HackWatch

Pillar guide

Ultimate phishing recovery guide 2026

Use this guide if you have clicked a phishing link, entered credentials on a fake login page or approved an authentication (MFA) prompt that you did not start yourself.

What to do in the first 24 hours

  1. Stop all interaction with the suspicious sender, link or attachment immediately; do not reply, click again or open the attachment on another device.
  2. Change passwords for the affected accounts from a trusted, clean device, starting with the email account that receives password resets for the others.
  3. Review active sessions and sign out every device or session you do not recognise; a password change alone does not always end sessions that are already open.
  4. Check recovery email, recovery phone and MFA methods for entries you did not add or change, and reset or remove them.
  5. Inspect mailbox rules, auto-forwarding, delegated access and connected third-party apps (OAuth grants), and remove anything you did not set up yourself; a password change does not remove these.
  6. Run a malware scan on the original device before returning it to normal use; until it comes back clean, keep doing the account work from the other device.
  7. Check whether the same password was reused across banking, social and work accounts, and change it on every account where it was.
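Step 5 is the one most often skipped, and it is where an attacker keeps access after you have changed the password: an inbox rule that forwards or deletes mail, mailbox-level forwarding, a delegate, or an app that was granted mail access. The script below is an added example written for this guide, not HackWatch code or any provider's tooling. It triages an exported mailbox configuration for the patterns attackers typically leave behind. The export layout (a dict with owner, rules, forwarding, delegates and apps), the keyword, folder and scope-hint lists, and every name and domain in the sample are assumptions; map your provider's real export (Exchange Online or Google Workspace admin output, for instance) onto that shape.

```python
"""Triage an exported mailbox configuration after a phishing compromise.
Added example for this guide, not HackWatch code. The export shape (owner,
rules, forwarding, delegates, apps) is assumed; map your provider's data onto it."""

# Terms attackers filter on to hide alerts or harvest payment mail (assumed list).
SUSPICIOUS_KEYWORDS = ("password", "reset", "verification", "security",
                       "suspicious", "invoice", "wire", "payment", "hacked")
# Folders a victim rarely opens, used to hide diverted messages (assumed list).
HIDDEN_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                  "junk email", "deleted items", "archive", "notes"}
# Scope fragments that give an app standing mail access (assumed naming; Graph
# uses e.g. Mail.Read, Google uses https://mail.google.com/).
MAIL_SCOPE_HINTS = ("mail", "imap", "smtp")


def _domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def triage_rules(rules: list[dict], home: str) -> list[dict]:
    """Flag inbox rules that divert, hide or delete mail."""
    findings = []
    for rule in rules:
        reasons = []
        targets = rule.get("forward_to", []) + rule.get("redirect_to", [])
        external = [t for t in targets if _domain(t) != home]
        if external:
            reasons.append(f"forwards or redirects to external {external}")
        if rule.get("delete_message"):
            reasons.append("deletes matching messages")
        folder = (rule.get("move_to_folder") or "").lower()
        if folder in HIDDEN_FOLDERS:
            reasons.append(f"moves matches to rarely viewed folder '{folder}'")
        words = rule.get("subject_contains", []) + rule.get("body_contains", [])
        hits = [w for w in words if any(k in w.lower() for k in SUSPICIOUS_KEYWORDS)]
        if hits:
            reasons.append(f"filters on sensitive terms {hits}")
        if not rule.get("name", "").strip(" .,;-_"):
            reasons.append("nondescript rule name, a common attacker habit")
        if reasons:
            findings.append({"kind": "rule", "id": rule.get("name", ""), "reasons": reasons})
    return findings


def triage_forwarding(forwarding: dict, home: str) -> list[dict]:
    """Flag mailbox-level auto-forwarding, which survives a password change."""
    target = forwarding.get("smtp_address")
    if not target:
        return []
    reasons = ["mailbox-level forwarding is enabled"]
    if _domain(target) != home:
        reasons.append(f"target {target} is outside {home}")
    if forwarding.get("keep_copy") is False:
        reasons.append("no copy kept, so the owner never sees forwarded mail")
    return [{"kind": "forwarding", "id": target, "reasons": reasons}]


def triage_delegates(delegates: list[dict], owner: str) -> list[dict]:
    """Flag anyone other than the owner holding full or send-as rights."""
    strong = {"FullAccess", "SendAs", "SendOnBehalf"}
    return [{"kind": "delegate", "id": d["user"],
             "reasons": [f"holds {sorted(strong & set(d.get('rights', [])))}"]}
            for d in delegates
            if d["user"].lower() != owner.lower() and strong & set(d.get("rights", []))]


def triage_apps(apps: list[dict]) -> list[dict]:
    """Flag third-party apps with mail scopes; their tokens outlive passwords."""
    findings = []
    for app in apps:
        scopes = [s for s in app.get("scopes", []) if any(h in s.lower() for h in MAIL_SCOPE_HINTS)]
        if scopes:
            findings.append({"kind": "app", "id": app["name"], "reasons": [f"granted mail scopes {scopes}"]})
    return findings


def triage(export: dict) -> list[dict]:
    """Run every check and return a flat list of findings."""
    owner = export["owner"]
    home = _domain(owner)
    return (triage_rules(export.get("rules", []), home)
            + triage_forwarding(export.get("forwarding", {}), home)
            + triage_delegates(export.get("delegates", []), owner)
            + triage_apps(export.get("apps", [])))


# Constructed sample export (fictional names and domains): one benign rule, one
# typical post-phishing rule, external forwarding, a stray delegate, a mail app.
SAMPLE_EXPORT = {
    "owner": "alice@example.com",
    "rules": [
        {"name": "Newsletters", "subject_contains": ["newsletter"], "move_to_folder": "Reading"},
        {"name": ".", "subject_contains": ["password", "verification code"],
         "move_to_folder": "RSS Feeds", "delete_message": True,
         "forward_to": ["backup-mail@attacker.example"]},
    ],
    "forwarding": {"smtp_address": "alice.archive@attacker.example", "keep_copy": False},
    "delegates": [{"user": "alice@example.com", "rights": ["FullAccess"]},
                  {"user": "temp-admin@example.com", "rights": ["FullAccess", "SendAs"]}],
    "apps": [{"name": "Calendar Sync", "scopes": ["Calendars.Read"]},
             {"name": "Mail Helper Pro", "scopes": ["Mail.ReadWrite", "Mail.Send", "offline_access"]}],
}

if __name__ == "__main__":
    for f in triage(SAMPLE_EXPORT):
        print(f"[{f['kind']}] {f['id']}: " + "; ".join(f["reasons"]))
```

On the sample, the benign "Newsletters" rule is left alone and four findings come back: the "." rule (external forward, delete, hidden folder, sensitive keywords, nondescript name), the external mailbox forwarding with no copy kept, the unknown delegate with FullAccess and SendAs, and the app holding Mail.ReadWrite and Mail.Send. Treat every finding as something to remove and then to report, not just to fix quietly: the same export is the evidence your IT or security owner will want in the escalation step.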

When to escalate

  • If financial accounts were touched, contact the institution directly through the phone number or app you already use, never through a number or link in the suspicious message.
  • If business mailbox rules changed or a work account was phished, involve your security or IT incident response owner immediately so they can check for wider compromise.
  • If identity data was exposed (government ID, date of birth, account numbers), move to identity-theft planning.