How to respond when a friend shares “I was a victim of a phishing scam”

When a friend tells you they fell for a phishing scam, the moment can feel heavy. You want to be supportive, give useful advice, and keep the conversation calm. Below are steps you can follow, plus ready‑to‑use replies that sound natural.

1. Listen without interrupting

Give your friend space to share what happened. Nod, keep eye contact, and let them finish before you speak.

  • I’m sorry you went through this.

  • That must be stressful.

Example replies

I feel bad for you

I hear how upset you are

Tell me more if you want

When you respond, avoid jumping to solutions right away. A simple acknowledgment often does more good than any quick fix.

2. Validate the feelings

People often blame themselves after a scam. Let them know it is common and not a sign of weakness.

  • Many people get tricked; you are not alone.

  • Scammers get smart; it is easy to fall.

Example replies

It is normal to feel shaken

You are not the only one

Scammers are clever, so are you for spotting it later

3. Offer concrete steps

After validation, guide your friend toward actions that protect their accounts. Keep the list short and clear.

  • Change passwords on every account that used the same login.
  • Enable two‑factor authentication wherever possible.
  • Report the fraud to the bank and to the platform where the scam occurred.
  • Delete the phishing email and any related messages.

Example replies

Let’s start by changing your password

You should tell your bank right away

Enable two‑factor authentication today

If you have personal experience, share it briefly. “I once got a fake text that looked like my carrier. I called the number on the bill, not the one in the message, and stopped the loss.” This shows you understand and have acted before.

4. Provide emotional support

Beyond the steps, your friend may need reassurance that they will recover. Use kind language and avoid “should” statements.

  • You will get through this.

  • I am here if you need to talk later.

Example replies

I am here for you

You will bounce back

Call me if you feel stuck

5. Follow up later

A single conversation is not enough. Check in after a day or two to see if they completed the actions.

  • Did you manage to lock the account?

  • How does everything look now?

Example replies

How are things after the changes?

Let me know if anything new pops up

I checked my own inbox, and I see the same pattern – stay alert

Quick checklist for you

  • Listen first, no interruption.
  • Say a sentence that shows empathy.
  • Suggest three easy actions: password change, two‑factor, report.
  • Offer to help with any step.
  • Touch base later in the week.

Personal note

Last month a coworker told me about a fake job offer email. I felt the same panic you might feel now. Together we reported it, changed the login, and the company’s IT team flagged the sender. The incident reminded me that quick teamwork stops the spread.

Closing thought

Helping a friend after a phishing scam mixes practical advice with genuine care. By listening, validating, guiding, and staying in touch, you turn a scary moment into a chance for both of you to grow stronger.

Be kind ❤
