ClearPhish
[ 01 ] Brand Abuse & Phishing Monitoring

Brand impersonation,
found and taken down.

We monitor the web for sites impersonating the brands we protect, capture reproducible evidence, and drive removal through the registrars, hosts, CDNs and browser blocklists responsible for the abuse.

Report abuse to us See how it works
Evidence-led notices Registrar · host · CDN · blocklist No cookies, no trackers
Registrar abuse desksHosting providersCDNs & networksGoogle Safe BrowsingNetcraftSearch & copyright removalOrigin-IP disclosureRecord preservation Registrar abuse desksHosting providersCDNs & networksGoogle Safe BrowsingNetcraftSearch & copyright removalOrigin-IP disclosureRecord preservation
[ 02 ] What we do

Accurate takedowns, without the guesswork

Every case is independently verified and documented before a single notice goes out — so the reviewing provider can confirm the abuse in minutes.

2 days
Acknowledgement target
100%
Reports backed by evidence
5+
Channels per case
0
Cookies & trackers

Detection & monitoring

Continuous monitoring for brand-impersonation domains, phishing pages, typosquats and search-result manipulation targeting the brands we protect.

Evidence & verification

Each report is backed by captured, reproducible HTTP evidence — including the exact request that exposes search-engine cloaking — so reviewers never take our word for it.

Our methodology

Takedown coordination

We attribute the responsible registrar, host and network, then file through each party's official abuse channel and follow up until the content is gone.

Where we report
[ 03 ] How a takedown works

From first sighting to confirmed removal

A repeatable, evidence-first workflow we run on every case. Read the full process →

  1. Detect

    We identify a domain or page impersonating a protected brand, or running a phishing / financial-fraud lure.

  2. Verify & capture

    We independently reproduce the abuse and save the HTTP evidence — including the cloaked variant served only to crawlers.

  3. Attribute

    From WHOIS, DNS and network data we resolve the responsible registrar, host and CDN, and locate each abuse contact.

  4. Report & escalate

    We file evidence-led notices through every official channel, then follow up and escalate until removal is confirmed.

Tamper-evident by design

Every evidence bundle is hash-chained (SHA-256) and sealed with an RFC 3161 trusted timestamp, then written to write-once (WORM) storage — nobody, including us, can alter it after capture.

Captured from multiple perspectives

Each page is fetched as a normal browser, as a mobile client and as a search-engine crawler, side by side — so cloaked abuse that hides from manual review is documented in one reproducible artefact.

Independently archived

Snapshots are also submitted to the Internet Archive, so a reviewing abuse desk can verify what we saw on infrastructure we don't control.

Filed the way desks expect

Notices go through each provider's official lane — registrar and host abuse desks, Google Safe Browsing, Netcraft, browser blocklists — with the evidence attached up front, never "available on request".

[ 04 ] What we report

The abuse patterns we handle

Brand impersonation rarely arrives alone. See every pattern in detail →

Brand-impersonation domains

Look-alike sites posing as a protected brand's official entry point to capture its search traffic and users.

Phishing & credential theft

Pages that imitate a login or account flow to steal usernames, passwords and one-time codes.

Payment & deposit fraud

Fake deposit / "havale" pages that intercept bank transfers and harvest names, amounts and account numbers.

Search-engine cloaking

Sites that show an innocuous decoy to reviewers while serving the abusive page to Googlebot to rank under a brand.

Typosquats & look-alikes

Misspellings, added words and alternate TLDs registered to ride on a brand's name and reputation.

Fake apps & profiles

Impersonating mobile apps and social accounts that funnel users toward the same fraudulent infrastructure.

[ 05 ] Evidence-led by default

A reviewer can confirm it in under a minute

Vague abuse reports get queued and ignored. Every ClearPhish notice names the abusive URL, the impersonated brand, the responsible infrastructure, and a single command that reproduces the abuse — including the request that reveals cloaking.

We report only what we can independently reproduce, and we retain the captured responses to hand to the reviewing provider on request. We never ask any recipient for credentials, payment or account access.

Read our methodology
Case evidencebrand impersonation
Abusive URLhttps://[redacted]/
Impersonates[protected brand — redacted]
Registrar[registrar] · abuse@[registrar]
Network / CDN[CDN-fronted]
Techniquecloaking — decoy to browsers, target to Googlebot
Reproducecurl -A "Googlebot/2.1" …
Filed withregistrar · CDN · Safe Browsing · Netcraft
For providers & site owners

Received a notice from us?

Our notices are sent only from abuse@clearphish.org. Verify our identity, read our abuse and evidence-handling policy, and reach the team.

Verify a notice security.txt

Found a site impersonating a brand?

Send us the URL and what it's pretending to be. If we can reproduce it, we'll take it from there — evidence, notices and follow-up included.

Report abuse to us Contact the team