A fake domain impersonating your brand can be disrupted today, often within hours, if you route the report to the layer that can act and lead with the abuse type that gets priority. Here is the operational playbook.
The abuse stack: where you can actually disrupt a domain
A malicious domain sits on top of several independent providers, and each can pull a different lever:
- Registrar — the company that sold the domain. It can place the domain on hold or suspend it, killing the name entirely.
- Hosting provider / CDN — serves the actual content. It can remove the phishing page fast, even if the domain stays registered.
- DNS provider — resolves the name to an IP. Sometimes the same as the registrar, sometimes not.
- Google Safe Browsing and browser blocklists — warn or block users in Chrome, Safari, Firefox, and Edge without touching the site itself.
- Email providers — relevant when the domain is sending phishing mail.
- The platform — if the impersonation lives on a marketplace, social network, or app store, that platform's IP form is the fastest path.
Choose the layer by your goal: kill the content fast (host), kill the domain (registrar), or warn users immediately (Safe Browsing). In practice you file at more than one layer in parallel.
Route to the layer that matches your goal: the host removes content fastest, the registrar kills the name, Safe Browsing protects users now — and lead with phishing or malware, not trademark, to get the fastest action.
Find the registrar and abuse contact with RDAP
RDAP (Registration Data Access Protocol) is the modern, structured successor to WHOIS — JSON over HTTPS instead of inconsistent free text. Query it directly in a browser or with curl:
https://rdap.org/domain/example.com
The response names the registrar and lists its abuse contact under the entity records — look for an entity with the abuse role and a vcardArray containing an email like [email protected] and a phone number. ICANN requires accredited registrars to publish that abuse contact and to act on reports of DNS abuse (phishing, malware, botnets, pharming) under the 2024 Registrar Accreditation Agreement amendments.
WHOIS still works as a fallback, but it is being phased out and is frequently redacted after GDPR, so registrant names and emails are often hidden behind a privacy proxy. RDAP gives you the registrar and its abuse address regardless of redaction — that is who you actually report to.
Report to the registrar
Once you have the registrar's abuse email, file a focused report:
- Identify the registrar via RDAP and copy the
abuse@contact. - State the abuse type in the subject line and first sentence —
phishing,malware, ortrademark infringement. Lead with the strongest type you can prove. - Give the exact full URL, the domain, and the date and time you observed it.
- Attach evidence: screenshots of the live page, the impersonation side by side with your real brand, and email headers if it is sending mail.
- Include proof of your brand or trademark ownership (registration number, your real domain).
- Make one clear ask: suspend or hold the domain for the cited abuse.
- Record the ticket number and follow up if there is no response within the registrar's stated window.
Trademark infringement alone is usually a lower registrar priority than active phishing or malware. If the site is harvesting credentials, lead with phishing — it triggers the registrar's DNS abuse obligations and moves faster.
Report to the host or CDN
The hosting provider can remove the malicious content even while the domain remains registered, which is often the fastest disruption available. Find the host by resolving the domain to its IP and checking that IP's RDAP record at one of the regional registries, or by inspecting which CDN serves the response headers.
Most hosts and CDNs publish an abuse@ address or a web abuse form. Send the same evidence package and a clear statement of the abuse type. If a CDN sits in front, it can often pull the cached content and will pass the report to the origin host it shields.
Google Safe Browsing and browser blocklists
While the registrar and host process your reports, protect users immediately. Report the URL to Google Safe Browsing at its phishing report page, which feeds the blocklist used by Chrome, Safari, and Firefox. Submit to Microsoft SmartScreen for Edge as well. These do not remove the site, but they put an interstitial warning in front of most browsers within hours and dramatically cut the number of victims a live phishing page can reach.
What evidence to include
A report succeeds or stalls on its evidence. Capture, at minimum:
- A timestamped screenshot of the live malicious page.
- The exact, full phishing or impersonation URL.
- Email headers and the message body if the domain is used for phishing mail.
- A clear depiction of the impersonation — your logo, brand name, or copied design in use.
- Proof you own the brand: trademark registration number, or your legitimate domain.
- A one-line statement of the precise abuse type.
Brandfence automates this collection end to end: it resolves the registrar, host, and abuse contact via RDAP, packages the evidence (page screenshot, DOM snapshot, TLS certificate, hosting unmask), and drafts the correctly-routed notice — and a human reviews and signs every notice before it is sent.
Trademark vs. DMCA vs. phishing: which lever
These are different claims and different channels — using the wrong one gets your report deprioritized or rejected:
- Phishing or malware — the strongest, fastest lever. Reportable to the registrar (DNS abuse), the host, and Safe Browsing.
- Trademark — covers the domain name itself impersonating your brand. A registered trademark unlocks UDRP, URS, and platform IP forms; trademark alone usually moves slower than active phishing at a registrar.
- DMCA — for copyright only: copied images, text, or code. DMCA does not address the domain name. Use trademark or UDRP for the name; use DMCA for stolen content.
Pitfalls to avoid
- Redacted WHOIS sends people chasing a hidden registrant. Skip it — report to the registrar's published abuse contact via RDAP.
- Wrong channel. Filing a DMCA notice over a domain name, or a trademark complaint at a host that handles only content abuse, wastes days. Match the claim to the layer.
- Section 512(f) liability. A DMCA takedown notice that contains a knowing misrepresentation carries liability under §512(f). Keep every claim accurate and within what your evidence supports.
This is general information, not legal advice. For high-stakes disputes — especially UDRP filings or contested trademark claims — involve counsel.
Take down impersonators without the legwork
Brandfence resolves the registrar, host, and abuse contact, packages the evidence, drafts the correctly-routed notice, and puts a human signature on every takedown before it's sent. Get a free brand exposure report.