How domain takedowns work: reporting a phishing domain
When an attacker registers a lookalike of your domain and starts phishing your customers, you want it gone. The reality is that a takedown is less a single button and more a sequence of reports to the parties who actually control the domain and its content. Here is how the process really works, who to contact, and the timelines you can expect.
Step 1: Gather evidence before you report anything
Abuse desks act on clear, documented evidence, not assertions. Malicious sites also disappear or change quickly, so capture proof while it is live. A strong evidence package includes:
- Timestamped screenshots of the phishing page, including any login form, brand logos, or copied content.
- DNS and MX records showing where the domain resolves and whether it is configured to send or receive mail.
- Certificate data from Certificate Transparency logs, which shows when a TLS certificate was issued for the lookalike and on which infrastructure.
- RDAP or WHOIS data identifying the registrar, registration date, and the registrar abuse contact.
- The full URL, the IP address it resolves to, and the hosting provider.
This is the part where continuous monitoring earns its keep. VigilDNS captures screenshots, DNS history, certificate records, and RDAP data automatically as it detects lookalike domains, so you have a complete evidence package ready the moment you need to file. To be clear: VigilDNS produces the evidence, it does not file takedowns on your behalf. You or your counsel submit the reports.
Step 2: Report to the registrar abuse contact
The registrar sold the domain and can suspend it. Find the registrar and its abuse email in the RDAP or WHOIS record (see RDAP vs WHOIS for how to read these). Send a concise, factual report citing the registrar's own acceptable use policy and the type of abuse: phishing, malware distribution, or trademark infringement. Attach your evidence and the exact URL. Reputable registrars suspend clear phishing within hours to a few days. Some registrars, especially low-cost or offshore ones, are slow or unresponsive, which is why you do not rely on this step alone.
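An added example, not part of the original article or any VigilDNS code: pulling the registrar name, abuse email, and registration date out of an RDAP domain response for the report described above. The sample response is constructed in the RFC 9083 shape, and the function names are hypothetical.

```python
# Constructed RDAP domain response in RFC 9083 shape; every value is made up.
SAMPLE_RDAP = {
    "objectClassName": "domain",
    "ldhName": "EXAMP1E-LOGIN.EXAMPLE",
    "status": ["active"],
    "events": [
        {"eventAction": "registration", "eventDate": "2024-05-01T09:12:44Z"},
        {"eventAction": "expiration", "eventDate": "2025-05-01T09:12:44Z"}],
    "nameservers": [{"ldhName": "NS1.HOST.EXAMPLE"}],
    "entities": [{
        "roles": ["registrar"],
        "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                                 ["fn", {}, "text", "Example Registrar LLC"]]],
        "entities": [{
            "roles": ["abuse"],
            "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                                     ["email", {}, "text", "abuse@registrar.example"]]]}]}],
}

def vcard_values(entity, prop):
    """Return every value of one jCard property, e.g. 'fn' or 'email'."""
    card = entity.get("vcardArray", [None, []])
    return [item[3] for item in card[1] if item[0] == prop]

def walk_entities(obj):
    """Yield each entity, including those nested under another entity."""
    for ent in obj.get("entities", []):
        yield ent
        yield from walk_entities(ent)

def registrar_facts(rdap):
    """Collect the fields a registrar abuse report needs from one RDAP record."""
    facts = {
        "domain": rdap.get("ldhName", "").lower(),
        "registrar": None,
        "abuse_emails": [],
        "registered": None,
        "status": rdap.get("status", []),
        "nameservers": [ns["ldhName"].lower()
                        for ns in rdap.get("nameservers", []) if "ldhName" in ns],
    }
    for ent in walk_entities(rdap):
        roles = ent.get("roles", [])
        if "registrar" in roles and facts["registrar"] is None:
            facts["registrar"] = next(iter(vcard_values(ent, "fn")), None)
        if "abuse" in roles:  # may be nested under the registrar or top-level
            facts["abuse_emails"] += [e for e in vcard_values(ent, "email")
                                      if e not in facts["abuse_emails"]]
    for ev in rdap.get("events", []):
        if ev.get("eventAction") == "registration":
            facts["registered"] = ev.get("eventDate")
    return facts
```

An empty `abuse_emails` list means the record carries no abuse entity, in which case the contact has to come from the registrar's published abuse page instead.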
Step 3: Report to the hosting provider
The phishing content physically sits on the hosting provider's servers, so the host can pull it down even if the registrar does nothing. The host is often the faster route. Identify it from the IP address (a reverse lookup or RDAP on the IP block points to the network operator), then send the same evidence to the host's abuse contact. Removing the content kills the phishing page even while the domain itself remains registered.
Step 4: Submit to browser and mail blocklists
Blocklists protect your users immediately, often before the domain or content is removed. When a URL is on these lists, browsers and mail filters warn or block users who try to reach it. Report the URL to:
- Google Safe Browsing, which protects Chrome, Firefox, and many other clients.
- Microsoft Defender SmartScreen, which protects Edge and Windows.
This step is fast, free, and high value. Even if the registrar takes a week, blocklisting can blunt the attack within hours.
Step 5: Report fraud to authorities
For active fraud against your customers, file with law enforcement. In the United States, report to the FBI Internet Crime Complaint Center (IC3). Elsewhere, report to your national CERT or equivalent computer emergency response team. These reports rarely produce a same-week takedown, but they build the record that supports larger investigations and, for repeat offenders, prosecution.
Step 6: UDRP or court as a last resort
If the domain itself is valuable and registered in bad faith, for example a clear lookalike of your trademark being held or used against you, you can pursue the Uniform Domain-Name Dispute-Resolution Policy (UDRP) or litigation. Be realistic about the cost. A standard WIPO UDRP filing for one to five domains before a single panelist runs about $1,500 in filing fees alone, plus attorney fees, and the process takes roughly two months. A UDRP transfers the domain to you rather than simply removing content, so it suits durable brand-protection goals more than an urgent phishing incident.
Where to report and what it achieves
| Where to report | What it controls | What it achieves | Typical speed |
|---|---|---|---|
| Registrar abuse contact | The domain registration | Suspends the domain | Hours to days, varies widely |
| Hosting provider | The server and content | Removes the phishing page | Often fastest |
| Google Safe Browsing / SmartScreen | Browser and mail warnings | Protects users immediately | Hours |
| IC3 / national CERT | Law enforcement record | Supports investigation and prosecution | Slow, not immediate |
| UDRP / court | Legal ownership | Transfers the domain to you | Weeks to months |
Why early detection beats takedown speed
Timelines vary from a few hours to never, depending on the registrar, the hosting provider, and the jurisdiction. You cannot control how fast a foreign registrar responds. What you can control is how early you find the threat. A lookalike caught the day its certificate appears in Certificate Transparency logs, before it is weaponized, gives you a head start on every step above. That is the case for continuous monitoring: not to take down faster, but to start earlier and limit the damage window. If someone has already registered a lookalike of your brand, read what to do when someone registers a lookalike of your domain.
Frequently asked questions
Can I get a phishing domain taken down myself, or do I need a service?
You can do it yourself. Most takedowns are abuse reports to the registrar and hosting provider, plus submissions to Safe Browsing and SmartScreen, all of which accept reports from anyone. The hard part is assembling solid evidence quickly and knowing where each report goes.
How long does a phishing domain takedown take?
It ranges from hours to never. Hosting providers and major registrars often act within a day on clear phishing, while unresponsive or offshore registrars may never cooperate. Blocklist submissions protect your users fastest, often within hours.
Does VigilDNS take down domains for me?
No. VigilDNS continuously monitors for lookalike domains and produces the evidence package: screenshots, DNS history, certificate records, and RDAP data. You or your counsel file the abuse reports. The value is early detection and ready-made evidence, not managed takedowns.
Catching a lookalike early is what makes every takedown step easier. Run a free scan of your domain with our free typosquat checker to see which lookalikes already exist, or compare plans on the pricing page.