Report a Live Phishing Site

When a lookalike domain is actively serving malicious content, fast reporting across multiple services is critical. This guide walks you through every major reporting channel (browser vendors, industry databases, infrastructure providers, and government agencies) so that phishing pages get blocked, flagged, and taken down as quickly as possible.

1 Gather Evidence Before You Report

Before submitting reports, collect as much evidence as possible. Strong evidence leads to faster action. Gather the following:

• Full URL(s): The exact phishing page URL(s), including the path and any query parameters. Always include the https:// or http:// prefix.
• Screenshots: Full-page screenshots of the phishing site, ideally showing login forms, brand impersonation, or credential harvesting fields. Include timestamps.
• Your legitimate domain: The real domain being impersonated, along with proof of ownership (e.g., your official website, trademark registration, WHOIS record).
• Page source code: If possible, save the HTML source of the phishing page. This preserves evidence even if the site goes down.
• WHOIS data: Run a WHOIS lookup on the phishing domain at lookup.icann.org and note the registrar, creation date, and nameservers.
• DNS records: Note the A record (IP address), MX records (email capability), and nameservers. Use dig or an online DNS lookup tool.
• Phishing emails: If you received phishing emails linking to the site, save the full email headers and body as .eml files.
• Date first observed: When you or your monitoring tool first detected the domain or phishing activity.

2 Report to Google Safe Browsing

Google Safe Browsing is the most impactful single report you can make. Its blocklist is used by Chrome, Firefox, Safari, and Android, which together account for the vast majority of web traffic worldwide. Once a URL is flagged, visitors see a full-page red warning before the site loads.

1. Go to safebrowsing.google.com/safebrowsing/report_phish
2. In the URL field, paste the full URL of the phishing page (e.g., https://acme-login.com/signin)
3. In the Additional details field, describe the impersonation clearly. Example: "This site impersonates acme.com to harvest login credentials. The real site is https://acme.com. The lookalike domain was registered on 2026-03-25."
4. Complete the CAPTCHA verification
5. Click Submit Report

Expected timeline: Google typically reviews and flags active phishing pages within a few hours. High-confidence phishing pages (those with login forms mimicking well-known brands) may be flagged even faster.

3 Report to Microsoft SmartScreen

Microsoft SmartScreen protects users across Microsoft Edge, Internet Explorer, Outlook, and Windows Defender. Reporting here covers Microsoft's entire security ecosystem, including email link scanning in Outlook and Microsoft 365.

1. Go to microsoft.com/en-us/wdsi/support/report-unsafe-site
2. In the Site URL field, enter the full phishing URL
3. Under Threat type, select Phishing
4. Select the appropriate language of the phishing page
5. Add any additional information in the comments field
6. Complete the CAPTCHA and click Submit

Expected timeline: Microsoft typically processes phishing reports within a few hours to 24 hours. Confirmed phishing sites are added to the SmartScreen blocklist and may also trigger Defender for Office 365 protections.

4 Report to Netcraft

Netcraft operates one of the world's largest phishing takedown networks. When you submit a report, Netcraft validates it and then simultaneously notifies the hosting provider, registrar, and browser blocklists. A single Netcraft report can trigger action across multiple parties, making it one of the most effective places to report.

1. Go to report.netcraft.com/report
2. Enter the full URL of the phishing page in the URL field
3. Select the appropriate reason for your report (e.g., Phishing, Malware, Web Shell)
4. Provide your email address so you can receive status updates on the takedown
5. Add any comments describing the impersonation or the brand being targeted
6. Click Report

Expected timeline: Netcraft validates most phishing reports within minutes. Once validated, they issue takedown notices immediately. Hosting providers typically act within 24–48 hours, though some respond faster. You will receive email updates as the takedown progresses.

5 Report to PhishTank

PhishTank is a community-driven phishing verification service operated by Cisco Talos. Submitted URLs are verified by the community, and confirmed phishing URLs are fed into security products including Cisco Umbrella (OpenDNS), Opera browser, and numerous third-party threat intelligence feeds.

1. Go to phishtank.org
2. Create a free account or sign in (an account is required to submit phishing URLs)
3. Click Submit a Phish (or navigate to phishtank.org/add_web_phish.php)
4. Enter the full phishing URL
5. Indicate which organization is being impersonated (select from the list or type the name)
6. Submit the report

Expected timeline: Community verification typically happens within a few hours. Once verified, the URL is added to PhishTank's blocklist and distributed to integrated security products. You can check the status of your submission on the PhishTank website.

6 Report to Cloudflare (If Applicable)

If the phishing site is behind Cloudflare's network (check by looking at the nameservers in WHOIS; they will end in .ns.cloudflare.com), report it directly to Cloudflare. Cloudflare can forward the complaint to the hosting provider and, in cases of clear phishing, may take direct action.

1. Go to cloudflare.com/trust-hub/reporting-abuse
2. Select Phishing as the abuse type
3. Enter the domain or URL of the phishing site
4. Provide your contact information and a description of the abuse
5. Attach any evidence (screenshots, email headers)
6. Submit the report

7 Report to the Anti-Phishing Working Group (APWG)

The APWG is a global industry coalition that aggregates phishing data and distributes it to law enforcement, ISPs, security vendors, and financial institutions worldwide. Your report contributes to a centralized database used by thousands of organizations for threat intelligence.

Option A: Report via email (recommended for phishing emails):

1. Forward the phishing email as an attachment (not inline) to reportphishing@apwg.org
2. In most email clients, use Forward as Attachment (in Gmail: More → Forward as attachment; in Outlook: right-click → Forward as Attachment)
3. This preserves the full email headers, which are critical for tracing the sender

Option B: Report via the APWG website (recommended for phishing URLs):

1. Go to apwg.org/reportphishing
2. Submit the phishing URL along with any supporting details

Expected timeline: The APWG does not issue takedowns directly. Instead, your report feeds into the eCrime Exchange (eCX) database, which is consumed by security vendors and law enforcement. Impact is indirect but broad, and your data helps improve detection across the entire industry.

8 Report Directly From Your Browser

Every major browser has a built-in mechanism to report phishing sites. These reports go directly to the browser vendor's security team and are often processed faster than web form submissions because they include additional context about how you reached the page.

9 Report to Government Cyber Agencies

National cyber security agencies accept phishing reports and use them for law enforcement investigations, national threat intelligence, and coordinated takedowns. Reporting to your country's agency creates an official record and can help with legal proceedings.

10 Notify Your Own Users

While takedowns are being processed (which can take hours to days), proactive communication with your users reduces harm immediately. Every hour of delay exposes more people to the phishing page.

• Website notice: Post a security banner on your website and/or login page warning users about the lookalike domain.
• Email alert: Send a targeted email to your user base describing the phishing domain and what to look for.
• Be specific: Name the phishing domain explicitly. Example: "We have detected that acme-login.com is impersonating our company. Our only official domain is acme.com. Do not enter your credentials on any other domain."
• Social media: If appropriate, post a notice on your social media channels.
• Support team: Brief your support team so they can handle inbound questions and reports from affected users.

11 Verify the Site Has Been Flagged

After submitting reports, monitor whether the phishing site has been successfully flagged or taken down. Use these tools to check:

• Google Safe Browsing Transparency Report: Check if a URL has been flagged at transparencyreport.google.com/safe-browsing/search. Enter the phishing URL to see its current status.
• VirusTotal: Scan the URL at virustotal.com. VirusTotal checks the URL against 70+ security engines and will show you which vendors have flagged it.
• PhishTank: Search for the URL at phishtank.org to see if it has been verified as phishing by the community.
• urlscan.io: Submit a scan at urlscan.io to check if the site is still live, what it looks like, and whether it has been flagged by any threat intelligence sources.
• Browser test: Open the phishing URL in Chrome, Edge, Firefox, and Safari. If any browser shows a red phishing warning page, the report is working.

Check again 24–48 hours after your initial reports. If the site is still live and unflagged, re-submit your reports or escalate by contacting the services directly.

12 Expected Response Timelines

Every reporting service operates on a different timeline. The table below summarizes what to expect from each: