Understanding Confidence Levels: How to Prioritize Domain Threats
When PhishFence scans your domains, it can detect hundreds of lookalike variants. Most are parked, inactive, or unrelated. The challenge is knowing which ones actually threaten your brand and which you can safely ignore. That is where confidence levels come in.
01 The problem: too many alerts, not enough time
A single domain can generate hundreds of lookalike variants. For a domain like example.com, PhishFence might detect variants across typos, TLD swaps, homoglyphs, and prefix spoofs. Many of them are registered but completely inactive.
If you had to manually investigate each one (visiting the site, checking for login forms, verifying DNS records), it would take hours. And most of them would turn out to be parked domains or unrelated websites.
Confidence levels solve this problem. Instead of treating all alerts equally, PhishFence visits each live domain, analyzes its content, and tells you exactly how likely it is to be an active phishing threat. You can focus your limited time on the domains that are actually dangerous.
02 How PhishFence analyzes live content
When a lookalike domain is live (serving HTTP content), PhishFence does not just flag it and move on. It downloads the page and runs a series of automated checks:
Scans the HTML for <input type="password"> fields inside forms. A password field is the strongest signal that the site collects credentials.
Checks if your brand name appears in the page title or body content. A phishing page targeting your customers will almost always reference your brand name to build trust.
Checks where form data gets submitted. Legitimate login pages submit to their own domain. Phishing pages submit credentials to an external attacker-controlled server.
Detects common phishing phrases like "sign in to your account," "verify your identity," "your account has been suspended," and "update your billing information."
Each check produces a score. The combined score determines the confidence level.
03 The four confidence levels explained
Confirmed Phishing
What it means: The site has multiple strong indicators of active credential theft. It has a login form, references your brand, and typically submits data to an external server.
Action required: Immediate. Report to the registrar for takedown, submit to browser blocklists (Google Safe Browsing, Microsoft SmartScreen, Netcraft), and notify your customers if necessary.
Likely Phishing
What it means: The site has strong indicators but not the complete phishing setup. It might have a login form with your brand name, but the form submits locally (not externally). Or it has credential harvesting with an external form but no brand mention.
Action required: Investigate promptly. Visit the site (safely, in a sandboxed browser), confirm the threat, then proceed with takedown if confirmed.
Suspected Impersonation
What it means: The site references your brand but is not actively collecting credentials. It might be a parked domain with your brand keywords, a competitor comparison page, or a site under construction that mentions your company.
Action required: Monitor. Set the alert to "Watching" so PhishFence tracks it for changes. If the site later adds a login form, it will escalate automatically.
Registered Lookalike
What it means: The domain is registered and may resolve DNS, but no phishing content was detected. The site might be blank, parked, showing a registrar landing page, or serving unrelated content.
Action required: Low priority. You can whitelist it if you know the owner, or leave it for periodic re-scanning. PhishFence will automatically escalate if the content changes.
04 Recommended investigation workflow
Instead of reviewing every alert equally, use confidence levels to prioritize your response:
Handle Confirmed Phishing immediately
File abuse reports, submit to browser blocklists, and notify customers if an active campaign is detected. These are verified threats.
Investigate Likely Phishing within 24 hours
Visit the site in a sandbox, confirm the threat, then take action. These have strong indicators but may need human verification.
Set Suspected Impersonation to "Watching"
PhishFence will re-scan these and alert you if they escalate. No immediate action needed unless the content is clearly malicious.
Whitelist or ignore Registered Lookalikes
If you recognize the owner or the domain is clearly unrelated to your brand, whitelist it to reduce noise. Otherwise, leave it for automated monitoring.
The result: Instead of investigating 200 alerts manually, confidence levels let you focus on the 5-10 that actually matter. The rest are monitored automatically and will escalate if anything changes.
05 Real-world examples
✔ Login form with password field (+3)
✔ Page title: "Example - Sign In to Your Account" (+2)
✔ Form submits to https://steal-creds.ru/collect (+3)
Total: 8 points → Confirmed Phishing. Immediate takedown required.

✔ Login form with password field (+3)
✔ Brand name in page title (+2)
✘ Form submits to same domain (not external)
Total: 5 points → Likely Phishing. Worth investigating. May be collecting credentials locally.

✘ No login form
✔ Brand name mentioned 12 times in content (+1)
✘ No external form action
Total: 1 point → Suspected Impersonation. Could be a review site, competitor comparison, or SEO spam. Monitor for changes.

✘ No login form
✘ No brand mentions
✘ Parked domain, shows registrar landing page
Total: 0 points → Registered Lookalike. Domain exists but is inactive. Leave for automated monitoring.
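The checks from section 02, scored with the point values shown in the worked examples above, as an added Python example that is not PhishFence's own code. The +1 phrase weight (body text only), the rule that a title match takes precedence over a body match, the level floors, and the `examp1e.test` URL in the usage note are assumptions chosen to reproduce the four examples.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Phrases quoted in section 02. The +1 phrase weight and the level floors are assumptions.
PHRASES = ("sign in to your account", "verify your identity",
           "your account has been suspended", "update your billing information")
LEVELS = ((8, "Confirmed Phishing"), (5, "Likely Phishing"),
          (1, "Suspected Impersonation"), (0, "Registered Lookalike"))
# Constructed sample page modelled on the first worked example in section 05.
SAMPLE = ('<title>Example - Sign In to Your Account</title><form '
          'action="https://steal-creds.ru/collect"><input type="password"></form>')

class PageSignals(HTMLParser):
    """Collects title, body text, and the action of every form holding a password field."""
    def __init__(self):
        super().__init__()
        self.open_forms, self.pw_actions = [], []
        self.title, self.body, self._in_title = [], [], False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.open_forms.append(a.get("action") or "")
        elif tag == "title":
            self._in_title = True
        elif tag == "input" and (a.get("type") or "").lower() == "password" and self.open_forms:
            self.pw_actions.append(self.open_forms[-1])

    def handle_endtag(self, tag):
        if tag == "form" and self.open_forms:
            self.open_forms.pop()
        elif tag == "title":
            self._in_title = False

    def handle_data(self, data):
        (self.title if self._in_title else self.body).append(data)

def score_page(html, page_url, brand):
    """Return (score, level) for one fetched page of a lookalike domain."""
    p = PageSignals()
    p.feed(html)
    brand, title, body = brand.lower(), "".join(p.title).lower(), " ".join(p.body).lower()
    host = urlparse(page_url).hostname
    # Empty or relative actions resolve to the page's own host, so they are not external.
    external = any(urlparse(urljoin(page_url, a)).hostname != host for a in p.pw_actions)
    score = 3 if p.pw_actions else 0                             # password field in a form
    score += 2 if brand in title else 1 if brand in body else 0  # brand in title, else body
    score += 3 if external else 0                                # credentials posted off-site
    score += 1 if any(ph in body for ph in PHRASES) else 0       # assumed: body text only
    return score, next(name for floor, name in LEVELS if score >= floor)
```

Calling `score_page(SAMPLE, "https://examp1e.test/login", "Example")` returns `(8, "Confirmed Phishing")`; a password field that sits outside any form is not counted, matching the "inside forms" wording of the first check.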
Start monitoring your domains
PhishFence automatically assigns confidence levels to every alert, so you always know which threats to handle first.