How quickly do phishing attackers act after capturing credentials?

Captured credentials are often used within minutes. Phishing kits send real-time notifications to attackers — email, Telegram, or a dashboard — the moment credentials are submitted. Automated scripts then test the credentials immediately. For high-value targets (financial accounts, corporate email), manual attackers may be monitoring specific campaigns and act within seconds. Speed of response is critical.

What is the first action to take after entering credentials on a phishing site?

Go directly to the real site (type the URL, do not click any link) and change the password immediately. This invalidates the captured credential before the attacker can use it — or if they already have a session, most services terminate other sessions when the password changes. Do not wait to confirm you were phished — if you suspect it, act immediately.

Should I contact my bank if I entered banking credentials on a phishing site?

Yes, immediately. Call the number on the back of your card or on your bank's official website (not a number found in search results). Report that you may have entered credentials on a fraudulent site. Banks can place holds on accounts, monitor for suspicious transactions, and initiate fraud processes. Early reporting significantly increases the chance of recovering any funds moved fraudulently.

How do I report phishing to the NCSC?

Forward the phishing email to report@phishing.gov.uk — the NCSC Suspicious Email Reporting Service (SERS). If the phishing was delivered via text message, forward it to 7726 (the industry shortcode for spam reporting). If you suffered financial loss, report to Action Fraud (0300 123 2040 or actionfraud.police.uk). Reporting helps the NCSC identify and dismantle active phishing infrastructure.

What should I check on my other accounts after a phishing incident?

After securing the compromised account: (1) Identify any other accounts that used the same password and change them all. (2) Check whether the compromised email was used as a recovery address for other accounts — if so, change those recovery addresses. (3) Review active sessions and connected applications in the compromised account settings and revoke anything unrecognised. (4) Run your email through HaveIBeenPwned to identify any related breaches.

What to Do Immediately After a Phishing Attack

Realising you have entered credentials on a phishing site is one of the most stressful security incidents a person can experience. The instinct to pause and assess is understandable but counterproductive — every second that passes gives the attacker more time to act on captured credentials. This guide provides an ordered response protocol designed to minimise damage as quickly as possible.

The First Five Minutes

Navigate directly to the real site — type the URL, do not click any link. Go immediately to the legitimate service and change your password. Use a newly generated strong password from the Credential Guard. Do not use the same password elsewhere.
Sign out all other sessions. Most services have a "Sign out of all devices" or "Revoke all sessions" option in account or security settings. Use it. This ends any session the attacker may have established.
Check your recovery options. In the account security settings, verify the recovery email address and phone number have not been changed. Attackers change these first to lock you out of future recovery.
Enable or rotate MFA. If MFA was not enabled, enable it now — a hardware FIDO2 key or authenticator app. If MFA was enabled, the phishing capture likely included a live OTP — rotate your authenticator codes (regenerate the TOTP secret) or register a new hardware key.
If financial credentials were involved, call the institution immediately. Phone the number on the back of your card or from their official website — not from a search result or any link.

Next 30 Minutes

Identify every other account using the same password — change them all
Check whether the compromised account was used as a recovery method for other accounts
Review connected apps and OAuth grants in the compromised account — revoke anything unrecognised
Check sent mail and recent activity in the compromised account for evidence of impersonation or data access
Alert your contacts if the account was used to send phishing messages — post a brief social media notice if applicable

Reporting

NCSC Suspicious Email Reporting: [email protected]
Text message phishing (smishing): Forward to 7726
Financial loss or identity theft: Action Fraud (0300 123 2040)
ICO (if personal data breach): ico.org.uk

Prevention going forward: Use unique generated passwords for every account (the Credential Guard generates these), stored in a password manager. Enable FIDO2 hardware key MFA on all accounts that support it. Never click email links to log in — always navigate directly. These three habits eliminate the vast majority of phishing risk.

phishing response incident response account recovery credential compromise NCSC

For informational purposes only. Phishing threats evolve constantly — always consult current NCSC, CISA, and your organisation's security team guidance for your specific environment.

← Credential Stuffing vs Phishing: Understand Both