Practical guide | Updated 2026-06-08 | ~6 min read

How to report phishing

A good phishing report is one a stranger can verify in under a minute and act on without a follow-up question. This is the process we use — and the one a provider hopes to receive.

Capture the evidence first

Before anything can change, save what you saw — the live page can vanish in minutes. Record the full URL, save the page as served, and note the time. If the site behaves differently for crawlers, capture that variant too (see cloaking). Never enter real credentials to "test" a phishing page.

Attribute the infrastructure

Work out who can actually act. From the domain, resolve:

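# "example" stands in for the domain taken from the reported URL.
dig +short example A     # address(es) the site is served from
dig +short example NS    # authoritative nameservers (DNS provider)
# RDAP for registrar + abuse contact:
curl -s https://rdap.org/domain/example | grep -i abuse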
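
An added example (not part of the original guide): RDAP answers are JSON and can arrive as a single line, so a structural parse gives cleaner fields for a report than grep does. The response below is constructed, every name and address in it is made up, and the function names are this example's own.

```python
import json

# Constructed RDAP domain response (RFC 9083 shape, jCard contacts).
# Every name, handle and address in it is made up for this example.
SAMPLE_RDAP = json.loads("""
{"objectClassName": "domain", "ldhName": "LOGIN-PORTAL.TEST",
 "nameservers": [{"ldhName": "ns2.dns-host.test"}, {"ldhName": "NS1.dns-host.test"}],
 "entities": [
  {"roles": ["registrant"], "handle": "REDACTED"},
  {"roles": ["registrar"], "handle": "9999",
   "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                            ["fn", {}, "text", "Example Registrar LLC"]]],
   "entities": [
    {"roles": ["abuse"],
     "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                              ["fn", {}, "text", "Abuse Desk"],
                              ["tel", {"type": "voice"}, "uri", "tel:+1.5555550100"],
                              ["email", {}, "text", "abuse@registrar.test"]]]}]}]}
""")

def vcard_values(entity, prop):
    """All values of one jCard property ('fn', 'email', ...) on an entity."""
    card = entity.get("vcardArray") or ["vcard", []]
    return [row[3] for row in card[1] if len(row) >= 4 and row[0] == prop]

def walk_entities(obj, parent=None):
    """Yield (entity, parent) pairs; abuse contacts nest under their owner."""
    for ent in obj.get("entities", []):
        yield ent, parent
        yield from walk_entities(ent, ent)

def attribute(rdap):
    """Reduce an RDAP domain object to the fields a report quotes."""
    registrar, abuse = None, []
    for ent, parent in walk_entities(rdap):
        roles = ent.get("roles", [])
        if "registrar" in roles and registrar is None:
            registrar = next(iter(vcard_values(ent, "fn")), ent.get("handle"))
        if "abuse" in roles:
            owner = next(iter(vcard_values(parent or {}, "fn")), None)
            abuse += [(owner, mail) for mail in vcard_values(ent, "email")]
    return {"domain": (rdap.get("ldhName") or "").lower(),
            "registrar": registrar,
            "abuse": list(dict.fromkeys(abuse)),  # de-duplicate, keep order
            "nameservers": sorted(ns.get("ldhName", "").lower()
                                  for ns in rdap.get("nameservers", []))}

if __name__ == "__main__":
    print(json.dumps(attribute(SAMPLE_RDAP), indent=2))
```

Each abuse entry is paired with the entity it is nested under, so the report names the organisation that owns the mailbox. Redacted entities without a vcardArray are skipped without error.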

Find the right abuse channel

Use each provider's published channel — an abuse address or form — not a generic support queue. Our abuse-contact directory lists the channels for the major registrars, hosts and CDNs. Browser blocklists and search engines have their own report forms.

Write a report they can act on

Keep it short, factual and reproducible. A reviewer should be able to confirm it without trusting you. Include:

Ask the provider to review the URL against their own policy. Don't demand, don't threaten, and never ask them for account access — that's what a scam does.

File everywhere, then follow up

Submit to the registrar, host, CDN and the relevant browser blocklists in parallel — don't serialise and wait. Track each response, supply evidence on request, and escalate when a notice is acknowledged but not actioned. Then watch for the operator standing the same kit back up on a fresh domain.


Prefer to hand this off? Report it to us and we run all of the above. Related: Abuse-contact directory.
