In one of our latest blog posts, we discussed what to do after an employee clicked on a phishing link that you sent as a test, but what about when it comes to the real deal?

Real phishing link clicks can be harder to catch because you won’t receive a notification as soon as the employee clicks on the link, like with tests. Instead, you won’t notice the attack unless the employee shares their concerns with you or the damage has already been done. 

It’s an unfortunate reality, but with the right steps and support your business can quickly get back on track. We’ve created a 5-step process to perform after you’ve been notified that an employee has clicked on a malicious link:

1) Support: Offer support, not shame

The first step when an employee clicks on a phishing link is to offer support. Anyone can fall for these scams; it’s not a reflection of their competency or intelligence. Avoid shaming or punishing employees for making a mistake as much as possible. Instead, focus on educating and supporting them so they can avoid similar issues in the future.

A person failing a live phishing test and being frustrated

"It’s been a “super-fantastic” experience to see people learning and talking about security threats."

For just $325 USD, you can run a 6 week, automated program for gamified phishing awareness training and challenges.  (Limited time offer. Normally valued at $999 USD)

Use Promo Code: 6WEEKS

If the employee came to you themselves, thank them for informing you and work on a solution together to make their computer and software secure again. It helps to use the term “we” over “you” in these situations. 

If you find out a computer has malware, but the employee never told you about clicking on a suspicious link, inform them that this could be from a phishing link, but don’t accuse them or ask why they never let you know. Explain to them that if they ever have even a slight concern after opening another email they can send a quick message to you so you can check it out.

How you handle this situation is everything and can drastically affect your company’s security culture, so bite your tongue and approach in a supportive way. This way, the word won’t go around that if you click on a link, you’ll be shamed and yelled at, instead the employee will feel more comfortable sharing what to do if someone else mentions they clicked on a weird email – “Oh, just send an email to Bob, he is very helpful!” 

2) Isolate & Investigate: Take immediate action


As soon as you are aware that an employee has clicked on a malicious link, ensure you can connect with that person right away (preferably in person, but if they work remotely you may need to conduct a phone call). It’s vital that you isolate their computer as quickly as possible. This means disconnecting it from all wired and wireless networks.


Interview your employee

During your supportive discussion with the employee, ask them what information they gave after clicking the link. Their insights can give you an idea of what data was compromised, what type of harm the attacker planned, and what steps you need to take next. 

If the employee doesn’t remember or acknowledge that they clicked a phishing link, assume that the worst happened and important passwords were compromised. 

Conduct a malware and virus scan

Once you’ve identified the potential issues, conduct a thorough malware and virus scan on all impacted devices. These scans will help identify any active malware that came from the link. If you use Windows, you can use Windows Security, or if you have Apple, you can use the Smart Scan feature.

In the end, it may be best to back up any needed files on the employee’s computer and then wipe it clean. 

3) Reset: Change important passwords ASAP

Any passwords that this employee uses should be changed immediately. After cleaning their computer, have the employee make a list of all accounts they have access to and change the passwords with priority on any password managers or accounts with sensitive information. 

If your employee is lucky, they will have a password manager that can help them change all these passwords easily. If they aren’t using a password manager, now is the best time to start. 

4) Educate: Figure out what went wrong & implement a Clickers Group

While you’re supporting your employee with securing their computer and accounts, figure out where the employee went wrong. Out of all the phishing emails and test emails your employee received, what made them click on this specific email? Is this something new your employees don’t know about? Is it something you’ve noticed people missing in training before?

Chances are you will never have a 0% phishing click rate. So, if this is the employee’s first offense and you don’t notice a pattern with clicks within the organization, no further steps may need to be taken. 

But, if you find this employee has clicked on multiple test links and now this phishing link, it may be time to implement a Clickers Group. A Clickers Group is a set of training for employees to complete when they click on too many phishing links (as identified by you). This new training will re-target patterns you’ve recognized as weak points within the organization and will only be mandatory for the clicking employees. 

Screenshot of live phishing test training

Click Armor’s new feature allows you to create specific training for customized groups. You’ll be able to create your Clickers Group with ease. Schedule a demo with us to be one of the first to try out customized groups. 

The trickiest part will be explaining to the employee that they will need to join this re-training group. They might be offended and think they are too smart to join the group or that they “only clicked on one link”. That’s why it’s best to have set requirements for Clickers Group entry. For example, to be put into the group, an employee has either: clicked on two phishing test links or one real link. That way, when your employee begins to argue, you can explain that these are rules of the organization, meant to protect them, not shame them.  

5) Monitor: Monitor important accounts

Finally, monitor important accounts closely; keep an eye on credit reports, bank balances, and any online accounts. Vigilance is key when it comes to dealing with phishing attacks. Stay on top of any suspicious activity, no matter how small, and act quickly to prevent any further damage.

This might mean alerting certain teams about the attack (without outing your employee) or implementing a daily check-in process for your team to complete by checking in on important accounts for certain activities for at least three months after the incident. 

Phishing attacks are a severe threat to businesses of all sizes. It’s important to have a plan in place for when an employee clicks on a real phishing link (and also a fake one). Remember to support employees, find out what information was given, conduct a malware scan, change important passwords, implement a retraining program, and monitor important accounts. With these steps in place, your business can quickly recover from a phishing attack and stay secure in the future.


Scott Wright is CEO of Click Armor, the gamified simulation platform that helps businesses avoid breaches by engaging employees to improve their proficiency in making decisions for cyber security risk and corporate compliance. He has over 20 years of cyber security coaching experience and was creator of the Honey Stick Project for Smartphones as a demonstration in measuring human vulnerabilities.