If you clicked a phishing link, entered credentials, or approved a suspicious login, act fast: the first hours matter most.
This guide explains how to secure account after phishing by locking out attackers, checking for persistence, and hardening your security settings.
What to do first after a phishing attack
Start with containment.
The goal is to stop active access before changing anything else, because an attacker may already be moving through email, cloud storage, banking apps, or social media.
- Disconnect the affected device from Wi-Fi or cellular data if you suspect malware.
- Do not reuse the compromised password anywhere else.
- Use a trusted device to begin recovery whenever possible.
- Prioritize the account that was phished, then move to any accounts that share the same password.
If the phish targeted email, treat that inbox as the control center.
Email recovery links can be used to reset nearly every other account, so protecting it first is critical.
Change the password immediately
Replace the compromised password with a unique, strong password that has never been used before.
A password manager such as 1Password, Bitwarden, LastPass, or Dashlane can generate and store one securely.
- Use at least 12 to 16 characters.
- Mix letters, numbers, and symbols.
- Avoid names, dates, pet names, or reused patterns.
- Do not save the new password in an unprotected notes app or browser if the device may be compromised.
If the service allows it, choose an option to log out of all sessions after the password change.
This forces active attackers to reauthenticate and often cuts off unauthorized access immediately.
Sign out of all devices and sessions
Most major platforms, including Google, Microsoft, Apple, Facebook, Instagram, and X, provide a session management page that lists signed-in devices.
Review these entries carefully and end any session you do not recognize.
- Look for unfamiliar locations, device models, or login times.
- Remove remembered devices you no longer use.
- Check whether an attacker created a session token that stays valid after a password reset.
Session revocation matters because phishing often leads to cookie theft, not just password theft.
In those cases, changing the password alone may not be enough.
Check account recovery settings
Attackers often add their own recovery email, phone number, or authentication app so they can regain access later.
Review the account’s security settings and remove anything you do not recognize.
- Verify the recovery email address.
- Check the phone number associated with password recovery.
- Inspect backup codes and regenerate them if needed.
- Review connected apps and third-party logins.
For Google Workspace, Microsoft 365, and Apple ID accounts, also review trusted devices and app-specific passwords.
These are common persistence points after phishing.
Strengthen multi-factor authentication
Enable multi-factor authentication, but choose the strongest available method.
Authentication apps such as Microsoft Authenticator, Google Authenticator, or Authy are better than SMS alone, because text messages can be intercepted through SIM swapping or number porting.
Best practice is to use phishing-resistant methods when available, such as passkeys, security keys based on FIDO2/WebAuthn, or hardware keys from YubiKey.
These methods help block attackers even if they have your password.
- Prefer passkeys or hardware security keys.
- Store backup codes offline in a secure place.
- Avoid approving unexpected push notifications.
- Remove old 2FA methods that are no longer used.
Review email, forwarding, and rules
Email accounts are especially valuable to attackers because they can be used to reset passwords on other services.
After a phishing incident, inspect mailbox settings for changes that could redirect or hide messages.
- Check forwarding addresses and inbox rules.
- Look for filters that archive, delete, or mark security alerts as read.
- Review “sent” and “deleted” folders for suspicious activity.
- Confirm that recovery emails from financial institutions and cloud services are still arriving.
In Gmail, Outlook, and Yahoo Mail, attackers may create hidden rules that silently forward messages.
Remove anything suspicious right away.
Scan devices for malware and persistence
If the phishing link downloaded a file or installed a browser extension, the device may still be compromised.
Run a full scan with reputable antivirus or endpoint protection software and review installed browser extensions, startup items, and recently added applications.
- Remove unknown browser extensions.
- Update the operating system and browser.
- Check for remote-access tools you did not install.
- Consider a clean reinstall if you suspect credential theft malware or a keylogger.
On Windows, look for unusual scheduled tasks and startup programs.
On macOS, review Login Items and profiles.
On Android and iPhone, verify app permissions and delete suspicious apps.
Monitor financial and identity risk
If the phishing attack involved banking, payroll, tax, or payment platforms such as PayPal, Venmo, Cash App, or Stripe, monitor transactions closely.
Contact the provider’s fraud team if you see unauthorized activity.
- Freeze or lock payment cards if needed.
- Change security questions and PINs.
- Review account notifications for changes to address, phone, or withdrawal settings.
- Watch for identity theft indicators, including unfamiliar credit inquiries.
If personal data such as a Social Security number, passport image, or tax record was exposed, consider a fraud alert or credit freeze with Equifax, Experian, and TransUnion.
Notify contacts if the account was used to send phishing
When attackers gain access to email or social media, they often send new phishing messages from the compromised account.
Warn contacts quickly so they do not click malicious links or share data.
- Tell recipients not to open recent suspicious messages.
- Ask them to verify any payment requests through another channel.
- Use a clean account or phone call to send the warning.
This step reduces secondary damage and helps limit the spread of the attack across coworkers, friends, and family.
Document the incident for future recovery
Keep a record of what happened, including timestamps, screenshots, suspicious sender addresses, links, and any changes you found in settings.
This documentation helps support customer service requests, workplace incident reports, insurance claims, or law enforcement reports.
For business accounts, inform IT or the security team immediately.
They may need to review logs, revoke tokens, reset access across the organization, and check for lateral movement in Microsoft 365, Google Workspace, Slack, or Salesforce.
How to prevent another phishing compromise
Once the account is secure, reduce the chance of repeat compromise by making phishing less effective.
The strongest defenses combine user habits, account controls, and device hygiene.
- Use a password manager for every login.
- Enable passkeys or hardware-based MFA where supported.
- Check sender domains carefully before clicking links.
- Type sensitive website addresses manually instead of following email links.
- Keep software updated to reduce exploit risk.
- Train employees or family members to verify urgent requests out of band.
Also review which services store payment methods, recovery details, and connected apps.
Reducing account sprawl makes post-phishing recovery faster and limits attacker options.
Which accounts should you secure next?
After the original account is contained, secure every account that may share a password, recovery email, or authentication path.
Common priorities include:
- Email accounts
- Banking and credit card portals
- Apple ID, Google Account, and Microsoft account
- Cloud storage and file-sharing services
- Social media and messaging apps
- Shopping and payment platforms
These accounts often connect to each other, so one compromised login can quickly become a chain of compromises if you delay the cleanup.