
A Staff Member Clicked a Malicious Link, Now What? (And How to Prevent the Next One)

No matter how cautious your team is, phishing emails slip through. The reality for most SMEs is this: at some point, someone will click. What matters next is how your business responds and what steps you take to stop it happening again.


In this post, we break down what to do immediately after a phishing incident, and how to test your team’s ability to spot a fake email in under 60 seconds.


[Image: four people in an office looking concerned at a laptop screen]

⚠️ First Things First: What to Do If a Link Was Clicked

If a member of your team has clicked a suspicious link, whether in an email, a Teams message, or a text, follow this procedure as quickly as possible:


✅ Step 1: Stay Calm and Isolate the Device

Disconnect the device from the network immediately (unplug Ethernet, switch off Wi-Fi). Don’t shut it down unless IT advises you to: some malware is triggered or re-established during a reboot, and powering off can also destroy evidence held in memory.


✅ Step 2: Notify IT or Your MSP

Your internal IT team or managed service provider (MSP) needs to be alerted immediately.


Provide:

  • The original email or message (as a screenshot or .eml file)

  • Time of the click

  • Device details

  • Any unusual behaviour (pop-ups, slow system, redirects, etc.)
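To make the hand-off to IT or an MSP faster, the details above can be pulled straight out of the forwarded .eml file. The script below is an added example for this post, not code from the original article or from SystemsCloud; it uses only Python's standard library and runs over a constructed sample message whose addresses, hostnames and IP are invented. It extracts the sender, Reply-To and Return-Path, the Received chain, and every link in the body, and highlights a Reply-To that points to a different domain than the From address, which is a common sign that replies are being redirected.

```python
import email
import json
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample .eml for this example, not a real message: the kind of
# file a staff member forwards to IT after clicking. Every address, host and
# IP address below is invented.
SAMPLE_EML = b"""\
Return-Path: <bounce@mail-relay.example.net>
Received: from mail-relay.example.net (198.51.100.7) by mx.yourcompany.co.uk; Tue, 3 Jun 2025 09:14:02 +0000
From: Sophie Accounts <sophie@cl1ents-pay.co.uk>
Reply-To: accounts-update@mail-relay.example.net
To: alex@yourcompany.co.uk
Date: Tue, 3 Jun 2025 09:13:55 +0000
Subject: Action Required: New Payment Method Update for Client Invoicing
Content-Type: text/html; charset="utf-8"

<p>Hi Alex,</p>
<p>We've just updated our preferred payment method for this month's invoice.</p>
<p><a href="https://cl1ents-pay.co.uk/portal/update">CLICK TO VIEW NEW PAYMENT INFO</a></p>
<p>Thanks,<br>Sophie<br>Accounts Dept.</p>
"""

# Pull every href out of an HTML body; good enough for triage, not a full HTML parser.
HREF_RE = re.compile(r"""href=["']([^"']+)["']""", re.IGNORECASE)


def _domain(addr: str) -> str:
    """Lower-cased domain part of an email address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage_eml(raw: bytes) -> dict:
    """Extract the fields an IT team or MSP needs for a first look at a reported message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    _, return_path = parseaddr(str(msg.get("Return-Path", "")))

    # Prefer the HTML part (links live there), fall back to plain text.
    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body else ""
    links = HREF_RE.findall(content)

    from_domain = _domain(from_addr)
    reply_domain = _domain(reply_to)
    return {
        "subject": str(msg.get("Subject", "")),
        "date": str(msg.get("Date", "")),
        "from_name": from_name,
        "from_addr": from_addr,
        "reply_to": reply_to,
        "return_path": return_path,
        # Oldest hop is last; the first entry is the server that delivered to you.
        "received": [str(h) for h in msg.get_all("Received", [])],
        "links": links,
        "link_domains": sorted({(urlparse(u).hostname or "").lower() for u in links}),
        # Replies going to a different domain than the visible sender is a redirection sign.
        "reply_to_mismatch": bool(reply_domain) and reply_domain != from_domain,
    }


if __name__ == "__main__":
    print(json.dumps(triage_eml(SAMPLE_EML), indent=2))
```

Run it against the real .eml (`triage_eml(open("reported.eml", "rb").read())`) on an isolated machine, not the affected device, and paste the JSON into the ticket alongside the click time and device details.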


✅ Step 3: Revoke Potentially Compromised Credentials

If the link led to a fake login page (e.g. Office 365, Google, Xero), reset passwords immediately. Prioritise email, banking, and any single sign-on (SSO) systems. Enable two-factor authentication (2FA) if not already in place.


✅ Step 4: Scan and Clean the Device

Use your antivirus or EDR tools to run a full scan. If a threat is detected, quarantine it and escalate. Don’t reuse the device until it’s been cleared or wiped professionally.


✅ Step 5: Report the Incident

Report the phishing attempt to:


📩 Prevention: Can Your Staff Spot a Fake Email?

Staff are often the last line of defence. But phishing emails are getting smarter: written by AI, spoofed to look like internal accounts, and often urgent or financial in tone.


Here’s a simple 60-second test any manager or team leader can run today.


🧪 The 60-Second Internal Phishing Check

Send your team the following (fabricated) email, either through your internal system or as a shared screenshot, and ask:


Can you spot what’s wrong with this email?

Subject: Action Required: New Payment Method Update for Client Invoicing

To: [Your team member]


Hi [FirstName],

We’ve just updated our preferred payment method for this month’s invoice. Please update your records and ensure all future payments go to the new account provided here:

[CLICK TO VIEW NEW PAYMENT INFO]


Thanks,
Sophie
Accounts Dept.


✅ Red Flags to Look For:

  • Slightly off domain: cl1ents-pay.co.uk instead of clients-pay.co.uk

  • Urgency about financial details

  • Suspicious link (hover shows random domain)

  • Generic “Accounts Dept.” instead of full name and title

  • No phone number or contact information
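The same five red flags can be written down as simple checks, which is a useful way to show a team that none of them require expert judgement. The script below is an added example, not part of the original post: it scores the fabricated email above against a constructed list of domains the business trusts, folds look-alike characters (1 for l, 0 for o, and so on) before comparing domains, flags urgency combined with financial wording, checks where the link actually points (the "hover" value, here a constructed unrelated host), and looks for a generic sign-off and a missing phone number.

```python
import re
from typing import Optional
from urllib.parse import urlparse

# Domains the business legitimately deals with. Constructed list for this example.
TRUSTED_DOMAINS = {"clients-pay.co.uk", "yourcompany.co.uk"}

URGENCY_WORDS = ("action required", "immediately", "urgent", "today", "update your records")
FINANCE_WORDS = ("payment", "invoice", "bank", "account")
GENERIC_SIGNOFFS = ("accounts dept", "finance team", "it department", "support team")

# Digits commonly swapped for letters in look-alike domains.
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "7": "t"})
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{7,}\d")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character domain tweaks."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str) -> Optional[str]:
    """Return the trusted domain this one imitates, or None if it is trusted or unrelated."""
    d = domain.lower().strip()
    if d in TRUSTED_DOMAINS:
        return None
    # Fold confusable digits and the 'rn' -> 'm' trick before comparing (heuristic).
    folded = d.translate(CONFUSABLES).replace("rn", "m")
    for trusted in sorted(TRUSTED_DOMAINS):
        if folded == trusted or edit_distance(d, trusted) <= 2:
            return trusted
    return None


def red_flags(subject: str, body: str, sender_domain: str, link_href: str) -> list:
    """Return the list of red flags (from the checklist above) present in a message."""
    flags = []
    text = f"{subject} {body}".lower()
    if any(w in text for w in URGENCY_WORDS) and any(w in text for w in FINANCE_WORDS):
        flags.append("urgency about financial details")
    imitated = lookalike_of(sender_domain)
    if imitated:
        flags.append(f"sender domain {sender_domain} looks like {imitated}")
    host = (urlparse(link_href).hostname or "").lower()
    if host and host not in TRUSTED_DOMAINS:
        flags.append(f"link points to untrusted domain {host}")
    if any(s in text for s in GENERIC_SIGNOFFS):
        flags.append("generic sign-off instead of full name and title")
    if not PHONE_RE.search(body):
        flags.append("no phone number or contact information")
    return flags


# The fabricated test email from this post, with a constructed hover target for the link.
SAMPLE = {
    "subject": "Action Required: New Payment Method Update for Client Invoicing",
    "body": (
        "Hi Alex,\n"
        "We've just updated our preferred payment method for this month's invoice. "
        "Please update your records and ensure all future payments go to the new "
        "account provided here:\n[CLICK TO VIEW NEW PAYMENT INFO]\n"
        "Thanks,\nSophie\nAccounts Dept."
    ),
    "sender_domain": "cl1ents-pay.co.uk",
    "link_href": "https://docs-share-4471.example.net/view",  # constructed, unrelated host
}

if __name__ == "__main__":
    for flag in red_flags(**SAMPLE):
        print("-", flag)
```

Keyword lists like these are deliberately crude and will miss plenty; the point of the exercise is the domain fold and the "where does the link really go" check, which are the two signs staff most often overlook.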


Once your team has reviewed the email, debrief together:

  • What signs did they catch (or miss)?

  • Have they seen something similar in real life?

  • Do they know how to report phishing attempts internally?


This mini-exercise builds awareness without embarrassment and prompts helpful discussion.


👥 Bonus: What to Train Staff to Do Next Time


Here’s what every team member should know:

  • Don’t click unknown links — hover first to check destination

  • Never download attachments from unexpected emails

  • Verify requests for payments or account updates via a second channel

  • Report suspicious emails immediately — don’t delete or ignore

  • Use strong passwords and enable 2FA wherever possible


Consider running a quarterly phishing simulation with your IT provider or security partner. These test campaigns are proven to reduce click rates over time.


Final Tip: Make Reporting Easy

The faster your team reports something suspicious, the faster your IT support or MSP can respond. Make it easy:

  • Create a shared inbox: security@yourcompany.co.uk

  • Encourage screenshots or forwarding suspicious messages

  • Make security part of team meetings and onboarding


Small Incidents, Big Lessons

A click doesn’t have to lead to a crisis, but only if you catch it quickly. SMEs are often targeted because scammers assume security is minimal and response time is slow. Proving them wrong starts with preparedness and training.


Need help reviewing your response plan or testing your team? We’re happy to assist.

© 2025 SystemsCloud Group Ltd.
