If you already clicked: what the next 15 minutes decide

The window is closing

You clicked. Now your heart rate is up and your mind is cycling through the possibilities. Here is what is actually happening right now:

If the link led to a credential-harvesting page and you entered your login details, those credentials have likely already been transmitted to an attacker's server and are being tested against your email, banking, and other accounts. If the link delivered malware, the payload may already be executing — silently inventorying your files, establishing persistence, and waiting for instructions.

You have a window. It is not large, but it is real. What you do in the next 15 minutes will determine whether this becomes a minor incident or a catastrophic one.

Minutes 0–5: Contain immediately

• Disconnect from the internet now — turn off Wi-Fi. Unplug ethernet. This prevents malware from communicating with command-and-control servers, exfiltrating data, or downloading additional payloads. Do this before anything else.
• Do not close the browser tab yet — take a screenshot of exactly what you see. Note the full URL from the address bar. This is critical for reporting and advisory review.
• Do not enter anything on the page — if a form is open, do not fill it in. Do not click "submit." Do not "log in to verify."
• Do not panic-click — rapid clicking through multiple links or downloads compounds exposure. Stop. Breathe. Think.

Minutes 5–10: Address credential exposure

• If you entered a password: change it immediately from a different, trusted device — not the potentially compromised one
• Enable two-factor authentication if not already active — this limits what an attacker can do even with your password
• Check the account's active sessions or login history for any access you don't recognize
• If the same password is used on other accounts — change those too, and use a password manager going forward
• If you entered financial information: call your bank's fraud line immediately. Use the number on the back of your card — not any number from the suspicious page or email.

Minutes 10–15: Assess your device

• Reconnect to the internet briefly and run a full scan with your existing security software
• Check for new browser extensions, applications, or startup items you don't recognize
• Review recently modified files — especially in your Documents, Desktop, and Downloads folders
• If you are not confident in your assessment: do not use this device for sensitive tasks until it has been professionally examined or wiped and restored from a clean backup

Immediately after: document and report

• Submit the URL and context to MountainShield for advisory review — we can assess what the link was designed to do and whether additional steps are warranted
• Report phishing to the impersonated organization — they will take action and may alert other targets
• US: report to the FTC at reportfraud.ftc.gov and IC3 at ic3.gov
• UK: report to Action Fraud at actionfraud.police.uk
• EU: report to your national cybercrime unit

The thing you need to hear

Being targeted is not a failure of intelligence. Sophisticated attacks target experienced security professionals at major organizations. They are engineered to succeed against careful people. The only thing that matters now is what you do next — methodically, without shame, and quickly.

If you are unsure what happened or what to do, submit to MountainShield. We will tell you clearly what the indicators suggest and what your next steps should be. You should not have to figure this out alone.