this properly.

What matters now is figuring out how far it went. Did you only land on the page, or did you actually type something in or install something? Use the steps below in order, and skip the sections that don't apply to you.

1. 1Close the page immediately and don't enter anything. If a form is on screen, do not fill it in — leaving the page is enough.
2. 2Don't tap any further buttons, downloads, or “your device is infected” pop-ups. Those pop-ups are part of the scam; close the tab or browser entirely.
3. 3Disconnect from the internet briefly (turn on aeroplane mode) only if a file started downloading or an app tried to install — this stops it mid-flight.
4. 4Take a screenshot of the message and the link for later reporting, then resist the urge to keep poking at the page.
5. 5Honestly assess what, if anything, you actually typed or tapped. Just visiting a page is low-risk; entering details or installing something is what raises the stakes — the next two sections cover those.

A fake login page exists to capture what you type. If you entered credentials, assume they're now in someone else's hands and move quickly, in this order:

• Change that password first, from a device you trust. Then change it anywhere you reused the same password — reuse is how a single leak becomes many.
• Secure your email account before anything else if email credentials were exposed. Email is the master key: whoever controls it can reset every other account.
• Turn on two-factor authentication (an authenticator app or passkey is stronger than SMS) on your email, bank, and any important account.
• Check recent activity and recovery settings — sign out of all other sessions, and confirm the recovery phone and email haven't been changed.

If the page impersonated a specific service — say a bank or a streaming login — our brand pages such as Commonwealth Bank and Netflix show what the genuine sign-in channels are so you can get back to the real one.

This is the situation that needs the fastest action — and the one where acting quickly genuinely protects you.

1. 1Call your bank immediately using the number on the back of your card or in your banking app — never a number from the text. Tell them you entered your details on a scam site and ask them to block the card and watch for fraud.
2. 2Watch for the “bank” calling you back. A classic follow-up is a call claiming to be your bank's fraud team, asking you to move money to a “safe account” or read out a code. That is always a scam — your bank will never ask you to do this. Hang up and call them yourself.
3. 3Review and dispute any transactions you don't recognise. Under the ePayments Code, you're generally protected from unauthorised transactions you report promptly.

For the full playbook on bank-posing follow-ups, see bank impersonation scams.

If the page tried to download a file, install an app, or show alarming “virus detected” pop-ups, take these steps. (If you only saw a page and closed it, you can skip ahead.)

• Don't install anything the page suggested, and delete any file or app it managed to download. Never grant a new app accessibility or admin permissions on its prompting.
• Update your phone or computer to the latest OS version — security patches close the holes these pages try to exploit.
• On a computer, run a scan with your built-in security tool (Microsoft Defender on Windows, or a reputable scanner on Mac). On a phone, a clean reboot plus removing unknown apps is usually enough.
• Change your important passwords from a different, trusted device if you suspect anything was installed — not from the device you're worried about.

Even after you've done the immediate steps, stay alert for a few weeks. Scammers often come back, and a leaked detail can surface later:

• Texts or calls “from your bank” following up on the link — scammers often phone within days posing as fraud teams to finish the job. Hang up and call the number on your card.
• Small “test” transactions on your statements; fraudsters trial tiny amounts before a big one.
• Login alerts, password-reset emails, or two-factor codes you didn't request — a sign someone is trying your credentials.
• New accounts, loans, or credit checks in your name — a reason to check your credit report and consider a credit ban if details were stolen.
• More scam messages than usual, since a confirmed-live number gets sold on. Forward scam SMS to 7226 to help your carrier block them.

Reporting helps shut the scam down for others and creates a record if you need it for your bank. If you're in Australia, report to:

• Scamwatch — Report the scam to the ACCC's national scam service.
• ReportCyber — Report cybercrime and financial loss to the police.
• ACMA — Report scam texts and spam SMS or calls.
• Forward to 7226 (SPAM) — Forward the scam SMS to short code 7226 so your carrier can block the source.
• IDCARE — Free identity and cyber support if your details were taken.

For the full step-by-step, including the US channels, see how to report a scam text.