My Teen Clicked a Phishing Link — What To Do Right Now (2026 Parent Guide)

A phishing link in 2026 almost never looks like the old "Nigerian prince" email. For a 14-year-old, it looks like a Discord DM from their best friend's account saying "omg is this you?" with a video link. It looks like a Roblox trading DM promising rare items. It looks like a TikTok DM from an influencer they follow. It looks like an Instagram login prompt after they clicked a story link. It looks like a Google Docs invite forwarded to their school email.

The scam isn't stupid. The teen isn't stupid. The attack is engineered by professionals to bypass exactly the defenses a 14-year-old has. The FTC's 2024 Consumer Sentinel data shows teens aged 14-17 reported losing a collective $210 million to online fraud — up more than 2,500% from 2017. This is the threat model now.

Here's what to do.

Step 1: First 30 minutes — what to do right now

Do these in order. Don't skip ahead.

1. Disconnect the device from the internet. Turn on airplane mode on the phone. Turn off wifi on the laptop. This stops any automatic communication between the device and the attacker's server while you investigate.
2. Close the tab or app. Do not click anything else on the page. Do not complete any "verification." Do not enter any credentials it's still asking for.
3. Ask your teen one question, calmly: "Did you type anything on that page, or download anything?" Their answer determines the next hour. Do not ask why they clicked. That can wait.
4. From a different device — your phone, a family computer — start changing passwords on the affected account. If your teen entered credentials, see Step 4.
5. Identify which platform the link was on. The response differs for Discord, Roblox, Instagram, Snapchat, TikTok, and school/email. See Step 2.

Step 2: What platform was the phishing link on?

The scammer's goal changes by platform, and so does your response.

Discord

Discord phishing is almost always "free Nitro," "someone posted a video of you," or "I found your old account." The attacker's goal is the Discord account itself — to then send the same phishing link to every contact the teen has.

• Sign out of Discord on every device (Settings → Devices → Log Out Everywhere)
• Reset the password at discord.com/reset from a different device
• Enable 2-factor authentication with an authenticator app (not SMS)
• Review Settings → My Account → Connections for unknown linked accounts (Twitch, Steam, Spotify) — unlink anything the teen didn't add
• Check Settings → Authorized Apps and revoke anything unfamiliar
• If the link came from a friend, the friend's account is compromised too. Warn them through a different app (iMessage, SMS), not Discord

For the full Discord playbook, see our Discord scams parent guide.

Roblox

Roblox phishing is usually a "free Robux generator," a fake trading page, or a "limited items rollback" scam. The attacker's goal is the Robux balance and any rare items in the inventory — both of which can be laundered fast on third-party marketplaces.

• Change the Roblox password from a different device at roblox.com/my/account
• Enable 2-Step Verification (Settings → Security)
• Enable the Account PIN feature (Settings → Security → Account PIN) — this blocks settings changes even if the password is known
• Check Settings → Security → Sessions and log out of any unknown devices
• If items were already taken, contact roblox.com/support within 30 days — Roblox's recovery policy only applies within that window, and you'll need your original purchase receipts as proof of ownership

For the deeper Roblox angle, see our Free Robux scam parent guide.

Instagram, Snapchat, TikTok

Social-platform phishing typically asks the teen to "reverify your account" after clicking a story or DM. The attacker's goal is both the account (for resale or further phishing) and any private content stored in it — DMs, photos, story archives.

• Change the password from a different device through the official app (not through any link the teen received)
• Enable 2-factor authentication with an authenticator app
• Review login activity: Instagram (Settings → Security → Login Activity), Snapchat (Settings → Session Management), TikTok (Settings → Security → Security Alerts)
• Revoke any third-party app connections your teen didn't authorize
• Check the email and phone number on the account — attackers often swap these first to lock the real owner out; change them back if needed

School / email (Gmail, Outlook, Google Classroom)

School-email phishing looks like a Google Docs invite, a teacher "grade update," or a "your password expires today" notice. The goal is often bigger than a teen account — attackers use a verified school email to send internal phishing to staff and other students.

• Reset the email password from a different device
• Enable 2-factor authentication (your school district almost certainly supports it)
• Review sent mail — attackers often forward phishing to the contact list within minutes of compromise
• Check inbox rules / filters — a common trick is to add a filter that auto-forwards or deletes emails from the school's IT department
• Tell the school IT department. This is not optional. If a school email was compromised, the district needs to know so they can check for lateral movement into other accounts

Step 3: What did your teen actually do after the click?

Scope the damage based on the last action, not the first.

Step 4: If your teen entered a password

Credentials are a commodity. Within hours of the click, they're often either being used by the original scammer or sold on a credential market to be used by someone else. Speed matters.

1. Change the password on the affected account right now, from a different device
2. Change the password on every account that used the same or similar password. This means email, school, Discord, Roblox, any games, any apps. Teens reuse passwords at a rate north of 70% (Stanford Internet Observatory, 2025)
3. Enable 2-factor authentication on every important account — email first
4. Set up a password manager — Bitwarden (free) or 1Password Family. This is the single biggest protection against credential reuse going forward
5. Check bank statements and parental accounts — if your teen ever made a purchase on the affected platform, the payment method is now linked to a compromised account
6. Place a free credit freeze for minors if the compromised account had identity information (full name + date of birth + address). Contact each of the three major credit bureaus — Equifax, Experian, TransUnion — and request a freeze on the child's credit file. The FTC has step-by-step instructions

Step 5: If your teen downloaded something

Phishing pages sometimes offer a fake "verification app," a "trainer for Roblox," or a "Discord token checker." These are usually information-stealing malware or remote-access trojans.

1. Keep the device offline until you've completed the next steps
2. Run a full antivirus scan. On Windows, Microsoft Defender Offline scan catches most credential stealers. On Mac, Malwarebytes Free is the standard second-opinion tool. On Android, Malwarebytes or Bitdefender Mobile; on iOS, delete any unfamiliar profiles under Settings → General → VPN & Device Management
3. Check browser extensions (Chrome, Edge, Safari). Remove anything that wasn't there yesterday
4. If the scan finds anything serious — or if you're unsure — factory-reset the device. Yes, it's inconvenient. A reset is faster and more reliable than trying to surgically remove malware from a teen's phone, and the cloud backup will restore their apps and photos
5. After the device is clean, go through Step 4 for every account accessed from that device in the last 48 hours

Step 6: If it was 'just' a click — don't relax entirely

The click itself is almost certainly not the full attack. Phishing campaigns operate in stages: the first link profiles the victim, and a more targeted follow-up arrives within days. Watch for:

• Follow-up DMs from the same account or different accounts referencing whatever the first link was about
• Friends' accounts sending similar links — the compromise often spreads through the original victim's contact list, not through the victim themselves
• Unexpected password-reset emails on any account — a sign that someone is probing your teen's accounts using info they collected
• Calls or texts claiming to be from "platform support" asking to verify the account — no platform ever does this

Step 7: When to escalate to authorities

Most phishing incidents end at Step 4 or 5. These cases need to go further:

• Report to the FTC at reportfraud.ftc.gov if any money was lost, if identity information was shared (SSN, date of birth, full address), or if your teen was asked to send gift cards
• Report to the FBI's IC3 at ic3.gov for identity theft, financial fraud, or crimes crossing state/international lines
• If any sexual content is involved — photos requested, threats made, "we have pictures of you" language — stop everything and report to the NCMEC CyberTipline at 1-800-843-5678. This is sextortion. The FBI has a dedicated sextortion team at tips.fbi.gov. Do not pay. Do not delete messages. Preserve everything. One in five teens experienced sextortion in 2025, and 90% of financial sextortion victims are boys aged 14-17 (FBI, 2025)
• If a school email was compromised, contact the school IT department — they are legally and operationally required to check for lateral compromise
• Contact your local police if any in-person threat, stalking, or blackmail is involved

Step 8: What to say to your teen (the usually-missed part)

This is the most important step and the one most parents skip. How this conversation goes determines whether your teen tells you next time — and there will be a next time, because the scams keep evolving.

• Lead with "I'm not mad." And mean it. The attacker is a professional. Your teen is 14. This was not a fair fight
• Split the conversation in two. The technical recovery happens now, together. The "how do we prevent this next time" talk happens in 24-48 hours, when emotions settle
• Don't do "I told you so." It rewires your teen to hide the next incident instead of bringing it to you. That's how single clicks turn into sextortion cases
• Name the tactic, not the teen. "That's a classic account-takeover phishing pattern — they engineered it to look exactly like a friend's real DM" is useful. "You should have known better" is not
• Ask what signal would have helped. Not "how did you miss it" — that's accusatory. Instead: "Looking at it now, what's the one thing that would have stopped you for a second?" Teens who identify their own pattern-break cues are the ones who catch it next time

Step 9: How to prevent the next one — pattern recognition, not rules

"Don't click suspicious links" doesn't work. The links aren't suspicious — they come from friends' hacked accounts, use platform-native formatting, and exploit urgency. What works is pattern recognition trained through repetition under pressure — the same way people learn to spot a bluff at a poker table.

A few things that measurably help:

• One absolute rule: "Passwords and verification codes are typed into the official app or the bookmarked URL — never into a link someone sent me." One absolute rule beats a list of heuristics
• Second-channel verification habit: If a friend DMs something unusual, confirm through a different app before acting. iMessage-what-happened is a reflex worth training
• A password manager — teens can't click a phishing page that looks like Discord if their password manager doesn't autofill because the URL is wrong. This is the single most effective protection you can install today
• Practice under pressure. Rules teens heard in a lecture don't fire when a hacked friend's account is messaging them at 9:47 PM. Rules they practiced in a realistic scenario do