How to report impersonation domains?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
You've spotted a domain impersonating your brand. Maybe it's captainn-sailing.com when your real domain is captainsailing.com. Maybe someone is already sending phishing emails from it. Either way, the clock is ticking, and there's a clear order of operations here.
Step 1: Find the registrar through WHOIS
Before you can report anything, you need to know who registered the domain. Run a WHOIS lookup using a tool like ICANN Lookup or DomainTools. Search for the impersonating domain and look for the "Registrar" field. You'll see a name like GoDaddy, Namecheap, or another registrar. Note the registrar's name and their abuse contact email (usually listed as "Registrar Abuse Contact Email").
Keep in mind that many registrars now mask registrant details behind privacy protection services. That's normal. You don't need the owner's identity to file an abuse complaint. The registrar's name and abuse email are enough to start.
Step 2: File an abuse complaint with the registrar
Most registrars have a dedicated abuse form or email. If you found an abuse email in WHOIS, use that. If not, go to the registrar's website and search for "domain abuse" or "report abuse."
Your complaint needs to be specific and well-documented. Here's what to include:
- The impersonating domain name (exact)
- Your legitimate domain and brand name
- A clear description of how it impersonates you (visual similarity, typosquatting, fake login page, etc.)
- Screenshots of the impersonating site (with URL visible in the address bar)
- Sample phishing emails if you have them (full headers included)
- Any evidence of consumer harm or fraud already in progress
- Your legal or brand ownership information if relevant
But a vague complaint gets ignored. A specific, evidence-backed report gets investigated. Write it like you'd write a legal notice, because in many cases it is one.
Timeline expectation: registrars typically respond within 24 to 72 hours for active phishing. For lookalike domains that haven't launched any attacks yet, it can take one to two weeks, and some registrars won't act without evidence of active harm.
Step 3: Report to the hosting provider at the same time
If the impersonating domain has an active website, the hosting provider is often faster to act than the registrar. To find the host, look at the domain's DNS records. An IP lookup or reverse DNS lookup will tell you which company is hosting the site. Tools like WHOIS.com or a basic IP lookup can surface this quickly.
But once you have the host, find their abuse contact (usually listed at their website or via ARIN for North American hosts). File a separate complaint there with the same evidence package. Hosting providers can pull the content offline even if the domain registration is still live, which is often the faster win.
Step 4: Report to Google and the anti-phishing community
These reports won't take down the domain, but they protect your users fast by flagging the site in browsers and blocklists.
- Google Safe Browsing: submit the phishing URL, and it can appear as a browser warning within hours
- APWG (Anti-Phishing Working Group): a global clearinghouse that feeds threat intelligence to security vendors, ISPs, and law enforcement
- Microsoft's phishing report page: especially useful if Microsoft 365 users are being targeted
- Your own email provider's abuse team if phishing emails are actively landing in inboxes
Step 5: Loop in your legal or brand protection team
If the impersonation is ongoing or escalating, a cease and desist letter from legal counsel can accelerate registrar action significantly. Some brand protection services like MarkMonitor handle this entire process on your behalf, which is worth it if you're dealing with serial impersonators or a high-volume attack.
You should also consider filing with ICANN's Uniform Domain-Name Dispute-Resolution Policy (UDRP) if the registrar won't act. That process takes longer (typically 45 to 90 days) but can result in a domain transfer to you rather than just a takedown. For more on the full domain takedown process, including ICANN escalation, see the next question.
What to track while you wait
Keep a log of every complaint you filed, who you sent it to, and when. Note ticket numbers and any responses. This paper trail matters if you need to escalate later. If the impersonating domain is actively sending phishing emails, alert your own customers directly. Don't wait for the takedown to warn people.
If this is a live emergency right now, our SOS hotline is free and we'll help you figure out where to start.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.