Phishing Site Takedowns:
How to Escalate When Registrars Ignore Abuse
Few things are more frustrating in cybersecurity than a domain registrar ignoring a clear case of DNS abuse. Whether it’s a phishing website or a malicious domain distributing malware, every day that these threats remain active increases the risk to the public and the targeted brand. When a registrar fails to act, knowing the right steps to escalate the issue can make all the difference.
How to Submit Effective Evidence for a Phishing Site Takedown
Not all registrars handle abuse reports the same way. Some strictly follow the DNS Abuse Framework, while others assess cases on a discretionary basis. Regardless of their approach, submitting well-documented evidence is key to securing a swift phishing site takedown. Ensure that your report clearly demonstrates how the abuse violates the Registrar Accreditation Agreement (RAA) or other applicable policies. Providing screenshots, WHOIS data, timestamps, and technical details can help strengthen your case and leave little room for inaction. We have listed the evidence requirements here.
Escalating to Registries When Registrars Fail to Act
Yes. If the registrar fails to act, you can escalate the case to the registry. Many registries have their own abuse policies and can intervene if a registrar ignores clear DNS abuse.
Registries like Public Interest Registry (PIR), which manages .ORG, provide dedicated abuse reporting systems, allowing cybersecurity professionals and the public to escalate complaints directly. This enables swift intervention, including domain suspensions for phishing, malware distribution, and other forms of DNS abuse.
Additionally, PIR incentivizes registrars to act on abuse complaints by incorporating response times and abuse mitigation efforts into its Quality Performance Index (QPI), a program that rewards registrars with commercial benefits for maintaining a safer domain space. These measures demonstrate how some registries take an active role in phishing site takedowns, ensuring that abusive domains don’t remain operational due to registrar inaction.
ICANN’s Role in Phishing Site Complaints
It’s a common misconception that escalating a complaint to ICANN will lead to the suspension of an infringing domain name. In reality, ICANN does not have the authority to take down or suspend domain names directly.
ICANN’s role is to oversee the contractual compliance of registrars and registries, ensuring they adhere to the Registrar Accreditation Agreement (RAA) and other policies. If a registrar fails to comply—such as by ignoring legitimate abuse complaints—ICANN can investigate and take action. This may include issuing warnings, requiring corrective measures, or, in extreme cases, revoking the registrar’s accreditation for repeated violations.
However, ICANN does not intervene in individual phishing site takedowns. While submitting complaints may not resolve a specific infringement, a high volume of reports can pressure ICANN to take enforcement actions that improve compliance, potentially increasing the likelihood of future complaints being addressed.
Reporting Phishing to Hosting Providers and CDNs
If a registrar fails to act on an abuse complaint, you can also contact the domain’s hosting provider. Hosting companies often have policies on malicious content, such as phishing, malware, or copyright infringement. To strengthen your complaint, provide clear evidence such as URLs, screenshots, and details on how the content violates the host’s Terms of Service. Many hosting providers have dedicated abuse reporting channels, and in cases where the content is egregious, they may suspend or remove the site entirely.
If the website is using a Content Delivery Network (CDN) such as Cloudflare, the actual hosting provider will be masked. So you will need to submit an abuse report to Cloudflare via their Abuse form that can lead to them disclosing the real hosting provider or taking action themselves if the site violates their policies. Additionally, tools like Crimeflare and other passive DNS lookup services can help uncover the origin server, allowing you to escalate the complaint directly to the true host.
Alternative Strategies to Disrupt Phishing Sites
If direct takedown efforts fail, there are several ways to disrupt an infringing website’s reach and effectiveness. Submitting a complaint to Google Safe Browsing, Microsoft SmartScreen, and other browser security lists can flag the site as dangerous, displaying warnings to potential visitors. Getting the website delisted from search engines by reporting the abuse to Google, Bing, and other search providers can drastically reduce traffic. Additionally, reporting the domain to Spamhaus, PhishTank, OpenPhish, and other threat intelligence feeds can lead to broader network-level blocking, impacting email providers, security tools, and corporate firewalls. Payment processors and ad networks can also be targeted for disruption, cutting off revenue streams for scammers and cybercriminals.
These multi-layered phishing site takedown tactics can significantly limit the impact of a malicious site, even if direct removal proves difficult.
Sign up for Unphish & take control of online threats
Unphish delivers fast, effective takedowns for phishing sites, fake profiles, and brand abuse — combining automation with expert enforcement to keep your brand safe.
FAQs: Phishing Site Takedowns When Registrars Ignore You
What should I do if a registrar ignores my phishing abuse report?
If a registrar fails to act, you can escalate to the registry, the hosting provider, or even submit the site to security blocklists like Google Safe Browsing. Providing detailed evidence in your report increases your chances of success.
Can ICANN take down phishing websites directly?
No. ICANN does not suspend or remove individual domains. Its role is to ensure registrars and registries comply with their contracts. If a registrar repeatedly ignores abuse complaints, ICANN can investigate and take compliance action.
What evidence do I need to submit for a phishing site takedown?
Strong evidence includes screenshots of the phishing content, timestamps, WHOIS records, technical details (such as DNS lookups), and proof of how the site violates registrar or host terms of service.
Can I report a phishing site to the hosting provider instead of the registrar?
Yes. Hosting providers often respond more quickly than registrars. Submitting a clear report with supporting evidence can lead to suspension or removal of the malicious site.
What are alternative ways to disrupt a phishing site if takedown requests fail?
You can report the site to browser security teams (Google Safe Browsing, Microsoft SmartScreen), search engines for delisting, threat intelligence feeds like PhishTank or Spamhaus, and payment processors or ad networks that may be supporting the scam.
Do registries always intervene if a registrar ignores abuse reports?
Not always, but many registries have their own abuse mitigation processes. For example, PIR (which manages .ORG) allows abuse escalation and can suspend domains if a registrar fails to act.
About brandsec
brandsec is a team of highly experienced domain name management and online brand protection experts. We provide corporate domain name management and brand enforcement services, helping brands eliminate phishing platforms across the internet. Supporting some of the largest brands in the region, we offer innovative solutions to combat threats across multiple industries.
