What you're dealing with — in plain English
The click is the start, not the end.
A phishing click by itself rarely does the damage — what happens in the following minutes decides the outcome. A stolen password gets used within hours. A fake invoice gets paid within days. Acting inside that window is what separates an incident from a story you tell later.
The first hour is about closing doors: change the exposed password everywhere it's reused, end active sessions, turn on MFA if it wasn't on, and check the mailbox for forwarding rules attackers quietly add. If money moved — a paid fake invoice, changed banking details — call your bank immediately; the window to recall a transfer is short.
The person who clicked — or who reported that they clicked — did the right thing by speaking up. Blame teaches people to hide the next click, and hidden clicks are the expensive ones. Calm, documented response wins here.