From first sighting to confirmed removal
A repeatable, evidence-first workflow we run on every case — and the same process we can walk a provider through when they receive one of our notices. No shortcuts, no circumvention, nothing we can't reproduce.
Detect
We continuously monitor for domains and pages impersonating the brands we protect, plus phishing and financial-fraud lures riding on those brands. Signals come from brand-keyword and look-alike domain monitoring, certificate-transparency streams, search-result surveillance, and inbound reports.
- New and recently-registered look-alike / typosquat domains
- Pages ranking under a protected brand in search
- Certificate issuance for brand-adjacent hostnames
- Tips submitted to
abuse@clearphish.org
Verify & capture
Nothing is reported until we have reproduced it ourselves. We fetch the page as an ordinary visitor and, where relevant, as a search-engine crawler, and we save the full HTTP evidence: request metadata, response headers and the rendered HTML for each variant.
- Captured request/response pairs retained for the case file
- Both the decoy and the cloaked variant where a site cloaks
- A single command a reviewer can run to see it themselves
Attribute
We resolve who can actually act. From WHOIS/RDAP, DNS and network data we identify the sponsoring registrar, the hosting provider behind any CDN, and the network operator — and we locate each party's published abuse channel.
- Registrar & registrar abuse contact (RDAP)
- Name servers, fronting CDN and origin network
- Any compromised third-party site used as a front
Report through official channels
We file a clear, evidence-led notice with every responsible party at once, and submit the URL to the relevant browser blocklists and search engines. Each notice states the abusive URL, the impersonated brand, the technique, and the reproduction step — and asks the provider to assess it against their own acceptable-use policy.
- Registrar, host and CDN notices in parallel
- Browser-blocklist and search submissions
- No circumvention of any provider's security controls
Follow up & escalate
Acknowledgement is not removal. We track each provider's response, answer requests for further evidence, and re-file or escalate when a notice stalls — moving up from front-line abuse desks to trust & safety and, where relevant, the upstream network.
- Per-provider response tracking
- Evidence supplied on request
- Escalation when a first notice is acknowledged but not actioned
Confirm removal
We monitor the URL and its infrastructure until the abusive content is down, and we keep watching: operators routinely re-register disposable look-alike domains and stand the same kit back up on fresh hosting. New variants re-enter the workflow at step 01.
- Verification that the content is actually removed
- Monitoring for re-registration and re-hosting
- Recurrence folded back into detection
What each stage produces
| Stage | Output | Typical timing |
|---|---|---|
| Detect | Candidate URL + brand match | Continuous |
| Verify & capture | Reproducible evidence file | Same day |
| Attribute | Registrar / host / CDN + abuse contacts | Same day |
| Report | Notices filed across all channels | Within 2 business days |
| Escalate | Follow-ups & trust-and-safety routing | Until actioned |
| Confirm | Removal verified + recurrence watch | Ongoing |
Found a site impersonating a brand?
Send us the URL and what it's pretending to be. If we can reproduce it, we run the whole workflow above.