A practical guide to detecting phishing and brand impersonation domains and escalating them for takedown. Learn how evidence and workflows speed up response and what to expect from registrars and registries.
Detection: what to look for
Phishing domains often mimic your real domain with typos, extra words, or different TLDs (e.g. yourbrand-support.com when your real site is yourbrand.com). Impersonation domains may use your brand name, product names, or executive names to trick users. Look for domains that are newly registered, that resolve to pages that copy your login or checkout flow, or that appear in threat feeds or customer reports. Continuous monitoring across the domain namespace is more effective than waiting for reports.
Evidence that gets action
Registrars and hosting providers need clear evidence of abuse before they will take down a domain or site. That typically includes: the abusive domain and URL, screenshots of the abusive content, DNS and WHOIS data, and a short description of how it is being used (e.g. phishing, impersonation). Well-structured evidence packages reduce back-and-forth and speed up takedown. We prepare this evidence for our clients so their legal or security teams can send a single, complete request.
Who can take action
The party that can actually remove a domain or site depends on the abuse. Often it is the registrar (where the domain was registered) or the hosting provider (where the content is served). Some cases require the registry. We help you identify the right recipient and draft the email you send. We do not send the request on your behalf; you (or your legal counsel) send it. We assist your legal team by providing all the evidence they need. If the recipient does not comply, you may need to escalate to legal action; we can also help arrange a lawyer for your case.
What to expect
Response times vary by provider and jurisdiction. Many legitimate abuse reports are processed within days to a few weeks. Having complete evidence and a clear, professional request improves the odds of a fast outcome. Some domains may be taken down quickly; others may require follow-up or escalation. The goal is to make your process repeatable so you can handle volume and prioritize the highest-risk cases first.