File a Registrar Abuse Report
Every domain registrar accredited by ICANN is contractually required to maintain an abuse contact and investigate credible reports of phishing, brand impersonation, and malicious domain use. Filing a registrar abuse report is often the fastest way to get a lookalike domain suspended or taken down entirely. This guide walks you through the complete process, from identifying the registrar to escalating if they fail to act.
1 Collect evidence before you file
A well-documented abuse report is taken more seriously and processed faster. Gather the following evidence before contacting any registrar:
Screenshots
- Full-page screenshots of the lookalike site (if live), including the URL bar showing the domain
- Side-by-side comparison with your legitimate site to show the impersonation
- Screenshots of any phishing emails sent from the domain, including full email headers
- Screenshots of the domain's WHOIS/RDAP record (taken in the next step)
DNS records
Run these commands and save the output. They prove the domain is configured for malicious use:
MX records are especially important: they prove the domain is configured to send or receive email, which is a strong indicator of phishing intent even if no website is live.
Documentation checklist
- The lookalike domain name (e.g., acme-login.com)
- Your legitimate domain name (e.g., acme.com)
- Proof you own the legitimate domain: a link to your website, trademark registration number, or business registration
- The type of abuse: typosquat, homograph attack, brand impersonation, phishing, email fraud
- The specific harm: credential theft, financial fraud, customer confusion, malware distribution
- Timeline: the date you first observed the domain and any subsequent activity
- Any known victims: if customers or employees have been targeted, note the number and nature of incidents
2 Identify the registrar using ICANN Lookup
You need to know which registrar manages the domain so you can report abuse to the right company. ICANN provides an official lookup tool for this.
Using ICANN Lookup (recommended)
- Go to lookup.icann.org
- Enter the lookalike domain name (e.g.,
acme-login.com) in the search field - Click Lookup
- In the results, locate and record the following fields:
- Registrar Name: the company that manages the domain registration
- Registrar IANA ID: unique identifier for the registrar
- Registrar Abuse Contact Email: the email address to send your report to
- Registrar Abuse Contact Phone: for urgent/active phishing cases
- Creation Date: when the domain was registered (recently created domains strengthen your case)
- Expiration Date: useful context for your report
Even when WHOIS data is redacted under GDPR/privacy protection, the registrar name and abuse contact are always visible. These fields cannot be hidden.
Using RDAP (alternative method)
RDAP (Registration Data Access Protocol) is the modern replacement for WHOIS and provides structured, machine-readable data. You can query it directly:
In the JSON response, look for:
- The
entitiesarray withroles: ["registrar"]to find the registrar name - The
entitiesentry withroles: ["abuse"]for the abuse contact email and phone - The
eventsarray for registration and expiration dates
Using the command line
This returns the registrar name, abuse email, and abuse phone number filtered from the full WHOIS record.
3 Send the abuse report
Email the registrar's abuse contact address you found in Step 2. Use the template below as a starting point. Be factual, specific, and reference the registrar's obligations under the ICANN Registrar Accreditation Agreement (RAA).
- Reference the ICANN RAA Section 3.18, which obligates registrars to investigate abuse reports
- Include a specific deadline for action (5-10 business days is standard)
- Mention ICANN escalation, as this motivates faster action
- Attach evidence as files rather than inline links (the phishing site may go down)
- Send from a corporate email address, not a personal Gmail/Yahoo account
- If you have a trademark, mention the registration number, as it strengthens your claim significantly
4 Registrar-specific reporting instructions
In addition to emailing the abuse contact, most major registrars have dedicated abuse forms. Use both the form and the email for the best chance of a fast response.
GoDaddy
- Abuse form: supportcenter.godaddy.com/AbuseReport
- Abuse email: abuse@godaddy.com
- Process: Select "Phishing" or "Trademark/Copyright" as the abuse type. Upload evidence files directly through the form. GoDaddy requires you to identify the specific domain and type of abuse.
- Response time: Typically 24-48 hours for active phishing; 5-7 business days for parked/inactive domains.
Namecheap
- Abuse form: namecheap.com/support/abuse
- Abuse email: abuse@namecheap.com
- Process: Use the online form to select the abuse category (Phishing, Trademark Infringement, or Spam). Provide the domain, a description, and attach evidence. You will receive a ticket number for tracking.
- Response time: Typically 24-72 hours. Namecheap is generally responsive to well-documented phishing reports.
Cloudflare
- Abuse form: abuse.cloudflare.com
- Abuse email: abuse@cloudflare.com
- Important note: Cloudflare acts as both a registrar and a CDN/proxy. If the domain is registered through Cloudflare Registrar, file the registrar abuse report. If Cloudflare is only providing DNS/CDN services (the domain is registered elsewhere), Cloudflare may disclose the origin server IP but typically will not take down the domain itself.
- Process: Select "Phishing" as the abuse type. Provide the URL, your contact information, and a description of the abuse. Cloudflare's form also asks for evidence of trademark ownership if applicable.
- Response time: 24-48 hours for phishing reports. Cloudflare may forward your report to the site owner and reveal the origin IP rather than taking direct action if they are only the CDN provider.
Squarespace Domains (formerly Google Domains)
- Abuse form: squarespace.com/abuse/registrar
- Abuse email: abuse@squarespace.com
- Important note: Google Domains was acquired by Squarespace in 2023. All former Google Domains registrations are now managed by Squarespace. If WHOIS shows "Google LLC" as the registrar, the abuse report should still go to Squarespace.
- Process: Use the registrar abuse form. Select the type of abuse, provide the domain name, and describe the issue with supporting evidence.
- Response time: 48-72 hours typical. Squarespace inherited Google Domains' abuse processing infrastructure.
Amazon Route 53 (AWS)
- Abuse form: support.aws.amazon.com/#/contacts/report-abuse
- Abuse email: abuse@amazonaws.com
- Process: AWS handles domain abuse through their centralized Trust & Safety team. Submit the report via the abuse form or email. Include the domain name, type of abuse, and all supporting evidence. AWS requires detailed documentation, and vague reports are deprioritized.
- Response time: 24-72 hours. AWS is generally responsive but may take longer for cases that require investigation (e.g., parked domains without active phishing content).
5 Also report to the hosting provider
If the domain is serving a live phishing site, the hosting provider can often take down the content faster than the registrar can suspend the domain. Report to both simultaneously.
- Resolve the domain to its IP address:
dig A lookalike-domain.com +short
- Look up who owns the IP address:
whois [IP address] | grep -i "orgname\|abuse\|netname"
- Send a similar abuse report to the hosting provider's abuse contact. Hosting providers typically have faster takedown times (often same-day for active phishing) because they can remove the content without affecting the domain registration.
Common hosting providers and their abuse contacts: AWS (abuse@amazonaws.com), Google Cloud (abuse@google.com), DigitalOcean (abuse@digitalocean.com), Hetzner (abuse@hetzner.com), OVH (abuse@ovh.net).
6 What to expect after filing
Response timelines
| Situation | Typical response |
|---|---|
| Active phishing site (stealing credentials) | 4-24 hours |
| Active phishing email (MX records in use) | 24-48 hours |
| Parked domain with brand impersonation | 5-14 business days |
| Inactive domain (registered but no content or DNS) | 7-30 business days |
| Hosting provider content takedown | 2-24 hours |
What registrars typically do
- Acknowledge receipt. Most registrars send an automated confirmation with a case/ticket number within 24 hours
- Investigate. The abuse team reviews the domain, checks the evidence, and may contact the registrant
- Take action. If the abuse is confirmed, the registrar may set the domain to
serverHoldstatus (which removes it from DNS), suspend the account, or in some cases delete the domain entirely - Notify you. You may or may not receive notification of the action taken, depending on the registrar's policy
How to verify the domain was suspended
After the registrar takes action, verify the domain status:
A suspended domain will show statuses like serverHold, serverTransferProhibited, or will no longer resolve to an IP address.
7 Escalation paths if the registrar does not respond
If the registrar has not responded or taken action within a reasonable time (5-10 business days for active abuse, 14-30 days for inactive domains), escalate through the following channels in order:
Level 1: ICANN Contractual Compliance Complaint
ICANN oversees all accredited registrars and can compel them to act on abuse reports.
- Go to icann.org/compliance/complaint
- Select the complaint type that fits your situation:
- Registrar complaint: the registrar failed to respond to or act on your abuse report
- WHOIS inaccuracy: the domain's registration data is clearly false
- Provide the domain name, registrar name, date you filed the original abuse report, and your case/ticket number
- Attach copies of your original report and any responses received
ICANN typically responds within 15 business days and can issue breach notices to non-compliant registrars. Registrars take ICANN complaints seriously because repeated non-compliance can result in losing their accreditation.
Level 2: Uniform Domain-Name Dispute-Resolution Policy (UDRP)
If you hold a trademark, you can file a UDRP complaint to have the domain transferred to you or cancelled. This is a formal arbitration process.
- WIPO: wipo.int/amc/en/domains/filing (most common for international disputes)
- NAF (Forum): adrforum.com/domain-dispute
- Cost: Starting at approximately $1,500 USD for a single-panelist decision on a single domain
- Timeline: Approximately 45-60 days from filing to decision
See the UDRP Complaint guide for a detailed walkthrough of this process.
Level 3: Law enforcement and government agencies
For serious, ongoing phishing campaigns (especially those involving financial fraud, identity theft, or targeting many victims), involve law enforcement:
- FBI IC3 (US): ic3.gov, the Internet Crime Complaint Center for cybercrime reports
- FTC (US): reportfraud.ftc.gov, the Federal Trade Commission for fraud and scam reports
- Action Fraud (UK): actionfraud.police.uk
- ACSC (Australia): cyber.gov.au/report-and-recover/report
- NCSC (UK): ncsc.gov.uk, for reporting scam websites directly
Law enforcement reports are especially valuable when combined with registrar and ICANN complaints, as they create a documented pattern that strengthens all of your cases.
Level 4: Anti-phishing organizations and blocklists
While pursuing the registrar and escalation paths above, also report to these organizations to get the domain blocked across browsers and security products:
- Google Safe Browsing: safebrowsing.google.com/safebrowsing/report_phish
- Microsoft SmartScreen: microsoft.com/wdsi/support/report-unsafe-site
- Netcraft: report.netcraft.com/report
- APWG: apwg.org/report-phishing or email reportphishing@apwg.org
- PhishTank: phishtank.org
See the Report a Live Phishing Site guide for detailed instructions on reporting to each of these services.
Quick reference: top registrar abuse contacts
| Registrar | Form | |
|---|---|---|
| GoDaddy | abuse@godaddy.com | Form |
| Namecheap | abuse@namecheap.com | Form |
| Cloudflare | abuse@cloudflare.com | Form |
| Squarespace | abuse@squarespace.com | Form |
| Amazon Route 53 | abuse@amazonaws.com | Form |