You Clicked the Link. Now What?

Mary accidentally clicks a malicious link. Her first instinct is to change passwords, but is that the right next step?

By Logan Dunnaway Technology 5 min read

Mary stared at her laptop. 

Her inbox had turned into a firehose. Messages she didn’t write were flying out to clients, vendors, and friends. Each message carried the same infected link she’d just clicked. 

Her phone buzzed with replies: 

“Did you mean to send this?” 

“Hey, your account’s been hacked!” 

Mary froze. 

Her first instinct was what most of us would do: change every password she had. 

But she hesitated. Something told her that might make things worse. 

The Moment After Panic 

When you realize you’ve been hit, your mind floods with to-do lists: 

· Reset passwords. 

· Unplug the computer. 

· Call the bank. 

· Delete everything. 

It feels like a race against the clock. But the most urgent step, surprisingly, is containing the device, not cleaning up your identity. 

That bad link didn’t just send emails. It may well have planted software on the device that watches, records, and waits: a keylogger, a remote access tool, or a script that reports back to the attacker’s server. Changing passwords on an infected machine is like changing your house locks while the burglar is still standing in the hallway, watching. 

So Mary didn’t change her passwords right away. Instead, she called us, the professionals. 

Step One: Freeze, Don't Fiddle 

Our first instruction was calm and clear: 

“Don’t touch anything yet. Let’s make sure the device isn’t still talking to the attacker.” 

Together, we checked the basics: 

· Disconnect Wi-Fi. 

· Unplug from Ethernet. 

· Power down the device. 

That simple act of disconnecting stopped more data from leaking out. It’s the digital equivalent of closing a valve on a burst pipe. 

Then came the inspection. With Mary’s permission, once we gained access to the device, we moved quickly but methodically. We reviewed activity logs, sign-ins, and recent installs. Then we dug deeper into background processes, hidden folders, and browser extensions, all the while searching for the digital fingerprints that confirmed how the attacker had slipped in. 

Why Devices Come Before Identities 

Cybersecurity often gets explained backwards. 

We hear “change your password” first, because it’s simple, visible, and feels productive. 

But when an attacker compromises a device, the device itself becomes a spy. 

Every new password you type, every code you enter, every email you send, the attacker may be watching. 

That’s why the order matters: 

  1. Clean devices first.
  2. Then reset identities. 
  3. Then harden the environment. 

The sequence is both technical and psychological. It restores control one layer at a time. 

Step Two: Verify and Clean 

With Mary’s laptop offline, we got to work confirming whether it had been compromised. 

We checked for: 

· Suspicious startup items. 

· Unknown applications. 

· Browser extensions that steal credentials. 

· Modified DNS settings. 
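Those four checks are easiest to do well when you have something to compare against. The script below is an added example written for this article, not Anneal Tech’s tooling or anything from the incident: it compares a snapshot of startup items, installed applications, browser extensions, and DNS resolvers with a known-good baseline and reports every deviation. All of the data is constructed for illustration; the product and extension names are hypothetical, the 198.51.100.0/24 range is reserved for documentation, and collecting the snapshot from the operating system itself is left out.

```python
"""
Baseline-diff triage for four endpoint checks: startup items, installed
applications, browser extensions, and DNS resolvers.

Example code written for this article, not the firm's own tooling.
All names below are hypothetical and the data is constructed; on a real host
the snapshot would be collected from the OS (autorun entries, the installed
programs list, the browser's extension directory, the active resolver list).
"""

from dataclasses import dataclass
from typing import Dict, List, Set

# The four checks, in the order they were performed.
CATEGORIES = ("startup", "apps", "extensions", "dns")

# Items whose disappearance is itself a red flag: attackers disable defenders.
PROTECTED = {"apps": {"Acme EDR Agent"}, "startup": {"SecurityHealthSystray"}}


@dataclass(frozen=True)
class Finding:
    category: str
    item: str
    reason: str


# Known-good state recorded when the laptop was provisioned (constructed).
BASELINE: Dict[str, Set[str]] = {
    "startup": {"OneDrive", "SecurityHealthSystray", "Teams"},
    "apps": {"Microsoft 365 Apps", "Google Chrome", "Zoom", "Acme EDR Agent"},
    "extensions": {"uBlock Origin", "Acme Password Manager"},
    "dns": {"10.0.0.53", "10.0.0.54"},  # corporate resolvers (hypothetical)
}

# State observed after the click (constructed to show each kind of finding).
SNAPSHOT: Dict[str, Set[str]] = {
    "startup": {"OneDrive", "SecurityHealthSystray", "Teams", "WinUpdateHelper"},
    "apps": {"Microsoft 365 Apps", "Google Chrome", "Zoom", "SpeedBoost Utility"},
    "extensions": {"uBlock Origin", "Acme Password Manager", "Form Autofill Plus"},
    "dns": {"10.0.0.53", "198.51.100.7"},  # documentation range stands in for a rogue resolver
}


def diff_category(category: str, baseline: Set[str], snapshot: Set[str]) -> List[Finding]:
    """Return one Finding per item added to or removed from this category."""
    findings: List[Finding] = []
    for item in sorted(snapshot - baseline):
        reason = "not in baseline"
        if category == "dns":
            reason = "resolver outside the approved list (possible DNS hijack)"
        findings.append(Finding(category, item, reason))
    for item in sorted(baseline - snapshot):
        reason = "present in baseline but missing now"
        if item in PROTECTED.get(category, set()):
            reason = "protected security component removed"
        findings.append(Finding(category, item, reason))
    return findings


def triage(baseline: Dict[str, Set[str]], snapshot: Dict[str, Set[str]]) -> List[Finding]:
    """Run all four checks and return the findings in check order."""
    findings: List[Finding] = []
    for category in CATEGORIES:
        findings.extend(
            diff_category(category, baseline.get(category, set()), snapshot.get(category, set()))
        )
    return findings


def needs_full_scan(findings: List[Finding]) -> bool:
    """Any deviation means the host is untrusted until EDR has examined it."""
    return bool(findings)


def report(findings: List[Finding]) -> str:
    """Render findings as one aligned line each, or a clean verdict."""
    if not findings:
        return "no deviations from baseline"
    return "\n".join(f"{f.category:<10} {f.item:<22} {f.reason}" for f in findings)


if __name__ == "__main__":
    found = triage(BASELINE, SNAPSHOT)
    print(report(found))
    print("escalate to full EDR scan:", needs_full_scan(found))
```

The point of the baseline is that “unknown application” only means something relative to what was supposed to be there; a removed security agent or a swapped DNS resolver is as telling as anything new, which is why the script reports removals and flags protected components separately.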

Then we ran a trusted endpoint detection and response (EDR) scan, software that looks deeper than antivirus. Think of antivirus as a smoke detector. 

EDR is the fire marshal who shows up to find out where the smoke started. 

The scan took time, but it mattered. It turned up traces of malicious software: small, but enough to warrant a full wipe of Mary’s system. 

So we backed up only verified clean files, reimaged the laptop, and reinstalled company-managed tools. 

In very little time, her machine was safe to use and hardened against future attempts. 

Step Three: Reset with Confidence 

While we say the device comes first, in practice the work to reclaim a compromised identity runs alongside the cleanup of the compromised device. What matters is that the resets happen from a machine you trust. 

We’ll cover more about identity in next week’s article. For now, the short version: once the laptop was clean, Mary reset the passwords for her key services from that clean device. 

Her account was stabilized. 

Her messages stopped. 

The attacker’s access was gone. 

What “Hardening Devices” Really Means 

In IT, we talk about “hardening,” but for most people, that sounds abstract. Here’s what it means in plain English: 

Every device should be monitored, so that if something changes, whether a new login, a new app, or a strange network request, someone sees it immediately. 

Updates aren’t optional. They’re armor. When software stays unpatched, it leaves holes in the fence your computer needs to keep closed. 

Antivirus isn’t enough. You need managed detection and response that looks for behavior, not just bad files. 

Backups are insurance. Not just for files, but for the sanity that comes from knowing you can start fresh if something goes wrong. 

Lessons Learned 

Most business leaders don’t know how to respond when a cybersecurity incident occurs. Mary’s experience illustrates a few key things: 

Human moments create openings. 

Mary wasn’t reckless. She was working fast, juggling calls, and a thousand priorities. Attackers rely on that. The more professional and helpful the email looks, the more likely someone will click. 

Devices are the bridge between you and the internet. 

If an attacker controls that bridge, they don’t need your password. They can wait until you type it. Even worse, they can silently observe sensitive business information and client data. 

Fast doesn’t mean frantic. 

The right response sequence is calm, structured, and layered. Disconnect. Verify. Clean. Reset. 

Prevention is built, not bought. 

When we came on the scene, we didn’t have to guess, because we had a protocol to follow. The monitoring, response tools, and protocols we offer are designed to catch an incident like this before it spreads. 

Connecting Back to the Bigger Picture 

In the first article, we introduced Device → Identity → Network — the three pillars of modern IT defense. 

Mary’s story shows why the first pillar matters so much. 

Devices are your how: a secure device keeps your identity honest. 

Identity is your who: a hardened identity keeps your network clean. 

Network is your where: a well-designed network keeps both from spreading trouble. 

Each layer supports the security of the others. 

At Anneal Tech, this is standard practice. Our defense-in-depth methodology uses industry-leading tools and best practices to protect our clients from the threats that threat actors use every day. 

Author’s note: 

This story reflects real-world events and Anneal Tech’s real process for responding to business email compromise and endpoint infection, with names and details changed for privacy.