In crisis mode? Start here.

Phishing site takedown

A lookalike domain went live with a phishing page targeting your brand. Here's the 30-minute checklist to get it down — copy-paste templates included — and what PhishFence automates for you on the next one.

The 30-minute checklist

  1. 1

    Capture evidence NOW

    Full-page screenshot, the exact phishing URL, the resolved hosting IP, the registrar name, WHOIS data, screenshots of any forms or content. Phishing pages typically stay live for less than 48 hours; if you wait, the evidence is gone. PhishFence's alert detail page captures all of this automatically when the page is first detected.

  2. 2

    Report to Google Safe Browsing

    Submit at safebrowsing.google.com/safebrowsing/report_phish. Chrome and Firefox both consume Safe Browsing data; once listed, the red interstitial blocks most traffic to the site within a few hours.

  3. 3

    Report to APWG

    The Anti-Phishing Working Group publishes a feed used by many security vendors and ESPs. Submit at apwg.org/reportphishing, or forward the original phishing email to reportphishing@apwg.org.

  4. 4

    Report to the registrar's abuse contact

    Get the abuse email from the domain's WHOIS record (Registrar Abuse Contact Email). Send the template below. Larger registrars (GoDaddy, Namecheap, Cloudflare, Tucows, NameSilo) typically suspend a confirmed phishing domain within 2–24 hours.

  5. 5

    Report to the hosting provider's abuse contact

    Use the IP WHOIS (ARIN, RIPE, APNIC, LACNIC, AFRINIC) to find the abuse address for the IP block. Hosts move faster than registrars on confirmed phishing — cutting off the host is the fastest way to take the page offline even before the domain itself is suspended.

  6. 6

    Notify your customers (if applicable)

    If the attack targets your customers (not just your name), a short status-page or email notice telling people what to look for short-circuits the next round of the campaign. Don't link to the phishing URL; describe it.

Registrar abuse report template

Paste this into an email to the registrar's Abuse Contact Email from WHOIS. PhishFence pre-fills the bracketed fields automatically for monitored domains.

Email body Click to select
Subject: Urgent abuse report — phishing site at [phishing-domain] To the abuse team, We are writing to report a phishing site hosted on a domain sponsored by [registrar-name]. Phishing domain: [phishing-domain] Phishing URL: [full-url-of-phishing-page] Hosting IP: [resolved-ip-address] Detected: [iso-8601-timestamp] TLS issued by: [cert-issuer] on [cert-issue-date] This domain is impersonating [your-brand] and is currently hosting a page that solicits credentials and/or payment information from visitors who believe they are interacting with our brand. Evidence attached: full-page screenshot, captured HTML, message headers from the originating phishing email. We request that the domain be suspended immediately under your Anti-Abuse Policy / Registrar Accreditation Agreement obligations. Please confirm receipt and the case number you assign to this report. We can provide additional evidence and respond to questions as needed. Reporter: [your-name], [your-role] at [your-organization] Contact: [your-email] Phone: [optional-callback-number] Thank you for your prompt attention.

Hosting provider abuse template

Send to the abuse address from the IP WHOIS. Hosting providers can take a phishing page down without waiting on the registrar — usually faster.

Email body Click to select
Subject: Phishing content hosted on [ip-address] / [hostname] To the abuse team, We have identified phishing content hosted on infrastructure within your IP range: Hosting IP: [ip-address] Hostname: [reverse-dns-or-hostname] URL hosting the phishing content: [full-url] Domain: [phishing-domain] Detected: [iso-8601-timestamp] The page is a [credential-harvest / payment-form / support-scam] targeting [your-brand]. Attached: full-page screenshot and captured HTML. We request that the URL be taken offline immediately. Action against the customer hosting the content is at your discretion. Reporter: [your-name], [your-role] at [your-organization] Contact: [your-email] Thank you.

When to escalate to UDRP

UDRP (the Uniform Domain-Name Dispute-Resolution Policy administered by ICANN-approved providers like WIPO and the National Arbitration Forum) is the trademark-based process for permanently recovering or transferring a lookalike domain. It's not an emergency tool — it's the right tool when the abuse-report channels above stall or when you want the domain permanently in your possession.

Cost
~$1,500–3,000 USD

Per filing; varies by panel size and provider.

Timeline
~60 days

Not for emergency takedown.

Requires
Trademark

You must hold registered trademark rights.

Use UDRP when (a) the domain is clearly trademark-violating, (b) the registrar is uncooperative or slow on abuse reports, and (c) you actually want the domain rather than just wanting it offline. The PhishFence guide at /guides/udrp-complaint walks through filing.

What PhishFence does for you

  1. 1

    Evidence captured at detection

    The moment a lookalike registers and serves a page, the alert detail collects the screenshot, the resolved IP, registrar name, registrar abuse email, hosting WHOIS, TLS issuer, and DNS records. By the time you open the alert, you have everything you need to file all four abuse reports without opening another tab.

  2. 2

    Pre-filled report templates

    Each alert generates the registrar and hosting abuse templates above, pre-filled with the captured evidence — ready to copy or forward.

  3. 3

    Audit trail of every takedown action

    Every event — alert detection, status change, abuse-report dispatch, resolution — is logged on the alert page so your IR documentation is auto-generated.

  4. 4

    Re-checks until the page is gone

    PhishFence keeps probing the page until it goes 404, returns a non-phishing response, or the DNS resolution stops. You know when the takedown actually worked, not just when you sent the email.

In the dashboard

Screenshot: alert detail with collected evidence
Screenshot, WHOIS, registrar contact, hosting IP — all on one page
The alert detail captures every artifact a takedown report needs at the moment of detection — no scrambling for evidence 24 hours later when the page is already gone.
Screenshot: pre-filled abuse-report template
Copy-paste ready, evidence already populated
Each alert generates pre-filled registrar and hosting templates so the time between “notified” and “reported” is measured in minutes, not hours.

Which PhishFence tier?

Pro at $99/month includes alert detail with full evidence capture and pre-filled abuse-report templates — the workflow described above. Starter ($49/mo) provides the lookalike detection but not the evidence-capture suite. Business ($249/mo) is the right fit for orgs handling multiple takedowns per month across multiple monitored brands.