PanicStation.org

What to do if…
you realise you entered your password into a site that may have been fake

Short answer

Stop using that page, then go to the real website/app by typing it yourself and change your password immediately (starting with your email account if there’s any chance it was involved).

Do not do these things

  • Don’t keep trying to “log in again” on the suspicious page to test it.
  • Don’t click “contact support” links, pop-ups, or phone numbers shown on the suspicious site.
  • Don’t keep using the same password on other accounts while you wait “until you know for sure”.
  • Don’t post screenshots of the page that include your email address, username, or any codes.
  • Don’t ignore it because “nothing has happened yet” — account takeovers can be delayed.

What to do now

  1. Close the suspicious page and pause. Stop interacting with it.
  2. Go to the real service safely. Open a new tab and type the known address yourself (or use the official app you already had installed). Avoid search ads/sponsored results for this step.
  3. Change the password on that account right now.
    • Use a new, unique password (not a variation of the old one).
    • If the site offers it, choose “sign out of all devices/sessions” after changing it.
  4. If you ever reused that password elsewhere, change those next (highest risk first):
    • Email inbox account(s) (because password resets for other accounts often go there).
    • Banking/payment apps, shopping accounts, social media, messaging.
  5. Turn on 2-step verification (2FA) where available. Do this on your email account and the affected account as a priority.
  6. Check for quick signs of takeover on the affected account(s):
    • Password reset emails you didn’t request.
    • New device/session alerts.
    • Changes to recovery email/phone number.
    • New “forwarding”/auto-reply rules in your email, or suspicious sent messages.
  7. Contact the provider’s real support channel if anything looks changed or you can’t log in. Use the help pages inside the official app/site you reached by typing the address yourself (not any links/phone numbers shown on the suspicious page).
  8. Report the scam message/site.
    • If it came by email, forward it to report@phishing.gov.uk.
    • If it came by text, forward it to 7726 (free) if your network supports it.
    • You can also report suspicious websites/messages using the UK government phishing reporting route.
  9. If you entered anything financial (card/bank details) or money left your account: contact your bank or card provider immediately.
    • If you’ve lost money or believe you’ve been hacked because of the scam, report it: in England, Wales and Northern Ireland, people usually use the national fraud reporting service; in Scotland, people usually report fraud to Police Scotland on 101 (999 in an emergency).

What can wait

  • You do not need to decide today whether to delete accounts, change phone numbers, or replace devices.
  • You do not need to do a full “security overhaul” of everything — focus on the specific account and any reused passwords first.
  • You can review password managers and wider clean-up later.

Important reassurance

Many careful people get caught by convincing fake login pages, especially when stressed or in a rush. Taking fast, simple steps now (password change, 2FA, checking for changes) is usually enough to stop things escalating.

Scope note

This covers first steps only, to reduce immediate harm after a possible phishing login. If you discover confirmed account takeover, identity fraud, or financial loss, you may need additional support from the service provider, your bank, and official reporting channels.

Important note

This is general information, not legal or professional advice. If you think an attacker has access to your accounts or you see financial loss, prioritise regaining control (password reset, 2FA, signing out sessions) and contacting the relevant provider/bank promptly.
