32blog by StudioMitsu

Opened a Phishing Email? What to Do Next

Opened, clicked, or entered info on a phishing email? Three risk levels, step-by-step response for each, plus how to block phishing before it reaches you.

This article contains affiliate links.

If you are reading this because you just opened a suspicious email, here is the most important thing to know — opening an email alone almost never causes harm.

According to the FBI's 2024 Internet Crime Report, the IC3 received 859,532 complaints with losses exceeding $16 billion. Phishing was the most reported crime category. The APWG recorded 4.8 million phishing attacks in 2024, with an estimated 3.4 billion phishing emails sent daily.

This article breaks the response into three clear levels: "opened only," "clicked a link," and "entered information" — because the correct response is completely different for each.

[Flowchart: Opened Email (did not click → low risk); Clicked a Link (no info entered → medium risk); Entered Info (immediate action needed, high risk); Opened Attachment (scan required)]

Opening an Email Alone Is Not the Danger

If you only opened the email (read the body text) without clicking anything or opening attachments, you are almost certainly fine.

Modern email clients (Gmail, Outlook, Apple Mail) do not execute scripts embedded in emails. If your settings auto-load remote images, the sender may learn that you opened the email, but that is the extent of the risk.

However, if any of the following apply, read the relevant section below.

  • You clicked a link (URL) in the email
  • You opened an attachment
  • You entered a password, credit card number, or other information on a page the link took you to

Identify Your Situation First

The correct response depends entirely on what you did. Find your situation in the table.

Situation | Risk Level | Response
Opened email only | Low | Delete and move on
Clicked a link (entered nothing) | Medium | Scan and monitor
Entered credentials or financial info | High | Immediate action required
Opened an attachment | High | Disconnect and scan

Each situation is covered in detail below.

If you only opened the email and did not click any link or open any attachment, there is very little to do.

  1. Delete the email (or move it to spam)
  2. Block the sender (prevents repeat messages from the same address)
  3. Report it as phishing (Gmail: "Report phishing," Outlook: "Junk → Phishing")

No further action is needed. However, if you keep receiving similar emails, your email address may have been leaked. Check with "How to Check If Your Data Is on the Dark Web" to be sure.

You clicked a link in the email but did not enter any information on the page it opened. Risk is moderate.

What to Do

  1. Close the browser — close the tab or window entirely. Do not just hit "back"
  2. Clear browser cache and cookies — the phishing site may have planted tracking cookies
  3. Run a full virus scan — use Windows Defender or your installed security software
  4. Monitor your accounts — check bank and credit card statements for unusual activity over the next few days

If You Clicked on Your Phone

The same principles apply: close the browser and clear the cache. Additionally, check that no unfamiliar apps were installed. For detailed phone-specific steps, see "Is Your Phone Hacked? How to Check and What to Do Right Now."

You Entered Credentials or Financial Info

This is the most dangerous situation. If you entered a password, credit card number, or bank details on a phishing site, act immediately.

If You Entered a Password

  1. Change the password on that service right now
  2. Change the password everywhere you reused it — attackers use credential stuffing (trying leaked credentials on other services) almost immediately
  3. Enable two-factor authentication (2FA) — authenticator apps are safer than SMS. See "Is SMS 2FA Still Safe? How to Switch" for setup steps
  4. Check the service's login history — if you see unfamiliar sessions, log out of all devices

For password management guidance, see "Can't Remember Your Passwords? You Don't Have To." To check if your passwords are already leaked, see "How to Check If Your Password Has Been Leaked."

If You Entered Credit Card Information

  1. Call your card issuer immediately — request a card freeze and a new card number
  2. Review recent statements — look for charges you do not recognize
  3. File a report — contact your bank's fraud department and, if needed, report to the FTC at reportfraud.ftc.gov

If You Entered Bank Account Information

  1. Call your bank immediately — request a temporary freeze on online banking
  2. Change your PIN and online banking password
  3. Review transaction history — look for unauthorized withdrawals or transfers

You Opened an Attachment

If you opened an attachment (.exe, .zip, .docm, .pdf, etc.), malware infection is possible.

What to Do

  1. Disconnect from the network — turn off WiFi, unplug Ethernet. This stops malware from communicating with external servers
  2. Run a full virus scan — not a quick scan, a full system scan
  3. Follow the scan's instructions to remove threats
  4. Change passwords after cleanup — a keylogger may have recorded your keystrokes before removal

If you opened an attachment on your phone, see "Is Your Phone Hacked? How to Check and What to Do Right Now" for verification steps.

How to Block Phishing Emails Before They Hit

Knowing the response is important, but not encountering phishing in the first place is better.

Email Client Settings

  • Use Gmail's filter feature to auto-route emails from specific domains or subject patterns to spam
  • Turn off automatic image loading (Gmail: Settings → General → "Ask before displaying external images")
  • Report spam aggressively — the more you report, the better your filter gets

NordVPN's Plus plan and above includes Threat Protection Pro (TPP), which automatically detects and blocks phishing links inside emails.

How TPP's email protection works:

  • Works in Gmail and Yahoo Mail web versions
  • Checks email links against a known-threat database
  • Displays a red warning banner on dangerous links
  • Also scans downloaded files in real time

TPP does not read email body text or attachments. It only scans links, keeping privacy impact minimal.

For a full feature breakdown, see "NordVPN Threat Protection Pro Review."

How to Spot Phishing Emails (Basics)

No method is foolproof, but these checks catch the majority of phishing attempts.

  • Check the sender address — "amazon-security@random-domain.com" is a giveaway. The domain matters more than the display name
  • Watch for urgency — "Your account will be suspended in 24 hours" is a classic pressure tactic. Legitimate services rarely demand immediate action via email
  • Hover over links before clicking (on desktop) — if the displayed text and actual URL differ, it is phishing
  • Look for language quality issues — awkward phrasing, mixed formality, unusual formatting

Where to Report (US)

Resource | When to Use
FTC (reportfraud.ftc.gov) | General phishing and fraud reports
FBI IC3 (ic3.gov) | Financial losses or identity theft from cybercrime
IdentityTheft.gov | If your personal identity was compromised
Your bank or card issuer | If financial information was entered

Wrapping Up

Your response to a phishing email depends entirely on what you did.

  • Opened only → delete and move on. No need to panic
  • Clicked a link → close browser → clear cache → run virus scan
  • Entered information → change passwords immediately → call bank/card issuer → enable 2FA
  • Opened an attachment → disconnect from network → full scan

For proactive protection, Threat Protection Pro blocks phishing links automatically, and reporting suspicious emails as phishing before opening them should become a habit.

If you are worried your information may already be circulating, check now with "How to Check If Your Data Is on the Dark Web."