AntiPhishers Reporting Phishing to ISPs for Takedown
Reporting Phishing to ISPs for Takedown
Reporting phishing to ISPs and hosting providers is one of the most direct actions you can take to disrupt active attacks. While reporting to IC3 and the FTC feeds law enforcement intelligence, reporting to ISPs gets phishing sites taken offline — often within hours. Every hour a phishing site stays live, more victims are compromised.
Why ISP Reporting Matters
Phishing sites have a median uptime of 21 hours according to APWG data, but many remain active for days or weeks. Each active phishing page can harvest hundreds of credentials per day. Reporting to the hosting provider triggers their abuse process, which typically results in:
- Content removal or site suspension
- Domain suspension by the registrar
- IP blacklisting by reputation services
- Disruption of the attacker’s infrastructure
A single effective abuse report can protect thousands of potential victims.
Identifying the Hosting Provider
Before you can report, you need to know who to report to.
Step 1: WHOIS Lookup
Use WHOIS services to identify the domain registrar and hosting provider:
- WHOIS.net or who.is — general WHOIS lookup
- ICANN WHOIS (lookup.icann.org) — authoritative domain data
- DomainTools — enriched WHOIS with historical data
Look for the “Registrar” field (who registered the domain) and “Name Server” fields (which may indicate the hosting provider).
Step 2: IP Resolution
Resolve the domain to its IP address using nslookup or dig, then identify the IP owner:
- ARIN (whois.arin.net) — North American IP addresses
- RIPE (stat.ripe.net) — European IP addresses
- IPinfo.io — user-friendly IP lookup
The IP owner’s abuse contact is typically listed in the WHOIS record.
Step 3: Find the Abuse Contact
Most hosting providers and registrars publish abuse contacts:
- Check the WHOIS record for “abuse-mailbox” or “abuse email”
- Look for abuse@ at the provider’s primary domain
- Check the provider’s website for an abuse reporting page
- Use abuse.net to find abuse contacts for any domain
How to File an Effective Abuse Report
Information to Include
A complete abuse report significantly speeds up takedown:
- The phishing URL(s) — full URL, not just the domain
- What the site impersonates — “This page impersonates PayPal’s login portal”
- Screenshot of the phishing page
- Evidence of phishing intent — form fields requesting credentials, impersonated brand logos, deceptive content
- The phishing email (if applicable) — forward as attachment with full headers
- Timeline — when you first observed the phishing site
- Impact — if known, note whether victims have reported credential theft or financial loss
Report Formatting
Keep the report concise and factual. ISP abuse teams process high volumes of reports and respond best to clear, evidence-based submissions.
Example report structure:
Subject: Phishing site hosted on your infrastructure - [domain]
Body:
- Phishing URL: https://example-phishing.com/login
- Impersonated brand: Microsoft
- Description: This page replicates Microsoft’s login portal and collects user credentials
- Observed: [Date and time]
- Evidence: [Attached screenshot]
- Email headers: [Attached .eml file]
Where to Send Reports
| Provider Type | Examples | Typical Abuse Contact |
|---|---|---|
| Domain registrar | GoDaddy, Namecheap, Cloudflare Registrar | abuse@ registrar domain |
| Hosting provider | AWS, Azure, DigitalOcean, Hostinger | Abuse reporting portal or abuse@ |
| CDN | Cloudflare, Akamai, Fastly | abuse@ or web form |
| Free hosting | GitHub Pages, Netlify, Firebase | Abuse reporting form |
| URL shortener | bit.ly, tinyurl.com | Abuse reporting page |
Major Provider Abuse Contacts
- Cloudflare: [email protected] or cloudflare.com/abuse
- AWS: aws.amazon.com/forms/report-abuse
- Google (Firebase/Sites): safebrowsing.google.com/safebrowsing/report_phish
- Microsoft (Azure): msrc.microsoft.com/report/abuse
- GoDaddy: [email protected]
- Namecheap: [email protected] or namecheap.com/support/abuse
Reporting to Other Services
Search Engines
Report phishing URLs to search engines to prevent them from appearing in search results and to trigger browser warnings:
- Google Safe Browsing: safebrowsing.google.com/safebrowsing/report_phish
- Microsoft: microsoft.com/en-us/wdsi/support/report-unsafe-site
- PhishTank: phishtank.org (community verification speeds up blacklisting)
Certificate Authorities
If the phishing site uses HTTPS, report the domain to the certificate authority for potential revocation. Identify the CA using browser certificate details, then file an abuse report.
Brand Abuse Teams
Most major brands maintain dedicated abuse reporting channels:
- Microsoft: microsoft.com/reportaphishingsite
- Google: safebrowsing.google.com/safebrowsing/report_phish
- Apple: [email protected]
- PayPal: [email protected]
- Amazon: [email protected]
See our brand impersonation guide for detecting which brands are being impersonated.
Tracking Takedown Progress
After filing reports:
- Save confirmation emails and ticket numbers from each provider
- Check the phishing URL periodically — most providers resolve abuse reports within 24-48 hours
- Follow up if the site remains active after 48 hours
- Use VirusTotal and PhishTank to check if the URL has been added to threat databases
Automating Takedown for Organizations
Organizations that regularly face brand impersonation should consider:
- Takedown services (Bolster, PhishFort, Netcraft) that automate detection and removal
- Domain monitoring tools that alert on new lookalike domain registrations
- Dedicated abuse response workflows integrated into your incident response plan
- Partnerships with registrars — some offer expedited takedown for verified brand owners
Key Takeaways
- ISP abuse reports get phishing sites taken down within hours, directly protecting potential victims
- WHOIS and IP lookups identify the hosting provider and registrar for any phishing domain
- Effective reports include the URL, screenshot, impersonated brand, and evidence of phishing intent
- Report to the hosting provider, domain registrar, search engines, and the impersonated brand
- Follow up after 48 hours if the site remains active
- Organizations facing repeated brand impersonation should consider automated takedown services
For the complete phishing defense framework, see our phishing recognition and reporting guide.
Sources
- CISA Phishing Guidance: Stopping the Attack Cycle at Phase One
- FBI IC3 2024 Internet Crime Report
- APWG Phishing Activity Trends Reports 2025
This content is for educational purposes only. File abuse reports in good faith with accurate information. Fraudulent abuse reports may have legal consequences.