How to Report a Phishing Website: Step-by-Step Guide (2026)

By DoppelDown Team

You have discovered a phishing website impersonating your business. Maybe a customer alerted you. Maybe you found it yourself while monitoring your brand. Either way, every minute that site stays live is a minute your customers remain at risk.

Reporting phishing websites is not just about protecting your brand — it is about protecting the people who trust you. This guide walks you through exactly how to report a phishing website, who to contact, what evidence to collect, and when to escalate to law enforcement. Follow these steps to get phishing sites taken down quickly and efficiently.

Step 1: Document Everything Before You Report

Before you start filing reports, you need evidence. Phishing sites can disappear in minutes once the attackers realise they have been discovered. Capture everything while you can.

Screenshots: Take full-page screenshots of the phishing site showing the URL, any login forms, brand impersonation, and misleading content. Use the browser's built-in screenshot feature, the Full Page Screen Capture extension, or a command-line tool like shot-scraper.

WHOIS data: Look up the domain registration details using WHOIS lookup tools like who.is, ICANN Lookup, or DomainTools. Record the registrar, registration date, name servers, and any contact information. Some registrars offer privacy protection, but you may still find useful hosting or DNS information.

DNS and hosting information: Use tools like dig, nslookup, or online services like SecurityTrails and VirusTotal to identify the hosting provider and IP addresses associated with the domain.

Phishing emails or messages: If the phishing site was promoted via email, save the original email with full headers. On Gmail, click the three dots and select "Show original." On Outlook, open the message and select File > Properties > Message headers. These headers contain crucial information about the sending infrastructure.
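The header analysis described above, as an added example that is not part of the original guide: it reads the Received chain oldest hop first, pulls out the first non-private relay IP, and flags Return-Path or Reply-To domains that differ from From. The sample message, its addresses and the function names are constructed for illustration.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample: documentation-range IPs (RFC 5737) and placeholder domains only.
SAMPLE_EML = """\
Received: from mx.recipient.example (mx.recipient.example [198.51.100.7])
\tby mail.recipient.example with ESMTPS id abc123; Tue, 06 Jan 2026 09:15:12 +0000
Received: from relay.bulk-sender.example (unknown [203.0.113.45])
\tby mx.recipient.example with ESMTP id def456; Tue, 06 Jan 2026 09:15:10 +0000
Received: from [10.0.0.5] (localhost [127.0.0.1])
\tby relay.bulk-sender.example with ESMTPA id ghi789; Tue, 06 Jan 2026 09:15:05 +0000
Authentication-Results: mx.recipient.example; spf=fail smtp.mailfrom=bulk-sender.example;
\tdkim=none; dmarc=fail header.from=yourbrand.example
Return-Path: <bounce@bulk-sender.example>
From: "YourBrand Support" <support@yourbrand.example>
Reply-To: helpdesk@yourbrand-login.example

Body omitted.
"""

# Loopback and RFC 1918 ranges say nothing about the sending infrastructure.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def domain_of(header_value):
    """Return the lower-cased domain of an address header, or '' if absent."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def summarize_headers(raw):
    msg = message_from_string(raw)
    hops = []
    # Each server prepends its Received line, so reverse to read sender -> recipient.
    for value in reversed(msg.get_all("Received", [])):
        flat = " ".join(value.split())
        when = parsedate_to_datetime(flat.rsplit(";", 1)[-1].strip())
        ips = [ip for ip in IP_RE.findall(flat)
               if not any(ipaddress.ip_address(ip) in net for net in INTERNAL)]
        hops.append({"time": when.isoformat(), "external_ips": ips})
    # Only trust an Authentication-Results line added by your own mail server.
    auth = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", msg.get("Authentication-Results", "")))
    domains = {h: domain_of(msg.get(h)) for h in ("From", "Return-Path", "Reply-To")}
    return {
        "hops": hops,
        "first_external_ip": next((h["external_ips"][0] for h in hops if h["external_ips"]), None),
        "auth": auth, "domains": domains,
        "mismatched": sorted(h for h, d in domains.items() if d and d != domains["From"]),
    }
```

The first external IP is the one to look up when identifying the sending network for an abuse report. Received lines added before your own server handled the message can be forged, so treat them as leads rather than proof.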

Store all evidence in an organized folder with timestamps. If this escalates to law enforcement or legal action, you will need a clear chain of documentation.
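One way to make the evidence folder verifiable later, as an added example that is not part of the original guide: it records a SHA-256 hash, size and UTC timestamp for every collected file, and can re-check the folder against that record. The manifest file name, field names and function names are assumptions chosen for this example.

```python
import hashlib
import json
from datetime import datetime, timezone
from pathlib import Path

MANIFEST = "manifest.json"  # hypothetical file name for this example

def sha256_file(path):
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def build_manifest(evidence_dir, collected_by):
    """Record hash, size and UTC timestamps for every file in the folder."""
    root = Path(evidence_dir)
    files = sorted(p for p in root.rglob("*") if p.is_file() and p.name != MANIFEST)
    manifest = {
        "collected_by": collected_by,
        "manifest_created_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "files": [{
            "path": p.relative_to(root).as_posix(),
            "sha256": sha256_file(p),
            "bytes": p.stat().st_size,
            "modified_utc": datetime.fromtimestamp(
                p.stat().st_mtime, timezone.utc).isoformat(timespec="seconds"),
        } for p in files],
    }
    (root / MANIFEST).write_text(json.dumps(manifest, indent=2), encoding="utf-8")
    return manifest

def verify_manifest(evidence_dir):
    """Return paths that are missing or whose content changed since hashing."""
    root = Path(evidence_dir)
    manifest = json.loads((root / MANIFEST).read_text(encoding="utf-8"))
    problems = []
    for entry in manifest["files"]:
        target = root / entry["path"]
        if not target.is_file() or sha256_file(target) != entry["sha256"]:
            problems.append(entry["path"])
    return problems
```

Keep a copy of the manifest, or its own hash, outside the evidence folder so that a later change to both the files and the manifest does not go unnoticed.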

Step 2: Report to Google Safe Browsing

Google Safe Browsing is the most impactful first step. When a site is flagged in Safe Browsing, Chrome, Firefox, Safari, and Edge will display warning pages to users attempting to visit it. This immediately neutralises the threat even before the site is taken down.

How to report:

  1. Visit the Google Safe Browsing report page at safebrowsing.google.com/safebrowsing/report_phish/
  2. Enter the phishing URL in the form
  3. Complete the CAPTCHA verification
  4. Add any additional comments describing how the site is impersonating your brand
  5. Submit the report

Google typically processes phishing reports within a few hours to one business day. You will not receive a direct response, but you can check if the site has been flagged by using the Safe Browsing Site Status checker at transparency-report.google.com/safe-browsing/search

Step 3: Report to the Anti-Phishing Working Group (APWG)

The Anti-Phishing Working Group (APWG) is an international coalition of financial institutions, retailers, ISPs, and security vendors that collect and analyse phishing attack data. Reporting to APWG helps protect users across multiple browsers, email providers, and security products.

How to report:

  1. Forward phishing emails to reportphishing@apwg.org
  2. Or submit via their web form at apwg.org/reportphishing
  3. Include the phishing URL and any relevant details about the attack

APWG shares phishing data with member organizations including major banks, email providers, and security companies. Your report helps protect users far beyond your immediate customer base.

Step 4: Report to Microsoft Defender SmartScreen

Microsoft Edge and Internet Explorer use SmartScreen to block malicious websites. A separate report here ensures protection for users on Microsoft browsers and Windows systems.

How to report:

  1. Visit microsoft.com/wdsi/support/report-unsafe-site
  2. Select "I believe this is a phishing site"
  3. Enter the malicious URL
  4. Complete the CAPTCHA and submit

Step 5: Contact the Domain Registrar

Domain registrars have abuse policies and are obligated to take action against domains used for phishing. This is often the fastest path to complete takedown, as suspending the domain disables the entire site.

How to find the registrar:

Use a WHOIS lookup to identify the registrar. Look for the "Registrar" field in the results. Common registrars include GoDaddy, Namecheap, Cloudflare, Tucows, and Google Domains.

How to report:

  1. Find the registrar's abuse reporting page (search "[registrar name] abuse report")
  2. Submit a detailed abuse report including:
    • The phishing domain name
    • Your trademark or brand being impersonated
    • Screenshots showing the phishing content
    • Your contact information as the brand owner
    • A clear statement that the site is engaged in phishing

Most registrars have abuse teams that respond within 24-48 hours for clear phishing cases. Include as much detail as possible to expedite the process.

Step 6: Contact the Hosting Provider

If the registrar action is slow or ineffective, go directly to the hosting provider. Hosting providers can remove malicious content or suspend the account entirely.

How to identify the hosting provider:

  • Use lookup.icann.org to find name servers, which often indicate the hosting company
  • Check the IP address using ipinfo.io or arin.net
  • Use tools like SecurityTrails or BuiltWith to identify hosting infrastructure

Major hosting provider abuse contacts:

  • Cloudflare: cloudflare.com/abuse
  • AWS: aws.amazon.com/premiumsupport/knowledge-center/report-abuse/
  • Google Cloud: support.google.com/code/contact/cloud_platform_report
  • Microsoft Azure: report abuse through the Microsoft Services portal
  • GoDaddy: godaddy.com/help/report-abuse-27154
  • DigitalOcean: digitalocean.com/legal

Step 7: Report to Social Media and Advertising Platforms

Phishing sites are often promoted through social media ads, sponsored posts, or direct messages. Reporting to these platforms can stop the distribution channel.

  • Meta (Facebook/Instagram): Use the report links on any ads or posts. For business impersonation, visit facebook.com/help/contact/357439354283890
  • LinkedIn: Report through the help center at linkedin.com/help/linkedin/ask/TS-RPP
  • X/Twitter: Report via the platform's reporting tools or, for business impersonation, use the form at twitter.com/forms/impersonation
  • TikTok: Report through the app or at tiktok.com/legal/report/feedback
  • Google Ads: Report malicious ads at support.google.com/adwords/contact/anti-malware

Step 8: When to Escalate to Law Enforcement

Not every phishing site requires law enforcement involvement, but some situations warrant official reports:

  • Financial losses have occurred (yours or your customers')
  • Customer data has been compromised
  • The phishing is part of a larger, organized campaign
  • You have identifying information about the attackers
  • The phishing site is targeting vulnerable populations (elderly, healthcare patients, etc.)

United States:

  • File a complaint with the FBI's Internet Crime Complaint Center (IC3) at ic3.gov
  • Contact your local FBI field office for significant cases
  • Report to the FTC at reportfraud.ftc.gov for consumer protection issues

United Kingdom:

  • Report to Action Fraud at actionfraud.police.uk
  • For urgent matters, contact your local police force

European Union:

  • Contact your national cybercrime reporting center
  • Europol provides links to national reporting mechanisms at europol.europa.eu/report-a-crime/report-cybercrime-online

Australia:

  • Report to ReportCyber at cyber.gov.au/acsc/report
  • Contact your state or territory police for significant financial losses

Step 9: Notify Your Customers

Transparency builds trust. If your customers may have encountered the phishing site, proactively communicate with them.

  • Send an email alert describing the phishing campaign
  • Post warnings on your official social media accounts
  • Update your website with a security notice if appropriate
  • Provide clear instructions on how to identify legitimate communications from your business

Include your official domains and customer service contact information, and remind customers that you will never ask for passwords or sensitive information via email.

Timeline: What to Expect After Reporting

Takedown speeds vary, but here is a general timeline:

  • 0-4 hours: Browser warnings (Google Safe Browsing, SmartScreen) typically appear
  • 4-24 hours: Major registrars often suspend domains for clear phishing
  • 24-48 hours: Hosting providers generally respond to abuse reports
  • 1-7 days: Social media platforms remove fraudulent accounts and ads
  • 1-4 weeks: Law enforcement investigations begin for serious cases

Follow up on your reports if you do not see action within these timeframes. Persistence pays off.

Prevention: Stop Phishing Sites Before They Launch

Reporting phishing sites is reactive. The real protection comes from proactive monitoring that catches these domains the moment they are registered — before they go live, before your customers see them, before any damage is done.

DoppelDown automates this process. Our platform continuously scans new domain registrations across all major TLDs, detecting lookalike domains, typosquats, and brand impersonation attempts in real-time. When a suspicious domain is registered, you get an immediate alert with risk scoring, evidence collection tools, and streamlined takedown workflows.

Instead of discovering phishing sites through customer complaints, you will know about them within hours of registration. Instead of scrambling to collect evidence after the fact, you will have automated documentation ready for abuse reports. Instead of checking dozens of different reporting channels, you will have a centralized dashboard for managing takedowns.

Start monitoring your brand with DoppelDown today — it is free to start, requires no credit card, and takes less than five minutes to set up. Do not wait for the next phishing report from a customer. See the threats before they see you.

Phishing sites rely on time — time to reach your customers, time to collect credentials, time to do damage. Every minute you save in detection and reporting is a minute your customers stay safe. Document fast, report everywhere, and consider automated monitoring to catch these threats before they launch.
