
You realise it a few minutes later. The email looked real. The website looked identical. You entered your password, maybe even your card details or an OTP. Then the doubt creeps in.
If you’ve fallen for a phishing attack, speed matters more than panic. The goal is simple: cut off the attacker’s access before they can use what you gave them.
Here’s what to do immediately.
1. Secure the compromised account first
Start with the account you used on the fake site. If it was your email, bank account, UPI app or social media login, go directly to the official app or website — not through the suspicious link — and change your password immediately.
Create a completely new password. Not a variation of the old one. Not the same password with an extra number at the end. If you’ve reused that password elsewhere, change it on those accounts too. Password reuse is one of the main reasons phishing spreads from one account to many.
If the account offers the option, log out of all active sessions so that any attacker who may already be inside gets kicked out.
2. Enable two-factor authentication everywhere
If you haven’t already turned on two-factor authentication, do it now. This adds a second layer of protection — typically a one-time code or authentication app approval — that makes it harder for someone to access your account even if they have your password.
Use an authenticator app instead of SMS wherever possible. SIM swap fraud is increasingly common, and app-based authentication is safer.
3. Contact your bank immediately
If you shared card details, net banking credentials, or a UPI PIN, call your bank’s official helpline and block the card or freeze the account. Do not wait to “see if anything happens.” Fraudsters often test small transactions before attempting larger withdrawals.
In India, if money has already been debited, call 1930 (the national cybercrime helpline) immediately and file a complaint on the cybercrime portal. Faster reporting increases the chance of freezing the transaction.
Also check whether your bank allows you to temporarily disable online transactions. Many apps let you switch off international usage, ATM withdrawals or online payments instantly.
4. Scan your device
Run a full malware scan using reliable antivirus software. Some phishing links install malicious software silently in the background. If you downloaded an attachment, this step is even more important.
If you suspect your device itself has been compromised and you’re unsure what was installed, consider a professional reset after backing up essential data.
5. Watch your accounts for the next few weeks
Phishing damage doesn’t always show up instantly. Monitor bank statements, UPI history, credit card bills and email login alerts carefully for at least a month.
If attackers accessed your email, they may try to reset passwords for other services. Watch for “password reset” emails you didn’t initiate.
6. Report the phishing attempt
Reporting the email or message helps others. Forward phishing emails to your email provider’s reporting address, mark WhatsApp or SMS messages as spam, and report fake websites to your bank or service provider.
It won’t undo what happened, but it reduces the chances of someone else falling into the same trap.
Phishing works because it plays on urgency — “Your account will be blocked,” “Update immediately,” “Refund pending.” The fix is also urgency, but calm, deliberate urgency. Act fast, secure everything, and assume your information has been exposed even if nothing looks wrong yet.
The difference between a minor scare and a financial crisis often comes down to how quickly you respond.
FAQs
1. I shared my OTP. Is my money definitely gone?
Not necessarily. OTP-based fraud often happens in minutes, but if you immediately contact your bank and block access, you may prevent larger losses. The key is speed — report it the moment you realise what happened.
2. What if I only clicked the link but didn’t enter any details?
If you didn’t enter credentials or download anything, the risk is lower. Still, run a malware scan and avoid revisiting the link. If the page asked for login details and you typed anything before stopping, change that password immediately.
3. Should I file a police complaint for phishing?
If money has been lost or sensitive identity documents were shared, yes. In India, you should call 1930 immediately and file a complaint on the national cybercrime portal. Early reporting significantly improves the chances of recovering funds or freezing fraudulent transfers.