A phishing site wearing your brand is a clock-management problem: every hour it stays live is more harvested credentials and more damaged trust. The goal is disruption, fast — and the way to get it is to capture evidence cleanly and hit the right layers in parallel, leading with the abuse type that gets the quickest action. Here is the playbook.
First: capture evidence before it disappears
The moment you act, the operator may pull the page. Capture first, report second.
- A timestamped screenshot of the live phishing page, ideally full-page.
- The exact, full URL and the bare domain.
- The impersonation itself — your logo, brand name, or copied layout in use — captured side by side with your real site if you can.
- Email headers and body if the phishing arrived by mail (they reveal sending infrastructure for a separate report).
- The DNS and certificate records — the resolving IP, the MX record if it is mail-capable, and the TLS certificate from Certificate Transparency logs.
Save everything with timestamps. A dead page is far harder to action than a documented live one.
Speed comes from parallelism: file with the host, the registrar, and Safe Browsing at the same time, and lead each report with "active phishing," not "trademark." Phishing triggers the fastest abuse obligations.
Identify the layers you can disrupt
A phishing site depends on several independent providers, and each can pull a different lever:
- Hosting provider / CDN — serves the content; can remove the page fastest, often within hours.
- Registrar — sold the domain; can suspend or hold it, killing the name entirely.
- DNS provider — resolves the name; sometimes separate from the registrar.
- Google Safe Browsing and browser blocklists — warn users in Chrome, Safari, Firefox, and Edge without touching the site.
- Email provider — relevant if the campaign sends mail from or through the domain.
You will usually report to several at once. Match the lever to your goal: content removal (host), domain suspension (registrar), user protection right now (Safe Browsing).
Step by step: filing the takedown
- Find the host. Resolve the domain to its IP and look up that IP's abuse contact at the relevant regional registry, or identify the CDN from the response headers. Most hosts publish an abuse@ address or a web form.
- Find the registrar. Query RDAP at https://rdap.org/domain/example.com; the JSON response names the registrar and its abuse contact. RDAP returns this even when WHOIS is redacted.
- Report to the host. Send the evidence package, state plainly that the URL is an active phishing page impersonating your brand, and ask for content removal.
- Report to the registrar. Same package; cite DNS abuse (phishing) and ask for suspension. ICANN obligates accredited registrars to act on phishing reports.
- Submit to Safe Browsing. Report the URL through Google's phishing report page and Microsoft SmartScreen, putting interstitial warnings in front of most browsers within hours.
- Report the mail path if the domain sends phishing email — to its email provider and, where relevant, anti-phishing feeds.
- Record every ticket number and follow up at each provider's stated window.
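Added example, not part of the original playbook: reading the RDAP JSON from the "Find the registrar" step to pull out the registrar name, its IANA ID, and the abuse mailbox, including the case where registrant data is redacted. The response below is a constructed sample with placeholder values, and the helper names (vcard_values, walk, registrar_contact) are this example's own.

```python
import json

# Constructed sample (placeholder values): trimmed RDAP domain response, RFC 9083 layout.
SAMPLE_RDAP = json.loads("""
{"ldhName": "brand-login.example", "entities": [
  {"roles": ["registrant"], "remarks": [{"title": "REDACTED FOR PRIVACY"}]},
  {"roles": ["registrar"], "handle": "9999",
   "publicIds": [{"type": "IANA Registrar ID", "identifier": "9999"}],
   "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                            ["fn", {}, "text", "Example Registrar LLC"]]],
   "entities": [
    {"roles": ["abuse"],
     "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                              ["tel", {"type": "voice"}, "uri", "tel:+1.5555550100"],
                              ["email", {}, "text", "abuse@registrar.example"]]]}]}]}
""")

def vcard_values(entity, prop):
    """Return every non-empty value of one jCard property ('fn', 'email', ...)."""
    card = entity.get("vcardArray") or []
    props = card[1] if len(card) > 1 else []
    return [p[3] for p in props if len(p) > 3 and p[0] == prop and p[3]]

def walk(entities):
    """Yield each entity plus any entities nested beneath it."""
    for ent in entities or []:
        yield ent
        yield from walk(ent.get("entities"))

def registrar_contact(rdap):
    """Pull registrar name, IANA ID and abuse mailboxes out of an RDAP domain object."""
    out = {"domain": rdap.get("ldhName"), "registrar": None,
           "iana_id": None, "abuse_emails": []}
    for ent in rdap.get("entities") or []:
        if "registrar" not in ent.get("roles", []):
            continue
        names = vcard_values(ent, "fn")
        out["registrar"] = names[0] if names else ent.get("handle")
        for pid in ent.get("publicIds", []):
            if pid.get("type") == "IANA Registrar ID":
                out["iana_id"] = pid.get("identifier")
        # The abuse contact is normally nested under the registrar entity.
        for sub in walk([ent]):
            if "abuse" in sub.get("roles", []):
                out["abuse_emails"] += vcard_values(sub, "email")
    return out

if __name__ == "__main__":
    print(registrar_contact(SAMPLE_RDAP))
```

An empty abuse_emails list means the response carried no abuse mailbox under the registrar entity, in which case fall back to the registrar's published abuse form.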
Lead with the strongest, fastest claim
Different claims move at different speeds, and choosing wrong costs days:
- Phishing or malware is the strongest, fastest lever — reportable to host, registrar, and Safe Browsing on the abuse alone, with no trademark required.
- Trademark infringement covers the domain name impersonating your brand, but at a registrar it is usually a lower priority than active phishing. It does unlock UDRP, URS, and platform IP forms.
- DMCA is for copyright only — copied images, text, or code — not the domain name. Use it to pull stolen content, not to seize the name.
If the site is harvesting credentials, lead every report with phishing. Save the trademark and UDRP routes for when you need the domain itself.
When to escalate to UDRP
A registrar or host abuse report disrupts the live attack, but the domain can stay registered and be reused. When you want the name permanently — transferred to you so the squatter cannot return — escalate to a UDRP complaint, which requires a trademark and resolves in roughly two months. For clear-cut cases on a new gTLD, URS suspends the domain faster and more cheaply, though it does not transfer it. A common pattern: kill the live page now via the host, then pursue UDRP for ownership in parallel.
Don't fire a notice you can't stand behind
A takedown notice carries legal weight. A DMCA notice containing a knowing misrepresentation exposes you to liability under §512(f), and a sloppy or wrongly routed notice gets your reports deprioritized. Keep every claim accurate and within what your evidence supports, and keep a human in the loop before anything is sent. This is general information, not legal advice; involve counsel for contested or high-stakes cases.
Make it repeatable
Doing this once is manageable; doing it for every lookalike that appears is a process. The work that scales is the front of the funnel — detecting impersonation early and packaging evidence the same way every time — so that takedown becomes routine instead of a fire drill. Brandfence watches certificate-transparency logs, DNS, and new registrations for domains impersonating your brand, resolves the registrar, host, and abuse contact, packages the evidence, and drafts the correctly-routed notice — with a human signature required on every one before it is sent.